From cf96dce0b6988596d9c6b7a6a1b2f11e3faea4c0 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 9 Mar 2020 12:10:50 +0100
Subject: [PATCH 1/7] Update vendored elastic/ecs to v1.5.0
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../elastic/ecs/code/go/ecs/code_signature.go | 46 +++++++++++++++++++
 .../elastic/ecs/code/go/ecs/container.go | 2 +-
 .../github.com/elastic/ecs/code/go/ecs/dll.go | 37 +++++++++++++++
 .../elastic/ecs/code/go/ecs/event.go | 38 +++++++++++----
 .../elastic/ecs/code/go/ecs/file.go | 7 +++
 .../elastic/ecs/code/go/ecs/host.go | 8 ++--
 .../elastic/ecs/code/go/ecs/interface.go | 38 +++++++++++++++
 .../elastic/ecs/code/go/ecs/network.go | 7 +++
 .../elastic/ecs/code/go/ecs/observer.go | 26 ++++++++++-
 .../github.com/elastic/ecs/code/go/ecs/pe.go | 38 +++++++++++++++
 .../elastic/ecs/code/go/ecs/process.go | 20 ++++++++
 .../elastic/ecs/code/go/ecs/related.go | 7 ++-
 .../elastic/ecs/code/go/ecs/rule.go | 10 +++-
 .../elastic/ecs/code/go/ecs/user.go | 2 +-
 .../elastic/ecs/code/go/ecs/version.go | 2 +-
 .../elastic/ecs/code/go/ecs/vlan.go | 44 ++++++++++++++++++
 vendor/modules.txt | 2 +-
 19 files changed, 317 insertions(+), 23 deletions(-)
 create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go
 create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/dll.go
 create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/interface.go
 create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/pe.go
 create mode 100644 vendor/github.com/elastic/ecs/code/go/ecs/vlan.go
diff --git a/go.mod b/go.mod
index d98f1518c15a..d1b0760f7ae5 100644
--- a/go.mod
+++ b/go.mod
@@ -55,7 +55,7 @@ require (
 github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4
 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2
- github.com/elastic/ecs v1.4.0
+ github.com/elastic/ecs v1.5.0
 github.com/elastic/go-libaudit v0.4.0
 github.com/elastic/go-licenser v0.2.1
 github.com/elastic/go-lookslike v0.3.0
diff --git a/go.sum b/go.sum
index 9ba3979f1e66..b73343384c6e 100644
--- a/go.sum
+++ b/go.sum
@@ -216,8 +216,8 @@ github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6W
 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
-github.com/elastic/ecs v1.4.0 h1:BGIUwWJhThRO2IQxzm7ekV9TMUGwZoYyevT5/1xmMf0=
-github.com/elastic/ecs v1.4.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
+github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU=
+github.com/elastic/ecs v1.5.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4=
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng=
 github.com/elastic/go-libaudit v0.4.0 h1:pxLCycMJKW91W8ZmZT74DQmryTZuXryKESo6sXdu1XY=
diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go b/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go
new file mode 100644
index 000000000000..df61c3b9355d
--- /dev/null
+++ b/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go
@@ -0,0 +1,46 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain information about binary code signatures. +type CodeSignature struct { + // Boolean to capture if a signature is present. + Exists bool `ecs:"exists"` + + // Subject name of the code signer + SubjectName string `ecs:"subject_name"` + + // Boolean to capture if the digital signature is verified against the + // binary content. + // Leave unpopulated if a certificate was unchecked. + Valid bool `ecs:"valid"` + + // Stores the trust status of the certificate chain. + // Validating the trust of the certificate chain may be complicated, and + // this field should only be populated by tools that actively check the + // status. + Trusted bool `ecs:"trusted"` + + // Additional information about the certificate status. + // This is useful for logging cryptographic errors with the certificate + // validity or trust status. Leave unpopulated if the validity or trust of + // the certificate was unchecked. + Status string `ecs:"status"` +} 
diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/container.go b/vendor/github.com/elastic/ecs/code/go/ecs/container.go index be47d0ce940c..34c5698ba506 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/container.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/container.go @@ -32,7 +32,7 @@ type Container struct { // Name of the image the container was built on. ImageName string `ecs:"image.name"` - // Container image tag. + // Container image tags. ImageTag string `ecs:"image.tag"` // Container name. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/dll.go b/vendor/github.com/elastic/ecs/code/go/ecs/dll.go new file mode 100644 index 000000000000..3671e7096e65 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/dll.go 
@@ -0,0 +1,37 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain information about code libraries dynamically loaded +// into processes. +// +// Many operating systems refer to "shared code libraries" with different +// names, but this field set refers to all of the following: +// * Dynamic-link library (`.dll`) commonly used on Windows +// * Shared Object (`.so`) commonly used on Unix-like operating systems +// * Dynamic library (`.dylib`) commonly used on macOS +type Dll struct { + // Name of the library. + // This generally maps to the name of the file on disk. + Name string `ecs:"name"` + + // Full file path of the library. + Path string `ecs:"path"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/event.go b/vendor/github.com/elastic/ecs/code/go/ecs/event.go index e9c5da72bceb..410d49a0c975 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/event.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/event.go 
@@ -30,9 +30,10 @@ import ( // log events include a process starting on a host, a network packet being sent // from a source to a destination, or a network connection between a client and // a server being initiated or closed. A metric is defined as an event -// containing one or more numerical or categorical measurements and the time at -// which the measurement was taken. Examples of metric events include memory -// pressure measured on a host, or vulnerabilities measured on a scanned host. +// containing one or more numerical measurements and the time at which the +// measurement was taken. Examples of metric events include memory pressure +// measured on a host and device temperature. See the `event.kind` definition +// in this section for additional details about metric and state events. type Event struct { // Unique ID to describe the event. ID string `ecs:"id"` 
@@ -73,10 +74,19 @@ type Event struct { // This is one of four ECS Categorization Fields, and indicates the lowest // level in the ECS category hierarchy. - // `event.outcome` simply denotes whether the event represent a success or - // a failure. Note that not all events will have an associated outcome. For - // example, this field is generally not populated for metric events or - // events with `event.type:info`. + // `event.outcome` simply denotes whether the event represents a success or + // a failure from the perspective of the entity that produced the event. + // Note that when a single transaction is described in multiple events, + // each event may populate different values of `event.outcome`, according + // to their perspective. + // Also note that in the case of a compound event (a single event that + // contains multiple logical events), this field should be populated with + // the value that best captures the overall success or failure from the + // perspective of the event producer. + // Further note that not all events will have an associated outcome. For + // example, this field is generally not populated for metric events, events + // with `event.type:info`, or any events for which an outcome does not make + // logical sense. Outcome string `ecs:"outcome"` // This is one of four ECS Categorization Fields, and indicates the third @@ -136,7 +146,7 @@ type Event struct { // Sequence number of the event. // The sequence number is a value published by some event sources, to make - // the exact ordering of events unambiguous, regarless of the timestamp + // the exact ordering of events unambiguous, regardless of the timestamp // precision. Sequence int64 `ecs:"sequence"` 
@@ -185,4 +195,16 @@ type Event struct { // chronologically look like this: `@timestamp` < `event.created` < // `event.ingested`. Ingested time.Time `ecs:"ingested"` + + // Reference URL linking to additional information about this event. + // This URL links to a static definition of the this event. Alert events, + // indicated by `event.kind:alert`, are a common use case for this field. + Reference string `ecs:"reference"` + + // URL linking to an external system to continue investigation of this + // event. + // This URL links to another system where in-depth investigation of the + // specific occurence of this event can take place. Alert events, indicated + // by `event.kind:alert`, are a common use case for this field. + Url string `ecs:"url"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/file.go b/vendor/github.com/elastic/ecs/code/go/ecs/file.go index 4b85809d3e32..1dc53d28b07a 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/file.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/file.go @@ -102,4 +102,11 @@ type File struct { // Last time the file was accessed. // Note that not all filesystems keep track of access time. Accessed time.Time `ecs:"accessed"` + + // MIME type should identify the format of the file or stream of bytes + // using + // https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + // official types], where possible. When more than one type is applicable, + // the most specific type should be used. + MimeType string `ecs:"mime_type"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/host.go b/vendor/github.com/elastic/ecs/code/go/ecs/host.go index 44e52b6c8acc..1d66d78832fb 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/host.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/host.go 
@@ -41,10 +41,10 @@ type Host struct { // Example: The current usage of `beat.name`. ID string `ecs:"id"` - // Host ip address. + // Host ip addresses. IP string `ecs:"ip"` - // Host mac address. + // Host mac addresses. MAC string `ecs:"mac"` // Type of host. @@ -61,7 +61,7 @@ type Host struct { // Name of the domain of which the host is a member. // For example, on Windows this could be the host's Active Directory domain - // or NetBIOS domain name. For Linux this could be the domain of the - // host's LDAP provider. + // or NetBIOS domain name. For Linux this could be the domain of the host's + // LDAP provider. Domain string `ecs:"domain"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/interface.go b/vendor/github.com/elastic/ecs/code/go/ecs/interface.go new file mode 100644 index 000000000000..56b2e65e534a --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/interface.go 
@@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The interface fields are used to record ingress and egress interface +// information when reported by an observer (e.g. firewall, router, load +// balancer) in the context of the observer handling a network connection. In +// the case of a single observer interface (e.g. network sensor on a span port) +// only the observer.ingress information should be populated. +type Interface struct { + // Interface ID as reported by an observer (typically SNMP interface ID). + ID string `ecs:"id"` + + // Interface name as reported by the system. + Name string `ecs:"name"` + + // Interface alias as reported by the system, typically used in firewall + // implementations for e.g. inside, outside, or dmz logical interface + // naming. + Alias string `ecs:"alias"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/network.go b/vendor/github.com/elastic/ecs/code/go/ecs/network.go index 1175227f36b1..e47d15abd294 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/network.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/network.go 
@@ -92,4 +92,11 @@ type Network struct { // If `source.packets` and `destination.packets` are known, // `network.packets` is their sum. Packets int64 `ecs:"packets"` + + // Network.inner fields are added in addition to network.vlan fields to + // describe the innermost VLAN when q-in-q VLAN tagging is present. + // Allowed fields include vlan.id and vlan.name. Inner vlan fields are + // typically used when sending traffic with multiple 802.1q encapsulations + // to a network sensor (e.g. Zeek, Wireshark.) + Inner map[string]interface{} `ecs:"inner"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/observer.go b/vendor/github.com/elastic/ecs/code/go/ecs/observer.go index c7b65f84af46..a7459aa11a97 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/observer.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/observer.go @@ -32,10 +32,10 @@ package ecs // and ETL components used in processing events or metrics are not considered // observers in ECS. type Observer struct { - // MAC address of the observer + // MAC addresses of the observer MAC string `ecs:"mac"` - // IP address of the observer. + // IP addresses of the observer. IP string `ecs:"ip"` // Hostname of the observer. 
@@ -65,4 +65,26 @@ type Observer struct { // `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM // server`. Type string `ecs:"type"` + + // Observer.ingress holds information like interface number and name, vlan, + // and zone information to classify ingress traffic. Single armed + // monitoring such as a network sensor on a span port should only use + // observer.ingress to categorize traffic. + Ingress map[string]interface{} `ecs:"ingress"` + + // Network zone of incoming traffic as reported by the observer to + // categorize the source area of ingress traffic. e.g. internal, External, + // DMZ, HR, Legal, etc. + IngressZone string `ecs:"ingress.zone"` + + // Observer.egress holds information like interface number and name, vlan, + // and zone information to classify egress traffic. Single armed + // monitoring such as a network sensor on a span port should only use + // observer.ingress to categorize traffic. + Egress map[string]interface{} `ecs:"egress"` + + // Network zone of outbound traffic as reported by the observer to + // categorize the destination area of egress traffic, e.g. Internal, + // External, DMZ, HR, Legal, etc. + EgressZone string `ecs:"egress.zone"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/pe.go b/vendor/github.com/elastic/ecs/code/go/ecs/pe.go new file mode 100644 index 000000000000..983585597a78 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/pe.go 
@@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain Windows Portable Executable (PE) metadata. +type Pe struct { + // Internal name of the file, provided at compile-time. + OriginalFileName string `ecs:"original_file_name"` + + // Internal version of the file, provided at compile-time. + FileVersion string `ecs:"file_version"` + + // Internal description of the file, provided at compile-time. + Description string `ecs:"description"` + + // Internal product name of the file, provided at compile-time. + Product string `ecs:"product"` + + // Internal company name of the file, provided at compile-time. + Company string `ecs:"company"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/process.go b/vendor/github.com/elastic/ecs/code/go/ecs/process.go index 64767d8992d9..568a3cb584bc 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/process.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/process.go 
@@ -34,6 +34,26 @@ type Process struct { // Process id. ParentPID int64 `ecs:"parent.pid"` + // Unique identifier for the process. + // The implementation of this is specified by the data source, but some + // examples of what could be used here are a process-generated UUID, Sysmon + // Process GUIDs, or a hash of some uniquely identifying components of a + // process. + // Constructing a globally unique identifier is a common practice to + // mitigate PID reuse as well as to identify a specific process over time, + // across multiple monitored hosts. + EntityID string `ecs:"entity_id"` + + // Unique identifier for the process. + // The implementation of this is specified by the data source, but some + // examples of what could be used here are a process-generated UUID, Sysmon + // Process GUIDs, or a hash of some uniquely identifying components of a + // process. + // Constructing a globally unique identifier is a common practice to + // mitigate PID reuse as well as to identify a specific process over time, + // across multiple monitored hosts. + ParentEntityID string `ecs:"parent.entity_id"` + // Process name. // Sometimes called program name or similar. Name string `ecs:"name"` diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/related.go b/vendor/github.com/elastic/ecs/code/go/ecs/related.go index 492701d02917..8facf9bcec0b 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/related.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/related.go 
@@ -26,11 +26,16 @@ package ecs // A concrete example is IP addresses, which can be under host, observer, // source, destination, client, server, and network.forwarded_ip. If you append // all IPs to `related.ip`, you can then search for a given IP trivially, no -// matter where it appeared, by querying `related.ip:a.b.c.d`. +// matter where it appeared, by querying `related.ip:192.0.2.15`. type Related struct { // All of the IPs seen on your event. IP string `ecs:"ip"` // All the user names seen on your event. User string `ecs:"user"` + + // All the hashes seen on your event. Populating this field, then using it + // to search for hashes can help in situations where you're unsure what the + // hash algorithm is (and therefore which key name to search). + Hash string `ecs:"hash"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/rule.go b/vendor/github.com/elastic/ecs/code/go/ecs/rule.go index 708c922fbd30..ae07c808f54b 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/rule.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/rule.go @@ -22,7 +22,7 @@ package ecs // Rule fields are used to capture the specifics of any observer or agent rules // that generate alerts or other notable events. // Examples of data sources that would populate the rule fields include: -// network admission control platforms, network or host IDS/IPS, network +// network admission control platforms, network or host IDS/IPS, network // firewalls, web application firewalls, url filters, endpoint detection and // response (EDR) systems, etc. type Rule struct { 
@@ -57,4 +57,12 @@ type Rule struct { // that's not available, it can also be a link to a more general page // describing this type of alert. Reference string `ecs:"reference"` + + // Name, organization, or pseudonym of the author or authors who created + // the rule used to generate this event. + Author string `ecs:"author"` + + // Name of the license under which the rule used to generate this event is + // made available. + License string `ecs:"license"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/user.go b/vendor/github.com/elastic/ecs/code/go/ecs/user.go index e80effb7710a..d010a054c948 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/user.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/user.go @@ -24,7 +24,7 @@ package ecs // Fields can have one entry or multiple entries. If a user has more than one // id, provide an array that includes all of them. type User struct { - // One or multiple unique identifiers of the user. + // Unique identifiers of the user. ID string `ecs:"id"` // Short name or login of the user. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/version.go b/vendor/github.com/elastic/ecs/code/go/ecs/version.go index ac59bfa32e12..c9f77f3d6ec5 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/version.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/version.go @@ -20,4 +20,4 @@ package ecs // Version is the Elastic Common Schema version from which this was generated. -const Version = "1.4.0" +const Version = "1.5.0" diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go b/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go new file mode 100644 index 000000000000..d4a1e69fdf9e --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go 
@@ -0,0 +1,44 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as +// ingress and egress VLAN associations of an observer in relation to a +// specific packet or connection. +// Network.vlan fields are used to record a single VLAN tag, or the outer tag +// in the case of q-in-q encapsulations, for a packet or connection as +// observed, typically provided by a network sensor (e.g. Zeek, Wireshark) +// passively reporting on traffic. +// Network.inner VLAN fields are used to report inner q-in-q 802.1q tags +// (multiple 802.1q encapsulations) as observed, typically provided by a +// network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +// Network.inner VLAN fields should only be used in addition to network.vlan +// fields to indicate q-in-q tagging. +// Observer.ingress and observer.egress VLAN values are used to record observer +// specific information when observer events contain discrete ingress and +// egress VLAN information, typically provided by firewalls, routers, or load +// balancers. +type Vlan struct { + // VLAN ID as reported by the observer. 
+ ID string `ecs:"id"` + + // Optional VLAN name as reported by the observer. + Name string `ecs:"name"` +}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0b11cef6bb8c..95d78f415c22 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -407,7 +407,7 @@ github.com/eapache/queue
 # github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2
 github.com/eclipse/paho.mqtt.golang
 github.com/eclipse/paho.mqtt.golang/packets
-# github.com/elastic/ecs v1.4.0
+# github.com/elastic/ecs v1.5.0
 github.com/elastic/ecs/code/go/ecs
 # github.com/elastic/go-libaudit v0.4.0
 github.com/elastic/go-libaudit
From f74581bffab763505a00f3d5a60c0c063a0854ed Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 9 Mar 2020 12:12:13 +0100
Subject: [PATCH 2/7] Update fields.ecs.yml to v1.5.0
---
 libbeat/_meta/fields.ecs.yml | 806 ++++++++++++++++++++++++++++++++++-
 1 file changed, 783 insertions(+), 23 deletions(-)
diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml
index 94c05de3d40f..0998278657ed 100644
--- a/libbeat/_meta/fields.ecs.yml
+++ b/libbeat/_meta/fields.ecs.yml
@@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.4.0. +# based on ECS version 1.5.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -30,7 +30,9 @@ All values are stored as keyword. Example: `docker` and `k8s` labels.' - example: '{ "application": "foo-bar", "env": "production" }' + example: + application: foo-bar + env: production - name: message level: core type: text @@ -358,7 +360,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword
@@ -427,6 +429,54 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + fields: + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: container title: Container group: 2 @@ -450,7 +500,7 @@ level: extended type: keyword ignore_above: 1024 - description: Container image tag. + description: Container image tags. - name: labels level: extended type: object @@ -678,7 +728,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword 
@@ -690,6 +740,140 @@ default_field: false description: Short name or login of the user. example: albert + - name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: dns title: DNS group: 2 @@ -932,9 +1116,10 @@ events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or - more numerical or categorical measurements and the time at which the measurement - was taken. Examples of metric events include memory pressure measured on a host, - or vulnerabilities measured on a scanned host.' + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' type: group fields: - name: action @@ -987,7 +1172,7 @@ your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' - example: 2016-05-23 08:05:34.857000 + example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword @@ -1041,7 +1226,7 @@ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: 2016-05-23 08:05:35.101000 + example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core 
@@ -1086,9 +1271,21 @@ description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represent a success or a - failure. Note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events or events with `event.type:info`.' + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended @@ -1101,6 +1298,16 @@ the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of the this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.vendor.com/event/#0001234 + default_field: false - name: risk_score level: core type: float 
@@ -1121,7 +1328,7 @@ description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regarless of the timestamp precision.' + exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long @@ -1165,6 +1372,18 @@ This field is an array. This will allow proper categorization of some events that fall in multiple event types.' + - name: url + level: extended + type: keyword + ignore_above: 1024 + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + default_field: false - name: file title: File group: 2 
@@ -1194,6 +1413,48 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: created level: extended type: date 
@@ -1274,6 +1535,15 @@ ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' + - name: mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false - name: mode level: extended type: keyword @@ -1308,6 +1578,41 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: size level: extended type: long 
@@ -1553,12 +1858,12 @@ - name: ip level: core type: ip - description: Host ip address. + description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 - description: Host mac address. + description: Host mac addresses. - name: name level: core type: keyword @@ -1681,7 +1986,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -1773,6 +2078,39 @@ ignore_above: 1024 description: HTTP version. example: 1.1 + - name: interface + title: Interface + group: 2 + description: The interface fields are used to record ingress and egress interface + information when reported by an observer (e.g. firewall, router, load balancer) + in the context of the observer handling a network connection. In the case of + a single observer interface (e.g. network sensor on a span port) only the observer.ingress + information should be populated. + type: group + fields: + - name: alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false - name: log title: Log group: 2 
@@ -1956,6 +2294,30 @@ Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. example: 6 + - name: inner + level: extended + type: object + object_type: keyword + description: Network.inner fields are added in addition to network.vlan fields + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used + when sending traffic with multiple 802.1q encapsulations to a network sensor + (e.g. Zeek, Wireshark.) + default_field: false + - name: inner.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: inner.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: name level: extended type: keyword @@ -1999,6 +2361,20 @@ The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' example: ipv4 + - name: vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: observer title: Observer group: 2 
@@ -2016,6 +2392,61 @@ are not considered observers in ECS.' type: group fields: + - name: egress + level: extended + type: object + object_type: keyword + description: Observer.egress holds information like interface number and name, + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: egress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: egress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: egress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: egress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: egress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: egress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of outbound traffic as reported by the observer to + categorize the destination area of egress traffic, e.g. Internal, External, + DMZ, HR, Legal, etc. + example: Public_Internet + default_field: false - name: geo.city_name level: core type: keyword 
@@ -2074,15 +2505,70 @@ type: keyword ignore_above: 1024 description: Hostname of the observer. + - name: ingress + level: extended + type: object + object_type: keyword + description: Observer.ingress holds information like interface number and name, + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: ingress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: ingress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: ingress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: ingress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: ingress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: ingress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of incoming traffic as reported by the observer to + categorize the source area of ingress traffic. e.g. internal, External, DMZ, + HR, Legal, etc. + example: DMZ + default_field: false - name: ip level: core type: ip - description: IP address of the observer. + description: IP addresses of the observer. 
- name: mac level: core type: keyword ignore_above: 1024 - description: MAC address of the observer + description: MAC addresses of the observer - name: name level: extended type: keyword @@ -2346,6 +2832,47 @@ ignore_above: 1024 description: Package version example: 1.12.9 + - name: pe + title: PE Header + group: 2 + description: These fields contain Windows Portable Executable (PE) metadata. + type: group + fields: + - name: company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: process title: Process group: 2 
@@ -2379,6 +2906,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: command_line level: extended type: keyword 
@@ -2393,6 +2962,21 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false - name: executable level: extended type: keyword 
@@ -2469,6 +3053,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: parent.command_line level: extended type: keyword 
@@ -2483,6 +3109,21 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false - name: parent.executable level: extended type: keyword @@ -2503,6 +3144,30 @@ start).' example: 137 default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false - name: parent.name level: extended type: keyword 
@@ -2586,6 +3251,41 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: pgid level: extended type: long @@ -2728,9 +3428,17 @@ A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where - it appeared, by querying `related.ip:a.b.c.d`.' + it appeared, by querying `related.ip:192.0.2.15`.' type: group fields: + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: All the hashes seen on your event. Populating this field, then + using it to search for hashes can help in situations where you're unsure what + the hash algorithm is (and therefore which key name to search). + default_field: false - name: ip level: extended type: ip 
@@ -2753,6 +3461,15 @@ etc.' type: group fields: + - name: author + level: extended + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: + - Star-Lord + default_field: false - name: category level: extended type: keyword @@ -2776,6 +3493,14 @@ or other entity using the rule for detection of this event. example: 101 default_field: false + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + default_field: false - name: name level: extended type: keyword @@ -3043,7 +3768,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3354,7 +4079,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3904,7 +4629,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: name level: core type: keyword 
@@ -3999,6 +4724,41 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 + - name: vlan + title: VLAN + group: 2 + description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, + as well as ingress and egress VLAN associations of an observer in relation to + a specific packet or connection. + + Network.vlan fields are used to record a single VLAN tag, or the outer tag in + the case of q-in-q encapsulations, for a packet or connection as observed, typically + provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. + + Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple + 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. + Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should + only be used in addition to network.vlan fields to indicate q-in-q tagging. + + Observer.ingress and observer.egress VLAN values are used to record observer + specific information when observer events contain discrete ingress and egress + VLAN information, typically provided by firewalls, routers, or load balancers.' + type: group + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: vulnerability title: Vulnerability group: 2 From 01bf4e9549f96b2023190b319d8d5fc521d5ca2a Mon Sep 17 00:00:00 2001 
From: Adrian Serrano
Date: Mon, 9 Mar 2020 14:43:56 +0100
Subject: [PATCH 3/7] Make update
---
 NOTICE.txt | 2 +-
 auditbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 auditbeat/include/fields.go | 2 +-
 filebeat/docs/fields.asciidoc | 1146 ++++++++++++++++++++--
 filebeat/include/fields.go | 2 +-
 heartbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 heartbeat/include/fields.go | 2 +-
 journalbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 journalbeat/include/fields.go | 2 +-
 metricbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 metricbeat/include/fields/fields.go | 2 +-
 packetbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 packetbeat/include/fields.go | 2 +-
 winlogbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 winlogbeat/include/fields.go | 2 +-
 x-pack/functionbeat/docs/fields.asciidoc | 1030 ++++++++++++++++++-
 x-pack/functionbeat/include/fields.go | 2 +-
 17 files changed, 8163 insertions(+), 211 deletions(-)
diff --git a/NOTICE.txt b/NOTICE.txt
index 68c9b8218b23..a3fac7d2ea57 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -1622,7 +1622,7 @@ Everyone is permitted to copy and distribute copies of this Agreement, but in or
 This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation.
 --------------------------------------------------------------------
 Dependency: github.com/elastic/ecs
-Version: v1.4.0
+Version: v1.5.0
 License type (autodetected): Apache-2.0
 ./vendor/github.com/elastic/ecs/LICENSE.txt:
 --------------------------------------------------------------------
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
index 5cdbff145e99..e53d11e57341 100644
--- a/auditbeat/docs/fields.asciidoc
+++ b/auditbeat/docs/fields.asciidoc
@@ -2949,7 +2949,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -3404,7 +3404,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -3510,6 +3510,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -3538,7 +3602,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -3897,7 +3961,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -3921,6 +3985,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -4222,7 +4469,7 @@ example: java.lang.NullPointerException
=== event
The event fields are used for context information about the log or metric event itself.
-A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.
+A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
*`event.action`*::
@@ -4272,7 +4519,7 @@ In case the two timestamps are identical, @timestamp should be used.
type: date
-example: 2016-05-23 08:05:34.857000
+example: 2016-05-23T08:05:34.857Z
--
@@ -4341,7 +4588,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological
type: date
-example: 2016-05-23 08:05:35.101000
+example: 2016-05-23T08:05:35.101Z
--
@@ -4386,7 +4633,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&#
+
--
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`.
+`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
type: keyword
@@ -4406,6 +4656,18 @@ example: kernel
--
+*`event.reference`*::
++
+--
+Reference URL linking to additional information about this event.
+This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: https://system.vendor.com/event/#0001234
+
+--
+
*`event.risk_score`*::
+
--
@@ -4429,7 +4691,7 @@ type: float
+
--
Sequence number of the event.
-The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision.
+The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
type: long
@@ -4482,6 +4744,18 @@ type: keyword
--
+*`event.url`*::
++
+--
+URL linking to an external system to continue investigation of this event.
+This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+
+--
+
[float]
=== file
@@ -4511,6 +4785,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -4645,6 +4977,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -4705,6 +5046,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -5073,7 +5469,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -5082,7 +5478,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -5277,7 +5673,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -5442,6 +5838,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -5679,6 +6114,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -5738,6 +6204,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -5745,6 +6233,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -5844,10 +6407,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -5856,7 +6494,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -6277,6 +6915,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -6308,6 +7007,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -6327,6 +7084,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -6436,6 +7206,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -6455,6 +7283,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -6485,6 +7326,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -6622,6 +7499,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -6830,8 +7762,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -6858,6 +7799,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -6891,6 +7843,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -7272,7 +8235,7 @@ type: keyword
*`server.user.id`*::
+
--
-One or multiple unique identifiers of the user.
+Unique identifiers of the user.
type: keyword
@@ -7712,7 +8675,7 @@ type: keyword
*`source.user.id`*::
+
--
-One or multiple unique identifiers of the user.
+Unique identifiers of the user.
type: keyword
@@ -8429,7 +9392,7 @@ type: keyword
*`user.id`*::
+
--
-One or multiple unique identifiers of the user.
+Unique identifiers of the user.
type: keyword
@@ -8591,6 +9554,37 @@ example: 12.0
--
+[float]
+=== vlan
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
+Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
+Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+
+*`vlan.id`*::
++
+--
+VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+--
+
+*`vlan.name`*::
++
+--
+Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+--
+
[float]
=== vulnerability
diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
index 07f87d89f0ec..2ee1c4301937 100644
--- a/auditbeat/include/fields.go
+++ b/auditbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
// AssetFieldsYml returns asset data.
// This is the base64 encoded gzipped contents of fields.yml.
func AssetFieldsYml() string {
- return ""
+ return ""
}
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index e37b70dc0dbf..cd02ed3647c9 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -5340,7 +5340,7 @@ Example: `docker` and `k8s` labels.
type: object
-example: { "application": "foo-bar", "env": "production" }
+example: {'application': 'foo-bar', 'env': 'production'}
--
@@ -5795,7 +5795,7 @@ type: keyword
*`client.user.id`*::
+
--
-One or multiple unique identifiers of the user.
+Unique identifiers of the user.
type: keyword
@@ -5901,6 +5901,70 @@ example: us-east-1
--
+[float]
+=== code_signature
+
+These fields contain information about binary code signatures.
+
+
+*`code_signature.exists`*::
++
+--
+Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+--
+
+*`code_signature.status`*::
++
+--
+Additional information about the certificate status.
+This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+--
+
+*`code_signature.subject_name`*::
++
+--
+Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+--
+
+*`code_signature.trusted`*::
++
+--
+Stores the trust status of the certificate chain.
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+--
+
+*`code_signature.valid`*::
++
+--
+Boolean to capture if the digital signature is verified against the binary content.
+Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+--
+
[float]
=== container
@@ -5929,7 +5993,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -6288,7 +6352,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -6312,6 +6376,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -6613,7 +6860,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -6663,7 +6910,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -6732,7 +6979,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -6777,7 +7024,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -6797,6 +7047,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -6820,7 +7082,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -6873,6 +7135,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -6902,6 +7176,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -7036,6 +7368,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -7096,31 +7437,86 @@ type: text -- -*`file.size`*:: +*`file.pe.company`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +Internal company name of the file, provided at compile-time. -type: long +type: keyword -example: 16384 +example: Microsoft Corporation -- -*`file.target_path`*:: +*`file.pe.description`*:: + -- -Target path for symlinks. +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`file.target_path.text`*:: +*`file.pe.file_version`*:: + -- -type: text +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`file.target_path.text`*:: ++ +-- +type: text -- @@ -7464,7 +7860,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -7473,7 +7869,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -7668,7 +8064,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -7833,6 +8229,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -8070,6 +8505,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -8129,6 +8595,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -8136,6 +8624,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -8235,10 +8798,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -8247,7 +8885,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -8556,146 +9194,265 @@ example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`package.description`*:: +*`package.description`*:: ++ +-- +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. + +-- + +*`package.install_scope`*:: ++ +-- +Indicating how the package was installed, e.g. user-local, global. + +type: keyword + +example: global + +-- + +*`package.installed`*:: ++ +-- +Time when package was installed. + +type: date + +-- + +*`package.license`*:: ++ +-- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + +type: keyword + +example: Apache License 2.0 + +-- + +*`package.name`*:: ++ +-- +Package name + +type: keyword + +example: go + +-- + +*`package.path`*:: ++ +-- +Path where the package is installed. + +type: keyword + +example: /usr/local/Cellar/go/1.12.9/ + +-- + +*`package.reference`*:: ++ +-- +Home page or reference URL of the software in this package, if available. + +type: keyword + +example: https://golang.org + +-- + +*`package.size`*:: ++ +-- +Package size in bytes. + +type: long + +example: 62231 + +format: string + +-- + +*`package.type`*:: ++ +-- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + +type: keyword + +example: rpm + +-- + +*`package.version`*:: + -- -Description of the package. +Package version type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: 1.12.9 -- -*`package.install_scope`*:: +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +Internal company name of the file, provided at compile-time. 
type: keyword -example: global +example: Microsoft Corporation -- -*`package.installed`*:: +*`pe.description`*:: + -- -Time when package was installed. +Internal description of the file, provided at compile-time. -type: date +type: keyword + +example: Paint -- -*`package.license`*:: +*`pe.file_version`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +Internal version of the file, provided at compile-time. type: keyword -example: Apache License 2.0 +example: 6.3.9600.17415 -- -*`package.name`*:: +*`pe.original_file_name`*:: + -- -Package name +Internal name of the file, provided at compile-time. type: keyword -example: go +example: MSPAINT.EXE -- -*`package.path`*:: +*`pe.product`*:: + -- -Path where the package is installed. +Internal product name of the file, provided at compile-time. type: keyword -example: /usr/local/Cellar/go/1.12.9/ +example: Microsoft® Windows® Operating System -- -*`package.reference`*:: +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: + -- -Home page or reference URL of the software in this package, if available. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: https://golang.org +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`package.size`*:: +*`process.args_count`*:: + -- -Package size in bytes. +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
type: long -example: 62231 - -format: string +example: 4 -- -*`package.type`*:: +*`process.code_signature.exists`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +Boolean to capture if a signature is present. -type: keyword +type: boolean -example: rpm +example: true -- -*`package.version`*:: +*`process.code_signature.status`*:: + -- -Package version +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: 1.12.9 +example: ERROR_UNTRUSTED_ROOT -- -[float] -=== process +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: keyword +example: Microsoft Corporation -*`process.args`*:: +-- + +*`process.code_signature.trusted`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] +example: true -- -*`process.args_count`*:: +*`process.code_signature.valid`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean -example: 4 +example: true -- @@ -8718,6 +9475,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -8827,6 +9597,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- 
@@ -8846,6 +9674,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -8876,6 +9717,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -9013,6 +9890,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -9221,8 +10153,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -9249,6 +10190,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -9282,6 +10234,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -9663,7 +10626,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10103,7 +11066,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10820,7 +11783,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10982,6 +11945,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index c88ec996f42c..f76628364578 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index fab3155994cc..3e4752e197de 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -382,7 +382,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -837,7 +837,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -943,6 +943,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container 
@@ -971,7 +1035,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1330,7 +1394,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -1354,6 +1418,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -1655,7 +1902,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1705,7 +1952,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1774,7 +2021,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -1819,7 +2066,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1839,6 +2089,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -1862,7 +2124,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1915,6 +2177,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -1944,6 +2218,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -2078,6 +2410,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -2138,6 +2479,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2506,7 +2902,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2515,7 +2911,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2710,7 +3106,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -2875,6 +3271,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -3112,6 +3547,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3171,6 +3637,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -3178,6 +3666,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3277,10 +3840,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3289,7 +3927,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -3710,6 +4348,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -3741,6 +4440,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3760,6 +4517,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -3869,6 +4639,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3888,6 +4716,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -3918,6 +4759,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -4055,6 +4932,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -4263,8 +5195,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4291,6 +5232,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4324,6 +5276,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -4705,7 +5668,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5145,7 +6108,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5862,7 +6825,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6024,6 +6987,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 939dd4872b2a..3eeffabb3068 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 0a54ce57217d..78b121b53d8d 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -949,7 +949,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -1404,7 +1404,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1510,6 +1510,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container 
@@ -1538,7 +1602,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1897,7 +1961,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -1921,6 +1985,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -2222,7 +2469,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -2272,7 +2519,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -2341,7 +2588,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -2386,7 +2633,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -2406,6 +2656,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -2429,7 +2691,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -2482,6 +2744,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -2511,6 +2785,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -2645,6 +2977,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -2705,6 +3046,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -3073,7 +3469,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -3082,7 +3478,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -3277,7 +3673,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -3442,6 +3838,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -3679,6 +4114,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3738,6 +4204,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -3745,6 +4233,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3844,10 +4407,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3856,7 +4494,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -4277,6 +4915,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -4308,6 +5007,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -4327,6 +5084,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -4436,6 +5206,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -4455,6 +5283,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -4485,6 +5326,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -4622,6 +5499,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -4830,8 +5762,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4858,6 +5799,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4891,6 +5843,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -5272,7 +6235,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5712,7 +6675,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6429,7 +7392,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6591,6 +7554,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index 45161a4a9fe4..5ee25543c0ba 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 77d629110286..b1df53c9698f 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -7457,7 +7457,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -7912,7 +7912,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -8018,6 +8018,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container 
@@ -8046,7 +8110,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -8405,7 +8469,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -8429,6 +8493,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -8730,7 +8977,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -8780,7 +9027,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -8849,7 +9096,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -8894,7 +9141,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -8914,6 +9164,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -8937,7 +9199,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -8990,6 +9252,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -9019,6 +9293,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -9153,6 +9485,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -9213,6 +9554,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -9581,7 +9977,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -9590,7 +9986,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -9785,7 +10181,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -9950,6 +10346,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -10187,6 +10622,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -10246,6 +10712,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -10253,6 +10741,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -10352,10 +10915,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -10364,7 +11002,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -10785,6 +11423,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -10816,6 +11515,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -10835,6 +11592,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -10944,6 +11714,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -10963,6 +11791,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -10993,6 +11834,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -11130,6 +12007,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -11338,8 +12270,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -11366,6 +12307,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -11399,6 +12351,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -11780,7 +12743,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -12220,7 +13183,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -12937,7 +13900,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -13099,6 +14062,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/metricbeat/include/fields/fields.go b/metricbeat/include/fields/fields.go index bbb4f4bd0f1d..6779003b8af5 100644 --- a/metricbeat/include/fields/fields.go +++ b/metricbeat/include/fields/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetLibbeatFieldsYml returns asset data. // This is the base64 encoded gzipped contents of ../libbeat/fields.yml. func AssetLibbeatFieldsYml() string { - return "" + return "" } diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index c0de335807ea..2893ebb548f2 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -2162,7 +2162,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -2617,7 +2617,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -2723,6 +2723,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container 
@@ -2751,7 +2815,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -3110,7 +3174,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -3134,6 +3198,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -3435,7 +3682,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -3485,7 +3732,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -3554,7 +3801,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -3599,7 +3846,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -3619,6 +3869,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -3642,7 +3904,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -3695,6 +3957,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -3724,6 +3998,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -3858,6 +4190,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -3918,6 +4259,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -4286,7 +4682,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -4295,7 +4691,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -4490,7 +4886,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -4655,6 +5051,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -4892,6 +5327,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -4951,6 +5417,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -4958,6 +5446,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -5057,10 +5620,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -5069,7 +5707,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -5490,6 +6128,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -5521,6 +6220,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -5540,6 +6297,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -5649,6 +6419,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -5668,6 +6496,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -5698,6 +6539,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -5835,6 +6712,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -6043,8 +6975,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -6071,6 +7012,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -6104,6 +7056,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -6485,7 +7448,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6925,7 +7888,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7642,7 +8605,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7804,6 +8767,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 1a8b22f1572d..55023cd4cfa0 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 989bb7fba4bf..64a013cdf617 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -254,7 +254,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -709,7 +709,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -815,6 +815,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container 
@@ -843,7 +907,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1202,7 +1266,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -1226,6 +1290,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -1527,7 +1774,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1577,7 +1824,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1646,7 +1893,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -1691,7 +1938,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1711,6 +1961,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -1734,7 +1996,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1787,6 +2049,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -1816,6 +2090,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -1950,6 +2282,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -2010,6 +2351,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2378,7 +2774,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2387,7 +2783,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2582,7 +2978,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -2747,6 +3143,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -2984,6 +3419,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3043,6 +3509,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -3050,6 +3538,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3149,10 +3712,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3161,7 +3799,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -3582,6 +4220,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -3613,6 +4312,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3632,6 +4389,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -3741,6 +4511,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3760,6 +4588,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -3790,6 +4631,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -3927,6 +4804,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -4135,8 +5067,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4163,6 +5104,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4196,6 +5148,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -4577,7 +5540,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5017,7 +5980,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5734,7 +6697,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5896,6 +6859,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index d1ecb92d9c7b..64366a29f9e8 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "" + return "" } diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 06eae873c2b0..26536faeef98 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -251,7 +251,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {'application': 'foo-bar', 'env': 'production'} -- @@ -706,7 +706,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -812,6 +812,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -840,7 +904,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1199,7 +1263,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -1223,6 +1287,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. 
+ +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns 
@@ -1524,7 +1771,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1574,7 +1821,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1643,7 +1890,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- 
@@ -1688,7 +1935,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1708,6 +1958,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- 
@@ -1731,7 +1993,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1784,6 +2046,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file 
@@ -1813,6 +2087,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -1947,6 +2279,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- 
@@ -2007,6 +2348,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2375,7 +2771,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2384,7 +2780,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2579,7 +2975,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword 
@@ -2744,6 +3140,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -2981,6 +3416,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3040,6 +3506,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer 
@@ -3047,6 +3535,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
+ +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3146,10 +3709,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3158,7 +3796,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword 
@@ -3579,6 +4217,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process 
@@ -3610,6 +4309,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3629,6 +4386,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- 
@@ -3738,6 +4508,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3757,6 +4585,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- 
@@ -3787,6 +4628,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -3924,6 +4801,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- 
@@ -4132,8 +5064,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4160,6 +5101,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4193,6 +5145,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- 
@@ -4574,7 +5537,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5014,7 +5977,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5731,7 +6694,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5893,6 +6856,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 595261657c6b..3ea39d017eec 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "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" + return "" } From 3f07126a80b21ff61733c55dcf92606d42edc31b Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 11 Mar 2020 13:26:03 +0100 Subject: [PATCH 4/7] Fix encoding issue in fields' docs Fields' docs generation is failing in some systems when non-ascii characters appear in the fields descriptions and/or examples. --- libbeat/scripts/generate_fields_docs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index e6864252d57a..b52285f49e07 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py @@ -165,10 +165,10 @@ def fields_to_asciidoc(input, output, beat): es_beats = args.es_beats # Read fields.yml - with open(fields_yml) as f: + with open(fields_yml, encoding='utf-8') as f: fields = f.read() - output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w') + output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w', encoding='utf-8') try: fields_to_asciidoc(fields, output, beat_title) From fc1e08643f6c968dd2ab95be05fd1566ed6afa41 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 11 Mar 2020 15:44:57 +0000 Subject: [PATCH 5/7] Make update Changes in generators caused examples to be serialised differently --- auditbeat/docs/fields.asciidoc | 2 +- filebeat/docs/fields.asciidoc | 2 +- heartbeat/docs/fields.asciidoc | 2 +- x-pack/functionbeat/docs/fields.asciidoc | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index e53d11e57341..bb3b2c781987 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc 
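Review bot: The output file is still opened in text mode with the default newline translation, so on Windows the generated fields.asciidoc is written with `\r\n` line endings, which works against this commit's goal of producing the same docs on every system; since the line is already being touched, pass `newline='\n'` as well: `output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w', encoding='utf-8', newline='\n')`. The handle is also opened outside a `with` block; the `try:` that follows presumably closes it in a `finally` that lies outside the hunk, but a `with open(...) as output:` would make that guarantee local to the line. The reading side of the change (`encoding='utf-8'` on fields_yml) looks right; if any fields.yml can carry a UTF-8 BOM, `encoding='utf-8-sig'` would tolerate it, but I cannot tell from here whether that occurs. The enclosing code continues outside the hunk.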
@@ -2949,7 +2949,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'application': 'foo-bar', 'env': 'production'} +example: {'env': 'production', 'application': 'foo-bar'} -- diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index cd02ed3647c9..4527f7e47ee9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5340,7 +5340,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'application': 'foo-bar', 'env': 'production'} +example: {'env': 'production', 'application': 'foo-bar'} -- diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 3e4752e197de..d4e632c811c0 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -382,7 +382,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'application': 'foo-bar', 'env': 'production'} +example: {'env': 'production', 'application': 'foo-bar'} -- diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 26536faeef98..0cc8c722d442 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -251,7 +251,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'application': 'foo-bar', 'env': 'production'} +example: {'env': 'production', 'application': 'foo-bar'} -- From b056f1e219246d4770d3478d140c0cc99fa26869 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 11 Mar 2020 20:27:51 +0100 Subject: [PATCH 6/7] Patch fields.ecs.yml to avoid parser trouble The fields docs generator was having trouble representing an example as an object in a way that was consistent across different python3 versions due to keys in a dict being serialised to string with different orderings. This caused checks to fail. --- libbeat/_meta/fields.ecs.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index 0998278657ed..9032aafba001 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -30,9 +30,7 @@ All values are stored as keyword. Example: `docker` and `k8s` labels.' - example: - application: foo-bar - env: production + example: '{"application": "foo-bar", "env": "production"}' - name: message level: core type: text From 8b086bc052dcbeb6f9b0fa57040dc3912bdb96d5 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 11 Mar 2020 20:35:49 +0100 Subject: [PATCH 7/7] Make update --- auditbeat/docs/fields.asciidoc | 2 +- auditbeat/include/fields.go | 2 +- filebeat/docs/fields.asciidoc | 2 +- filebeat/include/fields.go | 2 +- heartbeat/docs/fields.asciidoc | 2 +- heartbeat/include/fields.go | 2 +- journalbeat/docs/fields.asciidoc | 2 +- journalbeat/include/fields.go | 2 +- metricbeat/docs/fields.asciidoc | 2 +- metricbeat/include/fields/fields.go | 2 +- packetbeat/docs/fields.asciidoc | 2 +- packetbeat/include/fields.go | 2 +- winlogbeat/docs/fields.asciidoc | 2 +- winlogbeat/include/fields.go | 2 +- x-pack/functionbeat/docs/fields.asciidoc | 2 +- x-pack/functionbeat/include/fields.go | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index bb3b2c781987..4c5650a54100 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2949,7 +2949,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'env': 'production', 'application': 'foo-bar'} +example: {"application": "foo-bar", "env": "production"} -- diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index 2ee1c4301937..67239ca6469f 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go 
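Review bot: Replacing the mapping under `example:` with the single string `'{"application": "foo-bar", "env": "production"}'` changes the example's type for every consumer of fields.ecs.yml while the field itself stays `type: object`; it also works around the non-deterministic key ordering in the docs generator rather than fixing it there. Serialising mapping examples deterministically in the generator (e.g. `json.dumps(example, sort_keys=True)`) would let the example remain structured and would not depend on the Python version. Given the file name, this file appears to be derived from the vendored ECS definitions, so a hand patch here is likely to be lost on the next ECS update unless the change is also carried in whatever generates it; I cannot confirm that from the hunk. The enclosing field definition starts outside the hunk.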
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 4527f7e47ee9..a0e9bca8d1ea 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5340,7 +5340,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'env': 'production', 'application': 'foo-bar'} +example: {"application": "foo-bar", "env": "production"} -- diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index f76628364578..839cce5e1514 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index d4e632c811c0..b288eec1788c 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -382,7 +382,7 @@ Example: `docker` and `k8s` labels. type: object -example: {'env': 'production', 'application': 'foo-bar'} +example: {"application": "foo-bar", "env": "production"} -- diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 3eeffabb3068..e21fe351e87f 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 78b121b53d8d..b568e32ed978 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc 
@@ -949,7 +949,7 @@ Example: `docker` and `k8s` labels.
 type: object
-example: {'application': 'foo-bar', 'env': 'production'}
+example: {"application": "foo-bar", "env": "production"}
 --
diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go
index 5ee25543c0ba..5d1d9a80b6ac 100644
--- a/journalbeat/include/fields.go
+++ b/journalbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetFieldsYml returns asset data.
 // This is the base64 encoded gzipped contents of fields.yml.
 func AssetFieldsYml() string {
- return ""
+ return ""
 }
diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
index b1df53c9698f..4ca05f498dce 100644
--- a/metricbeat/docs/fields.asciidoc
+++ b/metricbeat/docs/fields.asciidoc
@@ -7457,7 +7457,7 @@ Example: `docker` and `k8s` labels.
 type: object
-example: {'application': 'foo-bar', 'env': 'production'}
+example: {"application": "foo-bar", "env": "production"}
 --
diff --git a/metricbeat/include/fields/fields.go b/metricbeat/include/fields/fields.go
index 6779003b8af5..6b3c153623f3 100644
--- a/metricbeat/include/fields/fields.go
+++ b/metricbeat/include/fields/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetLibbeatFieldsYml returns asset data.
 // This is the base64 encoded gzipped contents of ../libbeat/fields.yml.
 func AssetLibbeatFieldsYml() string {
- return "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"
+ return ""
 }
diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc
index 2893ebb548f2..f76a5d2da729 100644
--- a/packetbeat/docs/fields.asciidoc
+++ b/packetbeat/docs/fields.asciidoc
@@ -2162,7 +2162,7 @@ Example: `docker` and `k8s` labels.
 type: object
-example: {'application': 'foo-bar', 'env': 'production'}
+example: {"application": "foo-bar", "env": "production"}
 --
diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go
index 55023cd4cfa0..68beee23b266 100644
--- a/packetbeat/include/fields.go
+++ b/packetbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetFieldsYml returns asset data.
 // This is the base64 encoded gzipped contents of fields.yml.
 func AssetFieldsYml() string {
- return ""
+ return ""
 }
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
index 64a013cdf617..ba31d8334431 100644
--- a/winlogbeat/docs/fields.asciidoc
+++ b/winlogbeat/docs/fields.asciidoc
@@ -254,7 +254,7 @@ Example: `docker` and `k8s` labels.
 type: object
-example: {'application': 'foo-bar', 'env': 'production'}
+example: {"application": "foo-bar", "env": "production"}
 --
diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go
index 64366a29f9e8..896d4ad5d5a3 100644
--- a/winlogbeat/include/fields.go
+++ b/winlogbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetBuildFieldsFieldsCommonYml returns asset data.
 // This is the base64 encoded gzipped contents of build/fields/fields.common.yml.
 func AssetBuildFieldsFieldsCommonYml() string {
- return ""
+ return ""
 }
diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc
index 0cc8c722d442..06912ba9e887 100644
--- a/x-pack/functionbeat/docs/fields.asciidoc
+++ b/x-pack/functionbeat/docs/fields.asciidoc
@@ -251,7 +251,7 @@ Example: `docker` and `k8s` labels.
 type: object
-example: {'env': 'production', 'application': 'foo-bar'}
+example: {"application": "foo-bar", "env": "production"}
 --
diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go
index 3ea39d017eec..884bb2e208e8 100644
--- a/x-pack/functionbeat/include/fields.go
+++ b/x-pack/functionbeat/include/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetFieldsYml returns asset data.
 // This is the base64 encoded gzipped contents of fields.yml.
 func AssetFieldsYml() string {
- return ""
+ return ""
 }
