From 3d649b47c07edc529eda6880a929a0363d6a4328 Mon Sep 17 00:00:00 2001
From: mgstate <44847443+mgstate@users.noreply.github.com>
Date: Mon, 3 Feb 2025 13:19:19 -0500
Subject: [PATCH 1/8] Create Machine_Learning_Creation.yaml Machine learning creation event
---
 .../Machine_Learning_Creation.yaml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
diff --git a/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
new file mode 100644
index 00000000000..2ea9a3f3b4e
--- /dev/null
+++ b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
@@ -0,0 +1,40 @@
+name: Azure Machine Learning Write Operations
+description: |
+ 'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.'
+requiredDataConnectors:
+ - connectorId: AzureActivity
+ dataTypes:
+ - AzureActivity
+tactics:
+ - InitialAccess
+ - Execution
+ - Impact
+relevantTechniques:
+ - T1078
+ - T1059
+ - T1496
+query: |
+ AzureActivity
+ | where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services
+ | extend SCOPE = tostring(parse_json(Authorization).scope)
+ | extend subname = split(Hierarchy, "/")
+ | extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID
+ | extend Properties = parse_json(Properties)
+ | extend Properties_entity = tostring(Properties.entity)
+ | where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty
+ | where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write"
+ | where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments
+ | extend LLM = tostring(split(Properties_entity, "/")[-1])
+ | distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Caller
+ - identifier: UPNSuffix
+ columnName: SCOPE
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: CallerIpAddress
+version: 1.0
From 0e35098b5ee08490a1473b734345a10ce1c0c256 Mon Sep 17 00:00:00 2001
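Review bot: The Account entity mapping at the end of the hunk binds `UPNSuffix` to `SCOPE`, but `SCOPE` holds the Authorization scope (a resource path, not a UPN suffix) and is not among the columns kept by the final `distinct`, so the mapping points at a column that is absent from the results; `Name` is likewise bound to the whole `Caller` value. Split the caller before the projection, e.g. `| extend Name = tostring(split(Caller, "@")[0]), UPNSuffix = tostring(split(Caller, "@")[1])`, add both columns to `distinct`, and map `columnName: Name` / `columnName: UPNSuffix`. The description promises the most prevalent users and their common source IPs, yet the query only lists distinct events per `TimeGenerated`; a `summarize count(), make_set(CallerIpAddress) by Caller` would give the baseline the text describes. Also quote the version (`version: "1.0"`) so it is not read as a float.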
From: Thijs Xhaflaire
Date: Tue, 4 Feb 2025 12:53:41 +0100
Subject: [PATCH 2/8] Minor tweaks to Jamf Protect 3.2.0 A minor change and swapped the labels for stream names as those got in incorrect
---
 .../JamfProtect_ccp/connectorDefinition.json | 4 +-
 Solutions/Jamf Protect/Package/3.2.0.zip | Bin 51409 -> 50565 bytes
 .../Package/createUiDefinition.json | 708 +-
 .../Jamf Protect/Package/mainTemplate.json | 10894 ++++++++--------
 4 files changed, 5803 insertions(+), 5803 deletions(-)
diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json
index 12b31926519..0f2aae2766c 100644
--- a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json
@@ -174,7 +174,7 @@
 },
 {
 "parameters": {
- "label": "Telemetry Stream ID",
+ "label": "Telemetry (Legacy) Stream ID",
 "value": "Custom-jamfprotecttelemetryv1_CL"
 },
 "type": "CopyableLabel"
@@ -188,7 +188,7 @@
 },
 {
 "parameters": {
- "label": "Telemetry (Legacy) Stream ID",
+ "label": "Telemetry Stream ID",
 "value": "Custom-jamfprotecttelemetryv2_CL"
 },
 "type": "CopyableLabel"
diff --git a/Solutions/Jamf Protect/Package/3.2.0.zip b/Solutions/Jamf Protect/Package/3.2.0.zip index eea8ac7c720cafdf29eea5089a03a17cbf5b79ff..b24c462c863483f2ff70d91e43ca825013367e14 100644 GIT binary patch literal 50565 zcmY&<1B@=P*6kQ)Y}>ZYGq!EpK4aUqZGU5)v2EMdJNN$o%galev}wAUoo1)mU29cA z8Wao_2nYxYD8Niq3q-EM-tiX@5F!r{5XQe*V<%HX7gJSBQByNZJ4+W!dpmk7XM4LN z?JuVdcI2NO`G&#m7_vA~E~oiT5BjTiw_3{sR(@^CbuB;X6Nz*O`p37q}cYuRGKpZ>EI&xr^4&}oqH*)!f`!3qT2&B(%USfT-$|Lll>SVmoqz6~U#7=__fFf$9{Qi9v?0F(n9J z{`r1Ik<0m{M%epARbFRJ>99DImQCyMvQ;BFhT)wE&zP>G#r^_xc^9S(_qj2z$2Jp$ z$Qpr#CvAhV2@jbuigNZQTTut#Bqehhq)o=jjGC|<2V`fV z4^1dVrG^}#r~{w}xEv9%Zk+i`7b@icO84v2F3CaF!zT|FB-+Lxg=Wv)$T`#RCCn@M z<2eC?NU@_@7?dLK$4oF`YaapQo+U~Mqos2(JQm@Z7s9K?#}||?5HL+Z{3v<-bs0PI zFj(@3^FpZ|?1x@(W9Mv=YGQ(SGJHe9iMXL!Vz|F1LxtPkin6uyP0DHaHyO+`B9WXmqiG= zd&k)cNLoxYeewuREqoy03H6(S2k>Qneqv^%A|`yVDUh{>K9GHKjiv?FL;r-BQiFf* z{5S>VD1ghJ3^R`!CmOCjOzI;0m(7)nLV6S~p&=-{yX#>CnaaQOieCX4`RJ zS8W^bV_1$MWlXcKWStGYZQ_wDXj6PI4N;?JgQ&&vsTt$92apt$j?lz(QTpkpiIS=G zoe!ZFm=ZPF?D2=-;)kB%zN5&s0&zv4%OH(d1ZZPgqH$5eutBI9w8aZ$G$8Y!mbCAQ z1bF&am~yY|&1jL`5uZeNzaDUGB8CHe>$#~E*QkH;=CUE{aG^>F$u&hMJ&c=2Aw#ZG z=FH3+aF|wv1N46ce?u|}sLWfDQ8Q4Hd1a@+cpaMj)={_&*|VW11$7&sC9DB&ce&@C zN`<$(GEguuV4_WePlnYU5FDBrrH7k^3vjZbh>1MKmd#6DvAJSr_>0QgBR9K>EhB>( z;&*d03it&9NMDP{qE}!xXjN?O6JIznwC)OiM_@}P(45@RT)!{x+Ssza`7Q!@+jn{H z(OEaQXt^&SC~p)*5|e$A)a;Y6r5yDK!YR(4YJm*}f^#Yo%dj-Cl%X1swfFvhC{S~h zxbylO0wmO_rj%@;ARN$v2OGTTNN`5U|T$we29K%lQ7`Gq7O3i0><;=&UYGY)iF`^&fWP^E5=0gp) z0BJ$395IRX3tu{3ta|JSqS7PNh1P=q)}2`dv<`E)F$Gq$hT``$2tcFh(DxK%+cF5# zkcp!l-cI`(<`O0=Tp`{%Q z3rY|JP#4%EQIPPV-R(+S>y zJ}m3wbZ6gcNS+i*>sNJsroRQ^r8#3MyX;oFT|r7ubH>K zpPi1jH|%Lc+y@|}?qI!9t4Z*5yY+N%9f zUHI(mKstIM130Isy z-p%dhpE4|l1{FHDhB_#4EKr05X&u{P!2inS_vS2TpL6aJq)5&)M1>Kzy}()ES*fQy zaYK_b6XExxAE{d#4U?$N&v{;#<)JI}^I3W*GUyxpO(CUCzCKJ1X_sWAuq~x!Ei)F< zQ;d>}{5Zps%4{y3!9NkoC{ili*&_*TO8{a)fxm?9{tCC*P9?X1;$G^$vi7cIO$}kl(n5MKt3Kmw=0lGkG{p}3VxWLR{ ze=XUPlu`Gt?|#fCC<7}h;bBuM>@1)XlkEsBKY?(hoyl$@(8_S1T0v2?_e_7;{jL}O 
z^4b=&OFjeETs|fB0`g`%4RRZ{!1NUz&jX=%yJ0+@2HM^3 zByq{k#pwDVPe4l~Vh{h=R^i!O{&-v3= zP19+V|g`;h_1cxR>{%K1-J~QHV3F09TYn`_4&?#Mlh?18hTNwKyV?qP^MN}Wyg!Ny=zjPt zRK#ccDGUf*oJ{e}5Ss7a?%aMCQ276#c%(*S=6Yj+Idyipt8iLSi2h_Az_q7yar~P z=3UBRlxOgBU3B?y33EwfLkg5g2z@J^c$8bg?cCWlBx**SAVG>8F(lw8SpGz?n4JV} z2N0|A#C(6e`sV*B>FT4;O#pWsr2jU?imyGR8{+8P5jX{$;o`c&dwrna;oTtZj+pH6 zaFTBAl%IUBu7iG-o`ep;2_*Ti=faqHZGpZDe0vHB+w38p{v1FCBUv!%H>VIEwbf<%8!(x!M0`XHe<9kjsH}heH1k$iRfjsu!8AaBD zGLV|Bz5^EsU}5mX-v$Pg=0g+2nj2XV`~)h{_&h@ImKqv#u?V4g8Frlv<%B#eYcEFq zX&FOh$hl>4ORZi?^H;FPN5}3Z|k#2#ClGxPo!hO4AEZP1f+XXoO9W z4i}?E^%@&ZCdQ@ZHuMM+78ZHjISCXsXMIVHUFvuonC6*(3kRKeq&50-$0*Q;YShI> zwgFZ{orZqDfn;be;%AqnFuL!Z8{A|+87mzl4)B$yWrgbo2NfX5ZwHn@`~DpNo;r+D zpoy!C)M-MlrYd77J;~(UwA_iuS^z_EG!Z_Kv_P9&bNlCGe=OdP0I{1tsmyg5wcOL&0+W`sPdznnr0W4~I;g2NZ7cqC)ycT!mVW1^$0v@bY=9LSYs8&B{r(dm~ zFTMXU8z|og4Z8vg52ZKH*cTh~bvp-Lvpwc z{+?ZrnCzQfw;XLM@;*xP*EGI_)wP;ACfbUdVz9j-T5}pDSnulcmKb0rK4z{T9K{ri zq!A=}l3a1Oyf!~nCQk>65UpJrqaZK0me<>1_1&<(!EmVos4sUKXXHF@&$s;1N48^i zt8~>z7W^e4Lp1VX*p@a~z)HWztOuFf!fI@byczl$Tf7=?KC&GJy4wX2AR5=bYu2{5{ljmqv+*#O7!D=F{mc%uyo1SHraWOcgOzW zB2(UI2}to9Vb)sAO7@^>rnur8`XO4wC4fu@Q%~9n$9gt7>EG42O3!`P(?-@1CJ{oPx+F*U z&D-}jih+Wk^h`LvA)>>`j;O&@6BvW9oishkbR>^6n6z6DCbyG-&DU)NUrwFZPM&)< z6+r~Hm@~s2Y8SfOEfq)YW3jf*t+p91tkcHo3X_~0Qemdg!fp{XO%n_u-tohWIvgy% zBgTUB_VZO~$kWDd@=8NTM$cN#DiJ|#mH4Kmp|3VzAf+K0gm#4H0`Ph~tPi~Av+#Kc zasU3k95sCi&VSl{hL@NYhT^m8{X{NAdO)RikiyS;lucSKr;D&ZjrA+2rk5)43 z8Khc+LWNR_osfcx2^oXN2_Fr_fGgcX?-*!XYSaCPDk^hj%P-=ZISgnPFXfCrh?l$Z zHcI57o`o+P*Cm#`4xZbCJIAfGZu?Omz(`>q8~e_^byZi}r8=g*y!D;x(xydGd13eG zqf@&=I`JA`b$)9Qd5bUFrA@!I3-%r^>^IWQf20?vhc|1ICN2}Dj*57?7h@a$7k{Iw zmx5&DZ?Z(bN?J__$;t2Lox%2?opc87-(M9=o+1);#yuV^e7xznvUC@w{~)&i3t^BV z{V4nwo=NW?PG9IK;4?gY*I2#y6}-<8uQe{_yNeu3Bsh{O7adxQJ;;W?NIAHFN~q|1r_i&FiEQvHXz zl!p)Zba`!jcn2EE=;pnYfv4Lf3S)qe)$2VckVVi}O}ebIJ+leHrzE8T2Z1|w#wkJ! 
zleU80y6DRS4{j`XMysdnQ$;GlWvZGLjdkRCWx{z#o-Qn$Sr0e2L|DW$34K8P^&Kf9 zd$K*ruKDV6?tzeTTk-2pZl9a*j-2AF%6L02e+WN^EzAVrz)9}ZHwOgb&7X%bHb61{+hN^m+;%jKq<@U)Ox!)S?l zSS&px&&0XY{;G>yAe0Uq`P4QH?xyB8Xwr^{+$=`M*h-E?Cm%0weX|XFuTM|%obPK1 z33AJedkGiANL-_h8_I`=5s%v|RGSP)yEMu!r08`7O*D9ya$+M ziHdo2|&wzbFJASq8-a+iu`^0Rzck&Ntb+eFr z!QjL&2;?&XSPoN)fOu(}%V3Ufd|)G*$PFZZurUv?;fg1}7pqB{Xe`XSXyZ|Eu2iY< z%x^%DXs*w=`5a7Vq=m>#+tgi=JZxlaoFWeB2>U>7N(#5K1bj!;doCUteRUa5TD&wR zc7`eiCnnjcZO}L#7lP^(>gI7^^$(6A2pjpua*FnNV~AyJ>>S9S4auq3EgKa6WA>OZ z_&#@av=oh`zHEV9FgFPh91cY7!+zKb2XSIa3vhRa>*xw-rua%?-ceTG7qdA;mBi9n zB~qs7Sm*R_l)a2LXAc9*!|2%+w4=D2hO6)+{R52t$YG=G`2@kivEGp-I~g+w&WLIy3grA$AtE3$D&0mWNkf{2ZR94cmGj;HI4bHlTl%gohb<5hQ5YmOClMcpJ zzp}+}k&PEYDjzeydR|!9>*Y^4372OM9nps4mxvw_M{I`@~=v2%+S=O(_e2CdbwK?`76y>COHcz636w=~6%_OC3h)HCM~d~Z#nUzi|B9${^wPuvW!Ryd&uViZroJ;b9a zZPs(bU{3x_|UZ@b36f2ntkpN~Ct;JJXOe$S5 znnSgw6bGyO-h<&EvC>t}u5V52B##@ep_)7*p)T)x3>#wc zNFmgFVjzznUZXkv>7Y(8g>b2fGl34Hm9AzjpH;bHPZ4;#&f!*J*kUAGbRvs8zmhrC zYHV@XXRAZWr&`70IFhbnIg)x!DV1|CM4q}y*~alAb2jssh5dLpr5#&2x2djz5U@Rx zsxeKV;#W#qkUA5G{Ac+>39OJyVuFDFk1A^{uZOAhYq_0TWwa6sQ~&SFZbsE1@o78V zEo9NFKlDssbTk0ZIhnpx<`TgPReA!(!EAuhN2i*!YL+G58fZsIhvahKgLZgJ1^93{ zYS^2sGmeWS(2o<%&)A!$lgWrIhyl zUpnpg%esy~w5+b$e-FxYdm93}V@B8|^2!R>2ETm{{MKEJq`l{38%=?}OOu7emAEzyR;(x1<#}AN1Jx zbnwyt=7uo+L?iF1y&UD{DC#iWwFw9FQFK~-jqv{R?8+G(fCL0^HN zTZa~hjhO5p{`b{%DJZ&k)s|k9@5lAV*)q~sy<>mr2DjTYkwy>N8mIfxwXwLMt^Nnd z(e|?^trN&c&8JeK*bo2jreE)U%YF*OKH_T$VVXWxGi;ID%a=F?fca|0NuFY>Nxqh^ zB?3GSZ!R-O`@S@mqbP8xJ(5G4vZrGKIC~ayhEJoukQ0GqZ)0j5=CCTo5)^(8-|V z64i$fXDwq_Zs3}^lfC-g*N5-s&5I+4D}nl3mr{~pis2sqx=cjj5m$t4c86hn?^n^w z7YdUIV{qOH;U)3q2PGj3j-K$*36T?6u%gi50zJ0Cdus&V3DZ0Y_8(Eu9e0~M^ao3q zI~ed>k$8;!4!*1;LFb_QwVLB@P6)&bTUvOT3O?sKaDm|FEv!xhZ-dC%qQ2DASR6ET z=b@wpN)2wXtL)s(OX`pzOc9P72#VA5ellQ*LliP#>~!)1RJiJpE2p!;fb0{C>qEXU z?RH0>`V}z>ogfGf3`*{!{K;1+>v3WS4x?BS&qV95f_L+jO9$jYUrw2@yVT^_o3Ny# zu%z{d_~eo?6SOHME_?!TZn;Rk_OAHgqw^I zB5eHPpH%8$*>sy;yDgMa_M1M4z8$TBpAOps$PGsY%+)5Wy*1>?aA6$#OwYf%r(}qu 
z+1HXrjCQ0!ju-GE0hpmIOcU8m*^I4WgjZQ}e0&`NNUei>;sMB|u;J}Q0UhEIScvH3 zq55Q~x2&`ChEd-6~Blx}-e5kW!zh#55{sIleKoe);PDC7+%*o7v_~SY^-a&1R zq?H1j{0GlhyDsw#CGqnZWy+m z3p}{6(5U{6!C>Qz5_Xmi9i&*)XaJm6t8}~sBUUhKPmPh?io6Wd^t7O-`q0P3zXH44>Q`+blpmn6>;2ZD(-xwp3;)ppDnMthKOs0tLrurkkX`9^Gt`Z%U`3Z3cu1 z4i^=b&{LQ{-22C;8bjb@t5p+WvSaFbV##LonEZO^xtysb2po3Q5AGhjHFn(Soc?H+n zf-<%4lKRwE)sYU!z9~gxc&Uiz6L_zZU$y zLb>;h-&&HvkhUgse0e^FNXa%{l3~TCPymM|2vK$|Vh4zy=rwe)bAhqT26pGHa{`Im z2C~D)$6W71+Y`4#-X^=}oV$Wd`E@KJ_JM);!0BjsNI68epqH0@sz@}U>u^Mm@^jna z#Vmn_8lrEDFST!DaqiB>tmQ_IFE?H;Iiq^=lV`wGmExxQv$wd1Ua$vhdiSWpMI;;l z9r`yjX}>KDDv>UXJ`{|~f<)GEVH+5XUs=lFnXvGkJQJI z15>!JM6$G3N-IMzn4O{_WJauzE~0qsH!A-l|4?9)pq&xT~RB=c@|1WoJtUfH_df?Pm5w{2lr_kj~(gxrQHuFI6u}noDuy zb39aCE^*{Y7wg&$j9jt4)X1Rj>(73TKKb`4ARdbgFV-tO8h2jYUnY5cPGji!Q1j_QrQsVhQMbFr}&K%q=I);XBgQ zvmz~a;27jxF+=3^6A=T&Nd~ChmM9$9n70w^>HV-av$67K?8FDFCK5sqPZL5-h-L~h z7v=bK;q6(+cA8-JFt+)enXC%|9i7-|yDh7g3OG+oM@MVp9!17|Fp_A~H0&AegGOwk z`uW+6);Po`VptQN0;UeKb7{BRh;M6k<`j7|tR5sBWf>aNet5A_NO1*Yxf@_FA5~d- z90QMGO?SHs3g-6bMjxIYemzu3*$BT6nkHi8q(-wmrJtCA5&|#U?I~FL5Le%=e+nGsd6rs4Y>&hzK+P1PrN+dzt7EhF>Oaeb@XFGd;gteKSLT$ zKS6wmyF4r%Yftiy{xuWK2In$UG?`$fM)W#o zqSWL4z%J%Cg}IcEk*Gr&Nd~+bTE41fu|GTuh=?Q`iU^ zIk&|^aJ{K9C-S9ScEG+;lKnczvJ}qCT2tjw7N>fKeSY@uefpu}dC+}PT+nw^ni%dh zQ%+e{U|Eq70`4}hJrJ#M3>R{BfEvizLm=nxv>XIX2PJbJ(nwMGRpm7B;xU)M+qZi> zAEg^M;8)H9j7#BP#mcb9Mx_=^w|kbk9PpV?pS0)3L;<46o=TRm z)R}9`_ll++5e#1_{C;@jP0WrKOx;R1b{YosFmJlV<56P~zb+zryx)wpB z0yOEu#vzw#-*)u(@Ex1mx*Tq@(G5rE+^RiKk_F&K$7%O}ppzP`u{ctTe5ye5#W)8hG(0)sRrxyP1e%$IZ>(wWlBHDJv% zKg<=#jJy%+bh9f2OZM4H!^_}og*n8vo?N7tM?8W{o;YOl}q ztQjsVs+SR2wHG1vF?qG59a0wxON<Ofv`;*`KsMB&(TyF7C#!`}Z1Hl#OYM#mx`^Yy4@-xHPu)jVZx>^>SI;<=u8TpV(q z*Xsppe_Q}jfP_0xoTX841Zv1HAoy6UBs3Bd8ONCkMfUdMGbMt`GR}A2%u2FH15FI^ zcxTW%XRNr7Nx`d3aM0oIhO|tIzsB|se;sO)AX@+mK?3q$K ztSU&whFs;2i&3@3`>Tq`1Fab=(vLq>9RplD8WR2eG$Ur6K!X5VuS3*ETMc$Qa0g!}f(U3$ey0-Tqr`j_ImM=~R7eEZHQVacI2;6abHBm znDl{l$~f{$!@(W|j9BVzX)C{ch1X~K9>GC%S*FlW7O%ok(MQ5*eqFi!Hm$u9+>Ywr 
z&lo@h3LosC9A?vOMcijYJfQW_K=!N(6e&t`=w6$-BaJr`P@Uh)tas!YvMn@xf+mIk zuqQ8Rf0+ZmO0ndp((le#l(k5wSdK2hOyx~c(iu;Kc00E$S@AkA+#<~6sxK3JVJGBo zEZyvE&UWNuA$gjqW=$YsBY5B^ni{`vI5xsq;vXIZ!(ezvvf z>wax3)hmx1M@R8j%)~*6UU&`;h*fSH)1^tI zwcd9ZXR@kpN6cGd3SWn;^R4}j0Nd)GonM)*Wl<9s`*M9^jd1P>t8D@>Qu)p?V)1=v zt7%=YJzdX#+c#S)I-KShIi+15OhQyUp16}|(2Rc!brMQqB>NbMNtmr9OQU6^c4lRU z%&={=1iijv7V!90oCNvB9hZZmtpfWD52Xvuh!CHtj7E06i&S$I)svaIV~F_@$AsXNxjV;% z%o)l)&Qi#IStUny5&jD5CO2p(S6hy4$XaD@!WWniDj!ylt{glK&6aN9lJ)RIs=N&>h)=wMZ(5O zo^oOP3fimA(7*pjsVrB0ZxY-8O-}FNVD5<^gMGjyq;G<)?|y7}y3qFVfq;OZ8&2UW zYY#jh+9Ch4mlg}fbahkMUMCR^DYlnQ_+QcT7TxKTh;lO)=*o3kw18eRE! z)q%>xrp#Xki3*-!m>r^&C*8~gu7x=v&`~4=r6aCyK=_6>#uthr1Jv9hQb}Pg6ylgzG}SB-jsC9n*$?Ue^Un$dBaVFs-4t)9pewm+>ucL zs0R|_d-(qdi>~e*8;6E+Ab~dLUPPL&dnBMcwzltrWm5VJoVoV;6O$?c$1A>z9`x0A z>aAqDv7|=@o|KR*qn(Yt14)B0#30(dr388I;(?RM&WxlHKDSg+&*)_n?mT1cT<<1{ z=9EJcJt-07x>L@uGXbPrPoBE!&&+6S*^w(}EmvyWyoFy)dsOM41(dr5c|x!F8?m=% z&SkT7-{r;^bmw3BOq_IiU@%$t)@L2hb5(9DM#^RBQk6juV4e3pifj_d)@AHZc%Pi) zJHmZ`-RM_aWka|E%tGI~X;%jMtrdU2_Vy>$tdfd9V! 
zGYA^ilm0~odM;P%caP#E9f?PXMT6*Oz9DOsX^kmeg5c1KP2}6lz=6;pi;I@e2nT1+ zGZS=>Ky*WT_C<})kQJ#VIK!hDj14W*W%YZsMd6t?X6<494&Rkj%=-OH;j^0J7jGCL zgP^lFJB1Jj&!`j8kkl65X90bg;-;?59+9leUWePMP&AzGt#-#L_b)^!H{Bj2j)OEJ z#d;U0buPY+HPv4MOu=^BaB{OtLDC?nOow}g0nl@rto7)v6D1dp#5G1wv+KV$N(}2w zWMYK()gAf{JS6L)>S>Z?jSO`)g7?KIiAd!OH#>8Yo;>W7sSbgi!=(0L z`zBDL6*xx?xw{*Rg9AqlB~SLF2~cNV{-a_RGT_$zuZoGB-oTqgo{*s;IC3we1{p$i z%KvIU@_`wI=SYZH*fo2f=F#(^gs}=a$^H{<&@3x;5!qBi^MkR$1hltU67&R|@TP{^lQHPM6(Y)M;rq-0r7%OoXKa0-Nc|3%1-JE27M!jXKI&6S~J?FATTSya3 zHvLgYIE!g6!Wvh+#X6@mLI@qBZ?~9XRm;C=-9TTcwKn|HMvDmmrv3(P{x<5-W|vMW zT1)cDS%(!ToZFz$f0#vWz%dr0MVOReY^H6~`qZU#qI?Ywn}$}*E8U=~_x^|TuazAVMVc-s;h*@_($G*jM&uu`t285bQWMvI03 z{Bzb#{$u!V&yDlyShh}on$h{tn(vBQr1YuhbXra7kZFVcv-T&v0R6i;Pgt0d6Y>8Zf z>|G=ls3G-GSIH(osY9CoGEFv1QA%4vJ}e&5d0oS;wveDMdl+vj(%LRwY~oB}$p}LZ z^T3)05Kb6ogYdNdDLP%@%H>|277f-m39zLYMfp(uiz1U$B)#(zsPH>Zj9h%1HCSoD z`}FfuR77d_t&S2kW6Izl7Eu&?YjXGz9V~sfh-okp})OJjIP(*sF z>u~f=T@^*N(^0XyofK$Ze`055mTzA62oY3~{|MXk{l3ZXP1>vXTe#o>D4%{^E3=vR21OV1H`vAUtkuyp71 z;?+E^Kq>pwiMQdjqBdvb3aQ)nq-_eb>O-SpD6QdgpwJ;!-J)6zFr_v64G5|3N~!KB zscvqu=^T#s)*hW(O|B8Unmnr4II80tZP?0is!_Kce$Q$wu-s^B2$ZVXTxyqc)4Bmd z*Xyd*E!O|hK_XI@7ve(p`bM6dFRzxY#{3-h%1c+{!&GpBn? 
z&C#rSW#`?{pgfxX&39b|Nu#5o?#;z!U;DeE>Q5NX#S9rUmFw^*Fj+s^2J!QHm+tpV z_~aPH<+8<%_hh}@q=F+b>#w%@$0ciWi(D3*UydXN_NVn5@-+JoaVHgMl0ee$MNsEx zV1#OM5UBM~H&2SlCa9lOf1QzOc~+cM2hZkBNB-=trmGR6>W8{P^*Rz7cpe7=r@|K)4}AlgqP`t3DsPJa z$=E^0cORw|D?F%JwRI3(f?q$zXeM9Ab9UiaDX`@6D!;fPax|tE zKO9gPhekPaTCi+$%x>^3PulE)R>ECm={XT0V)Z0MK0fhSWNhNKO0+m>q@{#B%K)g` zDzUvHT51D*ri(+n)Bx`WDiwnz2m$-~%xkkV1Br;PbGBDwj%Z9XEy@V?h-s1FcQu;^ z2|Mnd`24m@AA4Q~=YM(G`&n>D=5|!ztH|pkVgW?ONe_P7DzmexC%(Gy^WxugQ9o0KIXmy4o9}H@5p4DruWP@CyeOIa1Xc|}+de`<10qC%u(ETYbFthH6C&fh%m01w^NZ=6@(VUXAxML{ z{AJ}!UZRED$gB`ku^op>t%*`yg^8o0f7m<98 zsXKW?6c9nucrYS{;Y1}#5Ue(^rpJqkZgzq_J9sbUATfnfj-)fbN3I-Ikpq{A{d5CQ zP*y5Y$c5|Vi_k2l<{f}|Lkz)rBb$WBMmcybigKC+L>`013}71GZRvVlZrJs*+R*QF z0fBZNI`{jRQ9ab^oQ4!tO|J2D*O?|*|F8+}0ADRQ{B?MU;1yTN-^qUC?e(|A#4uD> zcFtL&ii_~bA-p$qZv5p+mQE7j_S?H}+$+H(-A8|_z)&_zx~-8#j|J>UTzj)Fh!67! zB6!UVG)z?lyXAn?yRM86Y3xgR8+ZM5Cxei=t46=2@$1|!lPyl0$Yr&jr0WGu+USCjh61P&|qmY8pUJw097#q2+)SV zUJeHY(9yE#K)%()R`6-aZcafx38d(V4lBsH>vA@=MuUBsi|IVMrn`)=m*dP}C#uqP zfrf1*eCh1nDj?O2J?WzA{Emt~Y|U8za!P2f6NhCWRY48cXmAp>u9Zo^2yiIUW0(6n z>=s0{Kn+HLRs~{jToc9aQtpFXox;qppj5ZgJ+*GJa{9DRxq&L2-XifpUbS$n3U?kK z``4^mDg(}VZs<1*h<(4QkA)r3GRrt8%M$T~ZQ=Gp!|GtcDR4@M;59b+E!n zfbO=AuL*jtsXPH3f%5wy*6XVeRK3vQT5O5h15BjZpDDBxWfd3{C?(S< zVuf6f`J(wzd7%#2*P_>vB8n$yG20l*FCZvjsw1`7|F|#V`L<#jn_RrE!Z~Yilo;-9 z56<*pC7lFW__f(bA6~&GEq#5WVV}p))oMcOLsZQpBnOOevUSfz4ws_xIOx<#ScC^` zC$6QD4(dK+$reXfD_8GadLjx_C>L5Rq>^TH-WR0i`xpo2Qcz_yypW8Hs6xM}&kt7@ z2?`qeh@_Fq@G!uJ+}iN&Nc}_bf3eS^hucDsJOr= zQr3c1n&_73bUTSU*j_uWdXw)-=TXAov9uMY3ExUUP>gnD&6Z}1+4ULN#-8y1uy;@0 zp@vE>Z`8qG3u!Mw4a}FKWFP&bFSXsn2rT{ znuop9o1VSW+wRCcL}aLZn5 z3b37Jw3K;R^RaqjsNRLl5~RNhKYLa+heJE$eA82x!Dj z;db-(ET$gs!Cs@Y=rq6;fPt}L%$VmC0RzA9fa~7PAKSUuAfI@qAT+|n#_!gprdO|i zxS|!z)N)fvDv(SI%&&X(d1oN|_U%#y86r&zMCAnsR5921Cx}N^M}jO53wbhjB_*tg z0_p;1Vfkrn2VK)eC5nXZP3bh)aB$nO0d(xnoU_;GF01khcc^E+Vp z-wjnP%C+L~iF$j)o7$SRWWG$Uy3*;73I4mM386@Qxt6;!GoB z8C@3tM!6wW5#{QO}4dI44M}*#=i(&je{)+9rdFfGmK_890X`Vo0M$H7{|=v 
zT-27!(_?ICW}*x!wHK+l8%MSb;L=T^t&kh*nb;1c?I*gJQb$l)eWnVjqTk{)s=gEP z6@uj;N1s?DNM?s8ZpN6-=|3R1lo%wX($j#0E zS=lOZyC(4JVee?hlx^7Tb?-jh2-c$qb?E2mau7W$D#t;?SW%biL9Vs?d1d-@0qe7% z=~>_H?e5ZqomF(;f@~iza%%mvzJxJe>tdzv>1=04F6!c;@AYeGYG{FeM;Ge>VQ08w z?`ZeD_v_-yWHG7@(+(@$esJ~XCYUusM zMryA4F_i|;$|3#&BMG8N4{Nr+7y=?rl*GV%7j)5Y$)b>Wl(b8-jNjSZVk6vyyAI!x zUsDR~KnPLcy1{2>m(=tL*EknzlyUmHT#|8zpP)+^{|qR+^U$yk!z?vh({4S^+Ll_J z{Uu(Sq}Ite-e5-h^7`yttGqAo)!1rsoZ78Cy9iggAbxCUPWW}scrI_^8nBWXXb4RS zDwywu92te>gtdZ~N?WIj*sbm88kZ6b5iw?okrLfJto-t6RA{6_cO4-B!iHA>`z!H7h4`DK{fkx$n&4lRcn*_?Rfm~aN~}(z673G_ z+!$fWqaTgL6+M1m{&uSgre!F@pOhtr-N2WHmnh@iMMEG>7ZE8MFvi$qFQ$2g1%q{j z#AJ3~zP#c-(^8QMgLfctscix#D_+*zX)IKv6MBy}sUgV zh$HgABjkkO#{SJ_-Zt0jmtDpcnv+rUNbT^x6?6~#CQ^nyvdd6T)XvL@=y^mj=P(#E zlR@XOiz&!#@ro>@PbR5?37UHXSaT$U*i>~%1U*T#^N@q2?vBDB{UQ29-F!>QQ!-+0 z8cEO}Q&rMe>T1NzUb>@;HYYqv$EdPN+c9%UW>&YVk}?|Yv2qi(0~e18j6m)<+oZPX zARocD5AL&_)!>9pIXg9C3=Wfdx3-PAQgl`0+r~esJ&r|fu7%wqMcn`@BwEQ>Kdqx0 zk=57xW&OD-U?_IRL#27xAdvl?nvX~oO(Q>4?G_o4t`1$zPMJvuSlU}MTL)G9N>n4K z+m6Xlt(8zQ1oiNWT?jyd97S7Yb#_8w*|lscPDF)3)9bE%@D~#ipKdnBHteM#Xf7&} zRdw){$e3z|6#h%M!dHCh_YD5cN7VGSk`E>QopX~Zmq{XzNQ%0w%D%gQCBJ2= zKjPnmRj`ftMvYY!d&Kb-Rgk{_X+;vJ4a(OscXw}k)v0K$QMcP_IA|zp0Enryi)uKF zs?dpQoQo(F7ByS;N~JC4Y)fQjIrSyy_#ZcQybTER_{Grr?p|S$VsGUzj zNVJO&m|{fyjqo23+7uVz2pLg~j}WpDr6@{yA1VTk$2XJ00Ey+tCFj0o7oor}KvjZv zC1P5bOVV@P4KL^U`zcvJ5z6|XVVLD^r46H~%Ud*EXvnw7_(ZU!u4VT|I01kod+TFIV}=W46hZy1+~MmpBkh&9Nd)M+C5V!pssA zRP8-|DKKG6=vlgX|I}kd6W2bSIlNL~_DxXgy9+~(`NFJ1IZTO3Sm?St6|$ZwaD12` z0>PnD-?DkuX$^`LOC2T%q(;tA*ylBWAI9-yslZ7w3XUncv!s&+BB6m+hvGx9iyp0< zH~Av8^kk^Jm=7{7yc-L8bJ$xUZN-gvpz92w|E8RTk)(?p10~UQM$ma9Ma}GZDpx*b z7>C>*qmuAzSotihJY$bd@`tM@mW~$zBtYOFl|EZG>#|D66@FG}we^J+5DV|ev=(F2 zb+)SN%+`%%nk;P~DLdxH7BfOHhz?Ququgi3aMmChEc5I|irAhnv^j|J4H^yiPQD%l(zH+ zXZe!~wYPo<2qbhnE&7|}*s#zL4?Jo*e-E1v%VPz2`SyJUArKmLk z?Y>dXIkItHs6%Z}Oz|&TeqJd(N^V%6qLwQgn$t*Mw=s)*DYN6u6I9%~Tv+oKSU$Vt zl?rHm8Rmhth$pDdhO|!-R$pypMcJ+lLk%4znHx_#ekv_ax1cD=tzRtiglADQj}LiQ 
zP6sAkv9#iv@I!|Zq{v>nYB8G}Ab*c8>4iLK1bG&;B%-D>CZVoz=}&4_E|@ns9Zz0L z$Qr}42qx|J<&zeNMOyB{Q%DpQ<0Ek9cn}`&c@iP05>@ba=5X;wdD0~K1~*J#VreV; zHj)V$iyV$01j*Rq>V4w%T=heTk7;XT^8h;eYt<-l9cZbQGeWbSy0wXAk6YKXOz zMtma+;`AjlS?z;+y;}~hZ_4g)y%+kWbK`8% z;619kh>h)opa&%4hhC*6aEe^*adnyFV-M`v8&aO+J2=ezd6s*mCj;E8_s@_+uO`Lt z+0~F@VkU37!@!*-hX&UXc6NDrnbTwLCZbI0F}@gXj~9Bt~@ZMU0v+O+XljQtxwme(T>@zLAQjxXf{v0W7|~krEUFflq`- z5fM$P{(^}J$AsGON6V0zX(~nVfHw%-aTT1o%O?yL<(D@2sI1bzx;8=BscrB-r2yMD z0y>KwWF*~>l5EwOh&t^3UF5f6NXoTCNfFWkgZ3L}-eBD7d==%E2W@+VSS6?53k7M; zGDK4B)EdaH--X&TcRZ&q2mlBY*wA3i?`kCrkB|q51PV-^Q%c4P+x-Mhmn8D>uodkQ zWlXw^{7%(i-sZ6nJAo6@H2lLr$!t{+_c5L-9Ggu*BEySHAC z*OvI1eG zwwLs02Iy5E*eWFemR8QTTAe}i^`9jO?glj}oSD($KPVOHZBDP8|HO9h7waf1b={EI z=l37aod{Rt*OEH3b9AB&#AGlDQ@&xWQVnW{tbj;5mF0>TJdr4e>b0&}Hqu=`g|_E~ zq5p9%U>4KZ`dh0FF~T$@5Lrm!qfQ>UHOrxh4?Bu8bN3OX-3^Mv6t9*5WSZ!GK$iqi z%#i`moTW(hy?go(JqZP$hpbdr1%(Sm3u4ng;dDV>rd=7F3>Uke9A>k7R1#R~g)Nx- z({~{5AnZ#qUxK{xYa#mmN!K24HH`gIc?DX_5g<-aQtx;!Uzz49dQw|kt(=?G?A;Ai4tJ4p#s~dzi`!5qP7|{ zR=KNH2vvDzasJ2on#Mc`wF8f_eug5Fjyn=xcjB2M-WtCq`y~QG#S@YI_IDi|qQ4t0 zC!nNPft@X=Nd$!H`cY?;oJX=-&ImH=;=NN9jsKT=yQlWd+Y2a;~M(`2sZsfi* zkekaji#8Ww;{>I>%QI{}hIMi_f$}=x?lF#TNPn1en;M~dogCS?O^u;??My#I=R#Jo z>op>`&xlcTN@w96wa1xh{Egjv56wO#K(=m|-qjSi!!*&flB+Cm2oPmQPze618C2#U zz>B01SoFP96ns*yc6avW>RLa!4I{Cofqj3*xqpl#w;y4FtXT}H?8%;Q2Kw5={hSZx z>5?g#;QMyt21O$3IGMEGkABPk{2)u=8S}oLy5HFcQ@r*R!TWfNi9mnW*)!Q&w!ZrE zWAxQrD4IBQkNVSzPXJ+dL1R&dFVfocg!+V{E5sd`tm~i){~o%}7NnU=&o5PP0$HEQ zj6KQFjlAG=iv`fV1g||_{qPsHd0vEPd7i8b%wj= zYaLHMeJ9~b5_SL7iRWyyt?pq!5`mJgP;BV|oO3RhR>zn>Sl9ORSbiZ1EacMA4=1sjL&)(bI+6%b{jLg`-$F@~nJ z4&Yw&$$xANS195poP|*SHL@48G=X)eE`nlNbrd)+8G^0Ozy;E%_s0j(|0Qwt+A4)$ z|BpI11C>0IW@+&dNJ(N{VO%{|Ze|_B4AG2+#Yt0cGFpOwNJAb7;xx;Yv|b3*JakuX zfu*<$wZUE^}{@lohY?0(UO-SaPp zU~)G~;470lC2F4Zb`QM`8|e)>uQ}Elo)#DOeB|zm5JD0VSvMT;e*xA^TOV1%gk^a5~N+ zx-#TvOSwq;i?$X7kkyF?y+&W2zIVU;uO*qU+}|Y`SW{o!c!Zi=3OlomhT=@i?amN< 
z_O@sJmK`3yCUO$=58Yfi7@1eN`%0t+YDV^_uhd0MbjK10Z4a=lKph~24$7ko9I|i@-c^}T@ERP7r2WHDmmOQysy^-53Kla+-;0k4jbOosRn5*XnzQF=#^xM(?>C3+_*{a}kbr5#Rr<9u>;*<+rmo_Hfj; z9QNW>yraYiY~nI-TtVp?((us5x*mi-f1j@S52H-$hWm~UI=OF@0#lEo9R_QErloTy zhc)@ald)&-OwQ7jV{Mg-X`ryvA87yKJ0JYX-`dKbY-C!w&%5-!rz~gWpus|%b)`zg ze*n!l*$Kj(f@l_>{a?gkq*#`}2P57Jy;m} z^N5VY_i=29HV!UMw^mOw`Wody3rBb3lc%p|Kwg5gJ0cC^uzKOV(QyWJtw`Ha?ZQE& zl&w;yt`$2}L4!LZ1>M*q2#ggVRk`l2=!TyqoaSkriO{}V_B3~+!}6;ZO!cu+btd7EQp3@-m$CVNZ8W1~c~j_m=;`q>wcIFA z`}H?=+Xw7HWU%f^szJE=D}o9v_UamT&IaT2o8vzHJbkPpH?{6yPYtUNc#p8!wUU#7 z4m`<@R(W>OLcnK7^4;)8j0A%stM%uj{A%c4G?^l3s!Y@lgiC4Er4gPR5v-TcT^u9V zk?PW1`RlEfv)~by2ZF5M|5eEZyMf%N|HEUCo0ksPdTAxVC$ne!(ItMyXgq z>NqmK=WsD9S$_S$VM2t&4om((#&XsWC3T-uS|lVjWyoLQDfVEBe*CKSSp8TU}Wvr8Vd1e zDPwR&eqv5qBt!>h5&LxrVtySzH*%*U6 zPw{YX?e61=96WKnIiv`ED*fOh8-taG|?r6s1rwC9!|i`i00kDV}0k1Vj9c7LfBwNV4_i` zDPwt|y?9ev*3zYOMF^4qhc(E^gjoEyGte=yj(K3A>T!l9t<~R6KAD+ic;O@Vq!E>& zy_1u9ABXt=-=U#MvGX*p_f*Cj&7=!0*Um<1TEppv;yr=$BbKhOn&JPb408!g~{dn|@ zQha6kCE{-8xD!>B`GVo^p(*i=i?$UhrG{zzN(AF_ri^o72n(57)9Vh{tLjR*GUSbb ziR7O_lzi7nQ`#ufQYkl^fL8A3Vfue=8y-TIes7VX3(FWBe;WUUB}MU&-mruY0(`;j z1oyyoiU=XTOH9M-gvrmpAE?d|A&`B_dsO+Cc@#G)_LddT(Z!Hxlfjo|5VlO{jMVg1U#Zba-$cKwU$K1XjVVOc_$%TO!miMXNj@|7X9boovhy?Nr_JZvaNr z2+xui_jgCKKfRYS^d8s7P~X95c3U$S*6a7JG95pxkr5a{uz~b#K7g3`tzh8p;UiII z^@V2oGPV-QgOCR+r@d9}*R0#VyKH-z42&R5f`2K378iREI_6IYZWP^aB*dRZElQdd zBSLeBb4f=5PoIh5*~wDm z_VO8-p@-f3-T5I!+I5Zp8Jwx1AvgM$74-B>jgPzJbs7VQi!! 
zAt$OqwM8$$~{hn8r`w;#7tCjr#E9UG2rIy=I8 z_QSc>o451x?Q$3$hEIz(Zc^Z8CI7W2I}5#_;ZBLRLi*g&_#0wn<$FEN*CWukahVsI zjxT!)dSuwl?MwJGuudaG_gPu=x6y#JmG|r8t<2t=7ro~tRRV{XExs4rT@!dyqNBD#ay2tNwsf|@&Ln1e=t+<3 zh3mzMhef8Aa*$C$1~uKe{E~-xxAnRNv9vIkCf#I(&RW)_{j?X%>68$)99fN!$|=RoS!TmXP>f)OO-}T@#0W>c7cVe2 z4yrc_pzZ$D2bb05#1AmY^HRX^w6W^Xb{~*uWx+EIrlLLq{cWa8Ud1?}Zmx1_CyFqz zLv&O;;5v5-b|yGWlxbSnGC_FSs7c#ymfZi74`#N>LO9p|w;mKd z4&}^IG{ze3>J)MQpTqdk1}Ue;VIpoVNf{0(vHBv`inQSsy~%DpC#cu0&wF8o%Z}Y?}T<9ia1eZ7O@{+=Moz zs%93w)H-?o_<4?{c)t=9Mf#E#f;lyyP>_22pkfh5r79SM9JQ`U^{WDk$m2Uk1+C)$ zj|cx}Jiy(qBAMfwhW9IF6V#(GY2;!-wE>?)dM=Kz2~zIW_@G5M@YaaKo2ih$n4U`%Jg}f9sm07L{Ss5+C7o@~1OZhw|5i?AOMi>+st@xKJf8?Thx3ve z>lt&_RqUya2)qPqo0L39gAgva==Y8L7e}0cPMJKsl9EB!96^;K@l zzm%JzC`2OzK}xp0%E=6GS6-zvNI}o@2d0s0p%n;9vdV?0LgMGZM6;b?5b26tk!?j^ zKyrs&4z+OZ)X?Ff*nkcO@o9wMx5ZS2GCQW`i)%TiYg|0k(7th zbVpinw=V$X+k`IpU+bt-xECXM!W{<*?c#C{cYR62xxR!bxjSWz=!22net+*1JTc%% z>8EDbGu{5PE7AmQl$(iWk8~*=S+sRN*S$L2Kn41MSWJjnK$(+`JjB2S`atL$I81fu zQ+kg?F?vjQ9pd5Au~?Kf-2A5W;;M7odL|}*89;zf#7{C;Gm;9&Io?JQRV2A&fHH5| zKTO4iiVhZ3nU2abmnj(mW3~4%j|F)H!gfo-DxbE zmO9d6c@-V^rKyE~xBZk{1`CD~s@otgDXSVwtE^nM3aI#kd_{O?VU(Z}(N52@ahNq^%NUlU(zR7sxkSc zn^(c*nE*HvXk~Eo>w#~tl~PqX{iT62uiZrDp{agnum%D8Qssfmz)D%1E~z|h?DqR5gdih!Zp+>o*i|pJXtLtYr_v)Bg2OSkv1|2QQw$3M8C~HD% zuho0hGr0>@%?`fYghGtz_qV?gMa-X`k`>aLW}B_nbdwh@k(bxdj#Ss=>rf5i>03Dz zld>)4RF28NJv4<~fj%-tK~1kI+O;WZ5%d@Lm3Vo6DcHa=pA4)sp$&LPnY`dSOg&XQ zp*loK5dH+opV$sUbG-ucZMVxeFFU^2Xb%r=S5ZaSZnyh>%cYvU1vuh3N%a4g7YiK# z$d#~8lyo}dATqK8lIj760d9~4MI(H?Ow+!Dncn`kG)KIdW@bL@e23#66XR>K+C4xF zED;aDaa)>)fF7~(4*dDAW%bhO>u+An$Pl#Bz}{R>+W%_xKmcTTN&|V5)|!BtWw7}3 zVvRD&LWa|KNY7AKq!tDdib>C7nT4oHTkLAJ&&vVq9 zA&rj{uRbi?sQ|%d*%pV*9{tiwQ;djQz3(u3;Rk59>hiZZ18pY^Y#cv@7Z3}C^s~0N z+0jZcBE@o53Dql)%UU+eSQ*}r-i%91v=QxvSOEdjPeE^%(PP}<4?^Y+zmoZ&+|AVK zig{Ae+C~QL8QM-GG0i6QiQ!)j_5}(CEW~(71#qQq5^YSMS9rhMU4Foy+N|wqZ7*JR1JQD zvIP>;%+$$}J;bE!h+lbFm{7PZl@L0d@9~FGf^JTg$qh<5A9M1s6)aLup6D|9`w;Cr z`ZqmHU%^y!pz(;N_NrXHIM2mF*cxImz#V($xeRE`4K_T4jGdS%8@;R#`2*Q+0op2O 
zPnn+N9XOZd%Yj1Om#((er&NCHcD*Ty-hNaeY@n#SK+T`0LHlxZ_3=7$6G<$F#Rvx4 zo|6XNL~Wl-&?`Ko3m-2`3doMXK?=hay1oZe7ypAPOt=Bjaz*E9y{)A2n-VL7C0*m9 zq=EKL1SXmLNwH)Wc`8Vr!oxqithin$W&DZoUMjn`*jd7!_r&O;v@a3X4Es z^(Ej|X&2ea@9RNnx70hmvlkQ=LeNQ4(29%0Kh6_zm4NA5!nEvlsrFR@aH1uAg1DAR zuP}fcXw>mW;N^?t?`pU)9U5os3c&qb_LMU~*B=bRkyV$jr-Q22^Pz3a<^Lhr0;bhG8&{>Vq^?I=Jo{bPpdzz!fZ(Z)fJ3yk-!zA`4D3vq2>W5wqQ- zR7kVeKn9Yq-%bC;L2wu#Ho`KOzW}D0=!%l+l&tW}T+f0|n_uo(caqpT_L%tscgn@0UP3q0| zsxG|z@1|m@l(D;Cj1&+=oc*n1k0%gz`;QzH{mQ|gQMx-i@Gqfv+g~{V_miquMAVGN zgk4AHIeXzd`1yVh{G7*#5l^Hk~GAV9qV4NWON92EMQipMd?RrQ;VKrO#)dgyJ2#wSiR>^gcAlKoNFRg0Hi+;Bt9Y|3}WPD zgfY`oAh{sy*v;lgbgssc+qo7emRY0uV{Fc-$6{=*2o5SU8u#L0G$X_gy*+e#Mvj>n zB>N}84BUvVuum`p*Z^FJjU|MB#`*=8cY0v9#P;O{4;Qx`A>G^GRd?S65g?o zKM2Zx=kRYRmw~%It@iIg?U-fetQ-S~97C2IH@5mI8iC!TUZ^87WF3({&Fp`~AT|mB z__UyJOg88z_c)Wfwle1vO@YN)V6*n$k2+{j1=WY>%LiB&o0ix!%|6#QQLhMddym4* z7XuGOP$MymQklHbz`RTH#>ZgUYbbNy+B)6sA)g3joHKnrZHR+GQ6fmIl!^3axfw6< zG4Do}3aRjPn9wm_-TjVZLi-Ab+ZM;^5rH8YX%&`56!wgD`gYIIIr|e3@;|sJ{JKFB z*!?6Na*xMk^2gY#X>gbY^40Eepa3xJUKN=Q7#@)7YZ_1X_wD9gMv>lU+QdJGBLb;! 
z6P{sWx!cPebnYl;lp#B;P|1_m&ywQRc{U=uxL$C`( z2&>CgU-*kesqUwk4YRHu>#pFBECN94kFIM#Bj(0j8|*IYuCM!;zr~d;RV}v9HU;6% z8y*<~w+}b6mk~n29q0=E6}_PP#VsvWV-tZZhblLvOdP}}C#Sbh0;c!(M-#Ge2WmB* zbRMB@{fJ!^3VRSfwtLwZ#H#quBJ@9q@4~jDH&R@FdgFgp!#|sw)H(Bb2w@op4o7xU za64zdpPQFV*s1qdp)x?~x9jnMw-4v6;6ty{r{@X(jI>#I8Rup5z1aMP&4z#7YkvCq zy+?KO^YZhlOFp%i;~6eqECyCn!sEDJM|xc7$n1Sr{&0M{D^v1Q?)!RfW`L8fiWK*W zIAy1SOUHZuK)-{4UnjaLDNv@?*GPM z!o)XXwXLU9mZOKOfB6~^1ppC?EJC5Kt<5I<>ah9sdUvp+fsNGb9}i{avhbFka~zs6 zZOY5q3v9z#QzV4QCR<*cb04^$BOW`gK)EW>vlj8~`};soJ$>=0rm1fp-JtlSJ)Psd zcA(xvR|bn{9h8EaEw&e$YDzF-DArPOMwa16B){kzVIJQ8^Vajz!;f7DtDUc>uI}4p z@@2Y~P74jbw4<-*g~g@RetxqH7GC^DRzTw=|CkOJU%u?6fYNp>rCU=$gyDb#QqTH( z-vDi?T{E5<_FOzgrL1|Zu_eMbeNpYA8zV%Z0}0Ph2_biYY=IqO#L67kAyS3!ox6i0 zq_877s3YG{TpI-r6kq1CdQoiEP7CK>L>+L)8j&6eANKTR@Xx^yvMeMXMumidqYhTE zYsspJ65rT_{Os-SE+LM0dt11T4bUD{oRE{O&F|Zc<@`vHOcT5XBC35q+l^wCmj3Wo zR%QPT2BW-5+BJf$pPppEYV@+Vy_|Uw{3~vujKH(+e$~KN(uZD)FoI9D+gsD!O(gW{ zE$Q*H8nB9w@O_g~petW4{k}RTZEb_77E^ysr2BU7d5;*YCcHxsIUcKmO@|DmbrpZ^ z-#yKh^*?|CXTDIQ=8r8qF$_Jo20D!f8Vm&=L?zwrP3yHJ)?%u#V9MgUr4|#sj3VPD zjldMW<9WM$-_w@!Qz!U{?{5m7#vQWoEHJvni?#PMAg3wK zoZUgRu1A$#2C~egm|#u!TVNg&Qq;pdMX5=s6RbPG)wZOHp0 z-`LU5p#o&MN8LMjtHX{b7n^m6Rc2pJO2Ru|`h6Ln5Y&(E-52{L1g_1v4zTm~0z_!7 zKux>DsS(W;*{vsr4-~pB7KS@eEbw~WaYO#DhN*M?KBGzMiTn*Q33(McXC(N2^$~!! 
zx|g~cIg7KF)K&R)0Pyw_ZVHv6gg0W&=jAmtGbOr)B>n)Q%V2)zQRKwRI*n20h8J zSaM*TJ^R9-w_1SOs3H5jLPMpU3_G6&(U<{|^pSq7J#&riNTs;vVSlK`tGL|D`JDII zNK-qm9YaRrF8Rhv4=>e_?k<*2cy)x_u;p@gEQl$-ADs=}UELId9l6jTg@WjLQ@u!1awQQNF zShY&owLebG>8rB+17dMkt@)QTB-ok!Yq~b84w40)xclb_FbHhbbQ0J5U!AQAKjd@g z1S)7Ts4jy3MMWZ!V%&hrB^tRaTlh#IH8ACx)W)&EzqW$cLqPn$Ld0FG+iQ2&qA_t@mEVUj-Ffl(L}EqD(Dwe^ zVuQzec`w8@61L18*qZo4Gr&i?--xz$gXtw_liW^9_6PxT(f~C_C;(9yZ>O%3(j?M zJnbWIPbNl|956(5@-b+ULKZe>+zkf+z|th^HUjY?NQwAF_uF&6slab=u6>3##}Bi2 z3MSkshS{p7jU9eO5`h*^#&sn7}k$)Dbj4%gO-PMlppL@ zTd;e$=01aIugqFgOV-m&Oys_pc(9|ixVexX#S=0U2Oh~WK; z5>cn>vUMieQtc>@5MUB^S&^6DssD%|GH}OW1-&X6?aQs`A!~mpL^V0rFTM*5NiBPq zsyksZL)rlijVrSq)T%TZ{yPq|O-cPsctwb2@DpN|M@=V<>I*Arg1&^xO%O&;k!;x< zYZ&6Doxtv&kuklZ>~_CFdEuw}7T#$(gymYC8@;U=pGWPiZ%) z5b)RuE!c|QeGr}rE>0M!q0g2H3M=zG84Pp#hers5e_rb^aMt4`9QuGW_*kFgyjfI# zQPVwlBzH+Ew~{=QE8%R|AI9LI^mzyV9CMsn{bFBV{QL|SDA;hPD+!`b($7y;E-0@V zQZrXSn=XRa6p}o6#uPV`*Si3qSJwr1x7W|x+DO#D@@3hQ2~$}gAUMe(S8VJrE0h^y zlo`7?GX(OquyQ_po>mg6&foDy2dI%2d5wwZg(PY#>yYD-+T)PxvL?LQlh__DF*Hop z$3wTu`|;()GQ>v*ly%Ml@c{M2O3x|Evh}Mz-33>J4GWDNZ7!|n?xMIiq^cs(3&}p^ zrHLJMg-zo+yiB4=z6G{zbso;&1Uu^X_7VY+LgmT?Iqw8JS0(kxTbQ02KGgzf22c~?svBf4eq#y*A=%?>&6rdRIAqG_7ifQ z;cfAe_ufdivX1LyT3Awd=p}vHPht%NMtb@(r2R&w?xoR5@KQOnJYGL*9j;DHuX2}n zO)TIxxMPZ64;^b0tHVH)jNa-~2fpVAC6JdY>_OVkVv*=g|4EDNCgkAIotmxs9fr~o zJBY>(z8mf$Zs5}s$3eNp=#Y?+%TjVjhk2KWoM7VMbTIt}mgn}arB@R{I*Ye7eqxW2 z*|;5u74$Mv${aRDP|wvoezyV}@a-k6E(zE~5!`p4o@B&KXk=pl%%uhI9COWA?G!FO zs#mx)QsCIMxh!Zo|A=DIn)n>RIL!U!CbTfFX^pttf>@_Yyt}`m zG*Sq^^5Cr+Q$3>~d5w&vlqzaE9faTE$1V*1LUKbmX##NHAh1fho?8JD;e-XgHiIip>1tzvrK?`boRAk6#E+S~LA=A+Oj?Ia<6$en&XAIDBJF3b??G zUsK4ZU`PYQPm_+{vce?(087I+l&Ph3UsERyL@P3ul<5gCF>E(Lu|65hR}>`m@+n*b z?<2cMv!WSL{{;8#eq@n{okMqmKKhe92{1t{;9G`l7Ys28g;=IbBY}@hj~m>LWXhM& zEcDK-THQ;BU@r`$z)wb0==gptQ-=>BN~$}arl}u5h7j$pheg30WJ+ZYwFvcC{Gj6X zO36ciHd{-Ve$iAP>Ipr^R^b{~{IBYgB(h%o`ZrqkW<>Q7R{Nj?+_}=2v3S({wdrf( zVUF$z@eLs&;zK-b059Cvq-fA_UzagytXRKenuY`mWf1e3_9=NG`-e{dgK@IK>KNr% 
zZv%^II(?WK5Kx7~9TtMlFJ-%?lVFf)ja*!|D-R3|?ks@^SocZ8e-B>and{!X)0I=x z&d;lK-eirz4N*W85-zTDwn)EZg!qS?4>@{#;gR{^9(Vf@wcfjn1@a-k!L+(RlgsrU zOlV8Pkz8G;R(DYMe%}|JfX*$qOO)L&5|z9keEU=;$O9+C_|HjrZ5j~4r&G@KOP?d3 z@hI|S`+m=mP_3_t)juM*5#gdK6i@}Zp28HhxpL z6-nc=#Y56Z3*Bi9@5CzKcdPUynorU!ng-_VhZbRr2C6@yU@?t+l5rPa-PsSxW&^mv z_$!*b2Qdahe*?^JvHJ5j1kOAun#pIv9{2kCz4b`F$l=_;cd2x0Mth(Rg#98rS~NmJ z)K`08kq#G-3sJmWZZ}yzweW8?@s$wqhfXZ3MM0qWiwrc%EDB@eiqfm7)OJuwM@Jx} zdV`B0;L59%wulQVJEj&|8G|oP?euQ@@xMs<;4O8rR_P4{&Z)ijkbKxnCs*BnzSZsB905Sw*WQm@n~ zP6tV{hB1wE0tH8G|$YQ1Cb10z| z0gN8Adu*u&{X>+XyCP?GUJXRSH35`>Hn}W{+$+RKs#O$wbV>=uL+-Kr#&6EZ1Nw;Y2}=ioL!+ z@?hW=BXhWtr`cm|$qbk%*u!Y^PP9Xj?3z3& z`rC1UQenI;tz1w9FOk8vrQ0)2T-eXKQ%uJNMS<>Njd@Q57>Z!kaRT=4j2wJ4-;OW~ z?%vEnO!HS!d$oB{wdf)euoK2LF_5ghko3XO&VnoH(Wv_W)@)C`4cS{aoUO_m=%>?s zlf~0~bC1R!>xL3c__aDI?pZG}&{}pj11-#6Gk&tz*-Atux86n}C*-sMt7kQywXiq)H z?`DlyS4u}28Ou)$+RMl=K_Y^4C|`lC5uHm%+$V)(wtL=MA-l!rOyN1RMY~9&TaU*Y zQL@1+H_|l0cWG!$Imq=;t41|u#|@8kFfC&mP8j#tmKRf> z9b{0*o#@a3a5yH_PJ=jw*i0%rvza50$G_S#>?E@Ix0MbYHk?F}@eBrZk%DdQApx^} zg?ZEfWMaUU$Alv-#L(yQR`HVTndTf!U>qsAW&WiYhrm_6W-UCB^+TM$A+Ug7pb$Qx1>7)*Pzwm z4-Qd_5v3Irg^5lj-2hOd-o+b-DEca+4LOr`U(|=I4rfA?$@P`@;Y*N=Noiz-JcMWJ zGs=Fj9_a*Svtt2~QYugz%g%24PZ$ESYlV|!F#yiEIQAOOC~GGPh9lvv((s;#KPXuR zVF3e>*uLCMHPhAA(|nz5HPtb6H5dPMI(c|~eZ8OYR*pB|dQ!>ow!3+_+Cn@`dvdyR zlx|8M;M9(1PEu~Z?Y-PhzI|LEvb2{{dfsO$E*e~qht`f}@Mw2%diXe)cCxf}vvVfP z9NoRVO}cq}U46X2ztJ9E_xG>f*32c$Eg3i-a8CjDfNTF=EN_Pl%sQ)CA5r4YO*TtV zVVV5{mcgd}X&K4}=ykuWtP3M~l!3j=$~7_?2Fn?o+3+QuI>e5&V~he~dNGMfJIcta z!&u3&Is=-)cD`W$xnER*F?1nrQ#WN?cseNOkX}<`)k%0#;(|CqJFY|Wmw2AKJk7|O zh;LqOgJ!D%{&>-v`X5YvV~{9Ku;tjcZQHhO+qUP9ZQHhuJDxkXZQI)U-oB04A6-$^ zofXj$T~U>NGV`2}l_kuVp@Hu(OCv$Nx*+@g;#!`BW7%2a%w4VV63pJrt?iN+-YN@c zZ`onLXl0s9;rG(Zo0!JC zCP`EEs==vR`HODbsVoZ|Go7Yo`9^f=!XR^v-g@*4_@4D9L$@+D-&fP~l2L+m4O#Et z?tYLU0H?{bMdwLFNB*XP4x|BW!(Vuad1TyA7dtGFNk4Nf?7@`U z1Z>d&wfX}KQmN6l%p}=M>W3u8;o~uD9djzCS#NoEUHp0MA;(36Bpy!4d z;Jj7Yd`4lMM*P}-*Ym;X!vZX3f^s@d8iz&HpT@N+D97ZEe#8Q{dd9YjWCJRJ&r@us 
zjt$_CIT?jd(qjR)E#;}O?wG+yovo7K!;~k9zjwB2(^`A#*Jnt(79RFqhqx%K&&?8b zx8A)#F9e2Itn~U1jgLC0JUcX5XAm{v!0k2{Jq17EiFYGdwiX^XjeO)@2Qf3 zAovv(=|t}-?R-?}8IhVcd;q?^c_XNa4G@n7m>wR`y`~-Pxy+wC4CYftSyUP)(>aqY z>KC4UTUGLZFwlJpVM6U>)k zBYxWU5Ml}2IaX{!OJ)EoWSGKt_lbx3PAMdI-&P2@nNiCmDf%R;u zg_o|1#kZQ4YYVV65?k!_lN{8Sbc(Dk3s;wLG|`p-R3)g|GxHqmq){WezVbWH%3VUWUMxFIgTKFu15=dxie=7EdKViu?r86Q5?4{( zXlTB;FzP6^9oZ)NQHQKd;9HA}XS`M2^wLGP+)JNP`xXU{Kes`ypn0(WNj(A8kl45#xqlT>Ktu~Ai-cA#3Jv+8}}>n zaMXIHl(>uuKd9Rz=d@DT@11zSC9$--6Hej*U%h6DrUOHenj@NaN2B{O;BCweXM_7v zJ#{nL+fgdrB6M$)zAZCJOcosDwrD{%Qy=gonIY=V>4_|f9#B0!nz_ZluPUUFaXRek ztH)^dlm6LJ$Gs;m9t@_TvR~Nt%+71@dx#N`rT}|(O`_H9>_bLFdl7|*dJuPDJbz*u{+%It zV~xD~{`3l4;=ffN{1*ll8G4NIm0b(Uy91Ody*e957~a9! zgjbkmZF=|P3jId03Dwj%7=ECRCa`rXYcjJrpt(hVCUxICxu0^~cgtSKyp9Ub%(D+i zTq>U+BwnaujR{Sv)wF*Jx%0m%m2OAU>ie;!#>5BHZkLwK)x)Yr<884??Ucmc+@Idz z=++;kYtEnUSpFGR9euQeY+;RR`JOwOs3xnr+Q$?K#~NQ-hY~ zQPE?wiVe?m0`SoY^w~+b9hjyj&U&ij-M2LM02X6a9)~bg{`GJ)a^c@`T zlTf~(ef7e_+j*Flb{q0Se8QEG%g`Cf33|l7SGsYy;PohykKRkcU;Rz!(jFYi&(jUW z=P3V=m^|i`q}yh2S!*^~c%<{Qzdwf={!Wrdd0&W5<7pSzJi_~5TDFn?HhOpj76m45>1f$__(mV#x1O#E**Rx zV`p~f?o9TZWTv*9*+O*FQ8}Xbi6`J|iWno2ad79z#y+9A2Z>VoI}U;Qq- z(YTc4tEv7PTNR9zX`^^LXbpdOpS|C;aJfIj@u{~MFw4Sd?JCbxqIy$&eks@-SywP5 z(9LRb@%O-EhULsStLN8Hwg-I!Se zfG1cs3<5B%n%U)aoUL(lY)+sxjxyhtsa)eWu6z4%c6p;rY{rrIrd_5T<49$5BU!rL z?C$0pP5;F-4J;ZObUb;Qyo3}YPy2v6{kfyIe`WXiAsemEF8rw zg7Ch(x~&tcZDC&_rbmMk%4j2OHzX;3AkbkHLvRoPBi{^DzU6)nB#ccmLZ)$z!xnR= zaH=Qv5JXaIUh0C(pRNJ#B}Sk|5|fmH7AD~(YNwcaq+aFeqm%fK1N8qPx&BfG03+lW zr_2TDL|Vm*-BE~3-3EsqdMcY~UX{cE!BFy`rI<)R^@$GUIA+#VjI|wOXFBZvs1hiC z&H4xVRTa**UXTe4F2Rk6&!;DFJ=Ys__=X^BYF? 
zaAo9hXaVxFU-WU(X%{F_ql-ULK#&_p9bKLWMi~&&FA+d|Da42V6)5C&&D-65j;JH4(`lvtW|(%GI_R{f1`@xjigvTO zgUW`oHk>Y%SPig2PtgG~VXW#~jUJIZ7G2&)#6WZ2Pg6MHUJ2dJ$aUkgl{Ku>=`T~l z_Pwfh_?@~ZoH5RD+c?!a5plxBlcUsjb!)kcXp5BgWb@D_1_E?XclLXF?$`XbApH;Z z&AnBitp*=u7M8@7P5>qH0ePW&xS>ZmspkT8LAL1uUXkx|v$0wWn_2ms~PJ54V zffy(s2g>vDX@55IDPNG=Ih$tda^8aBl0}y(EqfV;B6P<%ut5SmGaj_1KsA7W6ODrn zZo3f~1#d@t(C8TSt5pgJf8Wkg9LBq}eKZiuQ2bJB*mt&AdM?MIwhu|v{GY~!gdlQ1 z5BMVwe34&DK*9WnD=lJFbZ6`xY0(f0^fEAD>TIu^=C3vRZ1?>P;_AP$cA=bOMn`QT zt(!h0Fd-t0k1pHDv`g${dI!+68-epCYU3*T%9s#m?4rBY$P%n^7 zeTQ_wfcZ^rl~lMLF10FTW3`py^xh1TES}3YkbzVwtrs{D^7t=J!C-mxA`rUGLK|A#b)5#aVo@>QIgF=2&Ko)&X@>BA2Q+k$R zI&xj)n&HJw3keE>7zLU=hlP>q&XoR}Q<(!_z=`AGMdl9L;GW|zi;(eiSO%26B9P_9 zc1W9u-<%XG|FjBE1cRp}$lK_lE`V0kE%lFQ={2RBBf>$Gw#ePV;J+O+aCFZ$JRTfZ zv<(Qm@ou}RunaH{j7h`2ohIQT&f+-WFw#^r<0Af|fte=b2P5uo(%l!sw;9bqiSv&E z7`0EA1xZcljiUaKm1GlFP}yY>#o+6gJABA)@YbIL*^>pwmp+A;nHhHWX?4^;27;5k z(s_yw4*l4sSxsYgkFJbzCrcQjkl;!o*oC>Bejeg+s=c;NglN`HX;qS|X#zq=*BW2K z-<7PcfX76IIxqt~RC7`3SN`#geO`l#rWt1-I->zquhM0QRGze7o%ye8LV)5shNSEQ zxeFDQQ{kk}T(kx!N)Yy7Lnh_8!Q^fTK^TvS1AI%oCd5~USFr*>Wn)MZVv;9I5?rJ@O_1 z{}QS@ZFKh|!eZH(k>}?^mvIQ@>TjSooEnajFw50_hOq8xURKgVbh9Nhi8BaKr6I6^ z&4KPcOI^SoypeL+fR#MV3{2OFN@e=cE^N{)rBK{G2GByNPl6?Xg%-WP%P_OnDIH~f zG1YOisc$oQpu?M&A_S5J5f)>lb8kA~c9K(Rb&gp0_^r>*g8PhWKsb$w=PFy*7n?G7 zhlZvDA^y@Lt6%I1I(UdckubhxF8Jc(Rf3P6N(7W;v^wwL;Ss!G%kmzBw(T;pfeg9G z4ZZ+kc|VKdy;@l!5?|GWT`%B%pjG>|fHCgFrQ9Eq-VwcGOnFpKqSj177Jfsqbcicw z`jNvE@#6`8-W`@c)>FlaD1aHTIKR>bHl5qEC9QP)^#|67ZMa^4xpu++@Lvvxf>Y<70iIy_|2S33S) z=X~JF?55y;Ta1WmMOzDjgld>YNcB3! 
zcEg}@#;r;>ZcRI7AX$MroA1|e9#kmVnAM|E0o`c~=SH)hv%cY0v3a!24yPJia;6hK zx=gaH9Cx!5=d8(f-%G+0)3GuwK~aOEHHW?v1k(ch_;ZJTteHi}))E0k5QKwT;c z=wr#Uo5pCTAO+dLKNP%jB?}#E`S3{HdJNf-Yn`g#b)5^6$rx`@?F`Eyeb&@A>I?Yu zkY=Xi182B6vvEIA^wW5VztpBkW;E4C7!gkm?yIU^Sm4hC)P_T(1D#I~gS+W-sl(WN zl`wFuR1_aWHqJuyWffdm%F)ww{HybKnY zDqAZ^z{d{!*8&P-Bc21pjM4T@-yO0Le@?(4HsNdUACIX2_t`s2GvbheX0hZ4pLn!8-6(YJ<^OVtIJw6_IY6?dU+L%{bWj>%Vm++bsr?L06q| zA+0|97uxEHR65E~-gsP5)r7tB+Dh%lb0XR0`cOnAoN9_f(lfVS+9?Fv(OFt`+|^n# z}G;CmZ!eutHMfU|SkWs#F?C?XiAe@fB0uMjYsiw^kQTM{wYcfyVI7UQ-yG ziQzGarQYN6(4z9rOBfU3c@%LqTa&8LO3u)7s@CGOd4Qvh^Dc;}*yR<`V3nnL8{uWq zODu_IlfinMQNecmsK%ItJqim0X<&7s%JRpLRvK!%-kJbY2|6c~4*K=lLhHgqBT1wN ziV0uUro#Z*Usm1n$fEH~i&Nle9Fx^ZyS2(=ETdl9V(Q9T?)`qX_*fI${35}fzmas$ zsM78xJvUUqpyQ#|8e;kbnb8fbr^GZ?SWe&}uFW(P!<{x=iDZ$T6crkCkAC{jv>OVl zz|{R1tw!ZgXsnv8ByDwLL{2Q)j9`hpV{N8gSZ+2es-m)g@B3R#MBPy?CFsyxv0+hy zUDeffHAfrCBtwf{7*kQ^urylf*1vqTW7#k`#PpRCj0vS(NL5pGVI>PK$~91QK`}$^ zj4SF4SmISp)?(=_E2+5(x7%o1W>c#)wfb(XGR-zx4=PiS&Vgm;-&0AnGK&bNR9%M! 
z!PE@iX}~!~g$g%DV~f$&oxsNwOZw~(UpH^kY)SE14A#4(~FdBDbmOM0wNp48>f z?P?GfTE6cpQ>B95iuFDvehBYLBW#1-B6iS0I8qIq9hf#aTo3|6-o*316U^dxRB2hh z5_p>I7Xmuz-lFUn@n`=zZeT+~$&9qO$w1d>(t z4*FG9UZQ@HYW96X1NsjOpPgniD$46)pGHZZ;ohy@q^k8~Ao1p#H7j77DJ_{@*=4_ZtWM$2#77c!ua7>&UwD z9W?8rR<4Rne0W=vHO(TFOUZgNhhWu!B6?emVfA9~eds^hN1zTDbW_Xkd&_-c`VNn@ zMKz|S8-+C5@-eOdW)N+UV7`if>5#>p8%$tCblDk}hk8R{hmlxS7hJ`aKUS4gg&R!g z+`v1lPkl${P@oZLd1h5L*-YR#w_K6~OxF_WfJCZ*#LhX!6v10*D*g!|tBO0is;Ag) zwBm^3lw&30uDQ}IjQ{|Z?k>rK7X*;45j`G8CLV_Sstb08lgy>!I2ve%b}6W~w?=OLM-;iXz)aqTcpVd$HbWYbcxa z!PRPNOrTx6w~rI;v!KYjc1_Kc2%|cut1A?HOvN;k$jg8uy~rY*OV?8mJAt)VP)q?XxE#PW z)WAZE)m0)_r*}G^WLY( zr2moM{qk`7F=F8A&2UE8vd1aR8cD}V*keKKACz+#V2Ip<=A{VsaDr#2b3p9*WuCB{1fN~E8GchkZp$e-j z2n=rMn-52$jTK&4U0!Q=+IRp2H4Gp!?x=FPUQ1Y^p-zj+SxIPIY}t7vC6NrHj+(%t z5MPV63^3t4p~~WG0OKNy1RLb(t0>=uLP6q4Mxvq=~ zl;mpSpsMWMSp5PU5`o@qy=pPXb${iMvD0b{ zi-K3;_KjraVv@)~N9U)C0E5q+8^k1BfM)?jv{uzkMV6q!VwsS^ag2{Dh?(5R?=Z6h zv3dy?s7cu1*ASVA0d{y;3o#vP_|X%P!I|ue6PRHF?gA8uVI2rSYy*(N8r*=c%<+C< z@jEcd9xafv>DT)`X#MTY;Ik{}1 zl8Oq)Mv{!Cn5xdRtT33!Dl=kX5XI145NKak6>g`!ryf<(rK(1YECIpeuPDHF@yEj~ zInijX$CGaLw{keRthwn(t2_zrsBH$oS;QT#t|qFo7}$2jni#7Kqp8(fOoWzV&kM{a z98yUvxT-5HehZ{Ll3nw(;>+daB7e>`%?(M%=Z(f&opY>y&nuHakY|Z;ggP`asN4GI z$z98XsCC?j2B5>lktaPY2#xNwhmj%UzmUa#bcNkGxGZoIASze)rYw&ldeR*4>^7tu zmpd<1?gGJhv-dVzg39H>KYgBPRT7~Id z%~p|%)L}(NwG^tSaD6=t)E&!gIFHn&;x0oE)jfi~rt}WhEywEX$`=id?$EfYnsNRv z5X;|Q3BUMdWa9%e7rdaHpSoygwZ&I2QHO>y3@)Lp8x167W~pW&uY!%_3ahl5sdh7| zI_|H3be?D>{CtZZR6g6XT0qIoauiZX=~Z)HY7Ztmmj@-A!G5ngm&|GVJG3lCu2*xn z_y;GuRzN8qUdn=kZY`>8);xI1w-P0HLYJ5KK%7)-e#J z9@_ELl1p;V8}7ES*s)fJXxNy}v<5BI50zyO9(?tu9vvzevn8{w0h3_TgNndrdrTd4 z;JCR5lb||-Zd7Xv(2$$J20WOT5MfzCry3QastcEgp2uc-lGmKaX3db-n+N7~8ETN; zbWxgWSDky)T6OaRL+^{R4k=m2_<^TAe84dHK%?E@;m65=Zd&ovb(;x8d7ugEL~Hb! 
zxADRu-h+-;&)S|y1!uDI-1FaKTrtBgfBV!~N()n<}wWeN?I6J$GM*6WV7jdjV?1`fu8ArAp;f z?S*FiZscEY!R&bVIzGK#)LZa^!$*LTNIm8xE&y1HVZ@L*g9Zeqt zh#cC<8pIDZC!yS=!G-)V!zt)*=9~9wRcxLqa<$H20E`F@{a5)Pp$`afF=P-*k`)0W<{_AwPmYf>mWEATg&4l#46F`zn0J8nAM z-Zp%9;ZSLt>dr!5p9x`9aR(Ser8ybK#jIh&kg8GK=70*i8JKf_YtcPy!c($mmEvj> zKU{E~vDh{?&*sfkR4i7VS!|sqXmlVmEtl7J?}aLARqP^8zuNx|C>U=@r073##sUUw;?g4N~ z9>Rt>W3p_CknzLG(AP)sSPs;UBGYs8eFxMao|d%;KL(DoWVFG96c~rdwO~x7G$h;% zK6D?m5CPoB>HE^l$*tDm6Z`)d9D_AD)JRSgG034k=fZgij&C;H8t0PU3mM+*Dl1lO ze|%Dw3FUHoqn;Sp(MZQQ1&*nfIS-|ET8p>;zU+>?vzQ39h{4GT0~2GT_(S?MEU{Yg z1M$ISp3sTk&#rymvk(!-3*XPxf}WdA0{=KF?RHkv0~(?@6fSoxBLf(2c6djPUgVDM@mVmp|TX8{~*nrL9c z5y)4AKYpw+AvXskP(gd}CjtF;AvbZW_B;5pe(8N)&g$hEL)O$!Y(#Hkt7=$p801Cq zw?iPu27+fQX1UCD%{f+4x0kUOpQnGhpFg~H&~9)irIZ=U zNbP%eC%Tt1*jrtt+F2pDqs zO?ZJ&eP9iUOJC+fkOCGQBFuQh&UMTECUu<>V7HT3_Rw)IajVHjGIPQECryHJ&@<$4 zk_{TWqr?+_wL;4vEk(yv(R%|AOs~T{@?^fP_o^6jyyQN$UR@T(b0Du??QVAWN*~_h zbD-)%vNbOPjva}=pn=wgKj8yhrha5E=KJt=e|R=Q;MoPuWt~u3pNKfQVgQiOKVMsp zxx{A%iU==X{ogLqYHHX&GJ|D+GkSTAO0NDQ?nT7ebngglQSJ_PJdulPMD%zn71+I5 zi?7-=aH(@JItPx6G>lW~){Dt5pEz4rzGZ$++VR)iM(H~M+{0y!nuw5L&UbUGHE~8d z8mU#UEl)0O8aw(jfPijOBb-jru_RkXv~?4bA)u(S>8 zcpb>Gf8k4R4kCQ*DR@mn|q4ZVQD zJ%9nKeE9Kls}_q6A;FPLwwIonMOVfbDralNNeT!w1f3)ftx(yWj}n$JwCWBoX&vy# z!g&?(dbY;_UrzGIm_AYi0NNJu8X^8FAc`{}4+iL^0-=8cs(jpinOYubNI{p>L#af? 
zy*T%lS&kr=ml*$&uKC4Aq(J-BM2+VkZ$J?vqYP%pImF?$@Vur8I3L<9LZdfH(;e01 zB#a<;6E6jCz&mwt z`Kz}euy=}c-Oi5N*rdik^aMFPWzx@aP6{1bEQXMA1yqU@9LnuK@j#l%IJn7aA$L=G z8XWfgNY5Cks5J zksP(zr4P!Y&+a>rYVs8MJHfgOQ=eNlU}U@P5BXLn_~2uG@;q5%1?eK)DI&x@mQZ&T z+3#@SELpCy57P+z!Z1n{PfRsNaB}pf35lOk1%$`LqHh5g2tp8l%_xu+^s=vK)5m2p zzrm2Uci*Tn4e^UG`rxbDOhcg9kaKk$KWjaT75FL$BYaHKA>u5rnq_2?elmU6j<__G zgy~LL$`#^I4w)?w^fYp2@*{_SBgG~EMT*Ox=}C?Bw?!}c^@jMO*ZYR2C*oG<>k*TT zyF9*hyT9r5{DJS@btW$hpWNr(yDYwRo4@I_{LyRrqLz0=FK!B-G`D_l88Q98r+%Ut z|6}rl9lLz8J3yzB7i(LRa3l02xu;wHO{e0IUitGW^rY;)OsCMtINT-hHOj%}7VzGD zPN(3{eQbqZE|2n|oBvIxz+Ys5Ufu`2xC45A1N7t`@SbA&Yq#eA+x*UYrHOIn>pq(4#xy zdl$l&Zn)paU@+4-9iPAT!NbvL)J&a0#8J`1(eE{(s(t!EPs*jgCVEoG%JpMw;SVUE zU>Qh^jAItjHYSSF`w8&{L`@q#YaULwlFo*auaB75r-JY?5_ErH#Nx-5xoK)t5zq`b z2mD`fL?OghmK{dMI7HT?2D2bMlYdSh z)76&LOui%h=%OZK=YeC3{JGlu4N1R!2`vb4rQ2*Z{)125T^C|31^$7*Yy$p`aP-di z-!fi}%$}LB0X!Oc-)0r=8yUPW>j66!V;qiSO0Y2UcE_Yo@NkNe7$=rlPKzNu=VODc zd1f6|d5A}jM>|IVegp*~wjV#&7Sp`}dQNEInFN6qu|LC-3nUOWDfe%v{Wf^tFa43^ z{=Yl#q#h_8ZEcxl0S31jMtX)F%=yp`-xX{`#x{9z(!}!#IFzn)CPDfH9Bww!W2Srd zh)n4m$yl_)Zm==D*MjUQwpWB?d}mKkm~L-aTKY}F-}O5AKeT@juS`}4d_S1)Kd+*U zzM+)+=<%R}g2GaMG~|B1K*=9x%e64+C5kGtj(;@t-NMcO78jo~-g!KJ%QU3qF+@6$ z{GQEp4}+f=n)4LNc_df+${XXs`qOGsdi_GQ-+r#c37bVKh#Wv`9*+krN?s`)P-?2z zsOn;)OI7)}(FmmjEW4wM-vC5kf4zV<0pEgRZd+u9cUxLZ
<2UY2gwX zI{7OVc8_ln*R;>@^Q570PIKY?qbk(ykJFl7%+p5gSNc{`xkFc)ch>D6uhu-G4mz~2 zdMn$n)smQBuD5y4yKE2HDQ8|=75AQ}lDObneL=)VwPoZh+|L#r7K9gCouVv43gYH~ z02dTyi(?K5pnUPU`@F+DVvWM)eZ+bh^w+KkQddRd{n1F~zRs$5=GXVvv=>rjfN}Im z4TIxsxwF9_oin#mBZ7qY$ms>eoE;!V-3D-G+Cpjm{j9E$i2-*`laIy< z(ykWk94S}9v((fxbWiV2?}MEzR|NcPGD4aqBj4zXu=jd zuq_}TIA9pBD9VZ#o>X;ob~@F(Dh|)i{!OeCa5y4+9nj7sU5~tFBUhF_YrxW-iBvu~ z18MXa(suFA8R6i{{S$@jw#|7kT6VFNX<^@^0IOx&TcE{klk}^%OZ@y}CHk&4^)hG- zl=jf@&T5nb8)LMCA+ctnmWz~QGX_1;D*y2Zica!+7D~jz|4vJdJs+774%j*3z$3_= zH+KqIexSqtwwk!-gzGe$?D<*lcr*XcXa`j@spG-sD+LvuWC0Q)t6jol-B#j6&E>pI z*FddJUw;gB^1MN{F0;PagFPTO>r$hq7E<7SI&$QP&CU4SyIzN+o}_mY6*_xb+nSUX zqNq+2ArmVXdm*5;n(S^&sDx%o z;*4<5;s)ON`58BC2>iDD5^dz+xEPOCkSHxXWOExk=YG*xKICPuqK)>=H>&O>yggsY z>fz{XGDq8dx7VvBcq@o)C0xTIxE0JVMO{cDk~(GMw0ylFQni$2p-oF>UCL2C(Wsuk{*W*$)?mE8ua|u4r+}}JnprjWoyK?7B1Zxs$EA2`;4JY7ZiIE zb6|LJBHt`y7$9yu&qK~t-PB;WU3&{+|BNMV({DA7}SOmDz;;{4)gz{}BYu4cXx z0@s$418ooK{-GLYZC=u?B8Q3x*I{HgO{uBXkB5!~>)4tl3O%VAtl>=7;qUzK4W$(`+^PuHlZ-bEl9a!mDjr7Fqj!6mpU)@=P6EsMRD?s-uQXjB>_ z=0ix+GzeDBBcK}(Mn-bN=j{&L_q|!`3zjDqw`J3C9mzV9iZ{$g?)!eiYrN_+5>5Y) zRyDL4>1>iW#OOJEGT(uH%=zoNWMsbY!Dev^q36w))mC2$KL4=iw}crvN94C8M5t0@ z9M3CfVxBz#H3pCBuw!v`yfl8wHl#5hwb>O2(P>;FdJA5^WTd-MHeC7vHqOk{2j&e4 zklEiX@IrSH3!4$YRXp|eaLIo{l7U6u`!2?9@)eDQM84fibjoTNWMsbSb{80PnImRA zeF2T;#Xg*`Ya&S{+A=SA0A< ze@1h7O~a8se}7A3TVI2p13B)HkR~F0m4*8C`!Wt}PdHtz98KTq1V>>D5TR9>*w@}C; zFB8%XxHDPcSWtDeggi_LXveX)~PF{Pp19t&gVz)N~<$vpNoqbYv8jSU)?{aIN6 zMb2@#o1a9}r-f;44|1EQN~S{k8kbcmaBRYdjbl|NhH^x=v0qy`L5(rcH^c zbg{*KaUCYWU#1X2?j+{s!rZj#j;x5mB2DoTabY81#dc$*KeYu1aS2Dw4O+B3h@3(y zHG*>!#ML93$3JU94k342YoL`Q(F$o~yVdA+ceK65eVLTknq64CJ;!W}G)JK~A;>e3 z*q$lSq;A8BL%uYDSIDu8*x7Rwj=^@-;bd)E8%_$zByKl+TkPOht%y%-18eehn9R78 zmNb46SC+q#N93oxWBeY(&e6j=VVV}!;e|JCHv9?%^x5s5Te07$iqr@r%NQgHA-{k7 ze2W>fjm;XA*fy$-rOZK^{efij_yd*ussE;bTkcyrg$M7m`$(k`q-I0nh!!q;IbjvM z;1W({hM;4|j8M1KF-mkFrXnjjX69TC+t?ec<$+S4mgSEb{NvzJOkteY+@F;mA_q2- z?|r`BEx9!Mm8e_X`!CWa78^4+kMh&?YZ?D7!%MnjQuZyfwZ5 
z{&%ExK=UXv1|KB383m=mO6;=dk6<>c@988*CJX6%0Kz8hx7Aqt_FND(Z%xM0t@Z!Cbg%*D{&y9pT7EsF?VY@5>+3J=!wN#e!&;tDhfBOK)dDt${H+E= zL?hYZ%>7-L_rLnJpE>{Q2|l5T;;o&2c#nk|bY9#-!#%^{p$(AZQt$&J+vAn;zMJFF z^`D^MI+;f&DMC;vpX?7VJpplXEsO;f^84lFL&PxFuYTk4bb2F(;M4D1uk-vD8|x51x9R1rplP$!cgYDe z)3$edCKn!fDbsA}(Zf0O5~=M9ix%FQcDcNpiA!?-Klju%-dmbG$%9MD$y<*|q-F~tXoHPU<{0MH zDpR;7t&BM<>LZd}%rQ{-(NgRXVtkH9w#BwGJ(I?syL+EYxj+BZX2zUckn25M%~&` zIWEEG<5Fp=diC%*Q?`Qqg0u0i#}#i|@cD-DM^5WpnDl0L)>hx<*kHiHPM>|yJiYK# z73=KAee3EgUArHewq%{XAwO8dtPL@1R+QO({uEfIzqAem^3+P#T8?NcVo5TsQgWb+S-aN;_klu0zY6$G2u^P-NnN z^BXZ~!1W~Qa`kC;r}+QFCPk7c+g^WMa8XYJ%!deT4#Rt(i|Fq_*4iheUH*%obh`sg zHJlv8k?Z-WXcY96D!a@*Ze9ZfgVwOiY$e&PxF?TLTM6=#TNpU?nVov3*gjePWxF7; z(BS3HNjTx)ICZjn2iK>aepRI&rv*QOqfzR3Pu86c(W*lOdkY89HnMPnXwLd0xASW#v zM6aHuJ~n7!Fsa6k=5~r`l>&i=M#lIO!Wcy+;bsTgki;Y4Pq6Xxu096DF9jI1B*hSi z0|*KPBI&`_8Fv7tRg{Q;rjRky04Z02n^gs>OMr$IsNKd@%6J$Fq&j4-3gtiC3i8ir zWba_(c|;91P%j3k{NzOZ4ng61Vwl-30hw+g3?Y43V`o141vtsgYTj~|@yge>ny(pZ_#{p&z2i&hIb~1E zA}?=xk*jkR7+^;G$#n2hdq3<_5h}=4B9)*=AydjI&|)crc4Bz&Uq8@BBiKbC5zz#x zGSD2nf+h9xUkq7`{Bx>qBzPOh)ht=9xeZPm7ZJqym@Y+jO?tFkrs(nV-s;xUHklq) z<95zf8TClY64j~HFTE9!4^tMr9aN{*qUh^d71AbD4WaH(0i&FUs7g$A1f7pn{j1co z_r@tLLg6vgavj4Vb2Z2}wV_@IO!TQc+rx#-t!9WDb?RlR+I*JKq<*S+oEb;^@N z2+0%f1&=$Jy*X7n3$qW_Yni4nn*v>_Tq>tc ztlso^2Iee9-?)zW>n6T4qa*Hrz7E6wHyB1hsPFGT^o>LpzKTM0xeu|($U(6+`!dKK z--qTl2ocN#8MO;exszVk$DjG>fb7Hnw&(v{_Y>zJiB_T@@QMdn1kq)0H{UfdD=nrR zh4Ti2Q}mNnh$Su={99=@3>h2yiZUwBu=^v5wuXYMdmQX*f4S-6XV3?6SauUP3lBP9 zE6y=6fUz~W#w?Be9_V%O8h)Ue{r>u2#-SdLyra*;TfisjEPnwwpa!_-ZlgT;bQGxE zT>(Qz&dS}T%d-+wow#Z;s=eBo3kmV;+87@|=3qYd9-|x2dG;?GCgF@i@Un}jz>h4u zrJKjXB3i?5tRO&(9%BHKS2`Yf-BAp2WqGU+g{76)0fN~du812YKn|jJajYB9Gr@RZ z>wdetkn&5G&$LI8>G>xy|5aK&#k7b8!V9+G;d)*zqBc8NwWxp{c6TT;ZWQqT26-kn z1Vv~fHQ)w`06!U5fNqdt+7{zYVK)R~Qva306u-a`p@21y6ZLRDoxaG#)DP6W+koQp z17*{RwBgKQ+at%@=$e-SH&pE_J#w- zh>3cJ9|z2TwRfe&o1St^Ud{`Q&Exp&xQ4-d46;Ap1sMa%RWeI^iBGIl_GAx)y~DG5 z))Mq}>uN$CG5K91@w&ZTR^hdjEGr0!S>%F1|PsLwiO18A8Bofww+DN6?lVu=|* 
z#-3+_IoUdgc1F^$QMm@RBg}-Td zM$CHNrf||rND2^IvvC@{<*8Gp89!@!MxK>fQ$L;iN;US~PFEgBsw33uaq52ecT_D0 zs%n^ZO1yfe<9AF)s4goXXoI*%l}D?bKMzcoI$Jj1E2wLpwu33wVH<&2RarF{wV#WF zs#d?FjQ>X0Nz6@J+&Zo)dzDLrs(D`RT2~G&|7W3Xt3&z2t6x2Qwe|4TaLILXwlRNK zwr5}AyB?9c!|iK9Z))istNGI{trF!<+kY#ZG9&!S+`!K=b8fT=s9kaM)H(R_w038< zEVo7b&+RuN6IDJ2(56EfQ*K_|vue|Zr}>xHi61@5di14#rkK^M<7%C;D;s_` zi&kz^FwF2MVx0JJ*~Ck(vl+N0Yc07m*ypIXC599(E_eFC+nN6EjqE!S^^(?XCiUWo zv}=pz=+7=Lzq$WcK~3d^`5W$tY^+}zyjAb`-aUu27^NP0v)fKy`EtV-b^~Sp^>T54 z{|9(8GKnyYFfcH1Ff^vQL^1iT%rE3(U=XloU=Rn2!oZS75G%PTHL)Z$G}9$DEi*5( zBr`uxFRM5|58V)5o4rrPb}=wmI7 zf35RvkJEwl+b6giG}lsZdIm^LmO*0mxEt=6)XR~v=D|R1B~t848G5{Njz7{?S^)A( zD%|0vEh-g9+C$Ii%XltgSYU193XmsnGGgfGOP+H7q}YM&XHmw;9UsTxqmp-V@gbHRu=oVkTN`WF#7c< zE^^S;<5-E2@F!%AeU|ms#$s#u#*^q0Cc5+`Zw4m1(8Zzk!E>1wF`9?s+fhcr=0lS^ zYPJPkvHdIeBl(_&GG zTgF&Q36tV*BtJRa0>v^T4*(5^shQvLAW#$o34ET|dT$xKoNr=T?)G8yjU393 zoll|9?&3*|&YzsrO+-OvXJ3gCwj;?#N6t-An_C3SsUrUCh$*wBC6|UFCo%CtRD|i_ zpq8|xN5Gu_xb6D|yyPO_y$8_F|oXXCx2Z!UWP(2 z&B8Np#JLJQ@eKVTk%zYcferTs-dUfwDmg()9wAkOf1`4=gdoRZI$dkuu{wp14sFG4 zFXl?tEHUEZ&_l12rqe}J&u<42xr%7Fz`7+Pczo|xn2@n6$f(Rkvc+SL6hV7tg&j%H z@kih;{mX<)LpbXU%#3vJL16{!c<~y#E?cFl~*AFrT`k7KACCV`CZr6 z!+gB-Y>>Yqz82d-F(7m4=L~$+or$|%8Zao)QUAe$1F@@VFYn_K4*0}7$l^!m=LGeE zLy?q?YYt22K|(-BXCKk0^0PL+fucB_mNSm!Q&s}2O=bUkW0Y=ZAIz|p;?pZK`?RfD zvDipfKK_F8CoZe4;$2GEM1EZWxzKFGe-{b%t%$H*E`;D3s+I&j>E~UOtTpHn?ThO- zJ)|D+Gpt^L`quY$2*NX`M&V|bdCD~2e&J0m55*uPNVb6jG@SXQQtqL8Jy1#i%tbqB z)Xz)f>lwLm@$b}cEF_;qWM&NZq~m6aa7Kc_vEAuX)e*P_8>&1Mh8rLxJ^P%~U!1Al zawzqFS4-U}=+&*H`v-OlawN?_5jLrpA;%$rc$`*KzGU(wST59Tp)pduP=w8w?GQW$ zMroiun&_hF=*7JZ8s&E zIpKdFM%*Qs!)b7P*0etdF+-@}uKLcV8OgveT@mrQxMC97l?QQtX=a0ssFlYr%c#6- znX4jk?f~I0)FxO`W>I&+^Wq_Zn>kT$EfWXn5ETEq(#e?c+=GL9<*pavi7(!aVbTU4 zzAa3rr>5_@^~N@EpZwaLVd3D55A97dlt}lpR{fsd*u2K0f0Vf3X4*0Ww0TN3kW0B7 zw47js#@rDJ+BfD*MK*tu&=B}sPfQ3L8BH{UMtD#&Hqb$?Y5&hJ2fpC3d=OFmCKcgk zg;z7j1w{S)dA`ys{p5$+8sHZ5*bQ^Axn=`YEVn1*ghwx}jqRW=1m4a{?CgwCj;$!S 
z(DLxwiTd$yCFF2L9HUnJ?@bl`Ca1kyyiQ#5N!u;EU}xAB?547aAPs*Jb;AOg8jqPE z&v*~yLi?NYsgV9M4TuLzR$7ry%_8SsFK5b%lZ%nUzr2GL=@K3Hv+11ebFKT0+M#Th z>qEqz06|Jly?0TrVuK)U>9~X; z#l=9Pk2C)mx7Fqo#}??*W65GHkg8ph+dPBp!7k8_YF$JXw=eM(Xl+hN^IDk3h8aNb zWFE#czh5$0XZM#%;Xn1a4$b0sI9VKMuw2tbKF)l~JOplGRolOZ2ottwretqQzdq8| z25p+h;n3ZJ3OQmSs@K#zC27#KvMp`U*ZCC2i0vA_ONf_?RlC}6GAf-^l9WyQE@>kL z_P9>l>c06ytwIk{dSsZ1*a9s|1I9Zamb4=PF9{J;&s1lqVf4!4{(QL52@8&Y+1FUOcl6`_QPYgNSW9zR>vcEdU^o}3Ys69OHA*ubz*o`k zhp*or2hg^^3e@bht(L#0C(<$}*=T&cOe=CDcQVpU8kparIaM!S)a7(cFW}7xEWpj2 zJlR=cJOvM4it*KD$u4tsd10xI5KLlrvnDS@ZbtVP29+{wH{#3L2PKvQotCLx9X?i) z4ft1#tFceBnTn$U)7SFwP~%yS^_)V!1*G?Rp+tmuI@#$rkNjFZmN3Yv+qwHDAc4J8 z^TdW~0xe<>murL~VumBmmgu=^c{hizj3h%v(xPd0a$MFqYY-RIVm|!`8(axnE`jpjT$vBG8Rkt(DEq^-kl_*iRLPxG*?;U)Z)4K{ZlDi4ei{& z7Sy8;fj-MSDF9IMxsSA{Ldlal-ln`mXQMqqWI!(kXL<%%#}irtC#r{;hh&1gi-??V zqd^PZ9AUP;P{sGRgK@?!TG;!9s&5UU@#4tKe%x?Xy*>4jk~-AkjVlm!4y%+Fw+MQD ziVJfAY|y4cF?%}|DeAjyAa`JnNPH4Lv>iQOTleVG2Q}8XytZ|Cu3nV*zKHJSL-k

!B$ zN6Vu3W*~PH&(oZJ74y0qwDiuplQXV|h6Eif+f(~$(G}np9Hntt3RPQC^zs~1tnKTi z7P$Kuil3kh`8Ej0D!B9VmlZr~ymD2y_I5EOJ4|m#)qZ!r7JUF!C#~a!30v({x6|=a zVx3+i?g zVI;5A$ZCC)e$jsPuGT6%x_?7Uo`RoW_N5%X^|>VPOx%dncb1UXeUV0o{}OkWq@C?2 zr~?j=v8%+Mhy$*x6AX|?>;uDAYLM?+uwEy>VprB)Eyj_{KRvpC`qkEW#|YQj=?}<% zo~Mazhmx2TTx|4ABs{Af=MK#hgcg z5y7Oj%i$C5vvrq6p#Br;5+4Z&L=em#OiC?RHGd`v2*Cs4f7htP@0UVU<1<4ZJDd5% zipRvt((CDt$LHshluOyh#ZU%T>#k~mUc0!8i}_V<+pbm1EOre*ysD=T$7Rw>s6B`& zTc^^2HQ)vJlR?MlZ{W!qfA^J zwXWiyQ)wc@rYB-W$3apK;XD=Uh!NaAiTAQLBI_fc;#53HntrOeN44J82DVRPPO z8?y>#^0!1AX5psE#&c$HIp(#tDdYBv9hBO@Qz!BB*%WpwApFW_@E%ViUNWE04I|?qxHzIyd@tnYHXUUCJFl8T06W~w zx2xzj1iiqX^6TloCE-wOEly(iD3EemQ6Y!6sNxD>%MUzSb2A6~s;v487vXw;>hS@C z#_CEO+nC{-9861BJ6jMZ=xFh|lYuzwh+5efg>fd$$ey=gNtqX<9TXMv4U-W%icX2} z)!Kt$H9g~g=kMe3D&xOvqBnDvsk;g7_8uOXXAD|w3Zct|QfgDR6767(A5#jfa=Edj zJL)phyAXbEvJn;vxWxJ~roWb!jdcL>X;G4ugEVdaQvFj;i6ScEqtoNCV?1P1w?HTJ z{DtRWpLxd+4##ad=)1i`VXfSn&PzVLlzv7;eK6*PzX^w`*24eLs`?&8G{q4CZl_aF zXQ=^Vud=;Q`<8r>buq^52?{@%YDLt#m1=?+><^E0ZJQjvIWK4j2P!jw%1<7`irRLE z$I3I%7!ExGR6OSS zQ_SH@fqv3q5etOF7m+Y_G+%K`(nSrZ+0IJaDvt-Kr*zvb4@44m+ZF|^<$>?K@C86~b(P=OH zMJ|eP3bkyPALpLM3H|%`K{S~xxu4^577h-rZMrTjY3JJR*22}^hoR0*WEFeU2WIoj z%t%qDQAHN0`;W1rEi=*yLe`$7H0f}TydtMxVJP+R+w-yn$;cl8v6ndQvG^w{ z1JsQm{%arrk)3>&{#~~sZ78?=`FI$|nXj;5;TQ>BJYD6#^Cnrj-@=HpN%Qx2y@i(9 z?A`rj7!%tKa^^*;jEJsKj_DPXB_ph&SsEo-BsN^=bz3=hFi(Xgg&Vhh`tWx34K-o1 zo#DjNjd=V;hCOK(_g0AlwkLv}4o_R7vjsB)WfK3WOqwabBO5EPr@i_cVG#p{`c9uQG+Ib@j_v|wjb&9wYnoK_)O2E< zF2^i!@h>D|=aIg=R`?m?5X3KpK96DmLnIR`H!13Fbb#juy@L9GH=AN-qi`6rgW|3R za@lppJrOvp^98h}Bb7Q@v4Az`2jK?POBAwpIn+3JMkD=2>aB4VqXP=U5r8flc|m`c zw`&0&>j-4A`k|xig7v?{`*tRNuFD);tKudAAWk)uXR^u>>0?-}y@?2oekB^2dTYHK z8sh?`d@vkb?Tt_&6afV7=BSbpn2$v~_kMids(6_jlMNn08!~ng^t#>2y$JiGaD|%@ zep4BZUsFFcdXAxX5E4gu-?)dea1b(EV_(?sK((Djb^jd1q&m5e4)#^-Nb>GBIS%aB z7{RN*orKB0;yST17JKAO(+(HAK9+|^Wj1h=<@w0e6!#w_BrZArytw-PIRn)<)k0|S z!SzvOn~H8X*psS&%BF=y@yPi4z188}k>?U-3wLqY4!31RjXR9GO-+F(4-T?JB0VbV 
ztx%pPLR55mAby+p_00WxyOX2ypP8A=S`K-MYjpr8>qxo8$GoHfKQ-k}2wY^FBnEWU zE2Bbp`0%idAY2X0O|x1{VV;#lEMP{{AqPvms}L_Y7D2lh&`?W&fqJ_iHl$Mm13v7N zLa|ePa6nd&J2UWxi2+sY=eWkn%Pb!x^WE|xwvERsL9TV@&8otA4xHp4;DHDK2}4leJIALyt7t+kfPUxsK;oS z*pLJ8bY@(Lf2fHG3+giwJ5$jD(46t3`ydeAhH_8TkMU;lOi1wf(cFm8_~kB)iqe%s z0U;7F@`}tY%wQAwn!LTji`140OcmT6$(1TeeoVnrRLe*T74mi}l`59fZuoWS=gnTHD(l|Kf&~dxF5Uau4huav!b2Wc_D(i1V{^`7%S3OyfvZ z;T10WTP9hpupi$tKlxK<^qH{0qd^Lkht3{9@><5$X~^nR^7Pk5D>wKvH=r?b#yr`> zOi;7+(ueMrlu3;ESQn}To%~Q1qAB8dj=xj(fR!E{9%LA=-uIz?K?JpHrCdZ_X1hJ) z@jk~6tXj~Rck=vm>WPBb($k_TG&;o2;1l*v%zIHt6)Dpo!`fQwje$SI6*c=Gl9H5u zv7(joiJucxplCW*VWYSA=?zEwLp%duF#g655tpCNWqqc#l%s;y_N_RMGelY0M#*F` zqP*j3fn670a7esa>D*Cq-;B-u#aAWG;0jaz0+xPn;~v5@)Dbf$?Db5C?u z!k$Un!(+@nR7VO-o=~_P`E_cqN*;NUn2;(W?^DU|jVQ8xr>7Q4B=RSlIrOeO{QN=t z6!o87IcSE5XNkBza=BF`iy(YM(M$;uwKTOK)tCwe_DjAAHjGSF#v8$tkaAKUp^j@V?4O&)bBUapqhVp^&7S^F$6E~h9(BC% zd?H}o6>-4e>B*Sx|MO){nQjWv9pnW%zmTh!^0yvM2w{n_e$x@o8T=fyn~Xzi$Fv#h zNCv7#sTS0twpk}pwn9fxm|#cw;5oOW0?tqi%X=c5W1=;RvJGu{B{_*AONz)t>^7N1 z1iZDk;l3gwc)r4@vp9DUUL)%w$VX|-b)Sv3JJE3#wsrKj#Vp)0+<|`*}R5wi!*ZH2Wq01gw8?5XfX`LY@ z;SyquC{ZDEsv2inp&s&LAJxUsI+x`+vr~v|IsxRf6dT;}e5-0=pg#qZz~qccCXI)69_lLQZ}LGA&>8e zgUQJn`4#Pp69d9lzl>w+_Xvya0b%0@hQ*PHU?I}=w`>nE_bw22S1K!yMuv@|^^e;`7fj6P9Zt2|jwYWQ8Pd1KlPta%#+V;7ig?25x_+MJ zoj))+S6uXGCyak4*~@>XJ{VLkV@KT^0`Aprk(`scDY~Kn^jkiA)Fu>eS8~-J{jIrM z^vOJLcaX9SSE+kx{Q$;S~~*kW!I9>K1b>IcDHRbqmRfog^bdcG+vsF1)e_ z(20`86SQPt(Mb`-6CFtEds%-=r4)YdS}=_DU|6n{6ZgM1P=zniaEOVH7MUsVLZ__8 zWb1*XgIkGNsDWeA2ovzE#3;1aPZ&nWq~WSF*o>Sov>!^rWVlw^o89Pav_w?m>0w1- zNfo6wad=S2>ias_Q-6~m<-N3m@CeJZb}cM5fJnGzWb!=&kXqo~fdn-q7V%1AN|P{>zo6hpCWt6)7D-d9tjFyn z>;9W6VC(Nk(arjdiIYvS{>$+tl2dwn?0}k_{nBkS#PSe4fH^ol7leW&lX#n7v5NHzj4T4lgeC;Oce@Cbc(AL-j?`Kd0Y`Xv|6#2mQn_|vMJAgoQuQ^(G#ewUh-ig2k( z0fM`0pHHU7!osgi4Nr| ze`zFH*VhwpsY`+S6t|C6!|nZ7QzB7!8Ejt4<6%T#FiSTrS!jjYX&NtVR=raJw=+az zs}`N}IFwlP?Z2ZB_dsbI5f zT{BucPmQ1^uYdePpD8UGJ6vPPdH($~N|T;(c4gq&rt^Rnq>3-v}wdp2RWLYYd69NB_j^IH2EqpBaAtu2oe0%X0i<_p00B 
z2cZ(9{C+kN(1rb%W50(#M35W{I2?JMy2{h0w;orVU{mfm=R*1QM;j_>oG+=PzmaqI~yUz+Mqdm2QCpra5x#36ey2i<^| zZkcmZNS$IrBxyS4#T{eVYNf5#HCmQfGr?AP4BqSY;44ewul`EFZdEs`v^5^E~jDx^$NFQ5#-+PA^0xw$QZAz zE~^sWPTrWl4&WHyXRJ9b6&am=FXrx9W0!k~D5MhJ+CxxES-FJL@-1+9~6M z0)t;YB#a=1&Sq!YeD*Y~DBT`NY(W2!#LvfLt_?Y$ig}TYXdBCMcfAU3e1DVcKaI0BqvbQPsj-zcS%U3%fA(T}=1idGZkkB5jZVD^s za1&)r*wJ>|CzpvJ3*rf(J^Tm##tVEuZ?FOcU$!I%MeUDH7{*g&3C!Q}5hZ8k2S-hy zB)@h7>g?wwua}LD3i28BZ1_+gt$Mt}A!{H#!+klS%>Ig5DH!-DC ze6~#O-`{(E_n(Py-75~(PcE?kO5V1?->?FCEZ+tIfuVbsu(0RD$!Q4lqt$pcp0|m8 zMQuG^8mrrTHC(Ul8r-Xo6ev7!HfN*JJ7Qoimx=rUt}{DG7v@&y37G4~hb1vs9#iBFbJ2VvH-c-N z!F*ub7Z=BD(noc#;+t%Fpe`XIAMwhu>EmYzE@G5kHi#*KHFUFvRT&$3q_B zPOeD`mz^Vb`Zi__oLS&9%Hj%bkc^3rVH3t^RSWwK==Ivk@`aIK$kHw=ffr%XAV#=e zCSw1upermE<>yPv?cASndF>D_L?ex*tTEgLXSn60wkxFVP_HX!r*6pOsgppBT}>6l zU)h#t8rl%TEZ>+Qa){@@*BJB=%|#oaSd!i>8ND8e+8Ce2?SAH@mJ@?XGa^AYj+c)3 zZ{5KHF^>g|x4_Gwjf7NZE_0`>+J#9Dj}?5McGUOwezFDJkFSTo_10 zVK~@v!A}2-(Na-W=DeUqkO&ey3a|nP&zK4m^x$Z|3+ThE=@ER)I393Edr|uTKyD#u z{xw`?dJ1~fhfWhJg1Ma8^K~Q>+SNNNQ{YyDy1$;T5Ag6==J~B~|MDcWY!BR#VKmSl zLFv0e75!}Wa3KPWxqgh?F;y->Mn`MwW%b(yyw!RHe2cvPIKQ1g^zL@`oXbeQ81U|9 z+`IfEZFxk%=<$Ji@Hq1RZg~{VnNG62b#Q>>@^owDO%eC=adGkD*F49Z%hJz$jFKh4 z=sZK4x1gk$*@zmmTA%XWVfdq~_Qch#A?p8rc>G>21GUq?UqPNWN#GM=I|N$oZK*Nv zee?43nacS6<2?7hmb{+bxYm2Cr&l8lrqT1W_h4R{jQk~e$3;eJ=yM%2TB^iPqP{pI zsGT)^dGlT$z=gT9y_>h%`!DF$B+lT0!b9zF;%-)LHY9PuY-3PAUqQ`BIa4wYs$wJb zaxT;E&Jsz%pZlaxRh_o;F z`q8LfLg4U_ULOBaJpuA8(#FB58|vfXv3$J^OCNv>TW7xuc)7fQZZ#NE_wVc;ueZ7- zR7lx=W00u-MR`kF1$0gNBz(KQp5UTCPY(Fq^7>%-TC|(u*xEo;K{Mz?UP)xj-oH(5 zBk$7~xpu*vvcHHTs++%}WYz9Z6D3&+pNuDjn(nKT7U0_oGag>^o3J2lq+=UdF|dwWaWjs};RGdw&ZzxwvNz5arLy z?#s^3Bi2O1IfijSniNfR0}~E39q?pA}Kh?P(mSR`)i;?B(aPvnKTzz z8W>w*Y5XNjvgZsW!7N*mWcztXZN_698x&DOXHtaL0=6$>By8xDA;@V_I7Mk^=MyeY)ueo zp9g9L#<7h~V!0^+g3;`*_tL^hbW^kq!p!mEonn2nf?2bVL!WTLSAqY)tX*r2$`ots z)=1*j67$iv8%Y&wYxOmRw&boe$5!hBoBS~WBp!Uo*J!PgvHtHA5X|x0Dkn*TA~3eE zx}FiUlDPpoxX_OQ($;rdrsStXv@of`Xv~FRpvfxXuWgK#FPL&-Pt1 
zNiQ##;t08!YY3fpCH5XIO-{Ohk7p13NXP>Tyg)&M@pf0>Ctl)u>UpA3Dxe|tmuID8 z>JDZ21{)m$A!IIm-%njn!w*Y4jPJgjxj+x|{3V^7z%EIA!qnAp#5s{6VicMwa*;9p zAPWID(!}QKVJnUc{}xr`%Yk#MLpF@KxR?}SDV02j%8E2vPu?hp|1a;TCV3Yu zcR>=lEuvV>8PLS$ypT-WkVE9;=75e63NqOsoaF)=GT|Si>?fU_`zivb>c|8w;1pew zR_}16#)at+ARJK=#vxU3F$%nCn&@EK5j{L!u^Q!15!+uR8?((IhMX8w=Mc;hD44l{ zexpHXqOv@UtG01i94>k1u+X(BMAm7=Sj6om@etUG zxTmBNY&JLKYSo=yDOntPqd*SnzvDYG^;V+q4q6=yW6qw z$Y6%^gvSw5*DJE`T4>hD-uvWFw6MToQsbXP9)niv&z-+t`d)?c^36J80^Es@Xrv#d zw`l%;Ag{7${A^5Zs>0mVUc?K`-tjux%%#Eg(aT^-8d_8zz)``^<`V&P+_aCOPVsOH z3V4U8dt&-{)>8bEa8Ynf2|CR-$0CUuGy%u3sI+lv&8+Hj(ohs(;GW~vtZk$ePYGU& z$tk(!4q35lOz&lxk*mP#tQ-S;htm}{U!E2r4}0{a4rwsjhsI63bFPhWkM-lBp}JnX zTh)6GTMmlQ4cz21GXLQqzh2PIQJ*!+wWF?#m(Y)3{U;$Cw9hij;t#vY<_S8Lu$;>c zy5p47FGv?fn6A*OC%I^!P@6sDNA{Q0HzPIoWt;VVj7`~^lvHi?zGKaTb9Ef^;9L@0 zZ%*S1i|pp>-B$W;&R#pc|MpL{PWpr`=_9QHBn54av&&S;0-*sEO{g(^24#yjJL9=s zNLJER|JEL>JgKq0wW~5!W;T3AZ``~Tsb?>`JT&~Aw&y@|p+*rcE8KZ1Bft#Mn^q`& zvf7I*C1%x`-ROT`y&a37kpT0hjY-8`vCfG)Odtz1tqMP;olh^b{_ICYdt%p2kq0hicPMZzIz{|1`g+HtU(88;wPIPp+Z# z%tm``)|b`o9QM$M+-JQ_c?bTmybJmVhNl;re9vHU!*s1~=yY}!AakOzzuF(%AqBOU zI}evsF6O~8E_l~d0{4KpB)&xm6F&k0XuopN#<}{zWmn2x0qIugk$S-CBMa@w*EspF zDeUwD&xG9AosDGJ1j=-cA7|0nbV<=$#%{^!=dkqJFZg|>rG7~_C2{0KPWd4^FRnVU z=Zn730a&=GapWF6!L?kEn}*fNVyLNHZN?Y8<+^QM|5lR5){xB~>#VF15ZYX^1q@p~YO7dwD$cV8hsOPO|DU_`fkb{~F^>rI@B|D(8sOJGEQ`j!t z=&Z*OH;Mk+qgoHBLL)+%Xwya#Zt$%_yRT9IYdGP{BNY*Os8bWM>QwYlGljPq1ywuM{F+DQ7&{SoXvMb?;7Vm3O>8)VI1<6+aU9M@eCKXImvsyUS-Y_PWPT zZAq0hYnzv@SFyI(<#&FXJSvBS~5aYGtq)syH(Y@RQt~83Jj{c#KRG3ubkhCwY z9k+&pafcwu8H07gsu*kx(DSR*+7_|uT}&Ra6pNlGf-(U$#2YJq0t9k~cDC|KOeB&m;@xk2q%T}0U7_g_!uCSc>8iE=i$oP6{s)Pwyf?Bue|NlY|NJ~Yx}bn+%S~q% zF3n?le!hW)CHCLkQX2)JvD4=rfJ*;gHaZyZ{}~sYkFTivtVKjnqUgAl(r`I-U=Ye| zN2Ur=8qdDUUTt24gQAhE@Y@==#3SP9M2iPe8o3<=g$uU20Ji!|Yhpad#PFz>mUw|R zHY4K>Xq?~V+`LL2pFjgciFVGzxk`1)vuwvbE$mOtr72o5j>--PO zRByet8u$b>T^S_SKDe9l^-N`KO*Jv)_eXL;QegExE1Bj&!rLLdtb&Qmtv1W%soEGt z)b(j(?rRVlJ0gKVVIZS?CKU`i!CWV0{KzR$%*;g6Yxbl{CqJUqYrE?AfT+VvMY}m> 
znm)+fkC*UQlnuLsovXM;NEq+)dd{C14B5@0+qRpRNzg!-D1i|Kben97%r_&06+2R3 z^keLVK#xY7+zvhw*6f)X`aUDkt^WuX$a#sg6gdV$ALRmW&eFk$x}JvADFz4tSe#`7 zU{jI{Xofyn2(j`TPU^h@Vg4XM(UEBdOtO|Xv>!HD4j z#XM&@2U!ut;9)$>N%rj>n|%p2G!Nie5Bix~kI-O3T&h=xuG5KYmJI4Ewi8MkJvfp< zX^ng#!*I#9LebU-R5CzB2D_m);>dq!l;Nl&d_Kcng{$0Tx2I42CUf|HY|Gp|TvXs@ zy<7P$GFATv1(`rrEN}vg%bVJPosPic6Pzf?E>&13M;&YT_$=OSPu87yzGO$2c7q< z;ES;3`2PT^G0*=1)CQ-u^PDSccqGs_n<%6IC8*K=5mZ=WU`}EYxMBTLfQ0mH9wz?( z08}Vi+B(D}X;EVz%n`Z}!>qLvF(!#jv)F@?h#Q8xVpj~q)v>UY5k!os&Vszegqp&F zr;ZuE?4OiO)SW!uwbMJEA!Z6rCW6*A?%#TFI71dV7Ek7&OmSlOe`{+aSSC4l|FnSq8 zUwra*+cnmJJhE8-{D2%NIwk{04TP~j%{;)-RnwP@V=k?EiQ7d$L|5P1E+|n7+muTj_5AFM#4YS}3%km6ak7JyMi8u^hZfG3A zfaZF-mD#uF+C!XE=MYyqUCay9li|pz>kKtc*-yG0Q(@B31K9-RqIzq265>6u&#BY^ zb{Jqe@EWOBC-(-sjSWc{azKOkH~LZLxY&lC!o{1Ffc7W7mEYrN*uffww{~OfgFt%Y zRoa1F2XWWRiU$RQr&G6zgQEm8fRY6T4^F5xvT&wx2wzlx{oTL#?0vrq9VkGyI|r6| zHqf92b^&t6%}V4HfgH-as7v?OEPV0VmDj<5aI#28gBsNaPeD?KG$nO1aY8Q1dNq#} z{98S7lz3dG8IxMZD`c+)IK!yNsB1Q_7sXa|fAzYkJFuJdA>4Q1ItDnQ)Ps%%Xwa8W zD9!+@#3@JUKvUK#ZR-0_XAxM^EEW7vnO7$O7><$mxRb_~JrWJk99i zl@K;-Vy2iMHH?eMFxN9WkS^fmLf>FuDWVk|TJXK6yk4-~z3Hc#3YhSA2ofQhR3 zfnk67WzKk>Vmi}0(^zCP zN$-O?s44)j$n03E;@9}VR ztWR)N_2S6kpgCpGLn4yqNCZNy)*Za?81kIxI~CI)0-H8z0C@>UR;TrNp?A@Y)a+^p zZWNC@I#CFEF2fz4Vr*g<;p2CW$_KW*z7)KP3gLdi3CPQY`%+!w10|>y3=Za|v;&dJ zPmT}JCq}?Fn)89?jHtOusbeGCZ|I57v<+-jJz}!47IZqph*h>iUnI78J=6dq_M;Y` zp?CgYD5Fy5%qy19-G?^#{>CAoF3hP0W|rZBj+B?@^!iOH)z?l(go6V|$Yqw_##? 
zl%P9FTJHW#EZg*dm0L|wK8r*Qd&<$9V^a#Xi)tx~MOH?|M4N!2Ck6IDPrAGw*~C^G z2G;q?%^?}@P*yez{5!=EIXp1Twbz4^JzUj|563b37@u|ZOv9A{SOj=mAL%DC{)z4fzyYZ?$*!^tMC1~T>SCsQ(dGGemo?_G7i@D^=nG_Tiw?At%Fl5HXvaq4w zP71k@YtmD?uab3x38w0=Id|8OZ_KsGF4G88ck9^;6`?}PF4Bcr0;3(r3jcI9Reik} zMl(Eo>k%m-=ju;H`w@q2F#+eT>1k*(_I=!4&J`P!;C#SWLqqUy+~Z9KnJqP+!t|YE zbA~*Tf5zqgzYz&35Dn;t8n*PO%;KX_d<5!#`Z_KMZA!yhx)O3s=Hb2kmwe$_IVQqy zS@Ua(uc^#f5!smua1@cZkC9d+P0Dz_pyhp%x|z6&2f87x^m7n}RNpm_Dl4Sw^kPy5 z`rXbaY;h0cGoRQ~t=LX!Ly-_oAjUvR#64N^-tF&)Aq6?&q<+XzOO8}Zw+ZePX(;*t z%#n)u$&{)=Hv2ew;kiVkUwz{2x8K+A+jfjNW=A}=vf`L%9fU5sk$YRxYvLh9k?C#* z{=CB`yNTn-)_hsv4r2G7As`Y$p!?}DS#BnKO=T<{F;ljr=L+?PtY;EFm<%IDPR`2$ zJM9LF$N$}}R#+R%y7hKW1UClFYXosS6pz`lD}NuH7EHw0(Ovw)^v$x{^NMUJBCB2* ze48Ah!F4no{EeD-LzHK3bGsxe^niK#9zOIFSK{sXv9*nG6{D?>(qSh7rq0r?_2cOr zu#z`;v7*$~NOSeVwjF-Z|1XcIzGd9L8yLA=Xf!mwc1DnD`^u;)ngc?Q48BU1h#M%R z5C&)5lB@Qe#)|*Tt5Bs}K{`c?ned2;oRp$-h)LiRA4;5J}jTvjCIvA7ornX z?OcRqHapE-NOSm4D=!4>(&j7jIfXXibSneha7_~{aor; zj*n0SJobPgonuVHMHuv!;Qs-kKwiJcY4I4!O=;pevrbAsHvKBl$M!3CvZyl%Cv$L2 zWlzw-P_?O)B!i~Ff%ed;P8vo=uc~vK;0N}))%c+edE-}^Bg4n=Y5u+(p~x;VwwEK7 zi2UNz7KQeSr0xtk34p%gHr$&UmKBsXQoO|o;wC=&exwzg=|hmuFK*ksh3?3u4le^n z6i34fOT`s#VXr}}zs`p<)xxOGFo>4qgrt590{dZfg(0YDJU9+u9vix;mf#_3u_PD7 zens~K(vxlvC%h=fmvb}-;JM5}U7@2Z$bpBv*RnhW_H1cBN zA5>RIgfTm^A{?2TY%@wR$HYl!)hhSTbdoFUpS z#>xf`k$24@F+_h)cj52A!K_F^KFJBfYZgkXKW=r$UZ2xL=~@F*9A|2Nh>>>+l*+>SXai0g5xglp?FG}H#_MZT`n$2e!#F;zK z@@E_?*nj5i7U@J#V8&xEl~>=ku`1&H{bLoiDzJ;JgtpLDa%s#p%c9_}a!K5oTgxiA z%O+dXUSJDC72_Q|TL31XacbT!Kor zH(1e8st>#?yr^1_iH~Zrq8l4vI06G=L%6OCgT_hibIxdI;AjLg#W-!9~6@EkKjnuZd6BuPt^TFUJDFeR$A{fHArmea!eRE<% z11yPhAr~M88YTxJhGJl-vkV+Qyp|w1zxaTs>#~-b4u|YQ=6l{{|J*Xs_G9Cb<5=;g zrZ+Uap+-Q&2<|M^#~2#@TaISV;D#dtD7jRcugM0d$+0WV8SUvUo1tVz#js?~C;=XR zVgVw@&FP8&1>d9CUFZxntQL)lL3K&DVyH5^B|}E~mhCs(10vYFLrTy&-Uniutc)#n z!n+ZPiK-hoA>JWS=u{N_!Brx;K7@+SFymAsECjMB@`JZBvHnVd`{tZO-5-AHUiB`7 zUYN8CEzw z?=J_#LAU??uzPiN`@=f9KdgcK-c5f1j9=cblkw9U7=L$re|~u}y!y08#@nr0Bu?fg 
zRhP?k&e2XC?0@LquaW0=s}7#O?_FK3kLOM;JfDBKJpX=p`Qu&hzB}mM-mH)R!&>;i zzw8h0d*_4o@qJng-SB0z)g6G|T(5`uPHoHwd=KCDZo2nBt%v=?`q{th4nC}h`P2Fo=ko2x_wU!F z@J!$9;CtQcYF*O)G(5k(SdTMvSR>!vLHASl#Nxme zs3EJxNO6!=dKFWF;?k71W6fw{LE?b4ln#c6B&^(L`M%*z&f+~vKv$4unB7&BWV(Ss zdXYfl1rlk=$80lDF+DZov?JMm2nRee85*-Z3m&Uy zDF>CPWOQ*f5`J)5v}coh085QP_Qljp;ZH$iL#&i-lIpYE<<&xh=Uaj_^MRPeL$wSF zMh;n-_HyL0<4u@p3`v6_!Fi&TY>{M)-bNqR!XL%eD9@&};kpzzogl9K=hRb{_!sH+ zTYuKWEVe9tPUx{|D?74;^sJn6{DcI*bXpq>dpUw4d|& zaN%0zn821z)>6s=4OYA+S2(}vl^ zDU4k1T(Q#Pgh|py7FAOJTtX5*rVyi9%opLt5-|jbxl1fXn&E2I3V9;=DtyI{qA1!S z3dnsb-MSODCdDBuac~gfAV#S>ffl8)944?_s9?#W6$T_^KibYSJc;al$* z7Ym!EnTI7Az_o@)X#Kc^R z2$Q=|R~)bS-6bImDTX0@6I@e*wVbNa9#2287gv(On9~L@~;3neAirgnUy) zHbNrcqEbExjg>LCSy#Si%Y!z$&aXc?3C}#9)(*geM2(xCom`X@?L=iu|!i$;c(w zQXaYFfRd#3QH8(}Ya}Je-Y02+ZE#$@LNB?7Qkoo0O1zZNo`wh5m=lq;x}wHSIWJH`j4Nir+Yo7NmavLv-`Df>)WmA}_ezUdpee-zLR% z%LQjVaGR9UK`a5D!jUXN+eA1k2-fUXKofpUNxIJQ|#^FmO2pQNS@MzgDjOQP}=*q(jC@xz@)K^~J~niv%aM`Hd9nFXV%r0a%4~f2YI9 z{Y1Tv$n3MK9OaMg;uS^&B|!?G%mocS4Hk@Y>n&^ABu%AjZVW29(g)P5h8Y9o1;UMK z&=(mucp0`DAM}c_k`E*!&AwD!!TSlY^B8hj;ell=IqpQYS)K1{Eb$m}S>l1E>H^6Z z^LP=lVo~X!ojfQVKuAf`?|=;Ha$ae<4K*=_s_@DyZXRERXL{Zdn;c8D@&e#OwU#xu z)y`Xl1&F|w#y-*!R1D%A>DV_sDo1wWRKn^<=oyRXmye(X-y#iy-DR^O;;l2%A>x2Z zt*$f1FUcn?5b&3@Or0Gja_ve6P!p}?A=Ct5Duinq&lniO?`)KnR=lm0g*aGhiyjwO z`Ixo8d7W^`>klOwdwcJuxyPD<6 zwKy_MQ`!y9@;(JlCss%*n|(TY%E&sMJS9mO_7lYT+>&IVm3&FFg+xf$xHJ{oEQ=O} zNF~wondarF#+phg$DoqbxqA>LQ)!}x@>H4#Ce>@zv>>Ax62?6bQv6Exn>D6k6nV#E zV3~2+40|E95xNtz61r15;YwPnQD`w_Wy{LRPNNN_LSyg09VSGF33cyB1f|hoHzF=) z9%jc+PHS>vJ7=W7Am73e1#XPmRe;8Lf!OoUZ~ zPwDpZqudl|%7-;4wu<*Ps@;1?HJ7{6Nyr+LME;JU&Yxk_8|pJ0(%V?J76?4pgbDaB zE57+)|NgHy&C&(u8p@5~L!A6k8Mx{grXB@@tOf$dz!(ez8RB+Hfhk7*yR)nOMj8AW z8nF2{JinsP{;oVv4cDNu!JAJiUQHSTn7#lokJ|VI4@%#MAyU&97KYbT~6D{9?1_*g9+{91OAH^Bv!@ zoS;Y{7&FZ<=cMgW-`!0jz9(k`!KWN(lM$vv!UP|&Z&c#VT52S_mgPKCizx)ftGE>M z&Lsd8c6*zrn-*W62Ffs(J_75z8a|kT^YTW+6fX#*j7jjt+u5enNk)Z%5JPV}Nrts& z_av1p6bK{0AZ7G|_yeetYvS>`0N@goI!dK+v##t2rOymLq0k0~C5jbH)Wu 
zA{Y#-rw=C*G`C({4_Qmc!}$@|k?ZdH@U~Ae%v6p3ngQPnfX!Uc?#;#hEh$Ecf7rU~ zkj-NB0gZ%uQK7QQTZV5i7ck&7b*u>M*Uku!v?#qYok%qlb|tOn7dQRTQR9Zl_Wp)8 zOfcANHlY&Uh$j<_FII{rx!g6|nz!^t+R_9JvpUlfrgaA_h%I8-^QDs`XbaZbgtec9 zdFP%0$zY0!hUZ|LCp0lqf+_SV5U1vX$wr(4rdXd4G^by-ht?ks$fY;4kKCas^$x}+C1T=K+Aoj_A06GEiu8G0s~%5q)G z*Nebk1?$89lQcrKAr-Y3f+pNn3PfS*cUogCY{+F5@vu^dmG?Dei#qz5aL75E4_StG zd`01=#~aSr)4fX|T+VFA{t&@(A4N<26*oeR@Z53zkFJ%`0rD?^h<%#0z`B;<`mm7t zF!NFZ17xo06XPCr)?-hHIz1^M`8Hvh1abzfh#(IU^2&LZy+0-kJ8Z%iGa1M!f_yM1 zQyDve4jHVhW(4AB@RC1V9|Bb-Cun{q6W_pTfhI zyjmRe%{%1r8Ij|TOB7zH4M~4JrfnJeLp^wiMuH=0dgH~fzrMUd6T`db#BHLE`5yoL zqfI`^edSEj@4^qHJhii4cG52eG3>p}&BBAdwfE2e6m&57*%~iwBG5b41=+x2<86JX zYzaYGz#rasM6Z2yf^9#iUn$COqKD81wFc>NCQU?|lE>pY!kh@;_w>Ur$wvv8-xHKl zOm1P`3R1i_HP`W+vERIf+->GN_G~x{nfl&7j)Mn>V}`d6_TmW+Xv!%|> zPoXHcI;~Ep(Q4!W<`77RkrFfs~=XFDVhc6)n2VzqB*3$zI#pWAz^ z^)?JPOxXq)drS5F9Z2Fe{T;}&F!5F=pq!KUwkUr??ZJ@Bd3qM~3OzOrQ zY@c^)i?v|ub0G>}Qp5WtO$y`;1L2znYMem1wrG`-o=$`YiyQGpd-~3H;i2@@CqwTW zSPRX-Wl<(_x`}18Zd)W6UL{T`g(ns? 
zr<=T+AfCh_-+fq%<#U}8ObZLP6trDWM?t6CCTBFkhAD`So6G)SYX0mgKTg%LrJAlG zVU6tRQhbr8C0Oznb6m)aiL?*Oil@JO%GK3*9$O6azhfK-^ExE(Fmqg{KtA{}5-7{G z9}#Nm`*ZKR{r%_X=VpL-pHbQu^*PV*@_%wxnwJ&KVC@mIguc&EnE-~frb2aL?-P?V zXpKIBv?;!nw9C~`z6~<~eK007mE-rI*=n{#kV~410L}MOOR>c+Zv@@vte6N9b6^=; zY$5U0M`K4OfW4y@EJ(1(Y|mZz2Ui<#py1HAPiuZM9Ma~bDdn3sFChy`Zu_9wX|`~^ zip$3QGjyV&fe$dSIT%d2&<>UNd14D?#G=T}X}7@5;Xp#SCf_qaHRV-&3%2!yDbilJ zI5z^2*kqLY4qL`RoglWqR+=Vkvl0`X(#L!q8%~A<^DpqcyOybXS*S@e1p*|_1Go)G z;v|4O1yCsvo(05%<*{#BCcf<&rd`N0F334Pq)1t~2gd6_h{o_flY$pR%djW@R0gyQ zQG_-rHbXbRB)YyU{2FC~vFMsq)=x1W{!M8Ix398(mXJkD(8mH4L-a*TQ5E=7Z*~uK zX8{whR3CVf;YUn02UN||l9(`>?0s&t1ai?kppg3HFqh4ehnHp=OAwP(Wr`R#@QDeO z*qO^G(Sib6&LlpQG7^^Zv;|Hev}u!spqk+c)9!9oYTKo)&+)qf(PveK*=@;~g1lQk z2bneyCHuzoXlkgi|82(LAZn#eL%m7lVgM*&)3I z!IIz|q{Ibhf`X1;ew{-~v=RFhE?J3&KSN?UjZg1>h8JM?X_cQu5p&!bHeuz7Re&Ubz{s*d;}NqnCROYeP+}!0M~*9tTAY}$wzsgKc+qg%Q{KYH2n%qL z?}vDg$~7tF>?)AjN9?EKPvLYQ^V6~ZAdnVdh8`T-kiG!NBv> z$>7kU?IlKst8yzQ^GNFHQtL=+vhHA$UF8`_V#AWOf*QINsL`e+=#dgmVIik1Lrm-H z;HWy#DbRQuUZ6JZFFbdDWZL_3ESZ!^y{IhG0D~%zT8kIeDiciAy3L@8+Coo)L5o3C z$vymPq;f?|X^}pHP@hbdkR+vk6)ga+Ik}K$}Jlh7w+wSCT~oN-z=D56)qN z!o`G5$GWm4f?~H~!lVukGgqNuAWcfl9YH}(A+-Po1PL;>X|Eyajn)>WlL%{sDq)e( zYAo>8KeHJjODIlcb;ZnNueKpSY`vsIUN=vP8mD4~prk@opl$TJXveBZNhd+AloJJ8 z3-y||sf~7tUe`uBUVXL@Y1(9Y+OZX~Geh3x5` z;vzBa>*OTE9CKQ)1}vF2Y_P!Z^l&9~fiZ~TYBh|^%+by93&f-o<@khp5kNu8h(a3T zP6OS6s`L|OI*Ym>pcZ5qrpsf%K)?T?3gv1(2qRe9_25h871{H$K61^uF@5>R2>=I*pxe@V8i&I+^+9!I5nw$hc-*6l5 zO%2Op_Ec58#R%diKKg#76}_qM7q@NFx)?<2SZRYXqBt7lHI-1f=sOuJ)M|09g{+X& zk3nERjIJ;Q6^)0as6#Oxq83YXLF|_nnq;{Rb5(DOD>G1?*boVaXgnE+$Zw`d%7s4i zNnhHqM=`u$mSW(8(Sy~CA%3mEas%=LBTP68E=~nMv9k~U7Hy3I zcGy*yFf!%h=={Ors-oo;Y2?MkgYUMkAnr|BT}|Zrf^48_3OJWo4hqGF*%guHBf1sG zJSTu#a$Islv?a$PKLlHDsul>WBEs>w=E&(XNNekR!T4u&UNa+_<(SR#GolZFU9To8 zS!R-#iZYg*O=W|IB_~(0_}_bcSJtW&3h!ZNN(ICPqIZO6Dvc_rb9k=FBq5*V1mQIcCDk9d3cfONP7kGP z4NR3YrG)}cC5?W5Ea@(SxTrU3RMLnRiUgIkoY~QxXnjKcU0q10oEnq~&Xm-K>?ljW 
zjtI)7WjvJ`^^6!uSyb6Uk7%$z+N+CnTvITvf<^t23`XNV4=!^<9+jo5dr#g2(Yo~f zeFghZfLzVyvkcM zjZ&OZY4W@})1S8?#d#b5v(Qa{=sS;wy&bkl-t6J0OOvLlV??V-%gzfBkehVk=3J+m^W=Rw*8Kg#EQWx7XfXfkpcoTL10Zz~ zg*aH{rd%mt`6d|xTC=GL3V;;%B>GwgV3OGucLJjae>oTq zy8Z8m-K(qHAJ)nJVGZ2(Zu$dY{PKRCjGxxP_`BQt^UI6j)u%Nw-fq<*aWXflx?HYv zj&|x`|3mkFjXbwob@2Rs@9JuOJa=m0`TWD>`S-)iAMbki-9hj6W_|o0*24e&Wq)wr zJ0Gl%@6%fNzPurp<@)kweXN6)*CX=3eeB&|uG1!huGb^yq}T;rZ>wdYqZV8u{)Hx}UlquLi*V&EWoaZNZsSc^`@q-wi)oA^P@oB2z6H zhK*`1mOpn3KJ}h^%oYJwImwN_DW89S%fnWnrD_@`M3PUGPn41^ zQlGgeiCDv0_@lTQ<=K=rT$kde6U3GOoO;R<|03Of>(6?a#g?Vd2|YG#Wk;5fo|RM1 z-!_rSBBk_*ElTZxcmA~8xF#A)hcN+{)G_3P_H#ZTE?lb|6WFrJT1q+Kfu!WCkq(+> z(+;4d#Al>HYDt4nP_vfV^cj$pyk$&O?WF>B+Ay0qg^|mhD^^;ZFiG0TqDtzYOGx53 z7h*Jv`6Ap{B8C7lcZsD)GhD4&Ax|VX6l6BBbOB24Z=U2(kPcb9}Pq!@j*K z)^hG@Q8f79lQO}VVU^$tekongx%*IwYfO25OG;C)F(e`4MqzAnSF(!P&9I%^a)uyl z@~slrnP4nZ_j%&a$c2;CBfKjTjT|v)wA^iKgaTbnmaCJ9!kGF_V zEgYjK{P3+2deF3b%DmGDBY zO0msl${8!p(b&Vr#aN19B|LfNuT}XNVcUEb2w0){Q()dm=1cO*B1{+043cnR8iESO6#Xkd;&s zR-K7Gj046?y$Fi5ly(hhDUCK(A&4$5&6Hj~m0A(9mNW08`PORl9na>)TDN$aBufg{#PN|3!z(gNGy zxO#Q_aJ#*fUrE2xjO&&Q&UoN9DW!v00z8EyS%S8Sa8?kk z*{gsi3TgH3o(`+w=tKoGQ2{o_c7jFWP$k0a`fkp&hBPH4+vI0-R)fMZLr6CQVNPzb|mh~a&|uXOKv z<(i*GQ;bI6ND1;{^P|MJ2O5>x`0&-{!~jtR5HS0RdL5D3XH_}MAKS$%j0j4C6h4^? 
z8hRQm80FSm*0f2QO4r;NRC1*cs8$6z6j6sydyR_mT2V#z=dipYiz5Xw+IUmfh~=Fq$8*p#5vNjZ+KLW z?8K>r)sN6K7SS&sK?%M^8U(w`W<$hVXQV^K0h3x?XN+HxPgo$}FKL-NJ51!-l?P3Y<=?kW@DNbn=vu zbvk)Uk}&Kii1E24$v`Xll4c8ukg#!SDzsS^EeerJqUAHq%TbLrl~RsDC8=}wAWEjv zL=EMsG!aay*Q#kjMlmFedmg0tmFzcbOv5Phj>o_<BjZXE>y{v1~06c(4f*@LyJZ^TGc8UvZkH3(hr^8^eb<`J*y$ z)iF#x3I5MW6j$d7c`sL1lwCpH#e> zGz2hx0bm}r@d+N3z7NY0L{uma;JMrHT?4OZ&>`XPooQIQ7Z6}mpIDGj@SEcTYum{E zwg}{ok`7?xl3-kfNCHtqHZM8?G1Sorr3EZtI{Ep+hpk^05Fd>#bBV7h;1mWR&ldn; z2~k#LbYYucv6$#^W?J~gX3ep6*iJYYV#DV|H)^|00 zFazi1jfN>+5J(x5;ET7jO{tTN3IidA-gc4Bd{aa z-SgpXpJJG)8vQi`z83(SxuD&fi~Czrj1vE_b=M)A#pnYX3H72vWs|oI-(W6az-j7O z5!SDr5gut#dSyD1YAEbVTF)5H_b2^eN|rX@`44p|QXQaTb~?=vCRgG|!p%PQhwr4B3aYswaN^fTd*b2cBc4DI-e!cC7ioUx~Smq56j*^d1og5^Gn zmiQ}fgc#wuH%k2LU|wTw3o1&{bdJ!l zPsL=R!LP&=Ktn$mlY==z{`p6ne3JXhnWW!^A4qv>XT9vCUkYN_ zdzqVs2YYMppZ_W7;MRCy6G7goF31EH8E@-5Wh(~40{rm2!$0=b3BrDk9x2Li{2u^= z+JN{tQ^ljE=<&FX5anO|9{uqp_?12TonZ)xZDC#sVz@Rn*YTXO-@Jv~YUbPZY&ff! z`rbau$%Dfy!`p}X`~-(6uD2g-gCe%J)VcX7?DAHp)#)@^ZT#OH0=ytW4iwfDLInXo z&qERJY=^WO0m%057p`F-n9mT&hW9(dwqSs__oF`b4Q+vwJM7T*9&5b~qX%=Z0an{m zJ%0zXaZP^*5++Q%o(U-DhK_dU_iuZ12Jk&zx?|!FYMMc6@lZJ{Q9H zB^<{u5lRp^jEHXy}KEbeGAd zMQk*H4G^Rs@sZI_`uBMN-j1VrG;M-`j)!Cx6~NE*FM*v3CoVvaXdhO#^b8ACjbFYK zAc54A%z^JtQTB8cSkxw%f^@z>ZlB|(*b3+lrsmI{^5aw;TdL_A3DRV9l%h+XW{~t2 zb6f$XG)Z6kpgee7x~E)Soy*8FO#hAn6HI_ez=6iPY(RZj=o4=((|*LaQ{SI^-|g=| zKR-7EMEeZ$KHrB`S~8}>12{dgV8!&ZEZRY%bttxIp<&{N1IdjX=P^KyULUTYps!!* zFosflLxMWU_I+d+s@Mp*RY0?lVPTm}?;zs=GL;aIY%?s6=jvUq1 zl^>Ycm1onRDn1jw!VHOW(Cjo@G5dfq{a}nzQ{!Jeu#Yp9S6BLkRa%=tKbz{WaH3DO zm%Q`#JFWH^RhE4iCd+w2xPVCWXGpI4OJY(mnQ;my(xt${B@8iL5h73IH-6d^XMtf7 zybClV<&~uT65&LP=?${T&7iPZ*7S%Lg;b}Onja}ckJknaT>y}p=is)S!q5poL%%1X zCu02s8}7yTf1z?h6io?*sPr*0#fBpgS{cGqUYv#EJ8;|!)5njaAp0&45rCD(tDdF} zkZD{^@W=0nnZwH%F4_Bd6j-$^_5AyN=~4kjbWew9)0p>PlWS=3e4Y zTzxX96W4&hj&DM1JUfa zn=Q0h5YaAY&wi=`3&-OyR(TBHD9Hy;V3*CU|5d2NT zMZW`_rHKp_^@?4ZfoO)KGH^w!|~Bcs_IeWR69Ou937tMhb?V%(C&;X3@K3t{)dwBPpdT@7&NS(uw%hA))#ctukk^feky?UHumD+Sn{HM 
zcqn;uc+io&IX#xOX`ggt9CVJ(WcZF-hq6}fPU}p@dgrh$MHx~PygO>29?IUGoSaZ{ zt=~~oVTo~`&ljHW%-GQU&MB6>_q@94C+*|$sBJV_@LS{1I6FgY0tWU}HBR*LvC%p> zsi1D!6jjM`CaJmbKmK>+Job{Q8XSTZ*0rhgd|`}LFv`3QMUM{`E<)(@!-M+(tMhNf z4pEuFFW-?rf1(x#BB>7nbIEsrkRcGXzj36^`B#ClB5z47?stmx3*g5A^!yi#%1a&5 z5?OKc)5gN7oH@*zI>*FoQp+T!G)No{ z?Uc`SG)4>4@*5y!FAxJo5b?u86j*26qT4>hZcIk|lLg3nKWK)(93G$PhbJTbbpP2H z?E)1@&u}z&k9??P`6r}VciI{QcKp zu;5p;6magO<6eOk&%BFDXeieZBR4f9fR1)U=}{-p1AQ>u$&1pPf!g^z5=nwKf%r%( z14J7gP_LQ#Xkg_K#Tk>{+Qzf>qNoHH4czhA$#6Uy&_-8?!J&H+;>R#CD9|e!D@=5c z3kWdGWRBvmsH})*2BSuPhj{@0t}`RMBlVfg%4USW3*vwAp?CKS*pP*Eg8s!{7wctH zA?W>J#M=4e70$`Xn0a%A4|Cc zp5jQdcnVN~fS9?Dl#d)td(4%_kx>GJ?Q{x*=5DBnl+lCxXBBG( zF=?T4Axg6H;zahTNo*W`N-gpOtgjXf z6Tuc+<2zY<^I&sNwoai(N48a=?*Z#F@$sqSX8O!~VPgHTz=d?8{1$CCz9ZcJPT-BN zbI?`VJaF#lGv3`3gcRhy3HXJe|8&cV^MI|z5DLXT2wDt}oW3X|yAIZ0$S;}hDd(Rq z6}ox!U@>5E8-$^HM(h_T6g0{qZ^uT~n!&qymho@R& zG&b~;gOir39v@fQi?V_a+{S>aShO8LRplam)P<#!QJXpr{0E07L}YsJEoX$;a!YR; zh^b3%8}J{jCWHDT^8N82qF^5w0EF-|P=Nx< z^!WV_u>QwU$O{F8I;Q~(v&LNlrr=6L|zNZ`+a5BWc3|_lsv#}IH zF}8$3qXNve2$7PlZb=7_& z9<51ys7BTu3sUzd) zaHMG?{ZKzUI6OQtPR=x4Z56``1trp zYo#U!Zn{1=U^mc3w>CUWr2c+sjgH1Q<~q{kB7rJ1&{e5%3&-mCbkt}cYln@)LpYpM z4^^#ka-g1$w9^B>`QspkN_iGK_YBcd;) zTnsYOt%DrhiVb$2cfnoLe?z=bR$C^z!;VfSSRWbSIf)1pFb-|3P7TT2CU*@0=(o^# z2D?>8fHrwczKP9}v@_ep92}C5O(@8Lz0L|z~O7R5m zWBJw`qA+JW;i1u8<{z;S9`5JCZH#eEchuy&G~{42ieC^eAYQK*WI*j1G(q>H}RvS%9Rtw}?LJZFYk`Q6aFZAgq#3pWfRpg=TVlEyTFh6ZV^5F-E%EVHv=&(4xnWqwR-eoXW}LzA z4oj%__oB?-uqYTJ*Yon-X^f*B2Ga#~n=hr<)No|ohU;N(;>h|?w>2^w+xg|JofnV=b* zVS6T=X5(id!gi^Lf`%9?c2(;dvRW{8AZpBBDDgJ}4B*9+QgW)*rQbCPQABSPcon@9 zAb}{KVSC2q6CBa;0%OmW*b7nrUGoVR;E8eRX(}A{#E^t9mE>Cirr?A>Xw3gD>OHmP zU0Xk=NyA+C=__*H6?-Y_zv*cpXgtvlyB>ceVwE0#CdD3{i6)=p|L+E?3n;LmO>Gkk zr-2TGYP-3}#za0`sVNYr8fkE;hJ;I)F+P=G6mkYr!mvj-O zt5odSMHEWdi%-Px&#+r17w-SRy?0-38(H#%|NkQP9Wb2TmDC~e0^a+ydn`-tZk?8G zjU@M(Z`=w5t`d$Zfvm?MK(dr=4KspHIOqXtLc~oh)hKvB@yt(I)BPibA@m?py ztK8Q&}l*k6!*iK2Qbp+Er9 
zp#~Iuk%0(&blvfcRKpe|KfWO+XOvDmT@9SuCJKyBn+tdl9VDz%hnR$9#1ZjNrSM!X z)lut&E$l|YcCK~8c0AxI?Iz+Pm9;d35Mfe7c$OVVw|SRVUbQ9UMR>|6Re6T8{=f~qO?q` z=~wWZ&X}ZaK`eG-$ONEaR3N4Z!AFW0EbQiG=STPzsPM4`Ae*!${8v=Lk`Z7jCFm2W zfQt;EC`dXZxg^1(fS{EpmLEPQZF}^3Eup}#;Fo5ifDVR7$Mn^!XhCuqnY@W-d&L2s zK`DN)jTE}Zt1oE_Gzt{Ps{Q?2=R1=QIlo2o#Y(?$Z{z8k^*<4$oRxmXn};X4*ZB&| zNh|#Zpzv=1%(+?Q{Y(&YTYT)Vm|g1mAo${=&V+^GXn7xi|(W z3>6RgCc8{t_PUGRA)*XshMxBhdW!*&-(}V;Q-epa0x_)z$t@l0cAzHtOZ9t1RUQZ0 zjLUnx7hDO~b!80ZRk|nBU>5X_s2I|8&Awu|)7>ckB8va(IbdGj=~w5l4TBK_09wa; zeiur*jm)U^y5f@CQEDY(!OZwc5IdTaZ{q!kLIsHbm&&1*Xr zDjE~?})ggqjMTvLIMuhE7of@ts^!m8at?7e^~$BlM+d0}Kf zAe2r59Rcs3=O`rd+7muM)Q_R_-yZ~Tlm63-poU$2N$bP{92B;Lg10#tD zc5?hawlNClcHzy|7%Idif>f@B25WmmkPErx;)|>>ovyGj6${Ch!r_-3GL1C<{Rvr} zF^NUOx?*M}PrF`RYf_G&dQ(|#Sq7E`m1{@iT9asc+5qe+b~2?v5Q$oU-=k3X^dx>n4=)eC62WmGr{ZUPvivt)9FLL%Jecvj?ckzZzz3dS6N8cd#kp&T!;`|Fu z`~w{ek0(KZf)~jCG_I?zsr-VhCW^^~(6{Btq=io`PpFofk9wa5Q*MWXecJ0&b)9b_8?BrPb=F--0PmU#=sr#ma;qt!XxO0CYFsa&)V}iMNB200SuaFt$ zVnsQ1)5Dyf9oOa?jx8k?rrF}(kZkcM(=ciNrRT8>h^3PXSJ_tPs{vtxGaV*OBEHG| z&`(AWbd?e8Wu&@bigRAUF?-tby%=;Z38l+{oM+Z5qFnf}hnBF<98QmG+z7EMaji0) zEf*R|3`1`V*Zig76C6zQd20~p$*z6)57uUo(YSdwSwi&B;n_*7;b0w+WcnKBbly#V zjE0cf7F#Nszt;qB(qidrw`}DpKmAN-_;eLZ&!I#MYOuaG^-b|BHqYdt@#M2>eJR;o z#1!O#IWec4B01E_pIs2zU&Tfvc>NCeVq(8a5;vo2Me~EALDCZKn9=r1()*0VOK~|? 
zLick9Q_k6)Gk}O)Kp4c+7Gg!@h-?H%BovK1jBcYc)v?0vT-%CaKyQEN`A;fs3W$Je zyj%=ceTxCCCIT?G-W_&?cJs`exF*ThB8rM=19*wS1m<63k|NEp$n_aojHwrr-=zfF z7uzkWS@RdDvZuW4q;C0$_cYH@n(_x_T;So1b25_S0GmK$za2v8)%xc*U^SB%GDeWt zCY|kImIJ77Wket|VYe0%C_m1T8V0xO*hc2bjM&MGl@WzGVgl2KYpZdQDN+9X3M?Vv z{;fWX9pv#$jNvDJIn@`Z9zWy_B19+|=_tNCyuO~>*C8uju#-`koNH>)FURZAcWE_I zOB~_BGwF2v*|-7N5y+<^0?VZ}H1#Z4-%ubtfFlsWnmH5rmK=jRCyPW1hchcDp~$%e z4ID)IASY~Yi;&YpDMNb0GTO?ZjX(xT%wtvr{%v_A0Rpu}Nq9PRCbhzh?saI53`H2R zmRa5WS6=KZOeMbJb@OlJGb7>Rnl`wf>?x~S*}@p)SQtzZ6^YA{I}&8}XW`459xhHT zd81u*3}lxiZ(Q7K!~r*D zQ=!7#^A>64PAq;d@SqcyGRT~G$EbEVzb02=`bon(H6;SA@Z($U;_b!7$%psa#pU7oWqQ%G)5DYZ zmv8^$QakI(xX^w%Ie+($!}GV=A8*g`V;AY=FaH0F z%eU{ev$yBJd^mr1`2Ogv_U`TF`N>g6o%6%Xx7z8+yOYb4_rGd~XJ@A;Z;xX}TY6g;Wxbs@rlY4IF;_d2;dwga0!*XF@qQt!y zp{b=BDQkcp&;?gWE+zOXxx8ZwJ85Whf3)x@whumsDjMf#Nwy|QSV-b45gwH^m=X2C zQ~F7{7}GxoA=li)1PqMno5J5)W#cDv+fS+umz*#uBg@qEZoNx8dU{TnM-Ly9L zm5w?Jt^(kl@WrZ;O{G|x`G>`_5}AQDSOt&~atRXiZ3kq;z7+fP2 zj#}g?k92`1ukSUN+=GJ4o)&3Fo{JTD1PQaKdHIx^r87-%v044@nnc*Z@|^5OJ|4&V z4`DK?uN~^_!v9D8-y(fwk|5zr>MEv)z7*HjBW|W>7Ml-9AJ{bfTp{U;LNA)Zi?{Gy zn0wiQ3;l?>-F_hK=ojA!Tf}@udPtZou6`p?`volk1 zy6_a76Ov#XkY6kZ+e*N5-01->OJxFdggI?bm9vJ<0`=D>BYP&bK z^npGobFH;}goTWO5y3*oK~1@?di@=V3`xaM^CQk}fkBaGALMr(#dIhr%t&7g3VonC z$x1<7QYiHWEk?`nc+z)Rul@b;6dmDo#%)8Zqjq&mJ?IPvqk|ss*n!dOjt=^RzHanJ zU9;WmmEktvGAduv*zNF6cj4E>CMy=FeiMwBm#sJ(idO}(8sUX40qI${%4QvtNPExB zzUZ4Y$eh2Y==i4)C=YS+HQKw{V0$~*!cM%g$ij;aMq_geYB(GY+T_n8t}I+9L1bg= zPM^1chgz86s|o*LNu)z%3C;i(x3SUHoivDgvE_N@LO9ACRAwj$w-Ylm(zAYejX*#u z2lDF8>=WC}=G?u^gmmR% z0l#~#K5X`h4O z@6_+<_Z$CQw_W5?%KRVvIqicCj?8~UW&UrjysvW%N$6m~a@lnp`H{y_+T>qc4xAKIw0GK8=AU zI2@Q^Ny0S}-7d6J)b5Pdm3&Tm)MLH0$5G~HsoQz#AgBpo1I=vrVwjzcfgu@#r_1WH zBFFxM9;#o1+j$d(S)EsW6uv$=dvWY6bUlIMOHp#XX@+`Ss)^{&b;rT%hEEC0j}gCm zFUb@_>PC{iFRN(wgMZ<$$4?SJ_;SScGP!%`3vuU76Xru@K$us{5N#&os z3OVP~^#XN>*!OfL!kDJG`aoZS1LJiGTr~l^`7K~& z-GYdmB()8F=Kc{5irQAygLVi1fB1#S8QMiGV<522hMeQ%2FAzRoq8;e{v1Pq!Y6R2g7tgG?LEI=Tm4a8ot zIv=RVZChNu}CTR_vsyE&| 
zm3&SYtk!?}%75JG&O~?Tb_!{rTHHy3F7mVhN&a$%>v1JbNrqfS7Hj!6IYkIMG^ISq zLmUxI|FZz!Xi6!tRz71XuA0Am`O@SKx7e3jdHZY$A|bWoJeUE$dief0g)WnM*rC)X zSpkWvlrK8$%#5<4c62KLT7<`snJ|=ensi+D_)0QBt2Dp(Q>ZTvEJz;nGYHV%GnOAO zBdBxfdSdTm0)W>>>6}^>U#8Ssxq!twY+f#i^(N5UMcFSaSw?K~y1!>g&4%TIwV@L% zmwX{^%V34h0WQ&$*4Z8{gTQ#f1fA|0bqh#)UW@S?XRl!OtYcs@I{BW!4{1yqnB9YR zPikO>hNaLGogLgfUrualEI?r?&KXkuy#`n=e>PpC&O~)JVDnTwv)E#gh{^&dzNM-$Bkpb zo}ylMjUS@bCphlD5*(^k@HfjO$7X}ub4s@f7F~pAL48g6q{Wp3-zAEgh(2jTTs8C; zbK^Gkzm{{GDkk#IZ>jChnDSK%W^Ur$V>$j2Vg>$dRO0jXn<6b&vmIYrF*8ay?}mMg zYR5+K1<5^&vdx$n;}C2z~F z;?f&KngbknNU)1C$(<14iIvEvgp4xT5aE&1N_DJ5>AR1ZQwEN<%bGeqSU+N-=Qq zQ~PR<)w$HKBjriFwC3pM!iQ4L1-uT6LUfQB#LUx@SU|baeV``Dwn_rzqdyac#ZxI* zI{G_N{0w;=cC+-@NAf|U!YT09T%Wx2?ua;}l_U=n6@e|u^(6Y_kX$xEYet^($BDWS zEev|getV}=P#S9{pCvmtckf`+er>XBtayfeq;nCkN#`~tOc|(SwyAGS2B~!@xyDzN%KEEoP#ualB5if>kN8~7o&jbJpncqOy$P2-a5!1rs z9c(Na57~oWc79t`{_ScZM=y9K8%LfjO4{n2rHML@09I*R$&`&GnhLZgwekhQnzoB< z1VCE)wpB@NN#*4vTT1EXGc@spFQ8ml+`rRjGX(XEb{wF=iM6V7Mgyb~de(*OIw2%B zeG5)DMMydjK;QwaLRv_xAwwZbkoLhZK-7neU-Vmda{ur|acimwZM;q@aVgxE#?h3M z2p+;FMB22x&s$_LZfF!3EVMg7^gPf|ot#y3plFULem6;h;mTf!YmF6XVD$J_dBFHR zHOo2r0**nupk}x)Fn+=nHxDX0BJ_gl%1>cf=V7LqwO`F?4z@8xBuG%_;V1MBxq69i zuL_VzjwC+Ne4<ZdOSZ1C_oBy|^SUZ%bj2}v z$lXc$=ZL4#wlwUi1{U^Bk@-M=CpI1j%&@X}sqBhsxDTe^ga4HmjgUfau1pY!7bZ`y zFCj+gB+b_nFaOTJPH6_y4P+BfD;Ythu%YmoJtrKL-Fq@n8fUd2+fqs`K2d~PiuXk5 z=Q$Bmsx#YOy9hQI>`871Br+l6CQNxhhgF!)#H4Tt2GI+!@vGmyiTv^XJNWL|2^vhg z@=dU!zkg5Z3Td2!HAfLa62Wn@stX4Q60`~LfW8BTrCM{RcNiiEOViG3nE^IYy4b@^ ziteG)u6ZT`dWHRhBnm7Th;tGz@o_H2>cnrekKPBu22}XxH1FX4dPMy}E`lyX5e)#L zsZ$<^CA59y?LTSXr>5BLah{v@_Ke<0)XSi05>@9bqIaPB>>HwbHeICF%kwX zElL8fLG93Ucxm^){}Wbj7|3d?Cdq;9N8S3yWeqeJQp>D$H$| zfa%f10}x&4F8N4Kt6`-h{l$jR1&%oM&7{ZCt#)dGLuZrmbx}`A)LYmo6k(N%^n#IB z>-xC_w^d{UiiBmA_A|0(>u{}bEb4HrJmFfagsAwljz-EEjZ|Kg#G{l_B}rkY@yZCL z{6vTGN2?;2)^BqIg7UdUI;krnozyzgY15HT?0gK%zx1*rp5pAsDvDh9Y$Kl3RPi0} z{t^kWcq8Zq8#Av0>Xtm|*OJqqi8XwVO9S zEVY}rte2h$h5~-xbAV1Pmq?k5g*{94_SXLA+W(y7irW9Y1^;s#Vgz_?TmENtP5-lm 
z^tJuZ#ZbqG@jvH8eOa@$|2Z6s+W%bppC2h3MtM=PDgSc@ZePL?oko4ogj(DYU9`;& zNX+Nri0-a%M0aaP^rjurAE$`=SeTdXWqYCHyvHhvEca}^(A`ua9`F8h^g;`+%T-x8 z*lNKvhMUdBAvFAuzUbik@J6`qsRww~#af}0xKM_T+IJkAr2341_0RY}Qzz(?IkEm6 zd_nvyWtfyD#eKm9u?CVjz@P=!NlGnxSdpJ^jvvBKclWJ4?YLb>mGp?;<9n&3WCflo zQ=cusKE*7_>teiNi^;x-RaaJzA5rs|IwtN-cHGLHl z(%1G?6x*9VjISamHo%&#eHGzY)V_+^S5X;XMP5;|DPKhzs8hmGkw$vZM7Ox3qG+2N z5SLHWQE>zDov^ngk(A+?K=Emv8~nj@gKM|C`Qbu4*8loz0uG^j?YD6Jp&f<&ROl^L z&&gM@n*FMlBV4v-ef`e1E^K`cqvYqa*gI_)!wgFuxkKaZ!RB8h1EO^v#mis=>VvKS zkkI%Z$@V^0n%k5?%!dPVZluRotTmliyh$a?8OkF9%jX*0!edzQ?eXBPFx(2E>R)?K_*HU|?ZuW+~zBO$3x@M<8=!|u-t&yYK zZL2>Tv~|7LGy3LG9kgv{r~^U6p9TfM$BY>RE_1L(%U zYLCsXKG4&xRRu zdhLGKh8`JecVKmG3%c4Km^zST51c{IQ3tl#?{tRNU}VFjwvDl24%+5OY|HA8#}*LZ z(=9_c+D@m}Q=PuvX}5z9*p~){>bRGjXq3W9~iX@;|*g7!)I8?IfmYLMnHTo(v~yUt)8ln4GaDO zpC8%d@epRv)PXhI{m~G)c%XM-d<@6YO-pS%HuQgpT-5DBAHj#FDBfJSNRzD52CTTI z+V3}ey{3@=9-gb+W~bR1wws;4Dm+))!)B*9YIfRcQ*Gnm1$;YdsvUSSR+}AF_#%}L zJd+){&kfWiX8mrRy2f0e-?vWn<%XhRDbv?kj@I8qr3y;XJ7d|^}YZQ z>?ykApe(17oZf-wD|fE0=*m0Yy!oKegoGP#4)Koi)0`_i$?uRk21I<~&Cnp(BpEBy zqY0_hU=~xTahP&uqqk;8 zcGFSwK1WioN9cS(tg}$#*;uE@1Vy0E(pwAGYz=jWV^Kq$HPrb?P-l5b5{Ej|1j!nk zS2^0r)Yn4)Z11Lx(|*4V3I&wf&dq#S!Fh2j3)`)to&ID{MLzN#fXdwd92eX0;HXYWTw zZ~-R;$Z$Ar4+cZq?zcyMd)NiYsn-WAu-_Zm2HkOQp3TT;Ob=%`!Uso;Fv5cN+ zBeEDEVt_^J0Hm1!_!+v>?sTj+V2?ULU7fZGKj1UE*;SoxSM7DWmeDu5BV#n|4*UI) z-X2+ICv3?Y!Iy{qc7JI1#vMR_0rdlPwL4a!V|K3#a9dC9TOB|~bzlsAV8iP^VA%lb zj)qo%9s<_d2P|z27~cTFzAhlzJ%DZ1Hq;mbx(OKOz#KV_V-5f(?)TNvz&6z(e8(BW z2#44-pxk}c1iVx40R9QkWe0FirweE*0G~q(#=bx7!zgyzfO~c<(`s8?b6^=`$LQ;0 z-PVQPArK14DB!(gC}0f@=sdu@rej-uTkUrG4$Pqmq&Z`A(C@-5z`Tx~F}#CM^-O}| zA!;aOfDsYAYj<&QvoxBwHX?Kx1tA2v=}sL8uGHtB?M2g@U$YwY<_L^$70dq%{OK1osvA2W(QP=<|mgmiVd_#4I0;7SjC_d&P$ zxLUnA*gjYsBom%Rf$!oe0p0a|eQMey$sbZ>()*mqZkwuLz!OA!4(&07bE;i))Ug1kGX`w{1&0F&YJ?ca z!MFzzdYy3_Bx}zBKv9LLPZnkT1bvkyocghRF=NVErd zAi#!$-p~L*Yh*Zp!i|UH0pN7QA&XC=F>xuN)nayVJ@E{^`St!UepiAlgbpL#I^*V` z*X(r(_6FUApt@dDRR_&61X1oiVGxTURU(WPu+tNZUwix2aVHCQ1>~avO=?^I?K)ho 
z$`DgG)m-gv3u4M~uJ#c+zc$2_(fGC?rkth^Yqo}%!m+3!rW#_Z48)XIl57@Yk{Z`f z3uDR{xF?MWQZxweXOF$bT1rY>OED6iL>`3 zAxxN7?axNr80!$6*6y}dM~9H9@em*-2)SwlNaUy%#DJ*~R5pN^Fw+{3dJv%2$K#Si zv!{10XKYA89sv*nIH}ngjGCQZrwJg^lMYUj;5vK`Ygng-bzTUp(@V7wd)tC_dXEO{ zWOaURSSO?LZNWM@%?;LU4eNwsQNubltWz0SC$A*gEUY6lXrC6UlQC{j8r3P?uV;(u z^jDxd{TkJIAXMjk=`Y?a&CmAYCF44A{$mwIwtL~YPXDRmIw6BUX6#VI9`@{!X*r|O zP`6dfR{Q;N+wAvEqpw=JH5fSUPPY#+Kzhe=RJGUX_aS5mO7(1gJZ#g$bq(EYk9zIF zs53Gk(8#e>c-!t77>nc#dqZBzeK4xt@R>!oRzHZoEyKSn&{$SV{cLsXL>FRx;uhZ>~#=XuUPvDU`@s?K8ntpAX zz=jKbA_7w>bu8Qb-0XJnG#v;4A5YtPLbcspI=F90^v#8PJ%y<{oXt*-BOmr|oBC`v zv70l?`2$puJqLQpSus}M2Wd0fwt0A!$0*Uog&FlWQ zAhG_VL1I~*UmFt3Xnb3cSWZigHCsbs;aJp=SPh9)1`^9FNj3|K$@cipUeO-AF}f@pHu4y@T4q6x>MhG=StrZNysUP-c9 zh$d;BJ}r1AW7M8BJX5+~&la8;u7GETH9Ye`@XX=DyLHWrg^dYnUouJ)XF*m`+Fi3hve)uyHVk_- zR`tHsGe(XvHix>9WV~aV`pD=HyVe-umJEo68afcW1YhXD$lF7`tB;+L-EKp;QLm#r z-H`?HN*xG{vf8R6q);CY1|!SV@m5UL=?uE#frXjG_5P@Bz$eCfcQEV&W@L8ku`?do z!?88&TLT-rF#lmq1o%;al782-|OiBTD46Z zy3p@HY!`IFfhenXuRj7ZjrQt%;s=)ZWjgV6%NMeVr>1h6>kzqgjhf0wDZ`6PPx+1d z%}#sJ#KV65US^tdov@it+3dN&YLPWmqiZ#~_CnCLVXCb@+!nevd^B_|tMhB4YZ;Ai z3th`;^RZ@YbS)f<8eOZ=waTDtc_qna(Y4fF#nS@WG6wHSgKVYy^-MrEWMBg<`Z$!< zi7d&|8+fo^X7<$bKTM;$mBuIgEA$A-J`atO{PsyWN-#w!*5V#aUWU2Immd{RF(c=J zz_dfW-buSy=!>PVolN2JHT2n6&e$wGEAWi77Qe_jf$YRUvZyW9FeffqhwvZQaY1%U z4CG)$ zLk6uqtOP#u95S${-nDBghqGCWcXj0$i9fU8^4L%wq8PhC88NjdN8WS_T?B%-P4(d`K;hUOlyb}Lgam7^#&~;bfWFH{G}0$1A-8W_+WRhDgHdMKqm=$JycKsu#Fbi zprjQ+kS2BPfjgZ*KfvaJ=BQA&4ri|4iu6(fr8l%>PlPXtFJ-k;DG_bFod9R}b?z-^ zFa)eHT2s@j>~;eiB}J)c)C~;@+Aq}ISLxz{CP^?l06k+OC;B=bk76a*ICX06pF(dZ!35zixItA`VKGKH?( z$>Vfk?B(QzTb#(=HolUQ6~7nM8hLn#$X#L_I}`6qE*=^lw1=yBNL-8Ds(W~@0TBuF zy0}kai$F(``%DjgSj$t}O6r*s90!H~F{{B;K+@$2DnZA(Q-2N&^uV59Y7{xh>j+xgFN%KtiePAhT?IEVyjGUy3Tb&ewWsl{(0Eex6eVxs* z!NStG($L(gNhD1!1_mQ5)H0y4Z_u<&@2ESSEf<+f0}2_Ql_KMWLZ&{M;1$o>ay~&q zUVodo{^E!|{WzcO?j`pjtLL4xedGCy)dU3HUR6|39j`_H5T(V=-lwQVzH{|Sus#8G zk*Q3fKP9_5)5(^p(c-gy0Nk2>xlhKYiZG_WN<=n(@#dPXn>U$E2wQhnrtzBb`WxV# 
z-MxSNwBr%Ux^o5p4AmR?N%nj2&kQzQNgpW%F%MwY+@jLb7GAJ!wB0|tdn?&zzMLL9 zzy~>)=eNttGwtld#ie$j9o^{DYdgAUUHTYoBt{_Z_}Z^?eRlKjry3v`+S{o$^IWo` zr2!I=uU#xnh=H*rmP7Q|Jtcdcs)CZyiwq@gTx`72m8BLVO+4hNK%k*$QmDc43DB)5WFq&R$Z?qI+*~>P|mr zPE%(8HYxZvCXLVSTiBJrcfp@@;J9Bk&%v?Q@LGz`wmrjFYzB^rgU^Tx;vfx7^ACd7E^T!!FAiK*2Vd z=^Q-?B42Npz`N+f66!18Fq~9);O~+-0J@ar(zSeGqCXpg!YIarpg#U=TmcSCR?Ux! z;Ai_z^XQT9D+*cF{D(q5&Hqj7(qG^4f8amxx3Mw#ipzYZdF~O5V+E+`|6xJ$p@Uj9Lwp+k3ionwXCy*kn#7?G|NM(fdUgn%N*v>CB zL0W0LuW@QuO;)anx++0BpPXOV-l-rg@~b^XIS7iF^h+Zh%iN^p94jzuHOc%{YRs~A z=O)1o3h+@JJu2-2><<+IYR(~;Ynww z2=u+$P6$wO>W7v`j>kf(qQPC6p+i~j>j(iGib_hv5624_NF_SxoGqmRXMQBzCr27MOJ7TF|ir&RRj-B3}lwSq;M?WpQX52s+DsiY16A zuHuu8P+%v=A`~FFK!_$tgqJ4{)VO~1+(>YC%hab3 zvY;$|+fqPjE+IDS9i@uPx3IAIG$>fe4^V_sB>K)mWP+b2R+6c(YB&YNaVgfxBqMD`rueh9Vp&Ca^{L1 z&5C~(@6N)LvdYv8+2ZJwM6e!{w`UB|ZYrN9wmzRKH{O@4T^?ji9)+vUSWc~p-NN6X zPst|^EYDnGpaw;zXJ9(DqCTgyljhChcJi+%`d#aQtRsl?l1>>-62niL#Yj{vP`T4< zQXo86NP7iqDdm7rVsKF>esH0bW zI9-#4dqj3vbVb6ffbX+yE)sil9E_Bd`X7E!4B%rCf+yS?tnVKriLj9UfSo1M;1F!L zdstRPHu>a?U`$@pZL8wnc*}`}V$NjWrg?uz6eTRlX&_kSoWd!l{1Ow2upm8!#iUW@ z;MRr$MjEspN-cQDm#ohODa}8GIf?95Q#!X{h4}V+=$w=}WHwvkytmBiSy$VTMsU%m zLLVG%;b(&-n)GUgCXKuo-hG#3ZQwZ&E+ibz%cLCt4USN=_wgJLtah-0mQ}4#K8e-# zbv$o`%)HLX8Ik8;raWhajLLYy1hEWgC{?$>-r#vKmO2?ioeW|18mf~a)X5N5ut}W^Ax-nt$q?#f2$4T^GK80u3_*SH zWC+Pq62%W|sar^fkot`}8A3P~buxsCCqqa({!nK^c;T540>-G*Ak=9PB4VXZgHWeI z*qELnEz~&>o<MRH>sV>hpRr0iWq08+r#q3s?9!WH{ize0N9iUgGW|J@8kh+OZ z_~e^G7lJ+s80nK|(uFUbLHb6~%Nxux)mLi;N;!>M!h&o;?g z9HsJm;nCqMn5nz%CN@YFEOl~&I=Mle+@MZwAPSN?xj`@#b#j9`xj{n9*2xXFlH6dW zb)0JXeEKB0dxN%huQr(i^xF+>+_@xqh#~Zd`+HsYdTC z(J&-I`)$Qd^d;^TgZ(ebcunu8!VmI$+aEoQ_TR|?$u-v%c1wOUS9;G^+$H$s#-7t_ zo$UWw>Jxt#?~LBv`?P~|v~#tu?BG0QT)12GRxW}Q^ng3ghGlN6+-P}ppV`7H3d1Mh!M4S)8x*WVJ07dbXMubQFzwxxMfErhMn z_yBsZNzBBA(2jnMovZH@I_EUuUBISi*#SX6@(%~+tAk5Nb!`rmdbciqZJ=51wY$&= zD7drt{ioLK=XGz^#6_NK&O*yOPjSJg^ZKC_GU?x%-48D{#w!n2-my2+2?W|`apCQ^ z0NW&YBxEkilBd0Mu)!v!S_zIXDA-mn<6m@lvK0wP6W(Op6d9F$jo06B3U=H3%6RYl 
z+CR!(!u_kgpc+LsL+&(4-m{V|^4+i=9fMW;lkT^1`8sJ8E6f%JZ#^$4D1LpLdHMOu3((muoG^?0Uc6RdEwoT*wqAcj8xLya zGR26}30=NK?>KYV4Oe9^81F_-_K zm)U_k1x8tT^ZS;>+RI=mvetqhS21f3E!FS;2L5f7Igm*W9zT@ z(y!J+B*XW2)CwEYd@R^R*zpz|qHGX=d?N^)S*=`Gop?!9U|gK9bcqj;N|tR-V2R@O zSX7I>3&!W|6g7S(s*pOF;6|U=`YHvVSNH_Y+tax>0h<1Bb#_UZZBeq{k~i#Pw93#+ zTtoT&7y(Mh?=_P3u8a`AQZ``RqzYinEsxp3f z{te?@0Rv+<4_1jXx*T9}REz15w38VCg5(CXYSDFW&&IW_7z%o485%iIT+^+7W8d}NSfQX5aAlyu-g$&R7w{T(Cdn)C%3fb zM7>tb9>FWQx5FZCdG07I;0x)lqB3Po(w-dO`b(JbJM{5XX=k(qQ{!-kC%$a!oprkn z(()9`M}P4d%hPUwC03k&a}lt#9+ZStMOM>TY~a5?Fi4v1CD4QQTYIHrlv_g5WwZ{7BqcSxQ~tS_nhh z2C2)1S?M7q;VlrKw+4~L_Zo$%d<4#XAmexr;hn%3Rvz7ux<*S*ad{42XPK6m>HIaK zDXAX9tS_~3D1vL{w$MS@I_~w7Vo2JIqDqz4E5)~{+ZEET4<_TScUJ}pe)a;e7=d_y z&o6?QS`4c7DpFrooFgIcbxAq;MplZBfva9L8j7ORP| zsIJ^!cam$tUtqk-ufj5uTI-4p#L%thfm>{$qIQ)16TLvNC*5J-6u6Ss~vF2mQv8L0QV-5DZdf~X^ZN~Ot46+vH zb*wwYEW7YLt_>;{1;to2ou;#J zI<{hpMh{nmb_ig945A+pvMlKaF1l!}Tdm@UOau}&ob)ZP>-gu_VzUxB@^j%b773t{ zunQU-P-!C~h34uS5?c;vFGSkYfnCd-?b#xE^qh}yn19Q{u-t*4$FL6sa}aZ!0smQ= zf1|7Y!6QiUHHb%@Q!cKi);n}tRb^yYps?ENP$aavIuOnJUZfU$1D5e=(M2hVAl7S`T$6xU+# zNkk0p@Qw%oR0}5(dtB0QymI@Db$1%2iPe1fuO~>cc5AFjbUB->6xC(zvPT)>xvfv0 z6v3qqq-=!N2R7%+9#AQH<|I1%<>sNJz+6XkttmwI*Ho&T&~C+=C~_2XJrBk9(tQ=$ zaiH6hXZ$U5T5&BT0D?}5BTJ`AL|s#xc-L;>_^!wD_m-k_Ju4I&;PCMctQ!vlBJCNu zd7(sO>&xvjT1M=|t^QS`SCc$V@?Dy#V`6{R%o}|U;Zr4C!d2?cgx_WSBzwTryrxfP zH#*?10Kk?=CGn_zS;xb&A+on%Xs)40s~Upv+d8a$woe<+>uHS0@#47<*ZOIpA=nGIf_arRHERmIFYjnb3Ry?>1nuq9Da!+9u znbKJLnm@DGaIHM_6mtT#+nc|tN~EcqH|3zZ?Ng|IHmXV_Y~DV@uG^g7&qyd*B-2hs z7f=8fs3l`JpK+G(BI9@saTlL$8w`PJYjJn#FWdz=)CwLaFgzeS8#Lu-`@X6KgLiWV zyGdC56BkxgRTbr}{<*3#Ot&zApnzuZjWT=j?JS^M&$1^~9YCZ_qY3aFx3YmtQ-BNC zGlm|RJ`(i>YH?lyR^5^gXEef|4lk4R=9MMX0~-T_2CVryXOtgy!aZLzmhQx=E_oG> z$p`AHeY!hXBbq)pZ@>;T7t3PM$)gZk>Fr{S%qnjhLsBbzS_HNqdrP?ZwquAxxH6t3@HH1S5bPYl84m0@ znfO)Rc`ZC34?*dwO3Hx15@BWAqVX$;bJXCEu+pELm&l#nc+-NZT^}^1H---vz7ejp z+lrXzXS>>&7*&yL< zk>^#`A6hn4<|V0b(0ZW3G5ce!}RI6*mo}f>~#644GcS#V$0bXBJqNG+g5x~TC2$>+?^{H9e2rUYM 
zR9#X6m9VG4I}~9otG<|KUX}BGFzTwk$T^YKUEV-pwKr%?En-lFSy^5TY(joCy!wQ) zjJXvh^v<4I#gD3Qi8%0J%=PKwzT)ybPG+@5WrEu6%FHLXIreRHIWHJ8zvc-Dnzs=! z?9Wx*qu|AE0IN(i5)BUlvz3ihbAZRcfU~Y_YKv`+Xb^ac(_VFA$(pbqXY!w(0AarP z?ZH@hF*-<)CzCeESWYd7XMVK263;xt$V@MLSoaZ#E$MA%wd)Kc^4Tvx5BqDZ=3-S} zdY+B&IB6_;t3HCX_K21p$hA_J(2qV&29QV24p1&ZgZUX^086>yADQ&El-5S5-hyU+ zhUpjzAGozN0}s(dD0+F!>_L@?<5kx=OrvJk8pHZ*ZE`62kGbZ5S=J+3jyYk^Y)>I5 zAh5lvxrSzwl~#MMT;3Zf|vXwD7cR7rcHN&spwkf4{gmIbOwN zxVjG=D8HH;8^7992qpw~ysm+($?|S7)xS2-Ece=7Xm|Q#Y3IqY+PGMnrfpj*Gj?8O z4q)bN1vB;AVlm4GJ3#BgfaO??jT>9Ha;6n%94;3(-rW6*A6IC+u|fOHmDk_y^tnsc z|LzVryKUdU^gi3uoxSg?F&S_pnf45Q&LSS%`lk<{Siy@c+HTz1KraHdjk6CIm#au= zfa?s)zWz4T=diCse%sx_i<-~o-pBJ(=uHdQ@7(r1@R-{z&XkN>{TBO2E9B%BCh{{q z%Wl2?<}DXECA&L0I1WGMT2RUGtoz-aGkp%h4u8M+@LqGgd2CH+1_lUf;DigWH99%o z+55LoJJ;k(lbtL0H{Odv{^43XSKk|DmvP#w^ts5n7#qL16YLGq1Eiaa8wli?F2J3s zeRe?_{O0+KRZB6~GQ29$3BL4x@gTe%9Om+ZX$^!@=8&uojVupsNrEm8&rY!z7;t`16&N=_ysnOyB<}D+=DUxxJ7Vzaa0h@HKkv$;skZtRB1} z2{%<0 z&fL2t669oRlGHDmYb&RSy090Tpx!jy*SO+)biqUh;qRz4*OUzy14hTI@fsk$YY6Xo zgIWj`3N;al8VMPN{G8hp5N{SA|DCJMmEr?Db-S7wb0R1O5$N0(b`^y>bJ*Ib$R6$E z`N8T3_;^t-K?%1)qwuNBGGKPjt(-Fly=P7C-xu-_lp-j{HZcdyMK_=Mca{&qaBJ=i zid>(8@*?Nr$~h!C~-FfGla}Rx{&41WNOQ3IOUl9Q8 zL;TZP+NY`+|z%5b0ze@Dc~^bONOB>|t{hZnh3* zuHTAG(oXI{I?Ju&8wi?V`+0LE1?%@6CG&zhdQS)nxwzjv0KVoji$6-PyT(GlP8p}h zjcY;24mfN5gU=ja2C`Y@j*JrvCoJ*(=z};p2_nMr4tVPW%q^KMeR4AO-Rql$-wM9& z3+xD@M2GN0J;^nI>$-mg0c#Dlt*Qs@4*s3Z!OLQQkyPQro-Y*EhzXda|y@D>KMEqYZ{mHF%e$g~IqjDT!>hQoliYE>&%C5-z+6Npmk3B*7g29nf{< zj3&QJDax5VF)lv)gq;6VG#`qg^fRadU6(iRKYistZggj&!_FXuG?Gg!K^J*ifFzdk zaV1S;tS(r{(7tkddbElx*79rgVKl+tm{J}X8b<`p)CKGhQ%Zs2z$1c<8}MKGKek%n zqiOPnTkK0MS)W%)Ch=z!=V%0iB{4QY^kR}=A>}|hw{PK}3Z86JxQkW!;x29!UNGLj zhGhqemd(Ad@Fk>}`cyG&WeGl71vKUoqTlWnZ?3pgMOO~lMUmcAIbTj}W#K8HL@fpC z%qbo3j^8QFuN;>%E zeex;v!YWjUDrnD=huq1cfSV8901EL*E6^<)ui{j24ruA@1=~=Y0V4<8_zK4ud>kKQ z8Y{$Bh9Lwy93P&YC=_VGF%awmThXtfD?lI86buxUmwc()gsBG89tflzBatOAc9!xk z@S}hH2#+FkE8tdChyy+tbV=jArh+jo*abF^WU3OAsb@`;q}@Ic9ai84p{>aTnG7@2 
z!gF9P?9dT>3DYkDOA%vB@f`Bp<&)(ue0$a@$RuzI-tU0 zUp10wK71qxEiS=>%M6ujIjcH?upj^WMg{+?lXQgWvWg1IN%X^I(}8=s`x%K$Nn3`6P$P#m3Z zQ;l(0)}E*Uqe>V_W{EXsOJm~tH}?EkQXzH!AX>q{EpEyF;iuWpKLLE|O|O4O8T#W- zE%pnfHwsqJ@eT+$u;Ng$I^JaBeL)#**kEO$;3kJfxZ>rD6`Gm-{O1%J|G)qH|A5HE z$%zzDe$tg2X!_Nk!Da*Os+*-jYy^VA(f(9o|?1@4i{nXNbj*xZwR%@u?Y3dMPx%ZYxEs%yl)Y#b4$bB>AiMAFK^KJkTq|BSO0aP`=1Ybsyd8yf^J{vxI45}VqXKT zlHSk_3UZ?4|vk-aN314F4C{I&f zb1KMoQ!LXB%lw7`hR~6JU)r!e5(^ClBADEcv=R0vjoBkOF%0%8G3jrSJ#_;jq$MLq z2LFF4`I-!v71%=7e6Y5|#hRs%vm|c1KIKHj3+7O#xvSE<6dOOex7Uh4H-%xD>tC8w z++jLt)=;|SV?yuLyY_stva|{Ov+3Vm|JeZ3(^}j>+r$3sEBw5%QL_fWf6i$KrCV8P zcxOfx`Br8HZkPivERGXKtY0}Um=6!kj{`y z!Av#MLQz-CLv<(gNcw8|o*f;X2^+YweWO~gNT+6`#s?Dg0mIs)zr(pI&>wkIe9Fpq zifiXWbA_9V$TqSV*YWC`V7S1DLGz(VCv;X3>xILriI2@P6D4m~e7gRmZLrg7YNyq; zI<3k(tyZGb-PBHZ*Xndv-sx`nPBY6F4d44BeZCRu3EV9{F2&vQcEzXbbNA-@tfuz4 z2y@HZmGoJyLZ7>-eJ;Y=@^&SCt^{xQQv2LntIs`opLxU(2@KY=vTtb)b6A@ch>1rSJEZ%=T*u+-Erss;*2^5VAsig*Xlv1 z4Syp54LZ4#C5b1cqejsm?v;se;R$phkSRK58yM(u?agI?0R%>1{6`WIfB=0O-v>U{ zOM+r^5J=+j77GgjI=dGi4$t=@gC~v_|7SRCn+ik}LvkZvR4|p~<8+W3EX@Rt4LpXw z{|``00Rj{N6aWAK2mlmvL|R%yv@Dzo00444000*N00000000000000000000V{&C- zbY)d(L}g}aZfSIBZ*DGXb8l`?O928D02BZK00;mSazt8rQe!MPy#N4$Rt5kO00000 z00000000000MQBn0BvDuZd7G$aBN|8WiD!SZ*EXa1qJ{B000620sw>n001}000000 DU^z(C diff --git a/Solutions/Jamf Protect/Package/createUiDefinition.json b/Solutions/Jamf Protect/Package/createUiDefinition.json index 9b0ece53e37..7b6e522d622 100644 --- a/Solutions/Jamf Protect/Package/createUiDefinition.json +++ b/Solutions/Jamf Protect/Package/createUiDefinition.json 
@@ -1,354 +1,354 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": 
"[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." 
- } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "Jamf Protect Workbook", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs." - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
- } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Jamf Protect - Alerts", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel" - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Jamf Protect - Network Threats", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Creates an incident based based on Jamf Protect's Network Threat Event Stream alerts." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Jamf Protect - Unified Logs", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel" - } - } - ] - } - ] - }, - { - "name": "huntingqueries", - "label": "Hunting Queries", - "bladeTitle": "Hunting Queries", - "elements": [ - { - "name": "huntingqueries-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" - } - }, - { - "name": "huntingqueries-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/hunting" - } - } - }, - { - "name": "huntingquery1", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - DazzleSpy", - "elements": [ - { - "name": "huntingquery1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for alerts related to DazzleSpy activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery2", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - JokerSpy", - "elements": [ - { - "name": "huntingquery2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for alerts related to JokerSpy activity, Known to use various back doors to deploy spyware on victims' systems in order to perform reconnaissance and for command and control. 
This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery3", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - KandyKorn", - "elements": [ - { - "name": "huntingquery3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for activity related to KandyKorn activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery4", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - PureLand", - "elements": [ - { - "name": "huntingquery4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for activity related to PureLand activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery5", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - RustBucket", - "elements": [ - { - "name": "huntingquery5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for activity related to RustBucket activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery6", - "type": "Microsoft.Common.Section", - "label": "JamfProtect - macOS - Turtle", - "elements": [ - { - "name": "huntingquery6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for activity related to Turtle activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery7", - "type": "Microsoft.Common.Section", 
- "label": "JamfProtect - macOS - AtomicStealer", - "elements": [ - { - "name": "huntingquery7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this query to look for activity related to AtomicStealer activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" - } - } - ] - } - ] - }, - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
- } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + 
"Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Jamf Protect Workbook", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Jamf Protect - Alerts", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Jamf Protect - Network Threats", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Creates an incident based based on Jamf Protect's Network Threat Event Stream alerts." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Jamf Protect - Unified Logs", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel" + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - DazzleSpy", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for alerts related to DazzleSpy activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - JokerSpy", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for alerts related to JokerSpy activity, Known to use various back doors to deploy spyware on victims' systems in order to perform reconnaissance and for command and control. 
This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - KandyKorn", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for activity related to KandyKorn activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - PureLand", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for activity related to PureLand activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - RustBucket", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for activity related to RustBucket activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "JamfProtect - macOS - Turtle", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for activity related to Turtle activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", 
+ "label": "JamfProtect - macOS - AtomicStealer", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Use this query to look for activity related to AtomicStealer activity, known to affect macOS devices via a MachO binary This hunting query depends on JamfProtect data connector (jamfprotect_CL Parser or Table)" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Jamf Protect/Package/mainTemplate.json b/Solutions/Jamf Protect/Package/mainTemplate.json index 02d681547ee..d927dfc92b7 100644 --- a/Solutions/Jamf Protect/Package/mainTemplate.json +++ b/Solutions/Jamf Protect/Package/mainTemplate.json 
@@ -1,5447 +1,5447 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Thijs Xhaflaire - thijs.xhaflaire@jamf.com", - "comments": "Solution template for Jamf Protect" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "resource group name where Microsoft Sentinel is setup" - } - }, - "subscription": { - "type": "string", - "defaultValue": "[last(split(subscription().id, '/'))]", - "metadata": { - "description": "subscription id where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "Jamf Protect Workbook", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - } - }, - "variables": { - "email": "thijs.xhaflaire@jamf.com", - "_email": "[variables('email')]", - "_solutionName": "Jamf Protect", - "_solutionVersion": "3.2.0", - "solutionId": "jamfsoftwareaustraliaptyltd1620360395539.jamf_protect", - "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "JamfProtect", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "JamfProtect", - "_dataConnectorContentId1": 
"[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "3.1.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "dataConnectorCCPVersion": "1.0.0", - "_dataConnectorContentIdConnectorDefinition2": "JamfProtectPush", - "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", - "_dataConnectorContentIdConnections2": "JamfProtectPushConnections", - "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", - "blanks": "[replace('b', 'b', '')]", - "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','JamfProtect')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('JamfProtect-Parser')))]", - "parserVersion1": "3.2.0", - "parserContentId1": "JamfProtect-Parser" - }, - "workbookVersion1": "2.0.0", - "workbookContentId1": "JamfProtectWorkbook", - "workbookId1": 
"[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.5", - "_analyticRulecontentId1": "6098daa0-f05e-44d5-b5a0-913e63ba3179", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6098daa0-f05e-44d5-b5a0-913e63ba3179')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6098daa0-f05e-44d5-b5a0-913e63ba3179')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6098daa0-f05e-44d5-b5a0-913e63ba3179','-', '1.0.5')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.4", - "_analyticRulecontentId2": "44da53c3-f3b0-4b70-afff-f79275cb9442", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44da53c3-f3b0-4b70-afff-f79275cb9442')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44da53c3-f3b0-4b70-afff-f79275cb9442')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44da53c3-f3b0-4b70-afff-f79275cb9442','-', '1.0.4')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", - "_analyticRulecontentId3": 
"9eb2f758-003b-4303-83c6-97aed4c03e41", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9eb2f758-003b-4303-83c6-97aed4c03e41')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9eb2f758-003b-4303-83c6-97aed4c03e41')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9eb2f758-003b-4303-83c6-97aed4c03e41','-', '1.0.2')))]" - }, - "huntingQueryObject1": { - "huntingQueryVersion1": "1.0.0", - "_huntingQuerycontentId1": "f0a1bacb-eb6a-4edc-99a9-839a77be3a33", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f0a1bacb-eb6a-4edc-99a9-839a77be3a33')))]" - }, - "huntingQueryObject2": { - "huntingQueryVersion2": "1.0.0", - "_huntingQuerycontentId2": "8d9a199b-7968-476b-b02b-d030a010609c", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8d9a199b-7968-476b-b02b-d030a010609c')))]" - }, - "huntingQueryObject3": { - "huntingQueryVersion3": "1.0.0", - "_huntingQuerycontentId3": "60b1269f-374e-49dd-8b10-e4ef85d5bd65", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('60b1269f-374e-49dd-8b10-e4ef85d5bd65')))]" - }, - "huntingQueryObject4": { - "huntingQueryVersion4": "1.0.0", - "_huntingQuerycontentId4": "ec2f21aa-a9c5-42fd-9ee1-c59f30b4fdd6", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ec2f21aa-a9c5-42fd-9ee1-c59f30b4fdd6')))]" - }, - "huntingQueryObject5": { - "huntingQueryVersion5": "1.0.0", - "_huntingQuerycontentId5": 
"223f6758-e134-45e8-a9d6-4ca8455799fb", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('223f6758-e134-45e8-a9d6-4ca8455799fb')))]" - }, - "huntingQueryObject6": { - "huntingQueryVersion6": "1.0.0", - "_huntingQuerycontentId6": "09161cb2-f28a-437c-83e3-60b8545dc8f2", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('09161cb2-f28a-437c-83e3-60b8545dc8f2')))]" - }, - "huntingQueryObject7": { - "huntingQueryVersion7": "1.0.0", - "_huntingQuerycontentId7": "2b0ec436-80d6-4e63-b3da-e35048724f37", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2b0ec436-80d6-4e63-b3da-e35048724f37')))]" - }, - "JamfProtect_Alert_Status_InProgress": "JamfProtect_Alert_Status_InProgress", - "_JamfProtect_Alert_Status_InProgress": "[variables('JamfProtect_Alert_Status_InProgress')]", - "playbookVersion1": "1.0", - "playbookContentId1": "JamfProtect_Alert_Status_InProgress", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "JamfProtect_Alert_Status_Resolved": "JamfProtect_Alert_Status_Resolved", - "_JamfProtect_Alert_Status_Resolved": "[variables('JamfProtect_Alert_Status_Resolved')]", - "playbookVersion2": "1.0", - "playbookContentId2": "JamfProtect_Alert_Status_Resolved", - 
"_playbookContentId2": "[variables('playbookContentId2')]", - "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", - "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "JamfProtect_LockComputer_with_JamfPro": "JamfProtect_LockComputer_with_JamfPro", - "_JamfProtect_LockComputer_with_JamfPro": "[variables('JamfProtect_LockComputer_with_JamfPro')]", - "playbookVersion3": "1.0", - "playbookContentId3": "JamfProtect_LockComputer_with_JamfPro", - "_playbookContentId3": "[variables('playbookContentId3')]", - "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", - "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Jamf Protect data connector with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Jamf Protect", - "publisher": "Jamf", - "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total Activities data received", - "legend": "jamfprotect_CL", - "baseQuery": "jamfprotect_CL" - } - ], - "sampleQueries": [ - { - "description": "Jamf Protect - All events.", - "query": "jamfprotect_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Jamf Protect - All active endpoints.", - "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc" - }, - { - "description": "Jamf Protect - Top 10 endpoints with Alerts", - "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event" - } - ], - "dataTypes": [ - { - "name": "jamfprotect_CL", - 
"lastDataReceivedQuery": "jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." 
- } - ], - "metadata": { - "id": "AF74EDD7-5534-46CD-B75D-7119BE1D161D", - "version": "3.1.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Jamf Protect for Microsoft Sentinel" - }, - "author": { - "name": "Thijs Xhaflaire" - }, - "support": { - "tier": "developer", - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "link": "https://jamf.com/support/" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Jamf Protect", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Jamf Protect", - "publisher": "Jamf", - "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total Activities data received", - "legend": "jamfprotect_CL", - "baseQuery": "jamfprotect_CL" - } - ], - "dataTypes": [ - { - "name": "jamfprotect_CL", - "lastDataReceivedQuery": "jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - 
"connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Jamf Protect - All events.", - "query": "jamfprotect_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Jamf Protect - All active endpoints.", - "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc" - }, - { - "description": "Jamf Protect - Top 10 endpoints with Alerts", - "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "displayName": "Jamf Protect Push Connector", - "contentKind": "DataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": 
"[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "JamfProtectPush", - "title": "Jamf Protect Push Connector", - "publisher": "Jamf", - "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Telemetry", - "legend": "jamfprotecttelemetryv2_CL", - "baseQuery": "jamfprotecttelemetryv2_CL" - }, - { - "metricName": "Unified Logs", - "legend": "jamfprotectunifiedlogs_CL", - "baseQuery": "jamfprotectunifiedlogs_CL" - }, - { - "metricName": "Telemetry (Legacy)", - "legend": "jamfprotecttelemetryv1_CL", - "baseQuery": "jamfprotecttelemetryv1_CL" - }, - { - "metricName": "Alerts", - "legend": "jamfprotectalerts_CL", - "baseQuery": "jamfprotectalerts_CL" - } - ], - "sampleQueries": [ - { - "description": "Jamf Protect - All Alerts", - "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Jamf Protect - All Telemetry events", - "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "jamfprotecttelemetryv2_CL", - "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotectunifiedlogs_CL", - "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotecttelemetryv1_CL", - "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotectalerts_CL", - "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "IsConnectedQuery", - "value": [ - "jamfprotecttelemetryv2_CL\n | summarize 
LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "availability": { - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Microsoft Entra", - "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." - }, - { - "name": "Microsoft Azure", - "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" - } - ] - }, - "instructionSteps": [ - { - "title": "1. 
Create ARM Resources and Provide the Required Permissions", - "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." - } - }, - { - "parameters": { - "label": "Deploy Jamf Protect connector resources", - "applicationDisplayName": "Jamf Protect Connector Application" - }, - "type": "DeployPushConnectorButton" - } - ] - }, - { - "title": "2. 
Push your logs into the workspace", - "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", - "instructions": [ - { - "parameters": { - "label": "Tenant ID (Directory ID)", - "fillWith": [ - "TenantId" - ] - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Entra Application ID", - "fillWith": [ - "ApplicationId" - ], - "placeholder": "Deploy push connector to get the Application ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Entra Application Secret", - "fillWith": [ - "ApplicationSecret" - ], - "placeholder": "Deploy push connector to get the Application Secret" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "DCE Uri", - "fillWith": [ - "DataCollectionEndpoint" - ], - "placeholder": "Deploy push connector to get the DCR Uri" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "DCR Immutable ID", - "fillWith": [ - "DataCollectionRuleId" - ], - "placeholder": "Deploy push connector to get the DCR ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Telemetry Stream ID", - "value": "Custom-jamfprotecttelemetryv1_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Unified Logs Stream ID", - "value": "Custom-jamfprotectunifiedlogs_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Telemetry (Legacy) Stream ID", - "value": "Custom-jamfprotecttelemetryv2_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Alerts Stream ID", - "value": "Custom-jamfprotectalerts_CL" - }, - "type": "CopyableLabel" - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "name": "JamfProtectCustomDCR", - "apiVersion": "2022-06-01", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": "[variables('blanks')]", - "properties": { - "streamDeclarations": { - "Custom-jamfprotecttelemetryv2": { - "columns": [ - { - "name": "action", - "type": "dynamic" - }, - { - "name": "action_type", - "type": "int" - }, - { - "name": "deadline", - "type": "int" - }, - { - "name": "event", - "type": "dynamic" - }, - { - "name": "event_type", - "type": "int" - }, - { - "name": "glob_seq_num", - "type": "int" - }, - { - "name": "host", - "type": "dynamic" - }, - { - "name": "mach_time", - "type": "long" - }, - { - "name": "metadata", - "type": "dynamic" - }, - { - "name": "process", - "type": "dynamic" - }, - { - "name": "seq_num", - "type": "int" - }, - { - "name": "thread", - "type": "dynamic" - }, - { - "name": "time", - "type": "datetime" - }, - { - "name": "uuid", - "type": "string" - }, - { - "name": "version", - "type": "int" - } - ] - }, - 
"Custom-jamfprotectunifiedlogs": { - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "caid", - "type": "string" - }, - { - "name": "certid", - "type": "string" - }, - { - "name": "input", - "type": "dynamic" - } - ] - }, - "Custom-jamfprotecttelemetryv1": { - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "arguments", - "type": "dynamic" - }, - { - "name": "exec_chain", - "type": "dynamic" - }, - { - "name": "header", - "type": "dynamic" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "key", - "type": "string" - }, - { - "name": "return", - "type": "dynamic" - }, - { - "name": "subject", - "type": "dynamic" - }, - { - "name": "identity", - "type": "dynamic" - }, - { - "name": "texts", - "type": "string" - }, - { - "name": "metrics", - "type": "dynamic" - }, - { - "name": "page_info", - "type": "dynamic" - }, - { - "name": "attributes", - "type": "dynamic" - }, - { - "name": "exec_chain_child", - "type": "dynamic" - }, - { - "name": "path", - "type": "dynamic" - }, - { - "name": "_event_score", - "type": "int" - }, - { - "name": "contents", - "type": "string" - }, - { - "name": "file", - "type": "dynamic" - }, - { - "name": "socket_inet", - "type": "dynamic" - }, - { - "name": "exit", - "type": "dynamic" - }, - { - "name": "exec_args", - "type": "dynamic" - }, - { - "name": "exec_env", - "type": "dynamic" - }, - { - "name": "exec_chain_parent", - "type": "dynamic" - }, - { - "name": "architecture", - "type": "string" - }, - { - "name": "bios_firmware_versions", - "type": "dynamic" - }, - { - "name": "process", - "type": "dynamic" - }, - { - "name": "rateLimitingSeconds", - "type": "int" - } - ] - }, - "Custom-jamfprotectalerts": { - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "caid", - "type": "string" - }, - { - "name": "certid", - "type": "string" - }, - { - "name": "input", - "type": "dynamic" - } - ] - } - }, - "destinations": { 
- "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-jamfprotecttelemetryv2" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = metadata.vendor,\n EventProduct = metadata.product,\n EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = host.protectVersion,\n EventSeverity = \"Informational\",\n //\n // Jamf Protect - Device Hostnames\n TargetHostname = host.hostname,\n DvcHostname = host.hostname,\n DvcSerial = host.serial,\n DvcIpAddr = host.ips,\n DvcId = host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = host.os,\n SrcDeviceType = \"Computer\"\n| project-rename\n TimeGenerated = ['time'],\n EventOriginalUid = uuid,\n EventOriginalType = event_type,\n EventCount = glob_seq_num\n| project-away\n metadata,\n host,\n seq_num,\n version,\n deadline,\n mach_time,\n action_type\n\n", - "outputStream": "Custom-jamfprotecttelemetryv2_CL" - }, - { - "streams": [ - "Custom-jamfprotectunifiedlogs" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Unified Log Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = \"UnifiedLog\",\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.event.name,\n EventResultMessage = input.match.event.composedMessage,\n // EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", input.match.uuid),\n 
// //\n // // Jamf Protect - Device Hostnames\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n // Jamf Protect - Event Details\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = \"Create\",\n ProcessEventSubType = \"Exec\",\n TargetProcessName = tostring(input.match.event.process),\n TargetProcessId = toreal(input.match.event.processIdentifier),\n TargetProcessGuid = tostring(input.match.event.uuid),\n TargetProcessCommandLine = input.match.event.process.args,\n TargetProcessCurrentDirectory = input.match.event.processImagePath\n| project-away\n caid,\n certid\n\n", - "outputStream": "Custom-jamfprotectunifiedlogs_CL" - }, - { - "streams": [ - "Custom-jamfprotecttelemetryv1" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Device Telemetry Stream'\n// Data Field Normalization\n| extend\n EventSeverity = \"Informational\",\n //\n // Jamf Protect Telemetry - Endpoint Information\n //\n TargetModel = metrics.hw_model,\n DvcOsVersion = host_info.osversion,\n TargetHostname = host_info.host_name,\n DvcHostname = host_info.host_name,\n DvcId = host_info.host_uuid,\n // Jamf Protect - Event Types\n EventType = case(\n header.event_name == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header.event_name == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header.event_name == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header.event_name == \"AUE_auth_user\",\n \"Elevate\",\n header.event_name == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header.event_name == \"AUE_CHDIR\",\n \"FolderMoved\",\n header.event_name == \"AUE_CHROOT\",\n \"FolderModified\",\n header.event_name == 
\"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_create_group\",\n \"GroupCreated\",\n header.event_name == \"AUE_create_user\",\n \"UserCreated\",\n header.event_name == \"AUE_delete_group\",\n \"GroupDeleted\",\n header.event_name == \"AUE_delete_user\",\n \"UserDeleted\",\n header.event_name == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header.event_name == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_FORK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_GETAUID\",\n \"\",\n header.event_name == \"AUE_KILL\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_logout\",\n \"Logoff\",\n header.event_name == \"AUE_lw_login\",\n \"Logon\",\n header.event_name == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header.event_name == \"AUE_modify_group\",\n \"GroupModified\",\n header.event_name == \"AUE_modify_password\",\n \"PasswordChanged\",\n header.event_name == \"AUE_modify_user\",\n \"UserModified\",\n header.event_name == \"AUE_MOUNT\",\n \"VolumeMount\",\n header.event_name == \"AUE_openssh\",\n \"SshInitiated\",\n header.event_name == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header.event_name == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header.event_name == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_END\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_START\",\n \"Logon\",\n header.event_name == \"AUE_SESSION_UPDATE\",\n \"\",\n header.event_name == \"AUE_SETPRIORITY\",\n \"\",\n header.event_name == \"AUE_SETSOCKOPT\",\n \"\",\n header.event_name == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header.event_name == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header.event_name == \"AUE_SOCKETPAIR\",\n \"\",\n header.event_name == \"AUE_ssauthint\",\n \"Elevate\",\n header.event_name == \"AUE_ssauthmech\",\n \"Elevate\",\n 
header.event_name == \"AUE_ssauthorize\",\n \"Elevate\",\n header.event_name == \"AUE_TASKFORPID\",\n \"\",\n header.event_name == \"AUE_TASKNAMEFORPID\",\n \"\",\n header.event_name == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header.event_name == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header.event_name == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header.event_name == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n //\n // Jamf Protect Telemetry - Process\n //\n ActingProcessId = toreal(subject.responsible_process_id),\n ActingProcessName = tostring(subject.responsible_process_name),\n ParentProcessName = tostring(subject.parent_path),\n ParentProcessId = toreal(subject.parent_pid),\n ParentProcessGuid = tostring(subject.parent_uuid),\n TargetProcessName = tostring(subject.process_name),\n TargetProcessId = toreal(subject.process_id),\n TargetProcessGuid = tostring(exec_chain.uuid),\n TargetProcessSHA256 = tostring(subject.process_hash),\n TargetUserId = toreal(subject.user_id),\n TargetUsername = tostring(subject.user_name),\n TargetProcessCommandLine = exec_args.args_compiled,\n ActorUsername = tostring(subject.effective_user_name),\n ActorUserId = toreal(subject.audit_user_name),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = tostring(subject.group_name),\n GroupID = toreal(subject.group_id),\n EffectiveGroupName = tostring(subject.effective_group_name),\n EffectiveGroupID = toreal(subject.effective_group_id),\n //\n // Jamf Protect Telemetry - Network\n //\n DstIpAddr = socket_inet.ip_address,\n DstPortNumber = socket_inet.port,\n NetworkProtocolVersion = case(socket_inet.id == 128, \"IPV4\", socket_inet.id == 129, \"IPV6\", \"\"),\n SrcIpAddr = subject.terminal.id.ip.address,\n //\n // Jamf Protect Telemetry - Binaries\n //\n TargetBinarySHA256 = tostring(identity.cd_hash),\n TargetbinarySignerType = case(identity.signer_type == 0, \"Developer\", identity.signer_type == 1, \"Apple\", 
\"\"),\n TargetBinarySigningTeamID = tostring(identity.team_id),\n TargetBinarySigningAppID = tostring(identity.signer_id),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = path\n| project-away _event_score\n\n", - "outputStream": "Custom-jamfprotecttelemetryv1_CL" - }, - { - "streams": [ - "Custom-jamfprotectalerts" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Alerts Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = case(\n input.eventType == \"GPClickEvent\",\n \"Click\",\n input.eventType == \"GPDownloadEvent\",\n \"Download\",\n input.eventType == \"GPFSEvent\",\n \"FileSystem\",\n input.eventType == \"GPProcessEvent\",\n \"Process\",\n input.eventType == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input.eventType == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input.eventType == \"GPMRTEvent\",\n \"MRT\",\n input.eventType == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input.eventType == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input.eventType == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input.eventType == \"GPUSBEvent\",\n \"USB\",\n input.eventType == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.facts[0].name,\n EventResultMessage = input.match.facts[0].human,\n //\n // Jamf Protect - Device Hostnames\n //\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = 
input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input.match.event.type == 0, \"None\", input.match.event.type == 1, \"Create\", input.match.event.type == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input.match.event.subType == 7, \"Exec\", input.match.event.subType == 1, \"Fork\", input.match.event.subType == 23, \"Execve\", input.match.event.subType == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(input.related.processes[array_length(input.related.processes) - 1].path),\n ActingProcessId = toreal(input.related.processes[0].responsiblePID),\n ActingProcessGuid = tostring(input.related.processes[array_length(input.related.processes) - 1].uuid),\n ParentProcessName = todynamic(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].path), \"\")),\n ParentProcessId = iff(array_length(input.related.processes) > 1, toreal(input.related.processes[1].pid), double(null)),\n ParentProcessGuid = tostring(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].uuid), \"\")),\n TargetProcessName = todynamic(input.related.processes[0].name),\n TargetProcessId = input.related.processes[0].pid,\n TargetProcessGuid = input.related.processes[0].uuid,\n TargetProcessSHA1 = tostring(input.related.binaries[0].sha1hex),\n TargetProcessSHA256 = tostring(input.related.binaries[0].sha256hex),\n TargetProcessCommandLine = input.related.processes[0].args,\n TargetProcessCurrentDirectory = tostring(input.related.processes[0].path),\n TargetProcessStatusCode = toreal(input.related.processes[0].exitCode),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = input.related.files[0].path,\n TargetFileSHA1 = input.related.files[0].sha1hex,\n TargetFileSHA256 = input.related.files[0].sha256hex,\n TargetFileSize = input.related.files[0].size,\n 
TargetFileSigningInfoMessage = input.related.files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(input.related.files[0].signingInfo.signerType == 0, \"Apple\", input.related.files[0].signingInfo.signerType == 1, \"App Store\", input.related.files[0].signingInfo.signerType == 2, \"Developer\", input.related.files[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = input.related.files[0].signingInfo.teamid,\n TargetFileIsDownload = tobool(input.related.files[0].isDownload),\n TargetFileIsAppBundle = tobool(input.related.files[0].isAppBundle),\n TargetFileIsDirectory = tobool(input.related.files[0].isDirectory),\n TargetFileIsScreenshot = tobool(input.related.files[0].isScreenShot),\n TargetFileExtendedAttributes = input.related.files[0].xattrs,\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = input.related.binaries[0].path,\n TargetBinarySHA1 = input.related.binaries[0].sha1hex,\n TargetBinarySHA256 = input.related.binaries[0].sha256hex,\n TargetBinarySigningInfoMessage = input.related.binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(input.related.binaries[0].signingInfo.signerType == 0, \"Apple\", input.related.binaries[0].signingInfo.signerType == 1, \"App Store\", input.related.binaries[0].signingInfo.signerType == 2, \"Developer\", input.related.binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = input.related.binaries[0].signingInfo.teamid,\n TargetBinarySigningAppID = input.related.binaries[0].signingInfo.appid\n| project-away\n caid,\n certid\n", - "outputStream": "Custom-jamfprotectalerts_CL" - } - ], - "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" 
- } - }, - { - "name": "jamfprotecttelemetryv2_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "jamfprotecttelemetryv2_CL", - "columns": [ - { - "name": "action", - "type": "dynamic" - }, - { - "name": "event", - "type": "dynamic" - }, - { - "name": "EventOriginalType", - "type": "int" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "process", - "type": "dynamic" - }, - { - "name": "thread", - "type": "dynamic" - }, - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventVendor", - "type": "dynamic" - }, - { - "name": "EventProduct", - "type": "dynamic" - }, - { - "name": "EventSchemaVersion", - "type": "dynamic" - }, - { - "name": "EventProductVersion", - "type": "dynamic" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "TargetHostname", - "type": "dynamic" - }, - { - "name": "DvcHostname", - "type": "dynamic" - }, - { - "name": "DvcSerial", - "type": "dynamic" - }, - { - "name": "DvcIpAddr", - "type": "dynamic" - }, - { - "name": "DvcId", - "type": "dynamic" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "dynamic" - }, - { - "name": "SrcDeviceType", - "type": "string" - } - ] - }, - "totalRetentionInDays": 30 - } - }, - { - "name": "jamfprotectalerts_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "jamfprotectalerts_CL", - "columns": [ - { - "name": "input", - "type": "dynamic" - }, - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - 
}, - { - "name": "EventProductVersion", - "type": "dynamic" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "dynamic" - }, - { - "name": "EventOriginalUid", - "type": "dynamic" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventMessage", - "type": "dynamic" - }, - { - "name": "EventResultMessage", - "type": "dynamic" - }, - { - "name": "TargetHostname", - "type": "dynamic" - }, - { - "name": "DvcHostname", - "type": "dynamic" - }, - { - "name": "DvcSerial", - "type": "dynamic" - }, - { - "name": "DvcIpAddr", - "type": "dynamic" - }, - { - "name": "DvcId", - "type": "dynamic" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "dynamic" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "ProcessEventType", - "type": "string" - }, - { - "name": "ProcessEventSubType", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "real" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ParentProcessName", - "type": "dynamic" - }, - { - "name": "ParentProcessId", - "type": "real" - }, - { - "name": "ParentProcessGuid", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "dynamic" - }, - { - "name": "TargetProcessId", - "type": "dynamic" - }, - { - "name": "TargetProcessGuid", - "type": "dynamic" - }, - { - "name": "TargetProcessSHA1", - "type": "string" - }, - { - "name": "TargetProcessSHA256", - "type": "string" - }, - { - "name": "TargetProcessCommandLine", - "type": "dynamic" - }, - { - "name": "TargetProcessCurrentDirectory", - "type": "string" - }, - { - "name": "TargetProcessStatusCode", - "type": "real" - }, - { - "name": "TargetFilePath", - "type": "dynamic" - }, - { - "name": "TargetFileSHA1", - "type": "dynamic" - }, - { - "name": "TargetFileSHA256", - 
"type": "dynamic" - }, - { - "name": "TargetFileSize", - "type": "dynamic" - }, - { - "name": "TargetFileSigningInfoMessage", - "type": "dynamic" - }, - { - "name": "TargetFileSignerType", - "type": "string" - }, - { - "name": "TargetFileSigningTeamID", - "type": "dynamic" - }, - { - "name": "TargetFileIsDownload", - "type": "boolean" - }, - { - "name": "TargetFileIsAppBundle", - "type": "boolean" - }, - { - "name": "TargetFileIsDirectory", - "type": "boolean" - }, - { - "name": "TargetFileIsScreenshot", - "type": "boolean" - }, - { - "name": "TargetFileExtendedAttributes", - "type": "dynamic" - }, - { - "name": "TargetBinaryFilePath", - "type": "dynamic" - }, - { - "name": "TargetBinarySHA1", - "type": "dynamic" - }, - { - "name": "TargetBinarySHA256", - "type": "dynamic" - }, - { - "name": "TargetBinarySigningInfoMessage", - "type": "dynamic" - }, - { - "name": "TargetbinarySignerType", - "type": "string" - }, - { - "name": "TargetBinarySigningTeamID", - "type": "dynamic" - }, - { - "name": "TargetBinarySigningAppID", - "type": "dynamic" - } - ] - }, - "totalRetentionInDays": 30 - } - }, - { - "name": "jamfprotecttelemetryv1_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "jamfprotecttelemetryv1_CL", - "columns": [ - { - "name": "architecture", - "type": "string" - }, - { - "name": "arguments", - "type": "dynamic" - }, - { - "name": "attributes", - "type": "dynamic" - }, - { - "name": "bios_firmware_versions", - "type": "dynamic" - }, - { - "name": "contents", - "type": "string" - }, - { - "name": "exec_args", - "type": "dynamic" - }, - { - "name": "exec_chain", - "type": "dynamic" - }, - { - "name": "exec_chain_child", - "type": "dynamic" - }, - { - "name": "exec_chain_parent", - "type": "dynamic" - }, - { - "name": "exec_env", - "type": "dynamic" - }, - { - "name": "exit", - "type": 
"dynamic" - }, - { - "name": "file", - "type": "dynamic" - }, - { - "name": "header", - "type": "dynamic" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "identity", - "type": "dynamic" - }, - { - "name": "key", - "type": "string" - }, - { - "name": "metrics", - "type": "dynamic" - }, - { - "name": "page_info", - "type": "dynamic" - }, - { - "name": "path", - "type": "dynamic" - }, - { - "name": "process", - "type": "dynamic" - }, - { - "name": "rateLimitingSeconds", - "type": "int" - }, - { - "name": "return", - "type": "dynamic" - }, - { - "name": "socket_inet", - "type": "dynamic" - }, - { - "name": "subject", - "type": "dynamic" - }, - { - "name": "texts", - "type": "string" - }, - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "TargetModel", - "type": "dynamic" - }, - { - "name": "DvcOsVersion", - "type": "dynamic" - }, - { - "name": "TargetHostname", - "type": "dynamic" - }, - { - "name": "DvcHostname", - "type": "dynamic" - }, - { - "name": "DvcId", - "type": "dynamic" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "dynamic" - }, - { - "name": "ActingProcessName", - "type": "dynamic" - }, - { - "name": "ParentProcessName", - "type": "dynamic" - }, - { - "name": "ParentProcessId", - "type": "dynamic" - }, - { - "name": "ParentProcessGuid", - "type": "dynamic" - }, - { - "name": "TargetProcessName", - "type": "dynamic" - }, - { - "name": "TargetProcessId", - "type": "dynamic" - }, - { - "name": "TargetProcessGuid", - "type": "dynamic" - }, - { - "name": "TargetProcessSHA256", - "type": "dynamic" - }, - { - "name": "TargetUserId", - "type": "dynamic" - }, - { - "name": "TargetUsername", - "type": "dynamic" - }, - { - "name": "TargetProcessCommandLine", - "type": "dynamic" - }, - { - "name": "ActorUsername", 
- "type": "dynamic" - }, - { - "name": "ActorUserId", - "type": "dynamic" - }, - { - "name": "GroupName", - "type": "dynamic" - }, - { - "name": "GroupID", - "type": "dynamic" - }, - { - "name": "EffectiveGroupName", - "type": "dynamic" - }, - { - "name": "EffectiveGroupID", - "type": "dynamic" - }, - { - "name": "DstIpAddr", - "type": "dynamic" - }, - { - "name": "DstPortNumber", - "type": "dynamic" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "dynamic" - }, - { - "name": "TargetBinarySHA256", - "type": "dynamic" - }, - { - "name": "TargetbinarySignerType", - "type": "string" - }, - { - "name": "TargetBinarySigningTeamID", - "type": "string" - }, - { - "name": "TargetBinarySigningAppID", - "type": "string" - }, - { - "name": "TargetFilePath", - "type": "dynamic" - } - ] - }, - "totalRetentionInDays": 30 - } - }, - { - "name": "jamfprotectunifiedlogs_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "jamfprotectunifiedlogs_CL", - "columns": [ - { - "name": "input", - "type": "dynamic" - }, - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventProductVersion", - "type": "dynamic" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "dynamic" - }, - { - "name": "EventOriginalUid", - "type": "dynamic" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventMessage", - "type": "dynamic" - }, - { - "name": "EventResultMessage", - "type": "dynamic" - }, - { - "name": "TargetHostname", - "type": "dynamic" - }, - { - "name": "DvcHostname", - "type": "dynamic" - }, - { - "name": "DvcSerial", - "type": "dynamic" - }, - { - "name": "DvcIpAddr", - "type": "dynamic" - }, - { - "name": "DvcId", - 
"type": "dynamic" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "dynamic" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "ProcessEventType", - "type": "string" - }, - { - "name": "ProcessEventSubType", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "dynamic" - }, - { - "name": "TargetProcessId", - "type": "dynamic" - }, - { - "name": "TargetProcessGuid", - "type": "dynamic" - }, - { - "name": "TargetProcessCommandLine", - "type": "dynamic" - }, - { - "name": "TargetProcessCurrentDirectory", - "type": "dynamic" - } - ] - }, - "totalRetentionInDays": 30 - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "JamfProtectPush", - "title": "Jamf Protect Push Connector", - "publisher": "Jamf", - "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Telemetry", - "legend": "jamfprotecttelemetryv2_CL", - "baseQuery": 
"jamfprotecttelemetryv2_CL" - }, - { - "metricName": "Unified Logs", - "legend": "jamfprotectunifiedlogs_CL", - "baseQuery": "jamfprotectunifiedlogs_CL" - }, - { - "metricName": "Telemetry (Legacy)", - "legend": "jamfprotecttelemetryv1_CL", - "baseQuery": "jamfprotecttelemetryv1_CL" - }, - { - "metricName": "Alerts", - "legend": "jamfprotectalerts_CL", - "baseQuery": "jamfprotectalerts_CL" - } - ], - "sampleQueries": [ - { - "description": "Jamf Protect - All Alerts", - "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Jamf Protect - All Telemetry events", - "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "jamfprotecttelemetryv2_CL", - "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotectunifiedlogs_CL", - "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotecttelemetryv1_CL", - "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "jamfprotectalerts_CL", - "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "IsConnectedQuery", - "value": [ - "jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - 
"availability": { - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Microsoft Entra", - "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." - }, - { - "name": "Microsoft Azure", - "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" - } - ] - }, - "instructionSteps": [ - { - "title": "1. Create ARM Resources and Provide the Required Permissions", - "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." - } - }, - { - "parameters": { - "label": "Deploy Jamf Protect connector resources", - "applicationDisplayName": "Jamf Protect Connector Application" - }, - "type": "DeployPushConnectorButton" - } - ] - }, - { - "title": "2. 
Push your logs into the workspace", - "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", - "instructions": [ - { - "parameters": { - "label": "Tenant ID (Directory ID)", - "fillWith": [ - "TenantId" - ] - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Entra Application ID", - "fillWith": [ - "ApplicationId" - ], - "placeholder": "Deploy push connector to get the Application ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Entra Application Secret", - "fillWith": [ - "ApplicationSecret" - ], - "placeholder": "Deploy push connector to get the Application Secret" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "DCE Uri", - "fillWith": [ - "DataCollectionEndpoint" - ], - "placeholder": "Deploy push connector to get the DCR Uri" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "DCR Immutable ID", - "fillWith": [ - "DataCollectionRuleId" - ], - "placeholder": "Deploy push connector to get the DCR ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Telemetry Stream ID", - "value": "Custom-jamfprotecttelemetryv1_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Unified Logs Stream ID", - "value": "Custom-jamfprotectunifiedlogs_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Telemetry (Legacy) Stream ID", - "value": "Custom-jamfprotecttelemetryv2_CL" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "label": "Alerts Stream ID", - "value": "Custom-jamfprotectalerts_CL" - }, - "type": "CopyableLabel" - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "displayName": "Jamf Protect Push Connector", - "contentKind": "ResourcesDataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": { - "auth": { - "type": "object", - "defaultValue": { - "appId": "[[parameters('auth').appId]]", - "servicePrincipalId": 
"[[parameters('auth').servicePrincipalId]]" - } - }, - "connectorDefinitionName": { - "defaultValue": "Jamf Protect Push Connector", - "type": "string", - "minLength": 1 - }, - "workspace": { - "defaultValue": "[parameters('workspace')]", - "type": "string" - }, - "dcrConfig": { - "defaultValue": { - "dataCollectionEndpoint": "data collection Endpoint", - "dataCollectionRuleImmutableId": "data collection rule immutableId" - }, - "type": "object" - } - }, - "variables": { - "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" - }, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'JamfProtectPushConnectorPolling')]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "Push", - "properties": { - "connectorDefinitionName": "JamfProtectPush", - 
"dcrConfig": { - "streamName": "Custom-jamfprotecttelemetryv2", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "auth": { - "type": "Push", - "AppId": "[[parameters('auth').appId]", - "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]" - }, - "request": { - "RetryCount": 1 - }, - "response": { - "eventsJsonPaths": [ - "$.messages" - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": 
"[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect", - "category": "Microsoft Sentinel Parser", - "functionAlias": "JamfProtect", - "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n 
\"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple's Background Task Manager notified that an item has been added\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple's Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open 
Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple's XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple's XProtect remediated malware on the system\",\n 
eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n \"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == 
\"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == \"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n \"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n 
eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = 
tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n 
iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n \"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n 
isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), 
event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n 
iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n 
iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n 
\"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n 
iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n \"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = 
case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = 
column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Jamf Protect", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "JamfProtect", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", - "version": "[variables('parserObject1').parserVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject1')._parserName1]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect", - "category": "Microsoft Sentinel Parser", - "functionAlias": 
"JamfProtect", - "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n \"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple's Background Task Manager notified that an item has been added\",\n 
eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple's Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been 
disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple's XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple's XProtect remediated malware on the system\",\n eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been 
collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n \"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == \"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == 
\"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n \"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == 
\"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n 
ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n 
\"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n 
event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n 
iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), 
event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), 
event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n 
)\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n 
\"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = 
column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", 
\"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtectDashboard Workbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs." 
- }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b608e714-b3ec-4380-b666-1aa781513ab4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"includeAll\":false},\"label\":\"☁️ Subscription\"},{\"id\":\"f408f1cf-dbcb-4f57-9409-272374bd3cd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"Resources | where type =~ \\\"microsoft.operationalinsights/workspaces\\\" | order by name | project id, name, selected=row_number()==1, group=resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"label\":\"🗂️ Workspace\",\"value\":\"\"},{\"id\":\"397d983f-ea80-4aa5-8c65-547d40cb312b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_timetoken\",\"label\":\"⏱️ Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":172800000}},{\"id\":\"d716fb1e-0d71-4e99-9406-18ae7df6e037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"changelog\",\"label\":\"📖 Changelog\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameters Picker\"},{\"type\":1,\"content\":{\"json\":\"## Jamf Protect for Microsoft Sentinel!\\n\\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) for Microsoft Sentinel solution creates detailed event data from macOS endpoints into a Microsoft Sentinel workspace in a simple and easy workflow. The solution provides you with full visibility into Apple Endpoint Security by leveraging Workbooks containing [Alert](https://docs.jamf.com/jamf-protect/documentation/Alerts.html) and [Unified Logging](https://docs.jamf.com/jamf-protect/documentation/Unified_Logging.html) events captured by Jamf Protect and the [macOS built-in security events](https://support.apple.com/en-gb/guide/security/sec469d47bd8/web) that occurred across the protected organisational endpoints\\n\\n\\n#### Changelog\\n\\n**v2.2.0**\\n\\n***Workbook***\\n - Added System Performance Metrics\\n - Includes Energy Impact\\n - Added Network Traffic Stream\\n - Updated Workbook to make use of the newly added parser\\n - Added and tweaked querys and graphs\\n\\n ***Parser***\\n - Added JamfProtect parser for parsing and mapping all incoming raw data.\\n\\n ***Analytic Rules***\\n - Updated Analytic Rules to make use of the newly added parser. 
\\n\\t\\n**v2.1**\\n\\n***Workbook***\\n - Added Endpoint Telemetry\\n - Includes graphs and visualisations\\n\\t- Includes Endpoint Information\\n\\t- Includes Jamf Pro log parser\\n- Added Network Threat Events\\n \\t- Includes graphs and visualisations\\n- Added new Pickers\\n - Allows selecting different Log Analytic Workspaces\\n - Changed TimeRanger picker\\n- Added Changelog\\n\\n**Analytic Rules**\\n\\n- Added Analytic Rules\\n\\t- Jamf Protect - Alerts\\n\\t- Jamf Protect - Unified Logs\\n\\t- Jamf Protect - Network Threat Events\\n\\n\\n **v2.0**\\n \\n- Initial release of the solution containing a basic Workbook\\n\"},\"conditionalVisibility\":{\"parameterName\":\"changelog\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Text - Changelog\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Threat Hunting {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Set an type and provide values to search on File hash, CVE numbers or report on Alerts mapped to the MITRE framework or display latest alerts for a single endpoint.\",\"style\":\"info\"},\"name\":\"Text - Threat Hunting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5f5886d0-e83e-4ffc-a48c-bfed7370aa66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_type\",\"label\":\"Type\",\"type\":2,\"description\":\"Please choose the type\",\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"filehash\\\", \\\"label\\\":\\\"File Hash\\\" },\\n { \\\"value\\\":\\\"CVE\\\", \\\"label\\\":\\\"CVE\\\" },\\n { \\\"value\\\":\\\"mitre\\\", \\\"label\\\":\\\"Framework: MITRE\\\" },\\n { \\\"value\\\":\\\"endpointalerts\\\", \\\"label\\\":\\\"Latest alerts for a single endpoint\\\" 
}\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"15\",\"name\":\"Picker - Threat Hunting Type\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"49255f47-8f93-4746-8260-aad07befdb06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostnamealert\",\"label\":\"Hostname\",\"type\":2,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n | project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"endpointalerts\"}],\"name\":\"Picker - Threat Hunting Hostname\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bcdd945e-4dfe-47d6-9489-f76ce012c224\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_filehash\",\"label\":\"File Hash\",\"type\":1,\"description\":\"Thish value can be used for searching all alerts for a certain hash\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"filehash\"},\"name\":\"Search - Threat Hunting 
Hash\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0344768b-16c4-44ec-a4ac-73a8bc83d0e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_CVE\",\"label\":\"CVE Number\",\"type\":1,\"description\":\"Please search on the CVE number\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"T15\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"CVE\"},\"name\":\"Search - Threat Hunting CVE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessPrevented\\\" or EventType == \\\"ProcessCreated\\\"\\n| where TargetProcessSHA1 has \\\"{_filehash:value}\\\" or TargetBinarySHA256 has \\\"{_filehash:value}\\\"\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":4,\"title\":\"Matches on FileHash\",\"noDataMessage\":\"No matches found based on the hash value\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate to original event in Jamf Protect\"}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"_filehash\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"filehash\"}],\"name\":\"Query - Threat Hunting 
Hash\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where Match_tags contains \\\"{_CVE:value}\\\"\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n Match_tags,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n Match_tags,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":1,\"title\":\"Matches on CVE\",\"noDataMessage\":\"No matches found based on the _CVE:value CVE number\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to nagivate to original event in Jamf Protect\"}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"_cve\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"CVE\"}],\"name\":\"Query - Threat Hunting CVE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where Match_tags contains \\\"MITREattack\\\"\\n| extend\\n Tactics = case(Match_tags has \\\"Execution\\\", \\\"Execution\\\", Match_tags has \\\"Visibility\\\", \\\"Visibility\\\", Match_tags has \\\"Persistence\\\", \\\"Persistence\\\", Match_tags has \\\"LateralMovement\\\", \\\"Lateral Movement\\\", Match_tags has \\\"CredentialAccess\\\", \\\"Credential Acccess\\\", Match_tags has \\\"DefenseEvasion\\\", \\\"Defense Evasion\\\", Match_tags has \\\"PrivilegeEscalation\\\", \\\"Privilege Escalation\\\", Match_tags has \\\"Impact\\\", \\\"Impact\\\", Match_tags has \\\"CommandAndControl\\\", \\\"Command and Control\\\", Match_tags 
has \\\"Discovery\\\", \\\"Discovery\\\", Match_tags has \\\"InitialAccess\\\", \\\"Initial Access\\\", \\\"\\\"),\\n Techniques = extract(@\\\"[A-Za-z]\\\\d{4}\\\", 0, tostring(Match_tags))\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Tactics,\\n Techniques,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Tactics,\\n Techniques,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":1,\"title\":\"Alerts mapped to MITRE\",\"noDataMessage\":\"No alerts found that are mapped to the MITRE framework\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate to original event in Jamf Protect\"}}],\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"mitre\"}],\"name\":\"Query - Threat Hunting MITRE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where DvcHostname contains \\\"{_hostnamealert:value}\\\"\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\" and isnotempty(EventType)\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n 
EventDescription,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\\n| limit 10\",\"size\":1,\"title\":\"Recent 10 alerts in the past {_timetoken:value} for {_hostnamealert:value}\",\"noDataMessage\":\"No alerts found\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to nagivage to original event in Jamf Protect\"}}],\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"endpointalerts\"},{\"parameterName\":\"_hostnamealert\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"}],\"name\":\"Query - Threat Hunting 10 Recent Alerts Endpoint\"}]},\"customWidth\":\"100\",\"name\":\"Group - Threat Hunting\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| where EventSeverity != \\\"Informational\\\"\\n| sort by EventStartTime\\n| limit 10\",\"size\":0,\"title\":\"Recent 10 alerts in the past {_timetoken:value}\",\"noDataMessage\":\"No alerts found\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate 
to Alert in Jamf Protect\"}},{\"columnMatch\":\"AlertURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Query - 10 Recent Alerts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, severity: string) [\\n 0, \\\"Informational\\\",\\n 0, \\\"Low\\\",\\n 0, \\\"Medium\\\",\\n 0, \\\"High\\\"\\n]\\n| union\\n (\\n JamfProtect\\n | where EventProduct == \\\"Jamf Protect - Alerts\\\" \\n and isnotempty(EventType)\\n and EventSeverity != \\\"True\\\"\\n | summarize Count = count() by EventSeverity\\n )\\n| where isnotempty(EventSeverity)\\n| summarize Count=sum(Count) by EventSeverity\",\"size\":3,\"title\":\"All Alerts {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumSignificantDigits\":1,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\
"sortCriteriaField\":\"Count\",\"sortOrderField\":2}},\"name\":\"Datatable - Alerts per Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n and isnotempty(EventType)\\n| where EventSeverity != \\\"True\\\"\\n| summarize count() by EventSeverity, bin(TimeGenerated,{_timetoken:grain})\\n| render areachart \",\"size\":0,\"title\":\"Events Detected (Count By Severity) {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"0\",\"label\":\"Informational\"},{\"seriesName\":\"1\",\"label\":\"Low\"},{\"seriesName\":\"2\",\"label\":\"Medium\"},{\"seriesName\":\"3\",\"label\":\"High\"}]}},\"customWidth\":\"50\",\"name\":\"Query - Events detected by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UnifiedLog\\\"\\n| summarize count() by tostring(EventDescription), bin(TimeGenerated,{_timetoken:grain})\\n| render areachart \",\"size\":0,\"title\":\"Unified Logging Events {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Unified Logs\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\" \\n and isnotempty(EventType)\\n and isnotempty(DvcHostname)\\n| summarize Event = count() by DvcHostname\\n| sort by Event desc\",\"size\":3,\"title\":\"Most Active Endpoints (Total, last 
{_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"HostName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Event\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"HostName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Event\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"100\",\"name\":\"Query - Most active endpoints with Alerts\",\"styleSettings\":{\"maxWidth\":\"100\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n and isnotempty(EventType)\\n| summarize Events = count() by EventProduct, bin(TimeGenerated,{_timetoken:grain})\\n| render columnchart \",\"size\":0,\"title\":\"Events detected (Total by date, {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"jamfprotect_CL\",\"label\":\"Jamf Protect\"}]}},\"customWidth\":\"50\",\"name\":\"Query - Total events detected\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize Events = count() by EventType, bin(EventStartTime,{_timetoken:grain})\\n| render areachart with(kind=stacked)\\n\",\"size\":0,\"title\":\"Events Detected (Count by Type, 
{_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Events\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Events\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"Query - Events detected counted by Type\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Event Types\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize Events = count() by EventType\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Events by Type\",\"styleSettings\":{\"maxWidth\":\"100\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"FileSystem\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"File System Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - File System Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Process\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Process Event Types 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Process Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"USB\\\"\\nor EventType == \\\"UsbBlock\\\" and EventMessage == \\\"USBWrite\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"USB Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - USB Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Gatekeeper\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"Gatekeeper Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"GatekeeperBlockedSigned\",\"label\":\"Signed\"},{\"seriesName\":\"GatekeeperBlockedRevoked\",\"label\":\"Revoked\"},{\"seriesName\":\"GatekeeperBlockedUnsignedOrUnknown\",\"label\":\"UnsignedOrUnknown\"}]}},\"customWidth\":\"33\",\"name\":\"Query - GateKeeper Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessPrevented\\\"\\n| summarize Threat = count() by EventMatch\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"Threat Prevention Types 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Threat Prevention Types\"}]},\"name\":\"Group - Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize count() by tostring(EventType), tostring(EventMessage)\\n| project-rename Count = count_\\n| sort by Count desc\\n| limit 10\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Events\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessDenied\\\"\\n| where isnotempty(DvcHostname)\\n| summarize Count= count() by TargetProcessName, EventMatch, TargetBinarySigningAppID, TargetBinarySigningTeamID\\n| sort by Count asc nulls first\\n| limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process Blocked by Custom Prevent List {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Process Blocked by Custom Prevent List\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"macOS Built-In Security Tools\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Gatekeeper\\\"\\n| summarize count() by tostring(EventMessage), 
TargetFilePath\\n| project-rename BlockType = EventMessage, Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Gatekeeper Blocked Items {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"Query - Top Blocked GateKeepers events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Unified Log\\\"\\n| where input_match_event_subsystem_s == \\\"com.apple.XProtectFramework.PluginAPI\\\"\\n| where tostring(parse_json(input_match_event_composedMessage_s).status_message) <> \\\"[]\\\"\\n| extend status_message_ = tostring(parse_json(input_match_event_composedMessage_s).status_message)\\n| extend execution_duration_ = tostring(parse_json(input_match_event_composedMessage_s).execution_duration)\\n| project \\n EventStartTime, \\n DvcHostname, \\n Status=status_message_, \\n Module=input_match_event_process_s, \\n Execution_Duration=execution_duration_\\n| sort by EventStartTime desc\\n| limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"XProtect Remediator Scans {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - XProtect Remediator Activity\"}]},\"name\":\"macOS Built-In Security Tools Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Device Controls\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UsbBlock\\\"\\n| 
where EventMessage == \\\"EnforcedRemovableDevicePolicy\\\"\\n| extend EventMessage = replace_string(tostring(EventMessage), \\\"EnforcedRemovableDevicePolicy\\\", \\\"Blocked\\\")\\n| summarize count() by tostring(EventMessage)\\n\\n\",\"size\":2,\"title\":\"Device Controls Blocked {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"thresholdValue\":\"Alerts\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Notifications\",\"text\":\"Devices Blocked\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortOrderField\":2},\"graphSettings\":{\"type\":0,\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showMetrics\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"Query - Blocked USB Events\",\"styleSettings\":{\"maxWidth\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UsbBlock\\\"\\n| where EventMessage == \\\"EnforcedRemovableDevicePolicy\\\"\\n| extend device_ = strcat(input_match_event_device_vendorName_s, \\\" \\\",input_match_event_device_productName_s)\\n| summarize 
count() by DvcHostname, device_\\n| project-rename Hostname = DvcHostname, Device = device_, Count = count_\\n| sort by Count desc\\n\\n\",\"size\":0,\"title\":\"Device Controls Endpoint {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"65\",\"name\":\"Query - Blocked USB Devices\",\"styleSettings\":{\"maxWidth\":\"100\"}}]},\"name\":\"Group - Device Controls\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint Telemetry\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where identity_signer_id_s == \\\"com.apple.sudo\\\"\\n and ParentProcessName == \\\"/usr/bin/sudo\\\"\\n and ActorUsername == \\\"root\\\"\\n and ActorUserId != \\\"-1\\\"\\n| extend Compiled_Arguments = replace_string(TargetProcessCommandLine, \\\",\\\", \\\" \\\")\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n DvcHostname,\\n ActorUserId,\\n Compiled_Arguments\\n| project-rename Hostname = DvcHostname, Elevated_User = ActorUserId\\n| limit 50\\n| sort by EventStartTime\",\"size\":0,\"title\":\"Succesful sudo events {_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Compiled_Arguments\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"69.5714ch\"}}],\"sortBy\":[{\"itemKey\":\"EventStartTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"EventStartTime\",\"sortOrder\":2}]},\"name\":\"Query - Successful sudo events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n//| where 
SrcIpAddr != \\\"0.0.0.0\\\" and EventType != \\\"AUE_SESSION_START\\\" and EventType != \\\"PLAINTEXT_LOG_COLLECTION_EVENT\\\" and EventType != \\\"BIOS_FIRMWARE_VERSIONS\\\" and EventType != \\\"SYSTEM_PERFORMANCE_METRICS\\\" and EventType != \\\"RATE_LIMITING_APPLIED\\\"\\n| where SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"ProcessCreated\\\"\\n or SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"Logoff\\\"\\n or SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"SshInitiated\\\"\\n| where isnotempty(DvcHostname)\\n| where isnotempty(EventType)\\n| where EventProduct != \\\"Jamf Protect - Alerts\\\"\\n//| extend binary=parse_json(path_s)[0]\\n| extend Compiled_Arguments = replace_string(TargetProcessCommandLine, \\\",\\\", \\\" \\\")\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n return_description_s,\\n TargetProcessName,\\n DvcHostname,\\n SrcIpAddr,\\n ActorUsername,\\n ActorUserId,\\n Compiled_Arguments\\n| project-rename\\n EventName = EventType,\\n Description = return_description_s,\\n Hostname = DvcHostname,\\n Process_Name = TargetProcessName,\\n IP_Adress = SrcIpAddr,\\n Elevated_User = ActorUserId\\n| limit 15\\n| sort by EventStartTime\",\"size\":0,\"title\":\"Remotely Controlled Commands (Outbound) {_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Query - Remotely Controlled Commands\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n| where isnotempty(TargetProcessName)\\n| project-keep TimeGenerated, ParentProcessName, TargetProcessName\\n| summarize Rare_Process_Count = count() by TargetProcessName, ParentProcessName\\n| sort by Rare_Process_Count asc nulls first\\n| limit 200\",\"size\":0,\"title\":\"Rare Process Executions (All Executions) 
{_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Rare_Process_Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Rare_Process_Count\",\"sortOrder\":1}]},\"customWidth\":\"100\",\"name\":\"Query - Rare Process Executions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and isnotempty(ParentProcessName)\\n| project\\n DvcHostname,\\n TargetProcessName,\\n ParentProcessName,\\n ParentProcessGuid,\\n exec_chain_thread_uuid_g\\n| summarize\\n thread_uuid = make_set(exec_chain_thread_uuid_g, 128),\\n Hostnames = make_set(DvcHostname, 128),\\n process = make_set(TargetProcessName, 128)\\n by ParentProcessName\\n| project \\n Hostnames,\\n process,\\n parent_process=ParentProcessName,\\n thread_uuid\",\"size\":0,\"title\":\"Parent/child process with thread uuid {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"Query - Parent and Child Process UUID\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint Information\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"SystemPerformanceMetrics\\\"\\n| extend metrics = parse_json(metrics_tasks_s)\\n| project-keep DvcHostname, metrics, TimeGenerated\\n| project-reorder DvcHostname, metrics\\n| mv-expand metrics\\n| extend energy_impact = metrics.energy_impact\\n| extend process_name = metrics.name\\n| project-rename\\n Hostname = DvcHostname\\n| extend avg = 
toreal(energy_impact)\\n| summarize Average = avg(avg) by tostring(process_name), bin(TimeGenerated,{_timetoken:grain})\\n| render timechart\\n\\n\\n\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Overall System Energy Impact on all endpoints {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0,\"nodeIdField\":\"Hostname\",\"sourceIdField\":\"Hostname\",\"targetIdField\":\"Hostname\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"group\":\"process_name\",\"createOtherGroup\":15,\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"customWidth\":\"100\",\"name\":\"Query - System Performance Metrics - Energy Impact\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Log Parser {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a hostname in order to show the collected plain-text log files.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isEqualTo\"},\"name\":\"Text - Jamf Log Parser Note\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"f747e125-851e-45f7-b500-5d22049da6a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostnamelogparser\",\"label\":\"Hostname\",\"type\":2,\"isRequired\":true,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and EventType == \\\"LogFileCollected\\\"\\n| project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by 
Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7d123ad2-1768-4d22-b438-565ab483c044\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_logselectlogparser\",\"label\":\"Available Log File\",\"type\":2,\"isRequired\":true,\"query\":\"JamfProtect\\n| where EventType == \\\"LogFileCollected\\\"\\n and DvcHostname == \\\"{_hostnamelogparser:value}\\\"\\n| project-keep TargetFilePath\\n| project-keep TargetFilePath\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"[\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"]\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, '\\\"', \\\"\\\")\\n| summarize by TargetFilePath\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"/var/log/jamf.log\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Picker - Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"LogFileCollected\\\"\\n and DvcHostname == \\\"{_hostnamelogparser:value}\\\"\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"[\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"]\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, '\\\"', \\\"\\\")\\n| where TargetFilePath == \\\"{_logselectlogparser:escapejson}\\\"\\n| project EventResult, EventStartTime\\n| project-rename Logs = EventResult\\n| project-reorder EventStartTime, Logs\\n| mv-expand parse_json(Logs)\\n| sort by EventStartTime desc\\n| limit 
50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log File Collection on \\\"{_hostnamelogparser:value}\\\"\",\"noDataMessage\":\"No matches found based on the hostname\",\"timeContextFromParameter\":\"_timetoken\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Logs\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Query - Parse Logs\"}]},\"customWidth\":\"100\",\"name\":\"Group - Log Parser\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint System Performance {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a hostname in order to show the system performance metrics.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isEqualTo\"},\"name\":\"Text - Jamf Log Parser Note\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"f747e125-851e-45f7-b500-5d22049da6a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostname\",\"label\":\"Hostname\",\"type\":2,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and EventType == \\\"SystemPerformanceMetrics\\\"\\n| project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by 
Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"LMAC-ZW0GTLVDL\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Picker - Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"SystemPerformanceMetrics\\\"\\n and DvcHostname == \\\"{_hostname:value}\\\"\\n| extend metrics = parse_json(metrics_tasks_s)\\n| project-keep DvcHostname, metrics, TimeGenerated\\n| project-reorder DvcHostname, metrics\\n| mv-expand metrics\\n| extend energy_impact = metrics.energy_impact\\n| extend process_name = metrics.name\\n| project-rename\\n Hostname = DvcHostname\\n| extend avg = toreal(energy_impact)\\n| summarize Average = avg(avg) by tostring(process_name), bin(TimeGenerated,{_timetoken:grain})\\n| render timechart\",\"size\":0,\"aggregation\":3,\"title\":\"Energy Impact on {_hostname:value}\",\"noDataMessage\":\"No metrics found based on the hostname\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"JamfLogs\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"100ch\"}}]},\"chartSettings\":{\"group\":\"process_name\",\"createOtherGroup\":15,\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"_hostname\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Query - Endpoint System Performance - Energy Impact\"}]},\"customWidth\":\"100\",\"name\":\"Group - Endpoint System 
Performance\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}}]},\"name\":\"Group - Endpoint Information\"}]},\"name\":\"Group - Telemetry\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Network Threat Events\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and EventResult == \\\"Blocked\\\"\\n| extend blocks = case(EventResult == \\\"Blocked\\\", \\\"Blocked\\\", \\\"True\\\")\\n| summarize arg_max(EventResult, *) by EventStartTime\\n| summarize Count = count() by blocks\\n\\n\",\"size\":4,\"title\":\"Threats blocked by NTP {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"<\",\"thresholdValue\":\"15\",\"representation\":\"gray\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"<\",\"thresholdValue\":\"30\",\"representation\":\"orange\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\">\",\"thresholdValue\":\"50\",\"representation\":\"redBright\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"Threats blocked by 
NTP\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumSignificantDigits\":1,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"sortCriteriaField\":\"blocks\",\"sortOrderField\":1,\"size\":\"auto\"}},\"name\":\"Query - Threats blocked by NTP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n| where isnotempty(EventSeverity)\\n| summarize arg_max(EventSeverity, *) by EventStartTime\\n| summarize count() by EventSeverity, bin(TimeGenerated,{_timetoken:grain})\\n| render areachart\",\"size\":0,\"title\":\"Network Events Detected (Count By Severity) {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(DvcHostname)\\n| summarize arg_max(DvcHostname, *) by EventStartTime\\n| summarize Event = count() by DvcHostname\\n| sort by Event desc\",\"size\":0,\"title\":\"Most Active Endpoints (Total, last {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Most Active Endoints with Alerts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(ThreatCategory)\\n| summarize arg_max(ThreatCategory, *) by EventStartTime\\n| summarize Events = 
count() by ThreatCategory, bin(EventStartTime, {_timetoken:grain})\\n| render areachart with(kind=stacked)\",\"size\":0,\"title\":\"Network Events Detected (Count by Type, {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(ThreatCategory)\\n| summarize arg_max(ThreatCategory, *) by EventStartTime\\n| summarize Events = count() by ThreatCategory\\n| render piechart\",\"size\":0,\"title\":\"Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Description\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\" \\n and notempty(ThreatCategory) and notempty(DnsQueryName)\\n| extend name_ = ThreatCategory\\n| summarize arg_max(DnsQueryName, *) by EventStartTime\\n| summarize count() by DnsQueryName, ThreatCategory\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Blocked destinations {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 blocked destinations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\" \\n and notempty(ThreatCategory)\\n and notempty(DstIpAddr)\\n| 
extend name_ = ThreatCategory\\n| summarize arg_max(DstIpAddr, *) by EventStartTime\\n| summarize count() by DstIpAddr\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Blocked IPs {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Blocked IPs\"}]},\"name\":\"Network Threat Events - Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Network Traffic\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Network Traffic Stream\\\"\\n and isnotempty(DnsQuery)\\n| summarize arg_max(DnsQuery, *) by EventStartTime\\n| summarize count() by DnsQuery, DnsQueryTypeName\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 resolved destinations {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 resolved destinations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Network Traffic Stream\\\"\\n and isnotempty(DstIpAddr) and DstIpAddr != \\\"[]\\\"\\n| summarize arg_max(DstIpAddr, *) by EventStartTime\\n| summarize count() by DstIpAddr\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Resolved IPs 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Resolved IPs\"}]},\"name\":\"Network Traffic - Group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-JamfProtectDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=JamfProtectWorkbook; logoFileName=jamf_logo.svg; description=This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Jamf Protect Workbook; templateRelativePath=JamfProtectDashboard.json; subtitle=; provider=Jamf Software, LLC}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - }, - "dependencies": { - "operator": "AND", - 
"criteria": [ - { - "contentId": "jamfprotect_CL", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtectAlerts_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel", - "displayName": "Jamf Protect - Alerts", - "enabled": false, - "query": "JamfProtect\n| where EventProduct == \"Jamf Protect - Alerts\"\n and isnotempty(EventSeverity)\n| extend\n algorithm = 
\"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = tostring(Match_facts[0].tags),\n Tactics = case(Match_tags has \"Execution\", \"Execution\", Match_tags has \"Visibility\", \"Visibility\", Match_tags has \"Persistence\", \"Persistence\", Match_tags has \"LateralMovement\", \"LateralMovement\", Match_tags has \"CredentialAccess\", \"CredentialAcccess\", Match_tags has \"DefenseEvasion\", \"DefenseEvasion\", Match_tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", Match_tags has \"Impact\", \"Impact\", Match_tags has \"CommandAndControl\", \"CommandandControl\", Match_tags has \"Discovery\", \"Discovery\", Match_tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(Match_tags))),\n JamfPro = case(Match_actions has \"SmartGroup\", \"Workflow with Jamf Pro\", Match_actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "JamfProtect", - "dataTypes": [ - "jamfprotect_CL" - ] - } - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "DvcHostname", - "identifier": "HostName" - }, - { - "columnName": "DvcOs", - "identifier": "OSFamily" - }, - { - "columnName": "DvcOsVersion", - "identifier": "OSVersion" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "Host_IPs", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "TargetUsername", - "identifier": "Name" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "TargetProcessCurrentDirectory", - "identifier": "CommandLine" - }, - { - "columnName": "TargetProcessId", - "identifier": "ProcessId" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "columnName": "algorithm", - "identifier": 
"Algorithm" - }, - { - "columnName": "TargetBinarySHA256", - "identifier": "Value" - } - ], - "entityType": "FileHash" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "Related_File_hash": "TargetBinarySHA256", - "Protect_Analytic": "EventMessage", - "Protect_Tags": "Tags", - "TargetBinarySigner": "TargetBinarySigningTeamID", - "TargetBinarySignMsg": "TargetBinarySigningInfoMessage", - "TargetbinarySign": "TargetbinarySignerType", - "Protect_Event_Type": "EventType", - "Related_Binaries": "TargetBinaryFilePath", - "JamfPro_Status": "JamfPro" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}", - "alertSeverityColumnName": "EventSeverity", - "alertDescriptionFormat": "{{EventDescription}} - Please investigate", - "alertTacticsColumnName": "Tactics", - "alertDynamicProperties": [ - { - "value": "EventReportUrl", - "alertProperty": "AlertLink" - }, - { - "value": "EventVendor", - "alertProperty": "ProviderName" - }, - { - "value": "EventProduct", - "alertProperty": "ProductName" - }, - { - "value": "Techniques", - "alertProperty": "Techniques" - } - ] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "matchingMethod": "AllEntities", - "enabled": false, - "lookbackDuration": "PT5H", - "reopenClosedIncident": false - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "Jamf Protect Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - 
"source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Jamf Protect - Alerts", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtectNetworkThreats_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": 
"[parameters('workspace-location')]", - "properties": { - "description": "Creates an incident based based on Jamf Protect's Network Threat Event Stream alerts.", - "displayName": "Jamf Protect - Network Threats", - "enabled": false, - "query": "JamfProtect\n| where EventProduct == \"Jamf Protect - Threat Events Stream\"\n and EventResult == \"Blocked\"\n and isnotempty(EventSeverity)\n| extend Tactics = \"Initial Access\"\n| extend Techniques = \"T1566\"\n", - "severity": "Informational", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "JamfProtect", - "dataTypes": [ - "jamfprotect_CL" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1133" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Hostname", - "identifier": "HostName" - }, - { - "columnName": "DvcOs", - "identifier": "OSFamily" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "DstIpAddr", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "SrcUsermail", - "identifier": "AadUserId" - }, - { - "columnName": "SrcUsername", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "DnsQueryName", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "Category": "ThreatCategory" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "Network Threat detected on {{DvcHostname}}", - "alertSeverityColumnName": "EventSeverity", - "alertDescriptionFormat": "A Network Threat has been {{EventResult}} on {{DvcHostname}}", - "alertTacticsColumnName": "Tactics", - "alertDynamicProperties": [ - { - "value": "EventReportUrl", - "alertProperty": "AlertLink" - }, - { - "value": "EventVendor", - "alertProperty": "ProviderName" - }, - { - 
"value": "EventProduct", - "alertProperty": "ProductName" - }, - { - "value": "EventResult", - "alertProperty": "RemediationSteps" - }, - { - "value": "Techniques", - "alertProperty": "Techniques" - } - ] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "matchingMethod": "AllEntities", - "enabled": false, - "lookbackDuration": "PT5H", - "reopenClosedIncident": false - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Jamf Protect Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Jamf Protect - Network Threats", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - 
}, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtectUnifiedLogs_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel", - "displayName": "Jamf Protect - Unified Logs", - "enabled": false, - "query": "JamfProtect\n| where EventType == \"UnifiedLog\"\n| where isnotempty(EventSeverity)\n| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])\n", - "severity": "Informational", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "JamfProtect", - "dataTypes": [ - "jamfprotect_CL" - ] - } - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "DvcHostname", - "identifier": "HostName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "Host_IPs", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - 
}, - "customDetails": { - "Tags": "Match_tags", - "Unified_Log": "EventDescription", - "Event_Process": "TargetProcessName", - "Protect_Event_Type": "EventType" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}", - "alertSeverityColumnName": "EventSeverity", - "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs", - "alertDynamicProperties": [ - { - "value": "EventVendor", - "alertProperty": "ProviderName" - }, - { - "value": "EventProduct", - "alertProperty": "ProductName" - } - ] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "matchingMethod": "AllEntities", - "enabled": false, - "lookbackDuration": "PT5H", - "reopenClosedIncident": false - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "Jamf Protect Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "Jamf Protect - Unified Logs", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_DazzleSpy_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - DazzleSpy", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27\", \n \"4c67717fdf1ba588c8be62b6137c92d344a7d4f46b24fa525e5eaa3de330b16c\", \n \"570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6\", \n \"623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a\", \n \"8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f\", \n 
\"9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70\", \n \"a63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97\", \n \"bbbfe62cf15006014e356885fbc7447e3fd37c3743e0522b1f8320ad5c3791c9\", \n \"cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8\", \n \"d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4\", \n \"df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144\", \n \"f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348\")\n or DstIpAddr in (\"103.255.44.56\",\n \"123.1.170.152\",\n \"207.148.102.208\",\n \"88.218.192.128\")\n or TargetFilePath contains \"/Library/LaunchAgents/softwareupdate.plist\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for alerts related to DazzleSpy activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "ResourceDevelopment" - }, - { - "name": "techniques", - "value": "T1587,T1587.001" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 1", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": 
"support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - DazzleSpy", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_JokerSpy_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_2", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - 
"displayName": "JamfProtect - macOS - JokerSpy", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272\", \n \"39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4\", \n \"aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1\", \n \"d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8\", \n \"951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c\", \n \"452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1\", \n \"6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c\")\nor DnsQueryName contains \"git-hub.me\"\nor DnsQueryName contains \"app.influmarket.org\"\nor EventMatch contains \"jokerspy\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for alerts related to JokerSpy activity, Known to use various back doors to deploy spyware on victims' systems in order to perform reconnaissance and for command and control." 
- }, - { - "name": "tactics", - "value": "Execution,Masquerading" - }, - { - "name": "techniques", - "value": "T1059,T1036" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 2", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - JokerSpy", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_KandyKorn_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - KandyKorn", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1\",\n \"51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077\")\n or DnsQueryName contains \"tp-globa.xyz\"\n or DstIpAddr in (\"192.119.64.43\", \"23.254.226.90\")\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for activity related to KandyKorn activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1020" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", 
- "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 3", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - KandyKorn", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": 
"[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_PureLand_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_4", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - PureLand", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 has \"0b9a3b00302faf3297b60fff0714f2db87245a613dcd9849645bffa7c4a3df9b\"\n or DstIpAddr contains \"193.168.141.107\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for activity related to PureLand activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1020" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 4", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 
variables('huntingQueryObject4')._huntingQuerycontentId4)]", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - PureLand", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_RustBucket_HuntingQueries Hunting Query with template version 
3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_5", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - RustBucket", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 in (\"e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c\", \"ac08406818bbf4fe24ea04bfd72f747c89174bdb\", \"72167ec09d62cdfb04698c3f96a6131dceb24a9c\", \"fd1cef5abe3e0c275671916a1f3a566f13489416\")\n or DnsQueryName contains \"cloud.dnx.capital\"\n or DnsQueryName contains \"deck.31ventures.info\"\n or ((TargetBinarySigningAppID contains \"com.apple.pdfViewer\") and (TargetbinarySignerType != \"Apple\"))\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for activity related to RustBucket activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1020" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 5", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "kind": 
"HuntingQuery", - "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - RustBucket", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_Turtle_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('huntingQueryObject6').huntingQueryVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_6", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - Turtle", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 has \"a48af4a62358831fe5376aa52db1a3555b0c93c1665b242c0c1f49462f614c56\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for activity related to Turtle activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1020" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 6", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": 
"[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - Turtle", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_macOS_AtomicStealer_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Jamf_Protect_Hunting_Query_7", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "JamfProtect - macOS - AtomicStealer", - "category": "Hunting Queries", - "query": "JamfProtect\n| where TargetProcessSHA256 in (\n 
\"ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a\", \n \"91cca8b573d9bfdbe2d7ff74ce31acee7a3a9f8e0034841af38d96a1d4ad02f4\", \n \"7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f\")\nor TargetFileSHA256 has \"6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0\"\nor DnsQueryName contains \"app-downloads.org\"\nor DnsQueryName contains \"trabingviews.com\"\nor DstIpAddr contains \"185.106.93.154\"\nor EventMatch contains \"atomicstealer\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Use this query to look for activity related to AtomicStealer activity, known to affect macOS devices via a MachO binary" - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1020" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", - "properties": { - "description": "Jamf Protect Hunting Query 7", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": 
"[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "contentKind": "HuntingQuery", - "displayName": "JamfProtect - macOS - AtomicStealer", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_Alert_Status_InProgress Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "clientIdentifier": { - "type": "String", - "metadata": { - "description": "The Client ID for the Jamf Protect API Key" - } - }, - "clientSecret": { - "type": "SecureString", - "metadata": { - "description": "The Client Secret for the Jamf Protect API Key" - } - }, - "jamfProtect_URL": { - "defaultValue": "https://*.protect.jamfcloud.com", - "type": "String", - "metadata": { - "description": "Enter the Jamf Protect instance URL ex: {https://fakevalue.protect.jamfcloud.com}" - } - }, - "PlaybookName": { - "type": "String", 
- "minLength": 1, - "defaultValue": "JamfProtect_Alert_Status_InProgress", - "metadata": { - "description": "Name of the Logic App/Playbook" - } - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('playbookName')]", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "client_ID": { - "defaultValue": "[[parameters('clientIdentifier')]", - "type": "String" - }, - "jamfProtectURL": { - "defaultValue": "[[parameters('jamfProtect_URL')]", - "type": "String" - }, - "password": { - "defaultValue": "[[parameters('clientSecret')]", - "type": "SecureString" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { 
- "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "For_each": { - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Jamf Protect Alert with URL @{outputs('Composing_Jamf_Protect_Alert_URL')} has been set to status In Progress

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Composing_Jamf_Protect_Alert_URL": { - "type": "Compose", - "inputs": "@items('For_each')?['properties']?['alertLink']" - }, - "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": { - "runAfter": { - "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "type": "Raw", - "value": "@variables('accessToken')" - }, - "body": { - "operationName": "updateAlert", - "query": "mutation updateAlert {\n updateAlerts(input: { uuids: [\"@{outputs('Removing_pre-fix_of_URL_and_keeping_Alert_UDID')}\"], status: InProgress })\n {\n items {\n uuid\n status\n }\n }\n}\n" - }, - "method": "POST", - "uri": "@{parameters('jamfProtectURL')}/graphql" - } - }, - "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": { - "runAfter": { - "Composing_Jamf_Protect_Alert_URL": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@replace(outputs('Composing_Jamf_Protect_Alert_URL'), variables('jamfProtectAlertURL'), '')" - } - }, - "runAfter": { - "Set_accessToken_as_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Generate_Access_Token": { - "runAfter": { - "set_jamfProtectAlertURL_as_variable": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "client_id": "@{parameters('client_ID')}", - "password": "@{parameters('password')}" - }, - "headers": { - "Content-Type": "application/json" - }, - "method": "POST", - "uri": "@{parameters('jamfProtectURL')}/token" - }, - "runtimeConfiguration": { - "secureData": { - "properties": [ - "inputs" - ] - } - } - }, - "Parse_JSON_Response_from_Access_Token": { - "runAfter": { - "Generate_Access_Token": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Generate_Access_Token')", - "schema": { - "properties": { - 
"access_token": { - "type": "string" - }, - "expires_in": { - "type": "integer" - }, - "token_type": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Set_accessToken_as_variable": { - "runAfter": { - "Parse_JSON_Response_from_Access_Token": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "accessToken", - "type": "string", - "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" - } - ] - } - }, - "set_jamfProtectAlertURL_as_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "jamfProtectAlertURL", - "type": "string", - "value": "@{parameters('jamfProtectURL')}/Alerts/" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - 
"support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ], - "metadata": { - "title": "Jamf Protect - Set Alert to In Progress", - "description": "This Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel incident back to Jamf Protect.", - "mainSteps": [ - "1. Fetches the AlertUDID from the Alert of Jamf Protect", - "2. Generates a Access Token to authenticate against the Jamf Protect GraphQL API", - "3. Changes the Alert status in Jamf Protect to In Progress" - ], - "prerequisites": [ - "1. Generate API Client in Jamf Protect and take note of the CLientID and Password. [learn how](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Jamf_Protect_API.html#ariaid-title3)", - "2. Use the ClientID and Password during the deployment of this Playbook" - ], - "lastUpdateTime": "2023-07-20T00:00:00Z", - "tags": [ - "Utilities" - ], - "source": { - "type": "solution", - "name": "Jamf Protect" - }, - "postDeployment": [ - "** b. Configurations in Sentinel **", - "1. In Microsoft Sentinel Analytic Rules for Jamf Protect - Alerts should be configured to create an incident", - "2. 
Configure the Automation Rules to trigger this playbook once a incident is status is changed to Active" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Jamf Protect - Set Alert to In Progress", - "notes": [ - "Initial version" - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "JamfProtect_Alert_Status_InProgress", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_Alert_Status_Resolved Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "clientIdentifier": { - "type": "String", - "metadata": { - "description": "The Client ID for the Jamf Protect API Key" - } - }, - "clientSecret": { - "type": "SecureString", - "metadata": { - "description": "The Client Secret for the Jamf Protect API Key" - } - }, - "jamfProtect_URL": { - "defaultValue": "https://*.protect.jamfcloud.com", - "type": "String", - "metadata": { - "description": "Enter the Jamf Protect instance URL ex: {https://fakevalue.protect.jamfcloud.com}" 
- } - }, - "PlaybookName": { - "type": "String", - "minLength": 1, - "defaultValue": "JamfProtect_Alert_Status_Resolved", - "metadata": { - "description": "Name of the Logic App/Playbook" - } - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('playbookName')]", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "client_ID": { - "defaultValue": "[[parameters('clientIdentifier')]", - "type": "String" - }, - "jamfProtectURL": { - "defaultValue": "[[parameters('jamfProtect_URL')]", - "type": "String" - }, - "password": { - "defaultValue": "[[parameters('clientSecret')]", - "type": "SecureString" - } - }, - 
"triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "For_each": { - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Jamf Protect Alert with URL @{outputs('Composing_Jamf_Protect_Alert_URL')} has been set to status Resolved

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Composing_Jamf_Protect_Alert_URL": { - "type": "Compose", - "inputs": "@items('For_each')?['properties']?['alertLink']" - }, - "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": { - "runAfter": { - "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "type": "Raw", - "value": "@variables('accessToken')" - }, - "body": { - "operationName": "updateAlert", - "query": "mutation updateAlert {\n updateAlerts(input: { uuids: [\"@{outputs('Removing_pre-fix_of_URL_and_keeping_Alert_UDID')}\"], status: Resolved })\n {\n items {\n uuid\n status\n }\n }\n}\n" - }, - "method": "POST", - "uri": "@{parameters('jamfProtectURL')}/graphql" - } - }, - "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": { - "runAfter": { - "Composing_Jamf_Protect_Alert_URL": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@replace(outputs('Composing_Jamf_Protect_Alert_URL'), variables('jamfProtectAlertURL'), '')" - } - }, - "runAfter": { - "Set_accessToken_as_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Generate_Access_Token": { - "runAfter": { - "set_jamfProtectAlertURL_as_variable": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "client_id": "@{parameters('client_ID')}", - "password": "@{parameters('password')}" - }, - "headers": { - "Content-Type": "application/json" - }, - "method": "POST", - "uri": "@{parameters('jamfProtectURL')}/token" - }, - "runtimeConfiguration": { - "secureData": { - "properties": [ - "inputs" - ] - } - } - }, - "Parse_JSON_Response_from_Access_Token": { - "runAfter": { - "Generate_Access_Token": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Generate_Access_Token')", - "schema": { - "properties": { - 
"access_token": { - "type": "string" - }, - "expires_in": { - "type": "integer" - }, - "token_type": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Set_accessToken_as_variable": { - "runAfter": { - "Parse_JSON_Response_from_Access_Token": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "accessToken", - "type": "string", - "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" - } - ] - } - }, - "set_jamfProtectAlertURL_as_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "jamfProtectAlertURL", - "type": "string", - "value": "@{parameters('jamfProtectURL')}/Alerts/" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - 
"support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ], - "metadata": { - "title": "Jamf Protect - Set Alert to Resolved", - "description": "This Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel incident back to Jamf Protect.", - "mainSteps": [ - "1. Fetches the AlertUDID from the Alert of Jamf Protect", - "2. Generates a Access Token to authenticate against the Jamf Protect GraphQL API", - "3. Changes the Alert status in Jamf Protect to Resolved" - ], - "prerequisites": [ - "1. Generate API Client in Jamf Protect and take note of the CLientID and Password. [learn how](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Jamf_Protect_API.html#ariaid-title3)", - "2. Use the ClientID and Password during the deployment of this Playbook" - ], - "lastUpdateTime": "2023-07-20T00:00:00Z", - "tags": [ - "Utilities" - ], - "source": { - "type": "solution", - "name": "Jamf Protect" - }, - "postDeployment": [ - "** b. Configurations in Sentinel **", - "1. In Microsoft Sentinel Analytic Rules for Jamf Protect - Alerts should be configured to create an incident", - "2. 
Configure the Automation Rules to trigger this playbook once a incident is status is changed to Active" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Jamf Protect - Set Alert to Resolved", - "notes": [ - "Initial version" - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "JamfProtect_Alert_Status_Resolved", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JamfProtect_LockComputer_with_JamfPro Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "jamfProClientID": { - "type": "String", - "metadata": { - "description": "The ClientID for the Jamf Pro" - } - }, - "jamfProSecret": { - "type": "SecureString", - "metadata": { - "description": "The secret for the ClientID of Jamf Pro" - } - }, - "jamfProURL": { - "defaultValue": "https://*.jamfcloud.com", - "type": "String", - "metadata": { - "description": "Enter the Jamf Pro instance URL ex: {https://fakevalue.jamfcloud.com}" - } - }, - "PlaybookName": { - "type": 
"String", - "minLength": 1, - "defaultValue": "JamfProtect_LockComputer_with_JamfPro", - "metadata": { - "description": "Name of the Logic App/Playbook" - } - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('playbookName')]", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "jamfProSecret": { - "defaultValue": "[[parameters('jamfProSecret')]", - "type": "SecureString" - }, - "jamfProURL": { - "defaultValue": "[[parameters('jamfProURL')]", - "type": "String" - }, - "jamfProClientID": { - "defaultValue": "[[parameters('jamfProClientID')]", - "type": "String" - } - }, - "triggers": { - 
"Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Filter_array_for_the_entity_kind_Host": { - "runAfter": { - "Parse_JSON_Entities_from_the_Incident": [ - "Succeeded" - ] - }, - "type": "Query", - "inputs": { - "from": "@body('Parse_JSON_Entities_from_the_Incident')", - "where": "@equals(item()['kind'], 'Host')" - } - }, - "For_each_host_send_DeviceLock_command": { - "foreach": "@body('Filter_array_for_the_entity_kind_Host')", - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Send_DeviceLock_command_to_given_computers_JSSID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Device Lock command has been send to @{body('Parse_JSON_for_given_computer_based_on_managementID')?['general']?['name']} with passcode: @{outputs('Generate_a_randomised_6_digit_value')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Generate_a_randomised_6_digit_value": { - "runAfter": { - "Parse_JSON_for_given_computer_based_on_managementID": [ - "Succeeded", - "Failed" - ] - }, - "type": "Compose", - "inputs": "@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}" - }, - "Get_JSSID_for_given_computer_in_Jamf_Pro": { - "type": "Http", - "inputs": { - "headers": { - "Authorization": "Bearer @{variables('accessToken')}", - "accept": "application/json" - }, - "method": "GET", - "uri": "@{parameters('jamfProURL')}/JSSResource/computers/name/@{items('For_each_host_send_DeviceLock_command')?['properties']?['friendlyName']}" - } - }, - "Get_managementID_for_given_computer_in_Jamf_Pro": { - "runAfter": { - "Parse_JSON_response_for_given_computer": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "headers": { - "Authorization": "Bearer @{variables('accessToken')}", - "accept": "application/json" - }, - "method": "GET", - "uri": "@{parameters('jamfProURL')}/api/v1/computers-inventory/@{body('Parse_JSON_response_for_given_computer')?['computer']?['general']?['id']}?section=GENERAL" - } - }, - "Parse_JSON_for_given_computer_based_on_managementID": { - "runAfter": { - "Get_managementID_for_given_computer_in_Jamf_Pro": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Get_managementID_for_given_computer_in_Jamf_Pro')", - "schema": { - "properties": { - "general": { - "properties": { - "declarativeDeviceManagementEnabled": { - "type": "boolean" - }, - "enrolledViaAutomatedDeviceEnrollment": { - "type": "boolean" - }, - "initialEntryDate": { - "type": "string" - }, - "itunesStoreAccountActive": { - "type": "boolean" - }, - "jamfBinaryVersion": { - "type": "string" - }, - "lastContactTime": { - "type": "string" - }, - "lastEnrolledDate": { - "type": "string" - }, 
- "lastIpAddress": { - "type": "string" - }, - "lastReportedIp": { - "type": "string" - }, - "managementId": { - "type": "string" - }, - "mdmCapable": { - "properties": { - "capable": { - "type": "boolean" - }, - "capableUsers": { - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "mdmProfileExpiration": { - "type": "string" - }, - "name": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "remoteManagement": { - "properties": { - "managed": { - "type": "boolean" - } - }, - "type": "object" - }, - "reportDate": { - "type": "string" - }, - "site": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "supervised": { - "type": "boolean" - }, - "userApprovedMdm": { - "type": "boolean" - } - }, - "type": "object" - }, - "id": { - "type": "string" - }, - "udid": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Parse_JSON_response_for_given_computer": { - "runAfter": { - "Get_JSSID_for_given_computer_in_Jamf_Pro": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Get_JSSID_for_given_computer_in_Jamf_Pro')", - "schema": { - "properties": { - "computer": { - "properties": { - "certificates": { - "items": { - "properties": { - "common_name": { - "type": "string" - }, - "expires_epoch": { - "type": "integer" - }, - "expires_utc": { - "type": "string" - }, - "identity": { - "type": "boolean" - }, - "name": { - "type": "string" - } - }, - "required": [ - "common_name", - "identity", - "expires_utc", - "expires_epoch", - "name" - ], - "type": "object" - }, - "type": "array" - }, - "configuration_profiles": { - "items": { - "properties": { - "id": { - "type": "integer" - }, - "is_removable": { - "type": "boolean" - }, - "name": { - "type": "string" - }, - "uuid": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "uuid", - "is_removable" - ], - "type": "object" - }, - "type": "array" - }, - 
"extension_attributes": { - "items": { - "properties": { - "id": { - "type": "integer" - }, - "multi_value": { - "type": "boolean" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type", - "multi_value", - "value" - ], - "type": "object" - }, - "type": "array" - }, - "general": { - "properties": { - "alt_mac_address": { - "type": "string" - }, - "alt_network_adapter_type": { - "type": "string" - }, - "asset_tag": { - "type": "string" - }, - "barcode_1": { - "type": "string" - }, - "barcode_2": { - "type": "string" - }, - "distribution_point": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "initial_entry_date": { - "type": "string" - }, - "initial_entry_date_epoch": { - "type": "integer" - }, - "initial_entry_date_utc": { - "type": "string" - }, - "ip_address": { - "type": "string" - }, - "itunes_store_account_is_active": { - "type": "boolean" - }, - "jamf_version": { - "type": "string" - }, - "last_cloud_backup_date_epoch": { - "type": "integer" - }, - "last_cloud_backup_date_utc": { - "type": "string" - }, - "last_contact_time": { - "type": "string" - }, - "last_contact_time_epoch": { - "type": "integer" - }, - "last_contact_time_utc": { - "type": "string" - }, - "last_enrolled_date_epoch": { - "type": "integer" - }, - "last_enrolled_date_utc": { - "type": "string" - }, - "last_reported_ip": { - "type": "string" - }, - "mac_address": { - "type": "string" - }, - "management_status": { - "properties": { - "enrolled_via_dep": { - "type": "boolean" - }, - "user_approved_enrollment": { - "type": "boolean" - }, - "user_approved_mdm": { - "type": "boolean" - } - }, - "type": "object" - }, - "mdm_capable": { - "type": "boolean" - }, - "mdm_capable_users": { - "properties": { - "mdm_capable_user": { - "type": "string" - } - }, - "type": "object" - }, - "mdm_profile_expiration_epoch": { - "type": "integer" - }, - "mdm_profile_expiration_utc": { - "type": 
"string" - }, - "name": { - "type": "string" - }, - "network_adapter_type": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "remote_management": { - "properties": { - "managed": { - "type": "boolean" - }, - "management_password_sha256": { - "type": "string" - }, - "management_username": { - "type": "string" - } - }, - "type": "object" - }, - "report_date": { - "type": "string" - }, - "report_date_epoch": { - "type": "integer" - }, - "report_date_utc": { - "type": "string" - }, - "serial_number": { - "type": "string" - }, - "site": { - "properties": { - "id": { - "type": "integer" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "supervised": { - "type": "boolean" - }, - "sus": { - "type": "string" - }, - "udid": { - "type": "string" - } - }, - "type": "object" - }, - "groups_accounts": { - "properties": { - "computer_group_memberships": { - "items": { - "type": "string" - }, - "type": "array" - }, - "local_accounts": { - "items": { - "properties": { - "administrator": { - "type": "boolean" - }, - "filevault_enabled": { - "type": "boolean" - }, - "home": { - "type": "string" - }, - "home_size": { - "type": "string" - }, - "home_size_mb": { - "type": "integer" - }, - "name": { - "type": "string" - }, - "realname": { - "type": "string" - }, - "uid": { - "type": "string" - } - }, - "required": [ - "name", - "realname", - "uid", - "home", - "home_size", - "home_size_mb", - "administrator", - "filevault_enabled" - ], - "type": "object" - }, - "type": "array" - }, - "user_inventories": { - "properties": { - "disable_automatic_login": { - "type": "boolean" - }, - "user": { - "properties": { - "password_history_depth": { - "type": "string" - }, - "password_max_age": { - "type": "string" - }, - "password_min_complex_characters": { - "type": "string" - }, - "password_min_length": { - "type": "string" - }, - "password_require_alphanumeric": { - "type": "string" - }, - "username": { - "type": "string" - } - }, - "type": "object" - } - 
}, - "type": "object" - } - }, - "type": "object" - }, - "hardware": { - "properties": { - "active_directory_status": { - "type": "string" - }, - "available_ram_slots": { - "type": "integer" - }, - "battery_capacity": { - "type": "integer" - }, - "ble_capable": { - "type": "boolean" - }, - "boot_rom": { - "type": "string" - }, - "bus_speed": { - "type": "integer" - }, - "bus_speed_mhz": { - "type": "integer" - }, - "cache_size": { - "type": "integer" - }, - "cache_size_kb": { - "type": "integer" - }, - "disk_encryption_configuration": { - "type": "string" - }, - "filevault2_users": { - "items": { - "type": "string" - }, - "type": "array" - }, - "gatekeeper_status": { - "type": "string" - }, - "institutional_recovery_key": { - "type": "string" - }, - "is_apple_silicon": { - "type": "boolean" - }, - "make": { - "type": "string" - }, - "mapped_printers": { - "type": "array" - }, - "model": { - "type": "string" - }, - "model_identifier": { - "type": "string" - }, - "nic_speed": { - "type": "string" - }, - "number_cores": { - "type": "integer" - }, - "number_processors": { - "type": "integer" - }, - "optical_drive": { - "type": "string" - }, - "os_build": { - "type": "string" - }, - "os_name": { - "type": "string" - }, - "os_version": { - "type": "string" - }, - "processor_architecture": { - "type": "string" - }, - "processor_speed": { - "type": "integer" - }, - "processor_speed_mhz": { - "type": "integer" - }, - "processor_type": { - "type": "string" - }, - "service_pack": { - "type": "string" - }, - "sip_status": { - "type": "string" - }, - "smc_version": { - "type": "string" - }, - "software_update_device_id": { - "type": "string" - }, - "storage": { - "type": "array" - }, - "supports_ios_app_installs": { - "type": "boolean" - }, - "total_ram": { - "type": "integer" - }, - "total_ram_mb": { - "type": "integer" - }, - "xprotect_version": { - "type": "string" - } - }, - "type": "object" - }, - "iphones": { - "type": "array" - }, - "location": { - "properties": { - 
"building": { - "type": "string" - }, - "department": { - "type": "string" - }, - "email_address": { - "type": "string" - }, - "phone": { - "type": "string" - }, - "phone_number": { - "type": "string" - }, - "position": { - "type": "string" - }, - "real_name": { - "type": "string" - }, - "realname": { - "type": "string" - }, - "room": { - "type": "string" - }, - "username": { - "type": "string" - } - }, - "type": "object" - }, - "peripherals": { - "type": "array" - }, - "purchasing": { - "properties": { - "applecare_id": { - "type": "string" - }, - "attachments": { - "type": "array" - }, - "is_leased": { - "type": "boolean" - }, - "is_purchased": { - "type": "boolean" - }, - "lease_expires": { - "type": "string" - }, - "lease_expires_epoch": { - "type": "integer" - }, - "lease_expires_utc": { - "type": "string" - }, - "life_expectancy": { - "type": "integer" - }, - "os_applecare_id": { - "type": "string" - }, - "os_maintenance_expires": { - "type": "string" - }, - "po_date": { - "type": "string" - }, - "po_date_epoch": { - "type": "integer" - }, - "po_date_utc": { - "type": "string" - }, - "po_number": { - "type": "string" - }, - "purchase_price": { - "type": "string" - }, - "purchasing_account": { - "type": "string" - }, - "purchasing_contact": { - "type": "string" - }, - "vendor": { - "type": "string" - }, - "warranty_expires": { - "type": "string" - }, - "warranty_expires_epoch": { - "type": "integer" - }, - "warranty_expires_utc": { - "type": "string" - } - }, - "type": "object" - }, - "security": { - "properties": { - "activation_lock": { - "type": "boolean" - }, - "external_boot_level": { - "type": "string" - }, - "firewall_enabled": { - "type": "boolean" - }, - "recovery_lock_enabled": { - "type": "boolean" - }, - "secure_boot_level": { - "type": "string" - } - }, - "type": "object" - }, - "software": { - "properties": { - "applications": { - "items": { - "properties": { - "bundle_id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "path": { 
- "type": "string" - }, - "version": { - "type": "string" - } - }, - "required": [ - "name", - "path", - "version", - "bundle_id" - ], - "type": "object" - }, - "type": "array" - }, - "available_software_updates": { - "items": { - "type": "string" - }, - "type": "array" - }, - "available_updates": { - "properties": { - "update": { - "properties": { - "name": { - "type": "string" - }, - "package_name": { - "type": "string" - }, - "version": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "cached_by_casper": { - "type": "array" - }, - "fonts": { - "type": "array" - }, - "installed_by_casper": { - "items": { - "type": "string" - }, - "type": "array" - }, - "installed_by_installer_swu": { - "items": { - "type": "string" - }, - "type": "array" - }, - "licensed_software": { - "type": "array" - }, - "plugins": { - "type": "array" - }, - "running_services": { - "items": { - "type": "string" - }, - "type": "array" - }, - "unix_executables": { - "type": "array" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "type": "object" - } - } - }, - "Send_DeviceLock_command_to_given_computers_JSSID": { - "runAfter": { - "Generate_a_randomised_6_digit_value": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "headers": { - "Authorization": "Bearer @{variables('accessToken')}", - "accept": "application/json" - }, - "method": "POST", - "uri": "@{parameters('jamfProURL')}/JSSResource/computercommands/command/DeviceLock/passcode/@{outputs('Generate_a_randomised_6_digit_value')}/id/@{body('Parse_JSON_for_given_computer_based_on_managementID')?['general']?['site']?['id']}" - } - } - }, - "runAfter": { - "Filter_array_for_the_entity_kind_Host": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Generate_Access_Token_using_API_Client": { - "type": "Http", - "inputs": { - "body": "client_id=@{parameters('jamfProClientID')}&client_secret=@{parameters('jamfProSecret')}&grant_type=client_credentials", - "headers": { - 
"Content-Type": "application/x-www-form-urlencoded" - }, - "method": "POST", - "uri": "@{parameters('jamfProURL')}/api/oauth/token" - }, - "runtimeConfiguration": { - "secureData": { - "properties": [ - "inputs" - ] - } - } - }, - "Parse_JSON_Entities_from_the_Incident": { - "runAfter": { - "Set_accessToken_as_variable": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "schema": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "properties": { - "properties": { - "address": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type", - "kind", - "properties" - ], - "type": "object" - }, - "type": "array" - } - } - }, - "Parse_JSON_Response_from_Access_Token": { - "runAfter": { - "Generate_Access_Token_using_API_Client": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Generate_Access_Token_using_API_Client')", - "schema": { - "properties": { - "access_token": { - "type": "string" - }, - "expires_in": { - "type": "integer" - }, - "scope": { - "type": "string" - }, - "token_type": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Set_accessToken_as_variable": { - "runAfter": { - "Parse_JSON_Response_from_Access_Token": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "accessToken", - "type": "string", - "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } - } - } - ], - "metadata": { - "title": "Jamf Protect - Remote lock computer with Jamf Pro", - "description": "This Playbook can be used manually or in a Automation Rule to send an remote MDM command with Jamf Pro to lock the computer with an randomised 6 digit passcode.", - "mainSteps": [ - "1. Fetches the Host entity from the Incident created based on event data from Jamf Protect", - "2. Generates a Access Token using a API Client to authenticate against the Jamf Pro API", - "3. Retrieves the JSSID and ManagementUUID from Jamf Pro for given computer", - "4. Sends a remote lock MDM command with a randomised 6 digit passcode", - "5. Randomised passcode will be stored in the Comments section of the incident itself." - ], - "prerequisites": [ - "1. 
Create an API Client in Jamf Pro that is capable of reading computers and sending remote commands. [learn how](https://learn.jamf.com/bundle/jamf-pro-documentation-current)", - "2. Use the Client ID and Secret during the deployment of this Playbook" - ], - "lastUpdateTime": "2023-07-20T00:00:00Z", - "tags": [ - "Utilities" - ], - "source": { - "type": "solution", - "name": "Jamf Protect" - }, - "postDeployment": [ - "** b. Configurations in Sentinel **", - "1. This Playbook can be best used as Action while investigating an Incident." - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Jamf Protect - Remote lock computer with Jamf Pro", - "notes": [ - "Initial version" - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "JamfProtect_LockComputer_with_JamfPro", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.2.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Jamf Protect", - "publisherDisplayName": "Jamf Software, LLC", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Jamf Protect solution for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 3, Hunting Queries: 7, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Jamf Protect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Thijs Xhaflaire", - "email": "[variables('_email')]" - }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "version": "[variables('dataConnectorCCPVersion')]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject1').parserContentId1]", - "version": "[variables('parserObject1').parserVersion1]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" - }, - { - "kind": 
"HuntingQuery", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_JamfProtect_Alert_Status_InProgress')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_JamfProtect_Alert_Status_Resolved')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_JamfProtect_LockComputer_with_JamfPro')]", - "version": "[variables('playbookVersion3')]" - } - ] - }, - "firstPublishDate": "2022-10-10", - "lastPublishDate": "2024-01-12", - "providers": [ - "Jamf" - ], - "categories": { - "domains": [ - "Security - Threat Protection", - "Security - Automation (SOAR)" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "metadata": { + "author": "Thijs Xhaflaire - thijs.xhaflaire@jamf.com", + "comments": "Solution template for Jamf Protect" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Jamf Protect Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "thijs.xhaflaire@jamf.com", + "_email": "[variables('email')]", + "_solutionName": "Jamf Protect", + "_solutionVersion": "3.2.0", + "solutionId": "jamfsoftwareaustraliaptyltd1620360395539.jamf_protect", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "JamfProtect", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "JamfProtect", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "3.1.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition2": "JamfProtectPush", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "JamfProtectPushConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", + "blanks": "[replace('b', 'b', '')]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','JamfProtect')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('JamfProtect-Parser')))]", + "parserVersion1": "3.2.0", + "parserContentId1": "JamfProtect-Parser" + }, + "workbookVersion1": "2.0.0", + "workbookContentId1": "JamfProtectWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.5", + "_analyticRulecontentId1": "6098daa0-f05e-44d5-b5a0-913e63ba3179", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6098daa0-f05e-44d5-b5a0-913e63ba3179')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6098daa0-f05e-44d5-b5a0-913e63ba3179')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6098daa0-f05e-44d5-b5a0-913e63ba3179','-', '1.0.5')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.4", + "_analyticRulecontentId2": "44da53c3-f3b0-4b70-afff-f79275cb9442", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44da53c3-f3b0-4b70-afff-f79275cb9442')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44da53c3-f3b0-4b70-afff-f79275cb9442')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44da53c3-f3b0-4b70-afff-f79275cb9442','-', '1.0.4')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "9eb2f758-003b-4303-83c6-97aed4c03e41", + "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9eb2f758-003b-4303-83c6-97aed4c03e41')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9eb2f758-003b-4303-83c6-97aed4c03e41')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9eb2f758-003b-4303-83c6-97aed4c03e41','-', '1.0.2')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "f0a1bacb-eb6a-4edc-99a9-839a77be3a33", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f0a1bacb-eb6a-4edc-99a9-839a77be3a33')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "8d9a199b-7968-476b-b02b-d030a010609c", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8d9a199b-7968-476b-b02b-d030a010609c')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "60b1269f-374e-49dd-8b10-e4ef85d5bd65", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('60b1269f-374e-49dd-8b10-e4ef85d5bd65')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "ec2f21aa-a9c5-42fd-9ee1-c59f30b4fdd6", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ec2f21aa-a9c5-42fd-9ee1-c59f30b4fdd6')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "223f6758-e134-45e8-a9d6-4ca8455799fb", + 
"huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('223f6758-e134-45e8-a9d6-4ca8455799fb')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "09161cb2-f28a-437c-83e3-60b8545dc8f2", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('09161cb2-f28a-437c-83e3-60b8545dc8f2')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "2b0ec436-80d6-4e63-b3da-e35048724f37", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2b0ec436-80d6-4e63-b3da-e35048724f37')))]" + }, + "JamfProtect_Alert_Status_InProgress": "JamfProtect_Alert_Status_InProgress", + "_JamfProtect_Alert_Status_InProgress": "[variables('JamfProtect_Alert_Status_InProgress')]", + "playbookVersion1": "1.0", + "playbookContentId1": "JamfProtect_Alert_Status_InProgress", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "JamfProtect_Alert_Status_Resolved": "JamfProtect_Alert_Status_Resolved", + "_JamfProtect_Alert_Status_Resolved": "[variables('JamfProtect_Alert_Status_Resolved')]", + "playbookVersion2": "1.0", + "playbookContentId2": "JamfProtect_Alert_Status_Resolved", + "_playbookContentId2": 
"[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "JamfProtect_LockComputer_with_JamfPro": "JamfProtect_LockComputer_with_JamfPro", + "_JamfProtect_LockComputer_with_JamfPro": "[variables('JamfProtect_LockComputer_with_JamfPro')]", + "playbookVersion3": "1.0", + "playbookContentId3": "JamfProtect_LockComputer_with_JamfPro", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Jamf Protect data connector with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Jamf Protect", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total Activities data received", + "legend": "jamfprotect_CL", + "baseQuery": "jamfprotect_CL" + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All events.", + "query": "jamfprotect_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All active endpoints.", + "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc" + }, + { + "description": "Jamf Protect - Top 10 endpoints with Alerts", + "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event" + } + ], + "dataTypes": [ + { + "name": "jamfprotect_CL", + "lastDataReceivedQuery": 
"jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." 
+ } + ], + "metadata": { + "id": "AF74EDD7-5534-46CD-B75D-7119BE1D161D", + "version": "3.1.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Jamf Protect for Microsoft Sentinel" + }, + "author": { + "name": "Thijs Xhaflaire" + }, + "support": { + "tier": "developer", + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "link": "https://jamf.com/support/" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Jamf Protect", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Jamf Protect", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total Activities data received", + "legend": "jamfprotect_CL", + "baseQuery": "jamfprotect_CL" + } + ], + "dataTypes": [ + { + "name": "jamfprotect_CL", + "lastDataReceivedQuery": "jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + 
"connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All events.", + "query": "jamfprotect_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All active endpoints.", + "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc" + }, + { + "description": "Jamf Protect - Top 10 endpoints with Alerts", + "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Jamf Protect Push Connector", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": 
"[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "JamfProtectPush", + "title": "Jamf Protect Push Connector", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Telemetry", + "legend": "jamfprotecttelemetryv2_CL", + "baseQuery": "jamfprotecttelemetryv2_CL" + }, + { + "metricName": "Unified Logs", + "legend": "jamfprotectunifiedlogs_CL", + "baseQuery": "jamfprotectunifiedlogs_CL" + }, + { + "metricName": "Telemetry (Legacy)", + "legend": "jamfprotecttelemetryv1_CL", + "baseQuery": "jamfprotecttelemetryv1_CL" + }, + { + "metricName": "Alerts", + "legend": "jamfprotectalerts_CL", + "baseQuery": "jamfprotectalerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All Alerts", + "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All Telemetry events", + "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "jamfprotecttelemetryv2_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectunifiedlogs_CL", + "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotecttelemetryv1_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectalerts_CL", + "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotecttelemetryv2_CL\n | summarize 
LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "availability": { + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" + } + ] + }, + "instructionSteps": [ + { + "title": "1. 
Create ARM Resources and Provide the Required Permissions", + "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Jamf Protect connector resources", + "applicationDisplayName": "Jamf Protect Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Push your logs into the workspace", + "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", + "instructions": [ + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the Application Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCE Uri", + "fillWith": [ + "DataCollectionEndpoint" + ], + "placeholder": "Deploy push connector to get the DCR Uri" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCR Immutable ID", + "fillWith": [ + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the DCR ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry (Legacy) Stream ID", + "value": "Custom-jamfprotecttelemetryv1_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Unified Logs Stream ID", + "value": "Custom-jamfprotectunifiedlogs_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry Stream ID", + "value": "Custom-jamfprotecttelemetryv2_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Alerts Stream ID", + "value": "Custom-jamfprotectalerts_CL" + }, + "type": "CopyableLabel" + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "JamfProtectCustomDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-jamfprotecttelemetryv2": { + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "action_type", + "type": "int" + }, + { + "name": "deadline", + "type": "int" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "event_type", + "type": "int" + }, + { + "name": "glob_seq_num", + "type": "int" + }, + { + "name": "host", + "type": "dynamic" + }, + { + "name": "mach_time", + "type": "long" + }, + { + "name": "metadata", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "seq_num", + "type": "int" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "time", + "type": "datetime" + }, + { + "name": "uuid", + "type": "string" + }, + { + "name": "version", + "type": "int" + } + ] + }, + 
"Custom-jamfprotectunifiedlogs": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + }, + "Custom-jamfprotecttelemetryv1": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + { + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "_event_score", + "type": "int" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "exit", + "type": "dynamic" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "architecture", + "type": "string" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + } + ] + }, + "Custom-jamfprotectalerts": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + } + }, + "destinations": { 
+ "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-jamfprotecttelemetryv2" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = metadata.vendor,\n EventProduct = metadata.product,\n EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = host.protectVersion,\n EventSeverity = \"Informational\",\n //\n // Jamf Protect - Device Hostnames\n TargetHostname = host.hostname,\n DvcHostname = host.hostname,\n DvcSerial = host.serial,\n DvcIpAddr = host.ips,\n DvcId = host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = host.os,\n SrcDeviceType = \"Computer\"\n| project-rename\n TimeGenerated = ['time'],\n EventOriginalUid = uuid,\n EventOriginalType = event_type,\n EventCount = glob_seq_num\n| project-away\n metadata,\n host,\n seq_num,\n version,\n deadline,\n mach_time,\n action_type\n\n", + "outputStream": "Custom-jamfprotecttelemetryv2_CL" + }, + { + "streams": [ + "Custom-jamfprotectunifiedlogs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Unified Log Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = \"UnifiedLog\",\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.event.name,\n EventResultMessage = input.match.event.composedMessage,\n // EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", input.match.uuid),\n 
// //\n // // Jamf Protect - Device Hostnames\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n // Jamf Protect - Event Details\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = \"Create\",\n ProcessEventSubType = \"Exec\",\n TargetProcessName = tostring(input.match.event.process),\n TargetProcessId = toreal(input.match.event.processIdentifier),\n TargetProcessGuid = tostring(input.match.event.uuid),\n TargetProcessCommandLine = input.match.event.process.args,\n TargetProcessCurrentDirectory = input.match.event.processImagePath\n| project-away\n caid,\n certid\n\n", + "outputStream": "Custom-jamfprotectunifiedlogs_CL" + }, + { + "streams": [ + "Custom-jamfprotecttelemetryv1" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Device Telemetry Stream'\n// Data Field Normalization\n| extend\n EventSeverity = \"Informational\",\n //\n // Jamf Protect Telemetry - Endpoint Information\n //\n TargetModel = metrics.hw_model,\n DvcOsVersion = host_info.osversion,\n TargetHostname = host_info.host_name,\n DvcHostname = host_info.host_name,\n DvcId = host_info.host_uuid,\n // Jamf Protect - Event Types\n EventType = case(\n header.event_name == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header.event_name == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header.event_name == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header.event_name == \"AUE_auth_user\",\n \"Elevate\",\n header.event_name == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header.event_name == \"AUE_CHDIR\",\n \"FolderMoved\",\n header.event_name == \"AUE_CHROOT\",\n \"FolderModified\",\n header.event_name == 
\"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_create_group\",\n \"GroupCreated\",\n header.event_name == \"AUE_create_user\",\n \"UserCreated\",\n header.event_name == \"AUE_delete_group\",\n \"GroupDeleted\",\n header.event_name == \"AUE_delete_user\",\n \"UserDeleted\",\n header.event_name == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header.event_name == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_FORK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_GETAUID\",\n \"\",\n header.event_name == \"AUE_KILL\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_logout\",\n \"Logoff\",\n header.event_name == \"AUE_lw_login\",\n \"Logon\",\n header.event_name == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header.event_name == \"AUE_modify_group\",\n \"GroupModified\",\n header.event_name == \"AUE_modify_password\",\n \"PasswordChanged\",\n header.event_name == \"AUE_modify_user\",\n \"UserModified\",\n header.event_name == \"AUE_MOUNT\",\n \"VolumeMount\",\n header.event_name == \"AUE_openssh\",\n \"SshInitiated\",\n header.event_name == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header.event_name == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header.event_name == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_END\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_START\",\n \"Logon\",\n header.event_name == \"AUE_SESSION_UPDATE\",\n \"\",\n header.event_name == \"AUE_SETPRIORITY\",\n \"\",\n header.event_name == \"AUE_SETSOCKOPT\",\n \"\",\n header.event_name == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header.event_name == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header.event_name == \"AUE_SOCKETPAIR\",\n \"\",\n header.event_name == \"AUE_ssauthint\",\n \"Elevate\",\n header.event_name == \"AUE_ssauthmech\",\n \"Elevate\",\n 
header.event_name == \"AUE_ssauthorize\",\n \"Elevate\",\n header.event_name == \"AUE_TASKFORPID\",\n \"\",\n header.event_name == \"AUE_TASKNAMEFORPID\",\n \"\",\n header.event_name == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header.event_name == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header.event_name == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header.event_name == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n //\n // Jamf Protect Telemetry - Process\n //\n ActingProcessId = toreal(subject.responsible_process_id),\n ActingProcessName = tostring(subject.responsible_process_name),\n ParentProcessName = tostring(subject.parent_path),\n ParentProcessId = toreal(subject.parent_pid),\n ParentProcessGuid = tostring(subject.parent_uuid),\n TargetProcessName = tostring(subject.process_name),\n TargetProcessId = toreal(subject.process_id),\n TargetProcessGuid = tostring(exec_chain.uuid),\n TargetProcessSHA256 = tostring(subject.process_hash),\n TargetUserId = toreal(subject.user_id),\n TargetUsername = tostring(subject.user_name),\n TargetProcessCommandLine = exec_args.args_compiled,\n ActorUsername = tostring(subject.effective_user_name),\n ActorUserId = toreal(subject.audit_user_name),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = tostring(subject.group_name),\n GroupID = toreal(subject.group_id),\n EffectiveGroupName = tostring(subject.effective_group_name),\n EffectiveGroupID = toreal(subject.effective_group_id),\n //\n // Jamf Protect Telemetry - Network\n //\n DstIpAddr = socket_inet.ip_address,\n DstPortNumber = socket_inet.port,\n NetworkProtocolVersion = case(socket_inet.id == 128, \"IPV4\", socket_inet.id == 129, \"IPV6\", \"\"),\n SrcIpAddr = subject.terminal.id.ip.address,\n //\n // Jamf Protect Telemetry - Binaries\n //\n TargetBinarySHA256 = tostring(identity.cd_hash),\n TargetbinarySignerType = case(identity.signer_type == 0, \"Developer\", identity.signer_type == 1, \"Apple\", 
\"\"),\n TargetBinarySigningTeamID = tostring(identity.team_id),\n TargetBinarySigningAppID = tostring(identity.signer_id),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = path\n| project-away _event_score\n\n", + "outputStream": "Custom-jamfprotecttelemetryv1_CL" + }, + { + "streams": [ + "Custom-jamfprotectalerts" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Alerts Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = case(\n input.eventType == \"GPClickEvent\",\n \"Click\",\n input.eventType == \"GPDownloadEvent\",\n \"Download\",\n input.eventType == \"GPFSEvent\",\n \"FileSystem\",\n input.eventType == \"GPProcessEvent\",\n \"Process\",\n input.eventType == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input.eventType == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input.eventType == \"GPMRTEvent\",\n \"MRT\",\n input.eventType == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input.eventType == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input.eventType == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input.eventType == \"GPUSBEvent\",\n \"USB\",\n input.eventType == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.facts[0].name,\n EventResultMessage = input.match.facts[0].human,\n //\n // Jamf Protect - Device Hostnames\n //\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = 
input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input.match.event.type == 0, \"None\", input.match.event.type == 1, \"Create\", input.match.event.type == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input.match.event.subType == 7, \"Exec\", input.match.event.subType == 1, \"Fork\", input.match.event.subType == 23, \"Execve\", input.match.event.subType == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(input.related.processes[array_length(input.related.processes) - 1].path),\n ActingProcessId = toreal(input.related.processes[0].responsiblePID),\n ActingProcessGuid = tostring(input.related.processes[array_length(input.related.processes) - 1].uuid),\n ParentProcessName = todynamic(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].path), \"\")),\n ParentProcessId = iff(array_length(input.related.processes) > 1, toreal(input.related.processes[1].pid), double(null)),\n ParentProcessGuid = tostring(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].uuid), \"\")),\n TargetProcessName = todynamic(input.related.processes[0].name),\n TargetProcessId = input.related.processes[0].pid,\n TargetProcessGuid = input.related.processes[0].uuid,\n TargetProcessSHA1 = tostring(input.related.binaries[0].sha1hex),\n TargetProcessSHA256 = tostring(input.related.binaries[0].sha256hex),\n TargetProcessCommandLine = input.related.processes[0].args,\n TargetProcessCurrentDirectory = tostring(input.related.processes[0].path),\n TargetProcessStatusCode = toreal(input.related.processes[0].exitCode),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = input.related.files[0].path,\n TargetFileSHA1 = input.related.files[0].sha1hex,\n TargetFileSHA256 = input.related.files[0].sha256hex,\n TargetFileSize = input.related.files[0].size,\n 
TargetFileSigningInfoMessage = input.related.files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(input.related.files[0].signingInfo.signerType == 0, \"Apple\", input.related.files[0].signingInfo.signerType == 1, \"App Store\", input.related.files[0].signingInfo.signerType == 2, \"Developer\", input.related.files[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = input.related.files[0].signingInfo.teamid,\n TargetFileIsDownload = tobool(input.related.files[0].isDownload),\n TargetFileIsAppBundle = tobool(input.related.files[0].isAppBundle),\n TargetFileIsDirectory = tobool(input.related.files[0].isDirectory),\n TargetFileIsScreenshot = tobool(input.related.files[0].isScreenShot),\n TargetFileExtendedAttributes = input.related.files[0].xattrs,\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = input.related.binaries[0].path,\n TargetBinarySHA1 = input.related.binaries[0].sha1hex,\n TargetBinarySHA256 = input.related.binaries[0].sha256hex,\n TargetBinarySigningInfoMessage = input.related.binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(input.related.binaries[0].signingInfo.signerType == 0, \"Apple\", input.related.binaries[0].signingInfo.signerType == 1, \"App Store\", input.related.binaries[0].signingInfo.signerType == 2, \"Developer\", input.related.binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = input.related.binaries[0].signingInfo.teamid,\n TargetBinarySigningAppID = input.related.binaries[0].signingInfo.appid\n| project-away\n caid,\n certid\n", + "outputStream": "Custom-jamfprotectalerts_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" 
+ } + }, + { + "name": "jamfprotecttelemetryv2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv2_CL", + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "EventOriginalType", + "type": "int" + }, + { + "name": "EventCount", + "type": "int" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventOriginalUid", + "type": "string" + }, + { + "name": "EventVendor", + "type": "dynamic" + }, + { + "name": "EventProduct", + "type": "dynamic" + }, + { + "name": "EventSchemaVersion", + "type": "dynamic" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotectalerts_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotectalerts_CL", + "columns": [ + { + "name": "input", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + 
}, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventOriginalType", + "type": "dynamic" + }, + { + "name": "EventOriginalUid", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventResult", + "type": "string" + }, + { + "name": "EventMessage", + "type": "dynamic" + }, + { + "name": "EventResultMessage", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + }, + { + "name": "ProcessEventType", + "type": "string" + }, + { + "name": "ProcessEventSubType", + "type": "string" + }, + { + "name": "ActingProcessName", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "real" + }, + { + "name": "ActingProcessGuid", + "type": "string" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "real" + }, + { + "name": "ParentProcessGuid", + "type": "string" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessSHA1", + "type": "string" + }, + { + "name": "TargetProcessSHA256", + "type": "string" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "TargetProcessCurrentDirectory", + "type": "string" + }, + { + "name": "TargetProcessStatusCode", + "type": "real" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + }, + { + "name": "TargetFileSHA1", + "type": "dynamic" + }, + { + "name": "TargetFileSHA256", + 
"type": "dynamic" + }, + { + "name": "TargetFileSize", + "type": "dynamic" + }, + { + "name": "TargetFileSigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetFileSignerType", + "type": "string" + }, + { + "name": "TargetFileSigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetFileIsDownload", + "type": "boolean" + }, + { + "name": "TargetFileIsAppBundle", + "type": "boolean" + }, + { + "name": "TargetFileIsDirectory", + "type": "boolean" + }, + { + "name": "TargetFileIsScreenshot", + "type": "boolean" + }, + { + "name": "TargetFileExtendedAttributes", + "type": "dynamic" + }, + { + "name": "TargetBinaryFilePath", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA1", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningAppID", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotecttelemetryv1_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv1_CL", + "columns": [ + { + "name": "architecture", + "type": "string" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exit", + "type": 
"dynamic" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetModel", + "type": "dynamic" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "dynamic" + }, + { + "name": "ActingProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "dynamic" + }, + { + "name": "ParentProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessSHA256", + "type": "dynamic" + }, + { + "name": "TargetUserId", + "type": "dynamic" + }, + { + "name": "TargetUsername", + "type": "dynamic" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "ActorUsername", 
+ "type": "dynamic" + }, + { + "name": "ActorUserId", + "type": "dynamic" + }, + { + "name": "GroupName", + "type": "dynamic" + }, + { + "name": "GroupID", + "type": "dynamic" + }, + { + "name": "EffectiveGroupName", + "type": "dynamic" + }, + { + "name": "EffectiveGroupID", + "type": "dynamic" + }, + { + "name": "DstIpAddr", + "type": "dynamic" + }, + { + "name": "DstPortNumber", + "type": "dynamic" + }, + { + "name": "NetworkProtocolVersion", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "string" + }, + { + "name": "TargetBinarySigningAppID", + "type": "string" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotectunifiedlogs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotectunifiedlogs_CL", + "columns": [ + { + "name": "input", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventOriginalType", + "type": "dynamic" + }, + { + "name": "EventOriginalUid", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventResult", + "type": "string" + }, + { + "name": "EventMessage", + "type": "dynamic" + }, + { + "name": "EventResultMessage", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + 
"type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + }, + { + "name": "ProcessEventType", + "type": "string" + }, + { + "name": "ProcessEventSubType", + "type": "string" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "TargetProcessCurrentDirectory", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "JamfProtectPush", + "title": "Jamf Protect Push Connector", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Telemetry", + "legend": "jamfprotecttelemetryv2_CL", + "baseQuery": 
"jamfprotecttelemetryv2_CL" + }, + { + "metricName": "Unified Logs", + "legend": "jamfprotectunifiedlogs_CL", + "baseQuery": "jamfprotectunifiedlogs_CL" + }, + { + "metricName": "Telemetry (Legacy)", + "legend": "jamfprotecttelemetryv1_CL", + "baseQuery": "jamfprotecttelemetryv1_CL" + }, + { + "metricName": "Alerts", + "legend": "jamfprotectalerts_CL", + "baseQuery": "jamfprotectalerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All Alerts", + "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All Telemetry events", + "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "jamfprotecttelemetryv2_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectunifiedlogs_CL", + "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotecttelemetryv1_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectalerts_CL", + "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + 
"availability": { + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" + } + ] + }, + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Jamf Protect connector resources", + "applicationDisplayName": "Jamf Protect Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Push your logs into the workspace", + "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", + "instructions": [ + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the Application Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCE Uri", + "fillWith": [ + "DataCollectionEndpoint" + ], + "placeholder": "Deploy push connector to get the DCR Uri" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCR Immutable ID", + "fillWith": [ + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the DCR ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry (Legacy) Stream ID", + "value": "Custom-jamfprotecttelemetryv1_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Unified Logs Stream ID", + "value": "Custom-jamfprotectunifiedlogs_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry Stream ID", + "value": "Custom-jamfprotecttelemetryv2_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Alerts Stream ID", + "value": "Custom-jamfprotectalerts_CL" + }, + "type": "CopyableLabel" + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "Jamf Protect Push Connector", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "auth": { + "type": "object", + "defaultValue": { + "appId": "[[parameters('auth').appId]]", + "servicePrincipalId": 
"[[parameters('auth').servicePrincipalId]]" + } + }, + "connectorDefinitionName": { + "defaultValue": "Jamf Protect Push Connector", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'JamfProtectPushConnectorPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "Push", + "properties": { + "connectorDefinitionName": "JamfProtectPush", + 
"dcrConfig": { + "streamName": "Custom-jamfprotecttelemetryv2", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "Push", + "AppId": "[[parameters('auth').appId]", + "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]" + }, + "request": { + "RetryCount": 1 + }, + "response": { + "eventsJsonPaths": [ + "$.messages" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": 
"[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect", + "category": "Microsoft Sentinel Parser", + "functionAlias": "JamfProtect", + "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n 
\"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple's Background Task Manager notified that an item has been added\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple's Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open 
Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple's XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple's XProtect remediated malware on the system\",\n 
eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n \"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == 
\"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == \"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n \"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n 
eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = 
tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n 
iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n \"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n 
isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), 
event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n 
iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n 
iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n 
\"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n 
iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n \"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = 
case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = 
column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Jamf Protect", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "JamfProtect", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect", + "category": "Microsoft Sentinel Parser", + "functionAlias": 
"JamfProtect", + "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n \"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple's Background Task Manager notified that an item has been added\",\n 
eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple's Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been 
disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple's XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple's XProtect remediated malware on the system\",\n eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been 
collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n \"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == \"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == 
\"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n \"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == 
\"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n 
ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n 
\"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n 
event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n 
iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), 
event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), 
event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n 
)\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n 
\"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = 
column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", 
\"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtectDashboard Workbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b608e714-b3ec-4380-b666-1aa781513ab4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"includeAll\":false},\"label\":\"☁️ Subscription\"},{\"id\":\"f408f1cf-dbcb-4f57-9409-272374bd3cd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"Resources | where type =~ \\\"microsoft.operationalinsights/workspaces\\\" | order by name | project id, name, selected=row_number()==1, group=resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"label\":\"🗂️ Workspace\",\"value\":\"\"},{\"id\":\"397d983f-ea80-4aa5-8c65-547d40cb312b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_timetoken\",\"label\":\"⏱️ Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":172800000}},{\"id\":\"d716fb1e-0d71-4e99-9406-18ae7df6e037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"changelog\",\"label\":\"📖 Changelog\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameters Picker\"},{\"type\":1,\"content\":{\"json\":\"## Jamf Protect for Microsoft Sentinel!\\n\\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) for Microsoft Sentinel solution creates detailed event data from macOS endpoints into a Microsoft Sentinel workspace in a simple and easy workflow. The solution provides you with full visibility into Apple Endpoint Security by leveraging Workbooks containing [Alert](https://docs.jamf.com/jamf-protect/documentation/Alerts.html) and [Unified Logging](https://docs.jamf.com/jamf-protect/documentation/Unified_Logging.html) events captured by Jamf Protect and the [macOS built-in security events](https://support.apple.com/en-gb/guide/security/sec469d47bd8/web) that occurred across the protected organisational endpoints\\n\\n\\n#### Changelog\\n\\n**v2.2.0**\\n\\n***Workbook***\\n - Added System Performance Metrics\\n - Includes Energy Impact\\n - Added Network Traffic Stream\\n - Updated Workbook to make use of the newly added parser\\n - Added and tweaked querys and graphs\\n\\n ***Parser***\\n - Added JamfProtect parser for parsing and mapping all incoming raw data.\\n\\n ***Analytic Rules***\\n - Updated Analytic Rules to make use of the newly added parser. 
\\n\\t\\n**v2.1**\\n\\n***Workbook***\\n - Added Endpoint Telemetry\\n - Includes graphs and visualisations\\n\\t- Includes Endpoint Information\\n\\t- Includes Jamf Pro log parser\\n- Added Network Threat Events\\n \\t- Includes graphs and visualisations\\n- Added new Pickers\\n - Allows selecting different Log Analytic Workspaces\\n - Changed TimeRanger picker\\n- Added Changelog\\n\\n**Analytic Rules**\\n\\n- Added Analytic Rules\\n\\t- Jamf Protect - Alerts\\n\\t- Jamf Protect - Unified Logs\\n\\t- Jamf Protect - Network Threat Events\\n\\n\\n **v2.0**\\n \\n- Initial release of the solution containing a basic Workbook\\n\"},\"conditionalVisibility\":{\"parameterName\":\"changelog\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Text - Changelog\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Threat Hunting {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Set an type and provide values to search on File hash, CVE numbers or report on Alerts mapped to the MITRE framework or display latest alerts for a single endpoint.\",\"style\":\"info\"},\"name\":\"Text - Threat Hunting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5f5886d0-e83e-4ffc-a48c-bfed7370aa66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_type\",\"label\":\"Type\",\"type\":2,\"description\":\"Please choose the type\",\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"filehash\\\", \\\"label\\\":\\\"File Hash\\\" },\\n { \\\"value\\\":\\\"CVE\\\", \\\"label\\\":\\\"CVE\\\" },\\n { \\\"value\\\":\\\"mitre\\\", \\\"label\\\":\\\"Framework: MITRE\\\" },\\n { \\\"value\\\":\\\"endpointalerts\\\", \\\"label\\\":\\\"Latest alerts for a single endpoint\\\" 
}\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"15\",\"name\":\"Picker - Threat Hunting Type\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"49255f47-8f93-4746-8260-aad07befdb06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostnamealert\",\"label\":\"Hostname\",\"type\":2,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n | project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"endpointalerts\"}],\"name\":\"Picker - Threat Hunting Hostname\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bcdd945e-4dfe-47d6-9489-f76ce012c224\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_filehash\",\"label\":\"File Hash\",\"type\":1,\"description\":\"Thish value can be used for searching all alerts for a certain hash\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"filehash\"},\"name\":\"Search - Threat Hunting 
Hash\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0344768b-16c4-44ec-a4ac-73a8bc83d0e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_CVE\",\"label\":\"CVE Number\",\"type\":1,\"description\":\"Please search on the CVE number\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"T15\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"CVE\"},\"name\":\"Search - Threat Hunting CVE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessPrevented\\\" or EventType == \\\"ProcessCreated\\\"\\n| where TargetProcessSHA1 has \\\"{_filehash:value}\\\" or TargetBinarySHA256 has \\\"{_filehash:value}\\\"\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":4,\"title\":\"Matches on FileHash\",\"noDataMessage\":\"No matches found based on the hash value\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate to original event in Jamf Protect\"}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"_filehash\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"filehash\"}],\"name\":\"Query - Threat Hunting 
Hash\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where Match_tags contains \\\"{_CVE:value}\\\"\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n Match_tags,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventMatch,\\n Match_tags,\\n EventSeverity,\\n EventMatchType,\\n TargetProcessCommandLine,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":1,\"title\":\"Matches on CVE\",\"noDataMessage\":\"No matches found based on the _CVE:value CVE number\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to nagivate to original event in Jamf Protect\"}}]}},\"conditionalVisibilities\":[{\"parameterName\":\"_cve\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"CVE\"}],\"name\":\"Query - Threat Hunting CVE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where Match_tags contains \\\"MITREattack\\\"\\n| extend\\n Tactics = case(Match_tags has \\\"Execution\\\", \\\"Execution\\\", Match_tags has \\\"Visibility\\\", \\\"Visibility\\\", Match_tags has \\\"Persistence\\\", \\\"Persistence\\\", Match_tags has \\\"LateralMovement\\\", \\\"Lateral Movement\\\", Match_tags has \\\"CredentialAccess\\\", \\\"Credential Acccess\\\", Match_tags has \\\"DefenseEvasion\\\", \\\"Defense Evasion\\\", Match_tags has \\\"PrivilegeEscalation\\\", \\\"Privilege Escalation\\\", Match_tags has \\\"Impact\\\", \\\"Impact\\\", Match_tags has \\\"CommandAndControl\\\", \\\"Command and Control\\\", Match_tags 
has \\\"Discovery\\\", \\\"Discovery\\\", Match_tags has \\\"InitialAccess\\\", \\\"Initial Access\\\", \\\"\\\"),\\n Techniques = extract(@\\\"[A-Za-z]\\\\d{4}\\\", 0, tostring(Match_tags))\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Tactics,\\n Techniques,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Tactics,\\n Techniques,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\",\"size\":1,\"title\":\"Alerts mapped to MITRE\",\"noDataMessage\":\"No alerts found that are mapped to the MITRE framework\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate to original event in Jamf Protect\"}}],\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"mitre\"}],\"name\":\"Query - Threat Hunting MITRE\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where DvcHostname contains \\\"{_hostnamealert:value}\\\"\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\" and isnotempty(EventType)\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n EventDescription,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| project-reorder\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n EventMessage,\\n 
EventDescription,\\n Match_tags,\\n EventSeverity,\\n DvcHostname,\\n EventReportUrl\\n| sort by TimeGenerated\\n| limit 10\",\"size\":1,\"title\":\"Recent 10 alerts in the past {_timetoken:value} for {_hostnamealert:value}\",\"noDataMessage\":\"No alerts found\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to nagivage to original event in Jamf Protect\"}}],\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"conditionalVisibilities\":[{\"parameterName\":\"_type\",\"comparison\":\"isNotEqualTo\",\"value\":\"null\"},{\"parameterName\":\"_type\",\"comparison\":\"isEqualTo\",\"value\":\"endpointalerts\"},{\"parameterName\":\"_hostnamealert\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"}],\"name\":\"Query - Threat Hunting 10 Recent Alerts Endpoint\"}]},\"customWidth\":\"100\",\"name\":\"Group - Threat Hunting\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| where EventSeverity != \\\"Informational\\\"\\n| sort by EventStartTime\\n| limit 10\",\"size\":0,\"title\":\"Recent 10 alerts in the past {_timetoken:value}\",\"noDataMessage\":\"No alerts found\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventReportUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Click to navigate 
to Alert in Jamf Protect\"}},{\"columnMatch\":\"AlertURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Query - 10 Recent Alerts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, severity: string) [\\n 0, \\\"Informational\\\",\\n 0, \\\"Low\\\",\\n 0, \\\"Medium\\\",\\n 0, \\\"High\\\"\\n]\\n| union\\n (\\n JamfProtect\\n | where EventProduct == \\\"Jamf Protect - Alerts\\\" \\n and isnotempty(EventType)\\n and EventSeverity != \\\"True\\\"\\n | summarize Count = count() by EventSeverity\\n )\\n| where isnotempty(EventSeverity)\\n| summarize Count=sum(Count) by EventSeverity\",\"size\":3,\"title\":\"All Alerts {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumSignificantDigits\":1,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\
"sortCriteriaField\":\"Count\",\"sortOrderField\":2}},\"name\":\"Datatable - Alerts per Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n and isnotempty(EventType)\\n| where EventSeverity != \\\"True\\\"\\n| summarize count() by EventSeverity, bin(TimeGenerated,{_timetoken:grain})\\n| render areachart \",\"size\":0,\"title\":\"Events Detected (Count By Severity) {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"0\",\"label\":\"Informational\"},{\"seriesName\":\"1\",\"label\":\"Low\"},{\"seriesName\":\"2\",\"label\":\"Medium\"},{\"seriesName\":\"3\",\"label\":\"High\"}]}},\"customWidth\":\"50\",\"name\":\"Query - Events detected by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UnifiedLog\\\"\\n| summarize count() by tostring(EventDescription), bin(TimeGenerated,{_timetoken:grain})\\n| render areachart \",\"size\":0,\"title\":\"Unified Logging Events {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Unified Logs\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\" \\n and isnotempty(EventType)\\n and isnotempty(DvcHostname)\\n| summarize Event = count() by DvcHostname\\n| sort by Event desc\",\"size\":3,\"title\":\"Most Active Endpoints (Total, last 
{_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"HostName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Event\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"HostName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Event\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"100\",\"name\":\"Query - Most active endpoints with Alerts\",\"styleSettings\":{\"maxWidth\":\"100\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n and isnotempty(EventType)\\n| summarize Events = count() by EventProduct, bin(TimeGenerated,{_timetoken:grain})\\n| render columnchart \",\"size\":0,\"title\":\"Events detected (Total by date, {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"jamfprotect_CL\",\"label\":\"Jamf Protect\"}]}},\"customWidth\":\"50\",\"name\":\"Query - Total events detected\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize Events = count() by EventType, bin(EventStartTime,{_timetoken:grain})\\n| render areachart with(kind=stacked)\\n\",\"size\":0,\"title\":\"Events Detected (Count by Type, 
{_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Events\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Events\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"Query - Events detected counted by Type\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Event Types\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize Events = count() by EventType\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Events by Type\",\"styleSettings\":{\"maxWidth\":\"100\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"FileSystem\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"File System Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - File System Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Process\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Process Event Types 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Process Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"USB\\\"\\nor EventType == \\\"UsbBlock\\\" and EventMessage == \\\"USBWrite\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"USB Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - USB Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Gatekeeper\\\"\\n| summarize count() by tostring(EventMessage)\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"Gatekeeper Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"GatekeeperBlockedSigned\",\"label\":\"Signed\"},{\"seriesName\":\"GatekeeperBlockedRevoked\",\"label\":\"Revoked\"},{\"seriesName\":\"GatekeeperBlockedUnsignedOrUnknown\",\"label\":\"UnsignedOrUnknown\"}]}},\"customWidth\":\"33\",\"name\":\"Query - GateKeeper Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessPrevented\\\"\\n| summarize Threat = count() by EventMatch\\n| render piechart \",\"size\":3,\"showAnalytics\":true,\"title\":\"Threat Prevention Types 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"Query - Threat Prevention Types\"}]},\"name\":\"Group - Event Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Alerts\\\"\\n| where isnotempty(EventType)\\n| summarize count() by tostring(EventType), tostring(EventMessage)\\n| project-rename Count = count_\\n| sort by Count desc\\n| limit 10\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Events\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"ProcessDenied\\\"\\n| where isnotempty(DvcHostname)\\n| summarize Count= count() by TargetProcessName, EventMatch, TargetBinarySigningAppID, TargetBinarySigningTeamID\\n| sort by Count asc nulls first\\n| limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process Blocked by Custom Prevent List {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Process Blocked by Custom Prevent List\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"macOS Built-In Security Tools\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"Gatekeeper\\\"\\n| summarize count() by tostring(EventMessage), 
TargetFilePath\\n| project-rename BlockType = EventMessage, Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Gatekeeper Blocked Items {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"Query - Top Blocked GateKeepers events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Unified Log\\\"\\n| where input_match_event_subsystem_s == \\\"com.apple.XProtectFramework.PluginAPI\\\"\\n| where tostring(parse_json(input_match_event_composedMessage_s).status_message) <> \\\"[]\\\"\\n| extend status_message_ = tostring(parse_json(input_match_event_composedMessage_s).status_message)\\n| extend execution_duration_ = tostring(parse_json(input_match_event_composedMessage_s).execution_duration)\\n| project \\n EventStartTime, \\n DvcHostname, \\n Status=status_message_, \\n Module=input_match_event_process_s, \\n Execution_Duration=execution_duration_\\n| sort by EventStartTime desc\\n| limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"XProtect Remediator Scans {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - XProtect Remediator Activity\"}]},\"name\":\"macOS Built-In Security Tools Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Device Controls\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UsbBlock\\\"\\n| 
where EventMessage == \\\"EnforcedRemovableDevicePolicy\\\"\\n| extend EventMessage = replace_string(tostring(EventMessage), \\\"EnforcedRemovableDevicePolicy\\\", \\\"Blocked\\\")\\n| summarize count() by tostring(EventMessage)\\n\\n\",\"size\":2,\"title\":\"Device Controls Blocked {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"thresholdValue\":\"Alerts\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Notifications\",\"text\":\"Devices Blocked\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortOrderField\":2},\"graphSettings\":{\"type\":0,\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showMetrics\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"25\",\"name\":\"Query - Blocked USB Events\",\"styleSettings\":{\"maxWidth\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"UsbBlock\\\"\\n| where EventMessage == \\\"EnforcedRemovableDevicePolicy\\\"\\n| extend device_ = strcat(input_match_event_device_vendorName_s, \\\" \\\",input_match_event_device_productName_s)\\n| summarize 
count() by DvcHostname, device_\\n| project-rename Hostname = DvcHostname, Device = device_, Count = count_\\n| sort by Count desc\\n\\n\",\"size\":0,\"title\":\"Device Controls Endpoint {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"65\",\"name\":\"Query - Blocked USB Devices\",\"styleSettings\":{\"maxWidth\":\"100\"}}]},\"name\":\"Group - Device Controls\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint Telemetry\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where identity_signer_id_s == \\\"com.apple.sudo\\\"\\n and ParentProcessName == \\\"/usr/bin/sudo\\\"\\n and ActorUsername == \\\"root\\\"\\n and ActorUserId != \\\"-1\\\"\\n| extend Compiled_Arguments = replace_string(TargetProcessCommandLine, \\\",\\\", \\\" \\\")\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n DvcHostname,\\n ActorUserId,\\n Compiled_Arguments\\n| project-rename Hostname = DvcHostname, Elevated_User = ActorUserId\\n| limit 50\\n| sort by EventStartTime\",\"size\":0,\"title\":\"Succesful sudo events {_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Compiled_Arguments\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"69.5714ch\"}}],\"sortBy\":[{\"itemKey\":\"EventStartTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"EventStartTime\",\"sortOrder\":2}]},\"name\":\"Query - Successful sudo events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n//| where 
SrcIpAddr != \\\"0.0.0.0\\\" and EventType != \\\"AUE_SESSION_START\\\" and EventType != \\\"PLAINTEXT_LOG_COLLECTION_EVENT\\\" and EventType != \\\"BIOS_FIRMWARE_VERSIONS\\\" and EventType != \\\"SYSTEM_PERFORMANCE_METRICS\\\" and EventType != \\\"RATE_LIMITING_APPLIED\\\"\\n| where SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"ProcessCreated\\\"\\n or SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"Logoff\\\"\\n or SrcIpAddr != \\\"0.0.0.0\\\" and EventType == \\\"SshInitiated\\\"\\n| where isnotempty(DvcHostname)\\n| where isnotempty(EventType)\\n| where EventProduct != \\\"Jamf Protect - Alerts\\\"\\n//| extend binary=parse_json(path_s)[0]\\n| extend Compiled_Arguments = replace_string(TargetProcessCommandLine, \\\",\\\", \\\" \\\")\\n| project-keep\\n TimeGenerated,\\n EventStartTime,\\n EventType,\\n return_description_s,\\n TargetProcessName,\\n DvcHostname,\\n SrcIpAddr,\\n ActorUsername,\\n ActorUserId,\\n Compiled_Arguments\\n| project-rename\\n EventName = EventType,\\n Description = return_description_s,\\n Hostname = DvcHostname,\\n Process_Name = TargetProcessName,\\n IP_Adress = SrcIpAddr,\\n Elevated_User = ActorUserId\\n| limit 15\\n| sort by EventStartTime\",\"size\":0,\"title\":\"Remotely Controlled Commands (Outbound) {_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Query - Remotely Controlled Commands\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n| where isnotempty(TargetProcessName)\\n| project-keep TimeGenerated, ParentProcessName, TargetProcessName\\n| summarize Rare_Process_Count = count() by TargetProcessName, ParentProcessName\\n| sort by Rare_Process_Count asc nulls first\\n| limit 200\",\"size\":0,\"title\":\"Rare Process Executions (All Executions) 
{_timetoken:value}\",\"noDataMessage\":\"No events occured\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Rare_Process_Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Rare_Process_Count\",\"sortOrder\":1}]},\"customWidth\":\"100\",\"name\":\"Query - Rare Process Executions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and isnotempty(ParentProcessName)\\n| project\\n DvcHostname,\\n TargetProcessName,\\n ParentProcessName,\\n ParentProcessGuid,\\n exec_chain_thread_uuid_g\\n| summarize\\n thread_uuid = make_set(exec_chain_thread_uuid_g, 128),\\n Hostnames = make_set(DvcHostname, 128),\\n process = make_set(TargetProcessName, 128)\\n by ParentProcessName\\n| project \\n Hostnames,\\n process,\\n parent_process=ParentProcessName,\\n thread_uuid\",\"size\":0,\"title\":\"Parent/child process with thread uuid {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"Query - Parent and Child Process UUID\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint Information\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"SystemPerformanceMetrics\\\"\\n| extend metrics = parse_json(metrics_tasks_s)\\n| project-keep DvcHostname, metrics, TimeGenerated\\n| project-reorder DvcHostname, metrics\\n| mv-expand metrics\\n| extend energy_impact = metrics.energy_impact\\n| extend process_name = metrics.name\\n| project-rename\\n Hostname = DvcHostname\\n| extend avg = 
toreal(energy_impact)\\n| summarize Average = avg(avg) by tostring(process_name), bin(TimeGenerated,{_timetoken:grain})\\n| render timechart\\n\\n\\n\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Overall System Energy Impact on all endpoints {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0,\"nodeIdField\":\"Hostname\",\"sourceIdField\":\"Hostname\",\"targetIdField\":\"Hostname\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"group\":\"process_name\",\"createOtherGroup\":15,\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"customWidth\":\"100\",\"name\":\"Query - System Performance Metrics - Energy Impact\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Log Parser {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a hostname in order to show the collected plain-text log files.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isEqualTo\"},\"name\":\"Text - Jamf Log Parser Note\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"f747e125-851e-45f7-b500-5d22049da6a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostnamelogparser\",\"label\":\"Hostname\",\"type\":2,\"isRequired\":true,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and EventType == \\\"LogFileCollected\\\"\\n| project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by 
Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7d123ad2-1768-4d22-b438-565ab483c044\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_logselectlogparser\",\"label\":\"Available Log File\",\"type\":2,\"isRequired\":true,\"query\":\"JamfProtect\\n| where EventType == \\\"LogFileCollected\\\"\\n and DvcHostname == \\\"{_hostnamelogparser:value}\\\"\\n| project-keep TargetFilePath\\n| project-keep TargetFilePath\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"[\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"]\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, '\\\"', \\\"\\\")\\n| summarize by TargetFilePath\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"/var/log/jamf.log\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Picker - Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"LogFileCollected\\\"\\n and DvcHostname == \\\"{_hostnamelogparser:value}\\\"\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"[\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, \\\"]\\\", \\\"\\\")\\n| extend TargetFilePath = replace_string(TargetFilePath, '\\\"', \\\"\\\")\\n| where TargetFilePath == \\\"{_logselectlogparser:escapejson}\\\"\\n| project EventResult, EventStartTime\\n| project-rename Logs = EventResult\\n| project-reorder EventStartTime, Logs\\n| mv-expand parse_json(Logs)\\n| sort by EventStartTime desc\\n| limit 
50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log File Collection on \\\"{_hostnamelogparser:value}\\\"\",\"noDataMessage\":\"No matches found based on the hostname\",\"timeContextFromParameter\":\"_timetoken\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Logs\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Query - Parse Logs\"}]},\"customWidth\":\"100\",\"name\":\"Group - Log Parser\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Endpoint System Performance {_timetoken:value}\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a hostname in order to show the system performance metrics.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"_hostnamelogparser\",\"comparison\":\"isEqualTo\"},\"name\":\"Text - Jamf Log Parser Note\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"f747e125-851e-45f7-b500-5d22049da6a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_hostname\",\"label\":\"Hostname\",\"type\":2,\"query\":\"JamfProtect\\n| where isnotempty(DvcHostname)\\n and EventType == \\\"SystemPerformanceMetrics\\\"\\n| project-keep DvcHostname\\n| project-rename Hostname = DvcHostname\\n| summarize by 
Hostname\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"LMAC-ZW0GTLVDL\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Picker - Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventType == \\\"SystemPerformanceMetrics\\\"\\n and DvcHostname == \\\"{_hostname:value}\\\"\\n| extend metrics = parse_json(metrics_tasks_s)\\n| project-keep DvcHostname, metrics, TimeGenerated\\n| project-reorder DvcHostname, metrics\\n| mv-expand metrics\\n| extend energy_impact = metrics.energy_impact\\n| extend process_name = metrics.name\\n| project-rename\\n Hostname = DvcHostname\\n| extend avg = toreal(energy_impact)\\n| summarize Average = avg(avg) by tostring(process_name), bin(TimeGenerated,{_timetoken:grain})\\n| render timechart\",\"size\":0,\"aggregation\":3,\"title\":\"Energy Impact on {_hostname:value}\",\"noDataMessage\":\"No metrics found based on the hostname\",\"timeContextFromParameter\":\"_timetoken\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"JamfLogs\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"100ch\"}}]},\"chartSettings\":{\"group\":\"process_name\",\"createOtherGroup\":15,\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"_hostname\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Query - Endpoint System Performance - Energy Impact\"}]},\"customWidth\":\"100\",\"name\":\"Group - Endpoint System 
Performance\",\"styleSettings\":{\"margin\":\"200\",\"padding\":\"200\",\"showBorder\":true}}]},\"name\":\"Group - Endpoint Information\"}]},\"name\":\"Group - Telemetry\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Network Threat Events\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and EventResult == \\\"Blocked\\\"\\n| extend blocks = case(EventResult == \\\"Blocked\\\", \\\"Blocked\\\", \\\"True\\\")\\n| summarize arg_max(EventResult, *) by EventStartTime\\n| summarize Count = count() by blocks\\n\\n\",\"size\":4,\"title\":\"Threats blocked by NTP {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"green\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"<\",\"thresholdValue\":\"15\",\"representation\":\"gray\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"<\",\"thresholdValue\":\"30\",\"representation\":\"orange\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\">\",\"thresholdValue\":\"50\",\"representation\":\"redBright\",\"text\":\"Threats blocked by NTP\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"Threats blocked by 
NTP\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumSignificantDigits\":1,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"sortCriteriaField\":\"blocks\",\"sortOrderField\":1,\"size\":\"auto\"}},\"name\":\"Query - Threats blocked by NTP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n| where isnotempty(EventSeverity)\\n| summarize arg_max(EventSeverity, *) by EventStartTime\\n| summarize count() by EventSeverity, bin(TimeGenerated,{_timetoken:grain})\\n| render areachart\",\"size\":0,\"title\":\"Network Events Detected (Count By Severity) {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(DvcHostname)\\n| summarize arg_max(DvcHostname, *) by EventStartTime\\n| summarize Event = count() by DvcHostname\\n| sort by Event desc\",\"size\":0,\"title\":\"Most Active Endpoints (Total, last {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Most Active Endoints with Alerts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(ThreatCategory)\\n| summarize arg_max(ThreatCategory, *) by EventStartTime\\n| summarize Events = 
count() by ThreatCategory, bin(EventStartTime, {_timetoken:grain})\\n| render areachart with(kind=stacked)\",\"size\":0,\"title\":\"Network Events Detected (Count by Type, {_timetoken:value})\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\"\\n and isnotempty(ThreatCategory)\\n| summarize arg_max(ThreatCategory, *) by EventStartTime\\n| summarize Events = count() by ThreatCategory\\n| render piechart\",\"size\":0,\"title\":\"Event Types {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Network Events by Description\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\" \\n and notempty(ThreatCategory) and notempty(DnsQueryName)\\n| extend name_ = ThreatCategory\\n| summarize arg_max(DnsQueryName, *) by EventStartTime\\n| summarize count() by DnsQueryName, ThreatCategory\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Blocked destinations {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 blocked destinations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Threat Events Stream\\\" \\n and notempty(ThreatCategory)\\n and notempty(DstIpAddr)\\n| 
extend name_ = ThreatCategory\\n| summarize arg_max(DstIpAddr, *) by EventStartTime\\n| summarize count() by DstIpAddr\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Blocked IPs {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Blocked IPs\"}]},\"name\":\"Network Threat Events - Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Network Traffic\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Network Traffic Stream\\\"\\n and isnotempty(DnsQuery)\\n| summarize arg_max(DnsQuery, *) by EventStartTime\\n| summarize count() by DnsQuery, DnsQueryTypeName\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 resolved destinations {_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 resolved destinations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"JamfProtect\\n| where EventProduct == \\\"Jamf Protect - Network Traffic Stream\\\"\\n and isnotempty(DstIpAddr) and DstIpAddr != \\\"[]\\\"\\n| summarize arg_max(DstIpAddr, *) by EventStartTime\\n| summarize count() by DstIpAddr\\n| project-rename\\n Count = count_\\n| sort by Count desc\\n| limit 10\",\"size\":0,\"title\":\"Top 10 Resolved IPs 
{_timetoken:value}\",\"timeContextFromParameter\":\"_timetoken\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"Query - Top 10 Resolved IPs\"}]},\"name\":\"Network Traffic - Group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-JamfProtectDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=JamfProtectWorkbook; logoFileName=jamf_logo.svg; description=This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Jamf Protect Workbook; templateRelativePath=JamfProtectDashboard.json; subtitle=; provider=Jamf Software, LLC}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "operator": "AND", + 
"criteria": [ + { + "contentId": "jamfprotect_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtectAlerts_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel", + "displayName": "Jamf Protect - Alerts", + "enabled": false, + "query": "JamfProtect\n| where EventProduct == \"Jamf Protect - Alerts\"\n and isnotempty(EventSeverity)\n| extend\n algorithm = 
\"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = tostring(Match_facts[0].tags),\n Tactics = case(Match_tags has \"Execution\", \"Execution\", Match_tags has \"Visibility\", \"Visibility\", Match_tags has \"Persistence\", \"Persistence\", Match_tags has \"LateralMovement\", \"LateralMovement\", Match_tags has \"CredentialAccess\", \"CredentialAcccess\", Match_tags has \"DefenseEvasion\", \"DefenseEvasion\", Match_tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", Match_tags has \"Impact\", \"Impact\", Match_tags has \"CommandAndControl\", \"CommandandControl\", Match_tags has \"Discovery\", \"Discovery\", Match_tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(Match_tags))),\n JamfPro = case(Match_actions has \"SmartGroup\", \"Workflow with Jamf Pro\", Match_actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "jamfprotect_CL" + ], + "connectorId": "JamfProtect" + } + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "DvcHostname", + "identifier": "HostName" + }, + { + "columnName": "DvcOs", + "identifier": "OSFamily" + }, + { + "columnName": "DvcOsVersion", + "identifier": "OSVersion" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "Host_IPs", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "TargetUsername", + "identifier": "Name" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "TargetProcessCurrentDirectory", + "identifier": "CommandLine" + }, + { + "columnName": "TargetProcessId", + "identifier": "ProcessId" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "columnName": "algorithm", + "identifier": 
"Algorithm" + }, + { + "columnName": "TargetBinarySHA256", + "identifier": "Value" + } + ], + "entityType": "FileHash" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Related_Binaries": "TargetBinaryFilePath", + "Related_File_hash": "TargetBinarySHA256", + "Protect_Tags": "Tags", + "Protect_Analytic": "EventMessage", + "Protect_Event_Type": "EventType", + "TargetbinarySign": "TargetbinarySignerType", + "JamfPro_Status": "JamfPro", + "TargetBinarySignMsg": "TargetBinarySigningInfoMessage", + "TargetBinarySigner": "TargetBinarySigningTeamID" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}", + "alertDescriptionFormat": "{{EventDescription}} - Please investigate", + "alertDynamicProperties": [ + { + "alertProperty": "AlertLink", + "value": "EventReportUrl" + }, + { + "alertProperty": "ProviderName", + "value": "EventVendor" + }, + { + "alertProperty": "ProductName", + "value": "EventProduct" + }, + { + "alertProperty": "Techniques", + "value": "Techniques" + } + ], + "alertTacticsColumnName": "Tactics", + "alertSeverityColumnName": "EventSeverity" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "enabled": false, + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Jamf Protect Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + 
"source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Jamf Protect - Alerts", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtectNetworkThreats_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": 
"[parameters('workspace-location')]", + "properties": { + "description": "Creates an incident based based on Jamf Protect's Network Threat Event Stream alerts.", + "displayName": "Jamf Protect - Network Threats", + "enabled": false, + "query": "JamfProtect\n| where EventProduct == \"Jamf Protect - Threat Events Stream\"\n and EventResult == \"Blocked\"\n and isnotempty(EventSeverity)\n| extend Tactics = \"Initial Access\"\n| extend Techniques = \"T1566\"\n", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "jamfprotect_CL" + ], + "connectorId": "JamfProtect" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1133" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Hostname", + "identifier": "HostName" + }, + { + "columnName": "DvcOs", + "identifier": "OSFamily" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "DstIpAddr", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "SrcUsermail", + "identifier": "AadUserId" + }, + { + "columnName": "SrcUsername", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "DnsQueryName", + "identifier": "Url" + } + ], + "entityType": "URL" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Category": "ThreatCategory" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "Network Threat detected on {{DvcHostname}}", + "alertDescriptionFormat": "A Network Threat has been {{EventResult}} on {{DvcHostname}}", + "alertDynamicProperties": [ + { + "alertProperty": "AlertLink", + "value": "EventReportUrl" + }, + { + "alertProperty": "ProviderName", + "value": "EventVendor" + }, + { + "alertProperty": "ProductName", + "value": "EventProduct" + }, + { + "alertProperty": 
"RemediationSteps", + "value": "EventResult" + }, + { + "alertProperty": "Techniques", + "value": "Techniques" + } + ], + "alertTacticsColumnName": "Tactics", + "alertSeverityColumnName": "EventSeverity" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "enabled": false, + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Jamf Protect Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Jamf Protect - Network Threats", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + 
}, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtectUnifiedLogs_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel", + "displayName": "Jamf Protect - Unified Logs", + "enabled": false, + "query": "JamfProtect\n| where EventType == \"UnifiedLog\"\n| where isnotempty(EventSeverity)\n| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])\n", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "jamfprotect_CL" + ], + "connectorId": "JamfProtect" + } + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "DvcHostname", + "identifier": "HostName" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "Host_IPs", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + 
}, + "customDetails": { + "Tags": "Match_tags", + "Unified_Log": "EventDescription", + "Event_Process": "TargetProcessName", + "Protect_Event_Type": "EventType" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}", + "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs", + "alertDynamicProperties": [ + { + "alertProperty": "ProviderName", + "value": "EventVendor" + }, + { + "alertProperty": "ProductName", + "value": "EventProduct" + } + ], + "alertSeverityColumnName": "EventSeverity" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "enabled": false, + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Jamf Protect Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Jamf Protect - Unified Logs", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_DazzleSpy_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - DazzleSpy", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27\", \n \"4c67717fdf1ba588c8be62b6137c92d344a7d4f46b24fa525e5eaa3de330b16c\", \n \"570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6\", \n \"623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a\", \n \"8fae0d5860aa44b5c7260ef7a0b277bcddae8c02cea7d3a9c19f1a40388c223f\", \n 
\"9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70\", \n \"a63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97\", \n \"bbbfe62cf15006014e356885fbc7447e3fd37c3743e0522b1f8320ad5c3791c9\", \n \"cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8\", \n \"d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4\", \n \"df5b588f555cccdf4bbf695158b10b5d3a5f463da7e36d26bdf8b7ba0f8ed144\", \n \"f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348\")\n or DstIpAddr in (\"103.255.44.56\",\n \"123.1.170.152\",\n \"207.148.102.208\",\n \"88.218.192.128\")\n or TargetFilePath contains \"/Library/LaunchAgents/softwareupdate.plist\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for alerts related to DazzleSpy activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "ResourceDevelopment" + }, + { + "name": "techniques", + "value": "T1587,T1587.001" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": 
"support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - DazzleSpy", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_JokerSpy_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + 
"displayName": "JamfProtect - macOS - JokerSpy", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272\", \n \"39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4\", \n \"aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1\", \n \"d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8\", \n \"951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c\", \n \"452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1\", \n \"6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c\")\nor DnsQueryName contains \"git-hub.me\"\nor DnsQueryName contains \"app.influmarket.org\"\nor EventMatch contains \"jokerspy\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for alerts related to JokerSpy activity, Known to use various back doors to deploy spyware on victims' systems in order to perform reconnaissance and for command and control." 
+ }, + { + "name": "tactics", + "value": "Execution,Masquerading" + }, + { + "name": "techniques", + "value": "T1059,T1036" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - JokerSpy", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_KandyKorn_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - KandyKorn", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 in (\n \"2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1\",\n \"51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077\")\n or DnsQueryName contains \"tp-globa.xyz\"\n or DstIpAddr in (\"192.119.64.43\", \"23.254.226.90\")\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for activity related to KandyKorn activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1020" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", 
+ "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - KandyKorn", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_PureLand_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - PureLand", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 has \"0b9a3b00302faf3297b60fff0714f2db87245a613dcd9849645bffa7c4a3df9b\"\n or DstIpAddr contains \"193.168.141.107\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for activity related to PureLand activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1020" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 
variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - PureLand", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_RustBucket_HuntingQueries Hunting Query with template version 
3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - RustBucket", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 in (\"e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c\", \"ac08406818bbf4fe24ea04bfd72f747c89174bdb\", \"72167ec09d62cdfb04698c3f96a6131dceb24a9c\", \"fd1cef5abe3e0c275671916a1f3a566f13489416\")\n or DnsQueryName contains \"cloud.dnx.capital\"\n or DnsQueryName contains \"deck.31ventures.info\"\n or ((TargetBinarySigningAppID contains \"com.apple.pdfViewer\") and (TargetbinarySignerType != \"Apple\"))\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for activity related to RustBucket activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1020" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "kind": 
"HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - RustBucket", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_Turtle_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('huntingQueryObject6').huntingQueryVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - Turtle", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 has \"a48af4a62358831fe5376aa52db1a3555b0c93c1665b242c0c1f49462f614c56\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for activity related to Turtle activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1020" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - Turtle", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_macOS_AtomicStealer_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Jamf_Protect_Hunting_Query_7", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "JamfProtect - macOS - AtomicStealer", + "category": "Hunting Queries", + "query": "JamfProtect\n| where TargetProcessSHA256 in (\n 
\"ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a\", \n \"91cca8b573d9bfdbe2d7ff74ce31acee7a3a9f8e0034841af38d96a1d4ad02f4\", \n \"7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f\")\nor TargetFileSHA256 has \"6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0\"\nor DnsQueryName contains \"app-downloads.org\"\nor DnsQueryName contains \"trabingviews.com\"\nor DstIpAddr contains \"185.106.93.154\"\nor EventMatch contains \"atomicstealer\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Use this query to look for activity related to AtomicStealer activity, known to affect macOS devices via a MachO binary" + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1020" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", + "properties": { + "description": "Jamf Protect Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "JamfProtect - macOS - AtomicStealer", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_Alert_Status_InProgress Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "clientIdentifier": { + "type": "String", + "metadata": { + "description": "The Client ID for the Jamf Protect API Key" + } + }, + "clientSecret": { + "type": "SecureString", + "metadata": { + "description": "The Client Secret for the Jamf Protect API Key" + } + }, + "jamfProtect_URL": { + "defaultValue": "https://*.protect.jamfcloud.com", + "type": "String", + "metadata": { + "description": "Enter the Jamf Protect instance URL ex: {https://fakevalue.protect.jamfcloud.com}" + } + }, + "PlaybookName": { + "type": "String", 
+ "minLength": 1, + "defaultValue": "JamfProtect_Alert_Status_InProgress", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('playbookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "client_ID": { + "defaultValue": "[[parameters('clientIdentifier')]", + "type": "String" + }, + "jamfProtectURL": { + "defaultValue": "[[parameters('jamfProtect_URL')]", + "type": "String" + }, + "password": { + "defaultValue": "[[parameters('clientSecret')]", + "type": "SecureString" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { 
+ "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Jamf Protect Alert with URL @{outputs('Composing_Jamf_Protect_Alert_URL')} has been set to status In Progress

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Composing_Jamf_Protect_Alert_URL": { + "type": "Compose", + "inputs": "@items('For_each')?['properties']?['alertLink']" + }, + "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": { + "runAfter": { + "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "type": "Raw", + "value": "@variables('accessToken')" + }, + "body": { + "operationName": "updateAlert", + "query": "mutation updateAlert {\n updateAlerts(input: { uuids: [\"@{outputs('Removing_pre-fix_of_URL_and_keeping_Alert_UDID')}\"], status: InProgress })\n {\n items {\n uuid\n status\n }\n }\n}\n" + }, + "method": "POST", + "uri": "@{parameters('jamfProtectURL')}/graphql" + } + }, + "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": { + "runAfter": { + "Composing_Jamf_Protect_Alert_URL": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@replace(outputs('Composing_Jamf_Protect_Alert_URL'), variables('jamfProtectAlertURL'), '')" + } + }, + "runAfter": { + "Set_accessToken_as_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Generate_Access_Token": { + "runAfter": { + "set_jamfProtectAlertURL_as_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "client_id": "@{parameters('client_ID')}", + "password": "@{parameters('password')}" + }, + "headers": { + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{parameters('jamfProtectURL')}/token" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs" + ] + } + } + }, + "Parse_JSON_Response_from_Access_Token": { + "runAfter": { + "Generate_Access_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Access_Token')", + "schema": { + "properties": { + 
"access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Set_accessToken_as_variable": { + "runAfter": { + "Parse_JSON_Response_from_Access_Token": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "accessToken", + "type": "string", + "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" + } + ] + } + }, + "set_jamfProtectAlertURL_as_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "jamfProtectAlertURL", + "type": "string", + "value": "@{parameters('jamfProtectURL')}/Alerts/" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + 
"support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ], + "metadata": { + "title": "Jamf Protect - Set Alert to In Progress", + "description": "This Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel incident back to Jamf Protect.", + "mainSteps": [ + "1. Fetches the AlertUDID from the Alert of Jamf Protect", + "2. Generates a Access Token to authenticate against the Jamf Protect GraphQL API", + "3. Changes the Alert status in Jamf Protect to In Progress" + ], + "prerequisites": [ + "1. Generate API Client in Jamf Protect and take note of the CLientID and Password. [learn how](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Jamf_Protect_API.html#ariaid-title3)", + "2. Use the ClientID and Password during the deployment of this Playbook" + ], + "lastUpdateTime": "2023-07-20T00:00:00Z", + "tags": [ + "Utilities" + ], + "source": { + "type": "solution", + "name": "Jamf Protect" + }, + "postDeployment": [ + "** b. Configurations in Sentinel **", + "1. In Microsoft Sentinel Analytic Rules for Jamf Protect - Alerts should be configured to create an incident", + "2. 
Configure the Automation Rules to trigger this playbook once a incident is status is changed to Active" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Jamf Protect - Set Alert to In Progress", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "JamfProtect_Alert_Status_InProgress", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_Alert_Status_Resolved Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "clientIdentifier": { + "type": "String", + "metadata": { + "description": "The Client ID for the Jamf Protect API Key" + } + }, + "clientSecret": { + "type": "SecureString", + "metadata": { + "description": "The Client Secret for the Jamf Protect API Key" + } + }, + "jamfProtect_URL": { + "defaultValue": "https://*.protect.jamfcloud.com", + "type": "String", + "metadata": { + "description": "Enter the Jamf Protect instance URL ex: {https://fakevalue.protect.jamfcloud.com}" 
+ } + }, + "PlaybookName": { + "type": "String", + "minLength": 1, + "defaultValue": "JamfProtect_Alert_Status_Resolved", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('playbookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "client_ID": { + "defaultValue": "[[parameters('clientIdentifier')]", + "type": "String" + }, + "jamfProtectURL": { + "defaultValue": "[[parameters('jamfProtect_URL')]", + "type": "String" + }, + "password": { + "defaultValue": "[[parameters('clientSecret')]", + "type": "SecureString" + } + }, + 
"triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Jamf Protect Alert with URL @{outputs('Composing_Jamf_Protect_Alert_URL')} has been set to status Resolved

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Composing_Jamf_Protect_Alert_URL": { + "type": "Compose", + "inputs": "@items('For_each')?['properties']?['alertLink']" + }, + "HTTP_POST_-_Change_Alert_Status_using_Jamf_Protect's_GraphQL_API_Endpoint": { + "runAfter": { + "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "type": "Raw", + "value": "@variables('accessToken')" + }, + "body": { + "operationName": "updateAlert", + "query": "mutation updateAlert {\n updateAlerts(input: { uuids: [\"@{outputs('Removing_pre-fix_of_URL_and_keeping_Alert_UDID')}\"], status: Resolved })\n {\n items {\n uuid\n status\n }\n }\n}\n" + }, + "method": "POST", + "uri": "@{parameters('jamfProtectURL')}/graphql" + } + }, + "Removing_pre-fix_of_URL_and_keeping_Alert_UDID": { + "runAfter": { + "Composing_Jamf_Protect_Alert_URL": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@replace(outputs('Composing_Jamf_Protect_Alert_URL'), variables('jamfProtectAlertURL'), '')" + } + }, + "runAfter": { + "Set_accessToken_as_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Generate_Access_Token": { + "runAfter": { + "set_jamfProtectAlertURL_as_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "client_id": "@{parameters('client_ID')}", + "password": "@{parameters('password')}" + }, + "headers": { + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{parameters('jamfProtectURL')}/token" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs" + ] + } + } + }, + "Parse_JSON_Response_from_Access_Token": { + "runAfter": { + "Generate_Access_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Access_Token')", + "schema": { + "properties": { + 
"access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Set_accessToken_as_variable": { + "runAfter": { + "Parse_JSON_Response_from_Access_Token": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "accessToken", + "type": "string", + "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" + } + ] + } + }, + "set_jamfProtectAlertURL_as_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "jamfProtectAlertURL", + "type": "string", + "value": "@{parameters('jamfProtectURL')}/Alerts/" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + 
"support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ], + "metadata": { + "title": "Jamf Protect - Set Alert to Resolved", + "description": "This Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel incident back to Jamf Protect.", + "mainSteps": [ + "1. Fetches the AlertUDID from the Alert of Jamf Protect", + "2. Generates a Access Token to authenticate against the Jamf Protect GraphQL API", + "3. Changes the Alert status in Jamf Protect to Resolved" + ], + "prerequisites": [ + "1. Generate API Client in Jamf Protect and take note of the CLientID and Password. [learn how](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Jamf_Protect_API.html#ariaid-title3)", + "2. Use the ClientID and Password during the deployment of this Playbook" + ], + "lastUpdateTime": "2023-07-20T00:00:00Z", + "tags": [ + "Utilities" + ], + "source": { + "type": "solution", + "name": "Jamf Protect" + }, + "postDeployment": [ + "** b. Configurations in Sentinel **", + "1. In Microsoft Sentinel Analytic Rules for Jamf Protect - Alerts should be configured to create an incident", + "2. 
Configure the Automation Rules to trigger this playbook once a incident is status is changed to Active" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Jamf Protect - Set Alert to Resolved", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "JamfProtect_Alert_Status_Resolved", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "JamfProtect_LockComputer_with_JamfPro Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "jamfProClientID": { + "type": "String", + "metadata": { + "description": "The ClientID for the Jamf Pro" + } + }, + "jamfProSecret": { + "type": "SecureString", + "metadata": { + "description": "The secret for the ClientID of Jamf Pro" + } + }, + "jamfProURL": { + "defaultValue": "https://*.jamfcloud.com", + "type": "String", + "metadata": { + "description": "Enter the Jamf Pro instance URL ex: {https://fakevalue.jamfcloud.com}" + } + }, + "PlaybookName": { + "type": 
"String", + "minLength": 1, + "defaultValue": "JamfProtect_LockComputer_with_JamfPro", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('playbookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "jamfProSecret": { + "defaultValue": "[[parameters('jamfProSecret')]", + "type": "SecureString" + }, + "jamfProURL": { + "defaultValue": "[[parameters('jamfProURL')]", + "type": "String" + }, + "jamfProClientID": { + "defaultValue": "[[parameters('jamfProClientID')]", + "type": "String" + } + }, + "triggers": { + 
"Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Filter_array_for_the_entity_kind_Host": { + "runAfter": { + "Parse_JSON_Entities_from_the_Incident": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_JSON_Entities_from_the_Incident')", + "where": "@equals(item()['kind'], 'Host')" + } + }, + "For_each_host_send_DeviceLock_command": { + "foreach": "@body('Filter_array_for_the_entity_kind_Host')", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Send_DeviceLock_command_to_given_computers_JSSID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Device Lock command has been send to @{body('Parse_JSON_for_given_computer_based_on_managementID')?['general']?['name']} with passcode: @{outputs('Generate_a_randomised_6_digit_value')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Generate_a_randomised_6_digit_value": { + "runAfter": { + "Parse_JSON_for_given_computer_based_on_managementID": [ + "Succeeded", + "Failed" + ] + }, + "type": "Compose", + "inputs": "@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}@{rand(0, 9)}" + }, + "Get_JSSID_for_given_computer_in_Jamf_Pro": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{variables('accessToken')}", + "accept": "application/json" + }, + "method": "GET", + "uri": "@{parameters('jamfProURL')}/JSSResource/computers/name/@{items('For_each_host_send_DeviceLock_command')?['properties']?['friendlyName']}" + } + }, + "Get_managementID_for_given_computer_in_Jamf_Pro": { + "runAfter": { + "Parse_JSON_response_for_given_computer": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{variables('accessToken')}", + "accept": "application/json" + }, + "method": "GET", + "uri": "@{parameters('jamfProURL')}/api/v1/computers-inventory/@{body('Parse_JSON_response_for_given_computer')?['computer']?['general']?['id']}?section=GENERAL" + } + }, + "Parse_JSON_for_given_computer_based_on_managementID": { + "runAfter": { + "Get_managementID_for_given_computer_in_Jamf_Pro": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_managementID_for_given_computer_in_Jamf_Pro')", + "schema": { + "properties": { + "general": { + "properties": { + "declarativeDeviceManagementEnabled": { + "type": "boolean" + }, + "enrolledViaAutomatedDeviceEnrollment": { + "type": "boolean" + }, + "initialEntryDate": { + "type": "string" + }, + "itunesStoreAccountActive": { + "type": "boolean" + }, + "jamfBinaryVersion": { + "type": "string" + }, + "lastContactTime": { + "type": "string" + }, + "lastEnrolledDate": { + "type": "string" + }, 
+ "lastIpAddress": { + "type": "string" + }, + "lastReportedIp": { + "type": "string" + }, + "managementId": { + "type": "string" + }, + "mdmCapable": { + "properties": { + "capable": { + "type": "boolean" + }, + "capableUsers": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "mdmProfileExpiration": { + "type": "string" + }, + "name": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "remoteManagement": { + "properties": { + "managed": { + "type": "boolean" + } + }, + "type": "object" + }, + "reportDate": { + "type": "string" + }, + "site": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "supervised": { + "type": "boolean" + }, + "userApprovedMdm": { + "type": "boolean" + } + }, + "type": "object" + }, + "id": { + "type": "string" + }, + "udid": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_JSON_response_for_given_computer": { + "runAfter": { + "Get_JSSID_for_given_computer_in_Jamf_Pro": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_JSSID_for_given_computer_in_Jamf_Pro')", + "schema": { + "properties": { + "computer": { + "properties": { + "certificates": { + "items": { + "properties": { + "common_name": { + "type": "string" + }, + "expires_epoch": { + "type": "integer" + }, + "expires_utc": { + "type": "string" + }, + "identity": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "common_name", + "identity", + "expires_utc", + "expires_epoch", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "configuration_profiles": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "is_removable": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "uuid", + "is_removable" + ], + "type": "object" + }, + "type": "array" + }, + 
"extension_attributes": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "multi_value": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "multi_value", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "general": { + "properties": { + "alt_mac_address": { + "type": "string" + }, + "alt_network_adapter_type": { + "type": "string" + }, + "asset_tag": { + "type": "string" + }, + "barcode_1": { + "type": "string" + }, + "barcode_2": { + "type": "string" + }, + "distribution_point": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "initial_entry_date": { + "type": "string" + }, + "initial_entry_date_epoch": { + "type": "integer" + }, + "initial_entry_date_utc": { + "type": "string" + }, + "ip_address": { + "type": "string" + }, + "itunes_store_account_is_active": { + "type": "boolean" + }, + "jamf_version": { + "type": "string" + }, + "last_cloud_backup_date_epoch": { + "type": "integer" + }, + "last_cloud_backup_date_utc": { + "type": "string" + }, + "last_contact_time": { + "type": "string" + }, + "last_contact_time_epoch": { + "type": "integer" + }, + "last_contact_time_utc": { + "type": "string" + }, + "last_enrolled_date_epoch": { + "type": "integer" + }, + "last_enrolled_date_utc": { + "type": "string" + }, + "last_reported_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "management_status": { + "properties": { + "enrolled_via_dep": { + "type": "boolean" + }, + "user_approved_enrollment": { + "type": "boolean" + }, + "user_approved_mdm": { + "type": "boolean" + } + }, + "type": "object" + }, + "mdm_capable": { + "type": "boolean" + }, + "mdm_capable_users": { + "properties": { + "mdm_capable_user": { + "type": "string" + } + }, + "type": "object" + }, + "mdm_profile_expiration_epoch": { + "type": "integer" + }, + "mdm_profile_expiration_utc": { + "type": 
"string" + }, + "name": { + "type": "string" + }, + "network_adapter_type": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "remote_management": { + "properties": { + "managed": { + "type": "boolean" + }, + "management_password_sha256": { + "type": "string" + }, + "management_username": { + "type": "string" + } + }, + "type": "object" + }, + "report_date": { + "type": "string" + }, + "report_date_epoch": { + "type": "integer" + }, + "report_date_utc": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "site": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "supervised": { + "type": "boolean" + }, + "sus": { + "type": "string" + }, + "udid": { + "type": "string" + } + }, + "type": "object" + }, + "groups_accounts": { + "properties": { + "computer_group_memberships": { + "items": { + "type": "string" + }, + "type": "array" + }, + "local_accounts": { + "items": { + "properties": { + "administrator": { + "type": "boolean" + }, + "filevault_enabled": { + "type": "boolean" + }, + "home": { + "type": "string" + }, + "home_size": { + "type": "string" + }, + "home_size_mb": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "realname": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "required": [ + "name", + "realname", + "uid", + "home", + "home_size", + "home_size_mb", + "administrator", + "filevault_enabled" + ], + "type": "object" + }, + "type": "array" + }, + "user_inventories": { + "properties": { + "disable_automatic_login": { + "type": "boolean" + }, + "user": { + "properties": { + "password_history_depth": { + "type": "string" + }, + "password_max_age": { + "type": "string" + }, + "password_min_complex_characters": { + "type": "string" + }, + "password_min_length": { + "type": "string" + }, + "password_require_alphanumeric": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "type": "object" + } + 
}, + "type": "object" + } + }, + "type": "object" + }, + "hardware": { + "properties": { + "active_directory_status": { + "type": "string" + }, + "available_ram_slots": { + "type": "integer" + }, + "battery_capacity": { + "type": "integer" + }, + "ble_capable": { + "type": "boolean" + }, + "boot_rom": { + "type": "string" + }, + "bus_speed": { + "type": "integer" + }, + "bus_speed_mhz": { + "type": "integer" + }, + "cache_size": { + "type": "integer" + }, + "cache_size_kb": { + "type": "integer" + }, + "disk_encryption_configuration": { + "type": "string" + }, + "filevault2_users": { + "items": { + "type": "string" + }, + "type": "array" + }, + "gatekeeper_status": { + "type": "string" + }, + "institutional_recovery_key": { + "type": "string" + }, + "is_apple_silicon": { + "type": "boolean" + }, + "make": { + "type": "string" + }, + "mapped_printers": { + "type": "array" + }, + "model": { + "type": "string" + }, + "model_identifier": { + "type": "string" + }, + "nic_speed": { + "type": "string" + }, + "number_cores": { + "type": "integer" + }, + "number_processors": { + "type": "integer" + }, + "optical_drive": { + "type": "string" + }, + "os_build": { + "type": "string" + }, + "os_name": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "processor_architecture": { + "type": "string" + }, + "processor_speed": { + "type": "integer" + }, + "processor_speed_mhz": { + "type": "integer" + }, + "processor_type": { + "type": "string" + }, + "service_pack": { + "type": "string" + }, + "sip_status": { + "type": "string" + }, + "smc_version": { + "type": "string" + }, + "software_update_device_id": { + "type": "string" + }, + "storage": { + "type": "array" + }, + "supports_ios_app_installs": { + "type": "boolean" + }, + "total_ram": { + "type": "integer" + }, + "total_ram_mb": { + "type": "integer" + }, + "xprotect_version": { + "type": "string" + } + }, + "type": "object" + }, + "iphones": { + "type": "array" + }, + "location": { + "properties": { + 
"building": { + "type": "string" + }, + "department": { + "type": "string" + }, + "email_address": { + "type": "string" + }, + "phone": { + "type": "string" + }, + "phone_number": { + "type": "string" + }, + "position": { + "type": "string" + }, + "real_name": { + "type": "string" + }, + "realname": { + "type": "string" + }, + "room": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "type": "object" + }, + "peripherals": { + "type": "array" + }, + "purchasing": { + "properties": { + "applecare_id": { + "type": "string" + }, + "attachments": { + "type": "array" + }, + "is_leased": { + "type": "boolean" + }, + "is_purchased": { + "type": "boolean" + }, + "lease_expires": { + "type": "string" + }, + "lease_expires_epoch": { + "type": "integer" + }, + "lease_expires_utc": { + "type": "string" + }, + "life_expectancy": { + "type": "integer" + }, + "os_applecare_id": { + "type": "string" + }, + "os_maintenance_expires": { + "type": "string" + }, + "po_date": { + "type": "string" + }, + "po_date_epoch": { + "type": "integer" + }, + "po_date_utc": { + "type": "string" + }, + "po_number": { + "type": "string" + }, + "purchase_price": { + "type": "string" + }, + "purchasing_account": { + "type": "string" + }, + "purchasing_contact": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "warranty_expires": { + "type": "string" + }, + "warranty_expires_epoch": { + "type": "integer" + }, + "warranty_expires_utc": { + "type": "string" + } + }, + "type": "object" + }, + "security": { + "properties": { + "activation_lock": { + "type": "boolean" + }, + "external_boot_level": { + "type": "string" + }, + "firewall_enabled": { + "type": "boolean" + }, + "recovery_lock_enabled": { + "type": "boolean" + }, + "secure_boot_level": { + "type": "string" + } + }, + "type": "object" + }, + "software": { + "properties": { + "applications": { + "items": { + "properties": { + "bundle_id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "path": { 
+ "type": "string" + }, + "version": { + "type": "string" + } + }, + "required": [ + "name", + "path", + "version", + "bundle_id" + ], + "type": "object" + }, + "type": "array" + }, + "available_software_updates": { + "items": { + "type": "string" + }, + "type": "array" + }, + "available_updates": { + "properties": { + "update": { + "properties": { + "name": { + "type": "string" + }, + "package_name": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "cached_by_casper": { + "type": "array" + }, + "fonts": { + "type": "array" + }, + "installed_by_casper": { + "items": { + "type": "string" + }, + "type": "array" + }, + "installed_by_installer_swu": { + "items": { + "type": "string" + }, + "type": "array" + }, + "licensed_software": { + "type": "array" + }, + "plugins": { + "type": "array" + }, + "running_services": { + "items": { + "type": "string" + }, + "type": "array" + }, + "unix_executables": { + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_DeviceLock_command_to_given_computers_JSSID": { + "runAfter": { + "Generate_a_randomised_6_digit_value": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{variables('accessToken')}", + "accept": "application/json" + }, + "method": "POST", + "uri": "@{parameters('jamfProURL')}/JSSResource/computercommands/command/DeviceLock/passcode/@{outputs('Generate_a_randomised_6_digit_value')}/id/@{body('Parse_JSON_for_given_computer_based_on_managementID')?['general']?['site']?['id']}" + } + } + }, + "runAfter": { + "Filter_array_for_the_entity_kind_Host": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Generate_Access_Token_using_API_Client": { + "type": "Http", + "inputs": { + "body": "client_id=@{parameters('jamfProClientID')}&client_secret=@{parameters('jamfProSecret')}&grant_type=client_credentials", + "headers": { + 
"Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "@{parameters('jamfProURL')}/api/oauth/token" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs" + ] + } + } + }, + "Parse_JSON_Entities_from_the_Incident": { + "runAfter": { + "Set_accessToken_as_variable": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "address": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "kind", + "properties" + ], + "type": "object" + }, + "type": "array" + } + } + }, + "Parse_JSON_Response_from_Access_Token": { + "runAfter": { + "Generate_Access_Token_using_API_Client": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Access_Token_using_API_Client')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "scope": { + "type": "string" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Set_accessToken_as_variable": { + "runAfter": { + "Parse_JSON_Response_from_Access_Token": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "accessToken", + "type": "string", + "value": "@body('Parse_JSON_Response_from_Access_Token')?['access_token']" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ], + "metadata": { + "title": "Jamf Protect - Remote lock computer with Jamf Pro", + "description": "This Playbook can be used manually or in a Automation Rule to send an remote MDM command with Jamf Pro to lock the computer with an randomised 6 digit passcode.", + "mainSteps": [ + "1. Fetches the Host entity from the Incident created based on event data from Jamf Protect", + "2. Generates a Access Token using a API Client to authenticate against the Jamf Pro API", + "3. Retrieves the JSSID and ManagementUUID from Jamf Pro for given computer", + "4. Sends a remote lock MDM command with a randomised 6 digit passcode", + "5. Randomised passcode will be stored in the Comments section of the incident itself." + ], + "prerequisites": [ + "1. 
Create an API Client in Jamf Pro that is capable of reading computers and sending remote commands. [learn how](https://learn.jamf.com/bundle/jamf-pro-documentation-current)", + "2. Use the Client ID and Secret during the deployment of this Playbook" + ], + "lastUpdateTime": "2023-07-20T00:00:00Z", + "tags": [ + "Utilities" + ], + "source": { + "type": "solution", + "name": "Jamf Protect" + }, + "postDeployment": [ + "** b. Configurations in Sentinel **", + "1. This Playbook can be best used as Action while investigating an Incident." + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Jamf Protect - Remote lock computer with Jamf Pro", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "JamfProtect_LockComputer_with_JamfPro", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.2.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Jamf Protect", + "publisherDisplayName": "Jamf Software, LLC", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Jamf Protect solution for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 3, Hunting Queries: 7, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" + }, + { + "kind": 
"HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_JamfProtect_Alert_Status_InProgress')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_JamfProtect_Alert_Status_Resolved')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_JamfProtect_LockComputer_with_JamfPro')]", + "version": "[variables('playbookVersion3')]" + } + ] + }, + "firstPublishDate": "2022-10-10", + "lastPublishDate": "2024-01-12", + "providers": [ + "Jamf" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - Automation (SOAR)" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} From 1c29349444966291945071861f9836624950ace2 Mon Sep 17 00:00:00 2001 
From: v-shukore Date: Tue, 4 Feb 2025 17:33:25 +0530 Subject: [PATCH 3/8] MS 365 packaged --- .../Data/Solution_Office365.json | 2 +- Solutions/Microsoft 365/Package/3.0.5.zip | Bin 0 -> 40323 bytes .../Package/createUiDefinition.json | 2 +- .../Microsoft 365/Package/mainTemplate.json | 610 +++++++++--------- Solutions/Microsoft 365/ReleaseNotes.md | 1 + 5 files changed, 308 insertions(+), 307 deletions(-) create mode 100644 Solutions/Microsoft 365/Package/3.0.5.zip
diff --git a/Solutions/Microsoft 365/Data/Solution_Office365.json b/Solutions/Microsoft 365/Data/Solution_Office365.json
index 82a72354d43..6ef075eafef 100644
--- a/Solutions/Microsoft 365/Data/Solution_Office365.json
+++ b/Solutions/Microsoft 365/Data/Solution_Office365.json
@@ -52,7 +52,7 @@
 "Analytic Rules/sharepoint_file_transfer_above_threshold.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Microsoft 365",
- "Version": "3.0.3",
+ "Version": "3.0.5",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Microsoft 365/Package/3.0.5.zip b/Solutions/Microsoft 365/Package/3.0.5.zip new file mode 100644 index 0000000000000000000000000000000000000000..bdd628059765533fe361f07890f7a1c4edcda67e GIT binary patch literal 40323 zcmYJZV~{AYwyoQ%ZQHi(?$x$!+qP}nwr$(CZ5wx;efE3jZ)((-Us6fc%t+)Ufq;<# z006)NY$Am;7>q_b_fP=Nwg#)44-B3_1Kxv^Utns<8@&5-Rk=EtKI5aC;Xl9gj1(;tf_+&CHkGDKaG$j z06Px(@;28?JLA@BEbJWo-tW(&r$?g4<6-T?`EvLICKZ4nYr^EED@N))8SK@p{wZE9 zbv4#1MuhIUY!{1a@i+((U2-W5wtIw*Lebctu1*b}1YzR_0~>k4ZP>jh8}SHNL1L)( z)vF@Avb@j9YHZ8YoMUh1nOfwzf*7pHGSTxp_Ua$$+sUHhQI%5DWbN#m zeW!0F!qUO$v^ux(eZ-~eW2Z%i!8|6Uj@&+PG*GsBuV@Nct6YRuTlRFh{n4i>2xpC! zlm~=H#*?hG%9pg#ETd2xb@~%>XsE?lUYa5uHIu5blWmq57$3>&`FE~Q_q8sb0u9nL zM6FJWycFXg);^gr=R|-Zhn)e*rk}k<%$ALMUg4qsh0Y}S2zFO5ohC8Lep1H&v}IPu zc&jfQbwWN+mM$Txk^*{mD&1h}*Zp*cj&issU+B^%S0I6c=2^*an6?=1cB>!kE?yDY zgM?;uwx4lEftN=+Skqb)v&BDGLY1@x_w*m3l@&wu>dELMFKhu&H(#=#WSiUOx6yp&>{gLd$A z_>aZn$5?pF3~yA!p5RLeb1=`U1iST`Y-uUk6@+UR&x(RTKrc=<_G-4Qvq9>I%;CK+ zti$dMct5j5`(Yq)3)5aOesYH+SrIpp*u2wkcg zY-~|G8eM*0+6Ck>*&kvBAu+3>*^|DKy)?U>iTngf9%F9)sRjw;>K&HOAZ&g$h7@@3 zR}$@5yeHAZNrU2FZ0X5GD1C&%?$D|9hIP3w(>GD8HWM%u<_zY)_t>7xnE{?IPaT*N zjjA^Cb2QJU<$65ajPLRUxR%FJDc7YL-jh=zD2%sQGrf zpcwRsfQ^1G01GOc;VL_3`j@sPLv2$vz%0(|Hj-hTo`Tr>I=?qNn<_}4K2-f3&iLcZ z4plp`va*|FS14P?Pa{H=L7m$r4mUS2!W+BhW`m`abFN+Rfqe*gI9ohzTy3AvdpAEb zJDWQlwVS;cR5N_{K)fsNHOqJ5^TS9ys@0t&c!5KktA+V--2PINON+azPu}RZW&O(J zV$rk;!~%{4B#Cd^%?U7K%<%erNQf&Kv`LMZC}0b^?bLs2Uv`eV)}H;go-gV<7ghYS zyZ51OZyW7)aXp`C1Y@Rx8#-n979HvLH{^;uy-|HNBYV5Mc{fpD9V|-sMh0y7=VxwB zbxusXLruH0c?UPo%6T_AE}v&TmJ**;`L3?6o8xinXrPNKSqmuYH;7qmA^APAszaUS zyq4VZl%*+0yKto?cRHOH)gF*#f(v)F+{xSw8V}A>U_L%_uHmq?+E9EQ%YCv2fJ@8nYWGAhhXJx^& z5G9d~S)O?oD+{_X+w0M0@;=woAu$Ncgi0+h`tU8PU0k@$@3k!|6lswRsqvJTaWE>( z>raxfR;@9j^F0H>7RjB0t$zQxC%L3$-tQ8479f+SCT6q+RvCk7R=}KxR@9n^A>zXh z9swJQHk_P<@oke>d-mP&>7Y{2H?=;k^H@(gG~JJBfuM!{nkW_{V!Gt10SM*q3W9op zwATJ?C(~dFUkRO@9{a%csrggx(c-?SuPP;aHC0ob?gZM9SN@(s!6LCdua~Vpca-i$ 
zYJL%s|5oN+7lSn_fmJ&cqg8mY8bIc}MVWjnQm%d8grGHYehVQ;U7{TJQ~8k~ma%U-!UWkAw??hG}1 zAL0URxZcj?E$4^K7)PT1rvT0tqHd50<-03Z15>U%TAwZ=LV5OOU8pRHWCJ}eznP(p z!>@qLdlQMkuuZ%OylEVe3lSrBr!W4IcZi3 zYW4tSo;9C=lYrwGz)BVr#|qk;=gcfbdCZ^I0kCE&YR6(nS_UIb^IE`A?KOInTj#KK za`_hl@%#?9yw?_pHkS9YkZSWa)x)-)b{Ml<4l~Rp6gfoFz)0<$-q|1tBMbo_#eDb} z@dC-^F^4r?6Fmog27y5@zKuF#h>*N8MVUsWHKEx)dd&?1Vu92ag&-|Y(BxnDE+5vy zT7i^H3~%TR*TJ*Zo-0|#k7u4QEfL*kD=c(xE>q;r5vlM++cAde;Fb@=M%M^G*3z5m zlq;5nCyk8OoRZQ#JJ=h>q!yev_9@p|*--ZfnW9*krv4yJmIc=&BG1(-u(O;M(R)|% z%h&{9b3OdTDMA#nac)5!v%%?r{$QZM^uJA|*&J0C^lT?}UQro6Oy%XJIAUxk7~~_$ zo<~w@M$>Tx>!(QpBTE#;1@rQ6;(!qFi^Jrytg}K1^MUeHhai*f8o;Q%pVvRzJRY#l zTfd~#OmUYOMOL(0q{xlwtgzb&a}>u(!mxt5#V-&$3>yHXN|cB(F|x85H{>R3Y(p6b zq1OrLeAeFJzbJAR@^Z;>a?D87_2<~7V4DGp;YW(Ml1>RpBYp#089CJXEcBUi&WGq7 zT7b5G*%~34Dt(OF88C;(8fq?6q>ZOqV}@Yu)zCV^?*rV1^BhJtF_CzyEmLr?*M4$h zI8~Fy@p2`LuJ=>aXe#A?(^0cWDcBE4Q4FmdOpw`$e z7EIa`$S?;*%t|IiOVEP^iZOrWr@Hr&9LDK$%1^bDwI+o1zNSbw062Xk*JXFtzxN4X zPjNNArKIZZOVjk>@{n1Pff`EwL?xebbb6Ox3 zQsz1J;s?cyxFv}}m-3nl3z(Hw#wL~8{FfI08eRpO!Le2@={lD!ks~9w(x(OGK+NRm zboH4RHK?HrU$r{o{8(T)rM-#|;vz;b~oH35%8g4{iD0yw!D0(dak=Y=7tkC@AZw}et= zmrv2rMa|3`%p>n`nh;sA;2KytMqZkATk@6Oy>;fCv&Pq`*ov2tu zBSu;^GS;{#6`{pGGAdxuU%F@&)7aWU#yf|uWVs(B4OtAG5=3h7%`EBh>LzXsdLgLfTL?#4_cjycyU6yw$-A+FUqNCM2j_P@*`^dIgBc*+>WO5kiO)1MyEf?_FEInKzL_`*0ICR8&VBDP~0gGs!if~r;;NxYr zzo{TJa^=9PCv}QEwDZk;KsrQI5JRk&xQ&-vNsfMYDO5n^h@2tW&`YF^E`>H82wo1HRr!qV`3b`T$6*Db- zQZt#T#BG0s7w&@m7&xaIyj`n6pDO4^*n)Op0>p%f@PdIZk1}9W2s-X=n8^szV&X4h zmu`KttKIGtNc^Vcsi3e-f4-ODuzuG2UWDHa0wsK^|S!VYytOsW)u(nI_nk z`kAE=+|pFG2MTt(@|J?^c&&mJGbW7Qp}O z{*cr-YWd5kjfNf!nKiFTqAB=Iqc#=acLl zv?B8U(eCMvgQ&<`0Tyi1Pz|gha<`z z#<4pF2BBnd`otj(!W}LJ8y>m;Q9gAW1;Bj24j|1vYxAZAZWVg#Pfa&KwFYf|J<}m+ zA*69?=a&iO2lN&<$FM&Tz@QC@j{A&{GkEH8X-1zm`V4L303wAG*oP2#9<0HU=xlRR zWi9d2Mdrj@8FezX~OMG%bbp`*$My|Humi8^9k8E*=NOB{)0F!Qr# zyinG7RV^zR0%>qI6_6uPi|6;1uoY*tVM>C6p+BYVzY4Gg4;Do@leWCtH(`0%V0pf) zEhzt08uf*C{<>1QnX)ws;EgD?)X- 
zsM0absbWdOax|H>bEfU*tKuu#Z++OmJmz;ST+SQ}puaWA7*D^`E3>t^*eA3qG_G%} zc`1|hM7{c;61CT?-$s{THzaFA3e7LDjv~IY4pC?6-3_rUcyCq~ZUuF2Y{s$t zUKMl&6{oCO2jzCrblgT}V-S=vhq5lwg21wcZyN z@Tob0CTOo#qCR4{{Z2AKz`P}3$MXi2n$S8@Ukv|fWIOJ*Y}P3yVtMM&3h$$>@{v=e zlok~)gEbN=^mE8Sr=C-~&w8s(faR4g-b+M+pI4vZfX!nN8K?QZ;0mR9>4VQ-fR?q67KV z?tI5eA8kKCa}>8OiO#E-IF+>qywYNHyx{|o)l<3uO{UPGYqyNILP6Y;vafR?G;=jj zMlx)$v`G9N&Zi{&0i!N0`GW;J*MX-0F|!hv7t+xLxU0lC9eY;)zVYgBn&aVH<#UQX zTxGgg)|h6enmU-1k6?3qZtK3jt{j*`1O+O_upy-YQc^phz5w@)x0?7;n7V#;@6)C$ zNz=p5BFX|%uQY$t&vHV|NsfjZ8j7GcZ>>09;+eqp)g()>XLok6e<7~cfLI^%5n zzj!9%MXegc|B+I1!=HOWnP`a~{by1^aqn`}h;+GU>p`%i6C zXxFSucKKT2$OL||qqI2xZ5flyGRQJ6YPNq5?yXASPu}I+paOXoE911ISiKTU9mv>e>VZ5++PJK1In-ARofwaa$S~jw^OXN8}j-XytqRHDsoz z6}=h3cj})ch)B<%1;V|{zqc@@`(=C0oHhj;d+4gWdUYYSXsR?635W~`Sv)n#ST$F% z)59HEY8!rHuVknP%u4zz?kBJCuply2TpjweD(w&`UON-#r{9|OWt}`lSb<-a(B@); zd$hGfIp*poO@{CH;`Ce3A>g95J}rVFDn%XWH?6^aj)H@X!wUBc#+aogxI=dSqv82= z_t5!mIWLBO#o8ed$#+4N8cph2{s*dUds;k$ikhukC46n&l^vUhT^x%xZUUw>dFYst z)gXXSYgvm0QA$!~;RS;fZq7$xyO<)f8mBt(#G$4a=&n5z&&bGm&mi1>Mf7d8*k$ST z8t=&m@qIz7HPjHbZ1j-Qi5F_269JkA2kRsiO(dzmbrK8bB4Qda%*!l8l(d|P`46Y7 zK);!iAwT%=I2OiB`m6yMt{We4ig#nwn5Fz{1fJOtU`~D{^6{WZvW#Lg-shg=v9{_S z7T+lgakNZDWNk<9D75Y)1pB6#SUjy*A*a*E!nr|n!k$e^JnG4|D~y;8L==`MQPdcX z;sXRRgF5KmtRj`+c`vR(DnXV5?$8oa%hjb*V3`|W6!CybT)gcR0rqx|95TfH(fifw zPsNC^8{?pdHdcN{R6E|5i{xORt%ifsFKI0$8{aQC9qr8wr_NLvsWK@m#Z(h7=G)Kj z$ANAAgg&!uNcvTq-+`enj>!k|o4!wbH@sge4(5kQP7f|#-pktD!JWV5Qkz15UCe#N4B!2^obO9-d~Ea@dxJqeD5+_zu=|& z4x?GUC}nCNzf*dC9Es06bm&RCjH7v_=QixFQt&+|3cpi(3OHR6W)tG@LA+7Q*Z^;1 z^{5R~pO*HTj6X!Khhz82rf_h7hL@@*Q4h1fDWUyR<n$8C-r*ii4cH z#^;i%Bc5O`G(1}*7rpz^Rj?As^$Wo^!V?-5tg0i{I-*NWO8Pg^i#Nm24KkV*Y+4ia zM-)RB0sO&Y915R(5ZG&gz!$E2aFtPe(PL3_?ejhZD77bI(wNcFZrHoHcLOw0tu*0(Y3!$ zy(IR|txlVjCpn?pcve2rHJ2{|;g04Vh||xYCVp?7ZSEMXO89Jf+i%Gzwob8lxyE#8 zXx{;Z*6%BPxAdWik2eFcX|4j4WMNAW0kG1_6TlZeQ-y$fR`i zNF}~yK&*Pr9B8CUdB96BOSkl$*P(e=1(ZFcEiUPllfWT@hlr*2+rhwiF8-&xU$Icc!> 
z@v0}N?E3i}P-}cSs1sgM>xNeAWJN~lpXBFGyfjkjkgvBWxKLG!FAx$acFhWqR(zUH zEcv=T6K;SmoJ{?*<5xReFF0?s?zVJ9L5he=P0&Yj9%-n*6>F1)Ydi8NakENeL|+eB)1BOuaIj7LujM>?Zjvfp(R5)o?CrlApxB-VW9G`}+aTEfKCWhq{AT9Upd*5} z(iMg!Y5~fQyHManK*7C!$8KY~C>%UJf;WO7_^7JBimM z;NK|VpD?QDy8c{QLJfjOG8}myQqro>W0*&Y4!c=WVCK1Ia_!XvUD5n_O4;D@sls~o znwzo+{s6nyN|N?kZU-Ny*rXj_A$st6 zmtbjYOIKdka*gi|y7>@Id*j*(QoaQU*9l@yqsXP@zg0>FPojz+JBKn>MinQoitmVG zlpq=@#TYYHlg=3n6YNK0UNO}nR^{5a*e2_SDRIY)OTZm1?}k};$DFih&aL5wd3bk~ zac)6l5k1*k>+bP5@rj}US5Iq2*?;nAGb0bCs$Wf-zpH^A9^HP(j*h`u9EJ({cM5u+ zOn~|VsRpY}{SO-k4zY0C#~jFxmT>UZP#?dZHO7e`Q4%R@&&a^3$F8@B<22?Fut5NgwfFgkcwCc38T1U{#Qs z-1tvb7W_l4=QYt4&o|o(V9lfNu}lxUpX0xa48~3csbhZQZPv>4EGaeH57_@BRaFpJ z5k4x}O3|EILYc4-b|2Xvxgp;>E5hMahAGbSEDq)wVP(q>AvFLR&(Gv^4J;Ie_SuH8P4E|) z1r*`5q?TOWVU@?r|D#m+r#yz#$VBhK5O5FAw+LNEcMLO}3NQl0k~!1EUYqy_!1BKU zlN{XnIaFrt2=HTsKt~9q6$E#5aT1~(`sXo{0&Mijshxt#PL!Nw8E#EQgGd$~0j$I! z#*rFGnR2M|yMXuDxB?O4Fc<33mo@no2ZGAZ|0}H;M7rn*P%)JetA}OjKKwfmK^v^a zqc?_++Z=uxfK*{4xhJUX^1s@qf3}?gDIHNEDdTeBqya&r{_Lm@c;`t$e~6R)_bXRs z-sG0EBVZ#)Neh>8(&e^Mnzr=gtoyqZBQL@*JK$Il$He+h0k@y6r<5zX9Lg?agu#@N zVpUv?1e{gp7_BnW>>~umX!XnQFdV#*5a0OWsKLN+_iO&GtnzmG*_@?;O3%ud2hL+p z;q1xd%RHG4R-1Sm1X92fl;E}#cYu`kX&9poq1aOX7c&pEaQrPuHB1C);dZT__41t$v7 z49Olcfz$}T6eT!TAv`HckhY;L_^pSt1z^zVh-&Cv;8iR%znfMh1pLk^PWddrzI-+& z{LO4wD}hzi-?p8fdJzI@ah?muStn?*rQuDi5_7`PPXflRxh4qLulE_(~A3729H0I&;#FEW6yZdy7a4V&#+d)x;Q1#_U<6XPu=>gO%LHHepPoGMDvJhyLFfAfRYi(G1K*xQoA9io_*NBy zZEM|6TH7xISnDqMtg1jb3fcYYL%t z#KSEJoGF)tk->5ck*+=1vaNB4ifZK8t4!G5@B=H`1XYYZoI!X-z8zo#78+81b1QSLrh9?h7j@`z_Y8^Z1uSNM*0*pTnJ^yy41RDgmbf90}sA zmX|YtjK%JC$%vPW2&wQ~^%a7-WTLf7)H%mr%Yc)~8=WD;4Z<30c;5?(PyGHu^i z>$QyxzS^0T67~V(<6X?jNJmrf`v8}^NJy~wRdp!(i^g6@ur1bW2&FW^GL=hXBPHP7 zyCB*-523&1ja$n&zLmEFi^yW^j^B+gVE2&i3{5HL%j}w(MyrKZn zFU8GkHZ(J6>mnrVjX+C~3fls(sug}14pw0nNT_aDaJuXqCWAM2R@!phUs_g4=1vw4 zO-B7{-x$YqXxL2RuS0w18wUs;cN-;lx)&P5LolZ@TvO zZZG>-0$=A9LM|Gy!@lrzU*e$Mg{0*Ue?}iB_I)_>qFQKqZFcmwsPeB;Mcuo+{Tp47 
zNzVgH@2A6C+S5MW{6;OVhvi*{H+8Ym@om^YU8%kCh*uYeY-`#|2m?mGxIe(t77vaZ z5YQ&lr-x|13^w*}x#ts(jRC2$+Y&vf+-3^c7Zc3)jeSp7%%1i0c%xkV3N ztmxjQ4JY$B(%NP;C0x9d&FJft*yE<9bQ0hKex6Gd6wc;b;MMS{p0=7+UFUZFLU=V( zbcx{cu;KlY&4TIr>DH4|>y*fkO0|X*e6x?o1q=zdku3tM<^|G{p>!yqpAep+X(J=Q z_WkJx%U{^&e+b2gPvL^T9?IuB-arR7amNFObR);qz1sH6BKlIt&kJ4*5nKi@*)@86 z8$2F#4{pibM8I9NExwL9`Ly3|^YS||wL~&7q5AkdRYi7Oe;9pEO{pIX4;TLk>6BPG zKfkib7WRm#f1f*Z-HU1+C z_2`IRa`1hY2wVe zVSc~wwVt#Gr$&heCC2S@x{+zt-)y=O@a;nE^OZq2>@g8|Xp<_CM6O9nm_BPu{C?m4 zz85D><@$RCx;>Qat7AA0aKBEo94!iGQ>(+aYqM2w$?SC9qiwLAucfYp7a?Dk3ChND zLHnw7ncTgZ>jnSG4~QnZP8qY2DY=Pv<%cj4ozD|N6sLijq>vbR8`A_eF>^9jB%xOM z3e(bS!ZcN$E3X{XQc{-saH#!4E`b}|{#jZ{Ak|#V9v7>6W`)89)Kpz70&Oj-{p9AO zo3!P{R;&9%(+?VS@g20#`GF-7F_5%tj+q3?Em*#{!+IJ?3^HRiid^PRU9l*xWL_ZK zU99qSt>o-|5i7iMQX4(C#f&8c)K2q04I8D*476##skwsY-Ca4<(^~1qK4*(uG|g)a zz@Eqz3*$a4Qo1AB?pjuc?!|;kVe%K4AbZ{f9H~>!|Rosv>`pq zfwDH2ZcJyYVC40)_dv%_+3MpyQ1o_{M=boyb`lP+=i90z;SDZ=NMgu%&EnN&E^!nw z7^QgslTlu?-xJ-BVPwyT!7iqio;{xCQYrOGBI^Blq-!@hT*#njgoFfuP49W0SAtV& z-1f^d=xlf3(!Y;3c3%&pGGR9k1BFfvkEh`?xn!KNheD=D#HOBtCb8Kb!$_Imt*52e zLoOBN_dI2t<=kF~jlBbbWc0b3>HbJ5-z*p$>gK8S+2|9Xvv4iTJC|L1KCG6d`H%T6 z4x{l6qwam*=vVu*e_q%|=6rs?)ehu7zdE;SG{Qt-X+v8dL}4jiapYz~;7I9~SkQfM zO$B*#8g>bAUidaGQw`dBZf$)Pa-!YnkIdz?mE9=6UKDe8d9eU`FWYCMe3#5 z7dV^|oUti+-}vDPU|GWl#n2VT`OW3@p~MLgBUXifTokATf_>I4fAn$u@%ROEYTET^ zP(KBl^|bYlxd=!Zv$YGMe4cjel)Ax#nWB{lP+5 zmI4?2$(HbeWU(#F;HHM-fSWm5@YFeRE`q~vV8dm|agElQeO}YUaX6o*TC6L*T>dnI z&J(r!5U?ptK=dYiOT5X)@Jupm9c{z}mi0pz2yGQzw6QZs!E3g3gMD3e5n3L^Lhsqu z$2^`%1(+|s>BH1eq)(H?`i;&D7OU!~5A} z-&a}>KG$0Cyv}s5%P@O-Oe+Q>&%j@}Se-!xZrKg(;_>%y!z2h~1kIP~^yXe|N+qt^ zFW)m1g}V*(3Aj3)--o;HT1PUTlknfmOe z(_9`M*BL9<{PA5p6xkIkM%F?))cwqv`+S~5gO9S(qlNXi2_De@rQF4*4o&h=)Bb1K4A`d?{{5|D-7Q_<-K~>HaTKe4ggSDK z<A0-7=ah}#KQs11-F=0N3@j(L z2LE?;r_+`#hUh%-_m<-m*6j64qb7wep;ldahB7sq5HDq-B*P6yN@*4uo+iddR#4!)*i5Cm#_JB z*UM-^hWyA?TfrN{yd9R`ybob?;=;=yxc1~ChTMuHDo-4+9J(ZdTAHw{AKa)alpjIv z&*%|s?rV>yPXw0XOJ+)zMGKb1fUK5J z`ioh{N~8o?y)CB6mvmNgrtI8@))ur 
z#~>0_+zH&|G^&jKNY&Di_~e+ph^AGKq;l6Z`?@YM(}}Ei4mW z_s1(AEW~2T?K5k^cH<$dr`sW4X=-GWfqLd1-Pj!}kp*R1jyB;Z#`^aCe&wI&q2yK+&#`!YiRj9V z)T;O-yJLB5A4w=wn}C-$P51DZVlm1n|_(GKKp)oc_fM$?gm-YH;6H{OG7r`w9ww;g-*n zKkLYN83YIlPR6nrZx^^P_Og)f;_5A~yfX+%UIFqNxio{4vB~|3OZ0B;$~Je;q)s+_ zrQwyfFCy#1`VfwBT{0Kq{=UT5F6~$j6asO5B+>(+Q@7ID83DQ zc0RT?A>lda<>lE&8AzY_x9v&9=F@S_)K?%byE?A=^K_J(Q73^ z?}gwG$n+b=Ngwcf+g28cK$j)C6;7R21F!53rou`AQ6Z-~b@%0msmxpR zn`thKvM+P5u!9Fy4zuVot(T1Dp;37bu#9PDfq0yCI@|UMPfAca;|gPn^*2T^YaZXh z)QF(;K$o1KTSgAME^j3U!@4v@rn^~dI=cJq1cdE20z^LQGp8vgY5>Iy(L7}Db9N0D z)}nyPR!d#Z>C~9AZ4KdJ@*{V#2I$a|qUN9X^=h6;(S<`Bo#{bQmwD&to|dyi^bZJ&$GXrr!q(&sKQX#@8U@?hp;j?wqVdz&=M_ zi+%N$-#(TOPp=QQT=smna?(^?VuGi5q6UHI4xhIwO@GhvJFK9*s{rKL~~WBjdh z$pXUNacuL4_B6gx%b!-eC1Xo6yctHw6$F3r)si+1dWNS2Grw=kB*|U?K84}GTU|$~_osTu;-|=|%U~lHCjI!#V8~M% z29R;BSt3l^#)uKFQnRiJ+MY1*E@?yH`crs+Hf@RtuIoHGz#JuDotjc7+wmk%e$rOI zZFpOoek%1gvyL3%ovEeep3vJ{BRTIiA)S3;@`i8q-Qa zx!Z+Za^Ec5$pwipC@#Io!WKhyI16k&_x!9(2f@trY2i` zd)a6+dk{dB4(>FK-LT9|vB_@bHPXWxDq;q=pSz{P@C!)Sxo-Dm zGbc8PXrOq+-=ESd&@xhqSY%!+iQIQQY;$%YAge5Ur@gL(JNw`$0!7L25eHl=d zy(UxhSFm$ha+RBhgJDk8eO?B49_8xVO<0)$)_w|m2S%|KUiJ5OD*c`tZhabLoeuju zSc&x<`DdA&@R?)073&)^<(ngtOH4F>lsqNzQ;tf)i6%+8{&)@EZusXz6d!^L)8(3@ z0;l{9;U5q>nc*gl*}tk-G<@MrwauPv6Um7C4_qiwC6ZOzUH9 zCpwcav!bMUD{tflhXF1l)Y=3-jFqhYORVHAn8+kw+}DH=#jYB=b-V`Uy)K-*rNUS4 zQNeuB+<}Ql4Qpf59kG@$J+&VdS+~1k z0`KhttXp#pR>H>zoZR}3vyr0T@UTY4L%k?O#1lAv z9nxaDlpK=2sanJgLc*6X+M_8QAv;(ubYO}GfFM+ZW-YO&P5VQvzXe1S<)6`5)2srI zXgG+Fw$&*Yk3%K5o>flQT^usxQJXgeicITgr|Gz?1yB^1X!iW}t7?2Do>#x1 zptVxEbdJ@mDHOMxk=?Wqxu9-+mf>&t`Wf*W9y90TI;r=$glX#YRF7tS=x7*l$bVog zr@RWQCI@JtYzYArl2r~qzXR}jJV$TL%5U?*B~Hv(ZOr6!c1)_I`B|G-d=kpdghhwa zslAU54wv`T!-jXoV|4=$%ZijyxA4omH=vSRiD;uOaySn_Ua;ak7r820u^S(jxR5nk zT`(S;7+)P<&AXF{%oWO#QF4;{@ET+zT)3740dI1eK%(O2`(^kK1-36my(A z-ANFAji9JCjuzh;=jU;hD}@MtRPdvybknvjOxuLFm$}?%xDUh{}wN(yv-lPBD9F8`d&HDWQZ_ zd^R$`W;2R9Y>Qj}Q=vEX1ZGpA1TZOy;s9lu`2uB&dtn%>&>K;vKcq~vKNwZ9 
z|DsUNqD-rI`@IUl$aGOT$>vC_XGtnd(&0_BugD?^z$kr4NeeKlIYpRqYlSr7F4Y@x zfccsar5N`{K!|pY)*s3d6gqS&CckYW5`=J5K!`pxR)@xL?4I7{*tjzeWp#lF)!1Z> zbMX)Cd(|V+E2$OC=lr%u<0FFjQ!2=x@j}AM#Cb=E$#+05Z%{Z!L@1Y^7eP)y1^ZpEBA zV{>}8mp6{kM~D~AvxlfwR3?Tprq)vqhynG?<<{KUdC0moZE~pR>NxAZyzZ2RW$Jiq zce*@n)9Sf&c_W?gV=>)7Z;4>W;xBj^u|6d?6&##J!*5q)9^6#j;y%;4Wqd_hPjfxsF-9v=b-M<`N%T^jfv^&>^JVtxkPWvf#kftH z+HZua=7{_Fr6nRJUn!cMUCx=z!Lr41$9$COQ+V!;=c{@I?XoX&}#y#)o!aQOj645I33e{--^_)W!3peNlGcUy)YZ&8cq zsZT7I=wp(pR`g-^FyEMkLJumh-|yb@l@$-{ zo>J*t^)k65x+*AqY+JmVJ1`~!x=DcPy=`I2n%+=MbaCLJb*ge>(^Ao@;5#Fpl)dN8B zD`!T@0e8&{jeBSL#^@u>)x)77i}@jVT&y{Ncrhg3wp-6I8nc6NW4r_|UHugHh4h8e zj8K%N{GpqAD0#+lbl)V8P<^UC4y?{d8Z|Fw&d8bf6N5YB*!tS&KHf29KP<&=`R(L3 z7MiB1g|b5y9SZ?NvnEpT5X?qWWnd{+U+Eg){fQV&QtSm18{nDlO)U0i1$GX5YiqtI zmS)D}J%DOc%W?;%_hQY8wEze?gKa$1)fjd3!}{xw<&{aZq(W@zXPNdxFaK;aMa0jN zf#g+O)3;0^ZNckrh+`jG;jMA5_NFT@7{=oKepX50Znm7ZLIG%|i~Xn-6DZr^#Dxnn zP+LsyaccJw7(j-TbtIrnX`_WhdtvKK(IkkrJ za?QED(u1qq;6G?oh?akLv3?w$NJpF>eH8HKsHlElOcKnj>z^7Vie}74rk>QTu~zYY zQr3*oYT!wSe=AAs1cnz##|Bo$e3HXacmT$M|LP@jqBVfdt~DUb2jV7!Di0RKb4e|- zc)SPq9IPfNGm2xqx5U?XFhAiKDyLZ!n?e3R!rmz`vq0w>u5H^>+jcv(ZBK1;YPVBO zZQHhO+qT_)&z$$1i~s7s+4noySu4p(vWW%qJ?gY|e;{YSy{lt}s*3Q*E3(!<3+9!v zaCoc1hl%tFOn{|5YJ_IOzFApZwtod~1QcMWrcftTiz`?yt;`;aKkU(Ra#YPVgw_Te zIP3CT{+ZKq(&d~k5pumU3>OMCifyi1zlD&?HZdE5iP+ZchYME_rbjFO*ZNUq5DPwG z3uSsRsC*^dOZ^cwE2`l(7CZ_P2>auxKX?F~go>pqPG813hqkViiEz8|^0J&Kx!nq! z&qXF+ze2l$Tz|$P>b+gC!@t!WY*o~ei*0I1=kP?A{{_whq`T6p!}-E?t@fY6sX4*KZiV&Y$o1$NmrDWnEs;Qj{5dxCPkpcQyIq~XES#r zt0HGJ>Z0G4M!cwqd7}uZ4iuM?@~8fXAodd2j)DOMv8N0m2onCn|09USh!ToLbw3_3KisnJzJld146?>oV^5zi^uiuVIO~! 
z+?NE!ZQk-4#ROGF6Kfq@$Nd;RZA(t7bO`Y&j%KgZyyZx%NP5%N8+O-=+jJ$XLiVfo zAdrSqv9%`ec?78+27CNVosPDOZ-`65&4v&1lsEJOF@jU&HHNSXlO8JDk622LQuDKL zy04v44?(DgMjK%$JTZSTc|xX1Rzm$2mcDOerM&~)mtPNu1->-4U&6g;0u}4X{r27F z!`~UfH-2a4ETo{|ELSfEMae$iMiZu`n0mbzygxgz25eGVr%*XUHw6b8(6+-OX+IGz zKr|1nn}cZ!Y;<`N!(M&DAKkz=UbpF5O3oH>*fKyF{=8NKGFdZhciu!Pd1(=daQA1j z@^Xfpz6#)P!()}glpfF%pH=C344Zw^vE3t8>??6bZg$6hg+wXbC|2rY$Es(f{853^ ziI4>zwxUkhFTV{Tl)OmNDUU?kGjyH%Wz0nKQCWuR^BAJCAC0zDVShwcZNDFLrMq0s z)hs0IYievob7h(iyK*al9cqIN9V-Xsw4@a|@0+(4$Q@%4q;NORMCQ~!YC@VqbG2DR zUKAYrtWYtHNyvUHbH0Uc7e-%Z+kLQ!Y z=gO?z_Pk~tY!TPj7z~5X=UN4V6t~-8@v)(6W)ku(>xWanb?(Hkkx)zqUuK?E`r&(R zW-L4WiXfAT>@;wdZ71ER&tP;WSo2x##^20EH-Db%lx$*P2~^{j9c|>Tmfgn=8dd6$ z)1<%L&(@*n%k9HwydU5;yPR`8&k^bNzb!P&h0~#1O^OfjMj_ODl$=8=p;7vMs;GV;+WgEx^5VxXavznI3;B6 z=8LniT+@rq&>l}q{x;d+v*h9i)+%aXoiy5W8%Y&<4j;_YfZc)lowp1BZabufG@SgS zw&}y(o33~w1z|BaX>GlJ=i#VJT}=Z z=|UITw~CZI;9!eYFW9?Q4iq>e9C6cL1*PtwX3{|gd8*UrbOb2Xh`)@Tyo@c`c*X=I zb-mLMBjJ8h%*G1x^6P#AYy6_t$M$cnV!s_=Yz?Oya3|T3kqJ4?$1w-u`6gn9UT)ps zM%yXR_+by%$GIXDsaxxmf+H~UQcWhwE#4F|Y}|mb0{V;A)@#e>jc&(GA<-!Rlhx!2 z^3*d*X7+0MR)!Q=ORYOu9>%2K;qQq`*6}K?yXs+Qa!_g`E?K{UF*b=e3TFJ?*^RXH zEWFY)pGO970p$p%7%6T~Mx0*37H8CHy2z3Xfq`5%{7$7%BT>EK7^L1_xBfdK(`EoGtXZ1_U1cuWV75pMcwtk!ZT3_h$CdAx8H9|wSKnJ9M4X33Wv#VZ z&tU&=lLXEghMY=3+&NFk1nzpoK>0V(4SX5Tra*@B23wUhE`5C*`RRUY=0v^;A-%0R zfb7Z*7^=$jZeM{&jW^gAC=jc#eldUrCg{Lqo*vRb{}m~o$e#^@*Vn4QUBMK?l`ELC z;U-AJU^$J(MwL?(ntvy!aSH)t|G z;y4!R?y$H^Zqw3WLVbeOY&?Re9P2>+JoT8Q*&hspGSekZ!A}VO(AiTIlQYik8ahTL zppWpl$yb83y(r?Ho~k`~G>4==t`tiLc{^GDIT2QJy^tjn`7+g(sY`dkQOu@}^PbtJH;wVWnfd$kN^PZ@!|noe`W`@<0wK)} z$Xzf-FUwx3f2vD^?>gkbU#UmjmgDW#ZcD&qHcBRdUX_4&Ltn2t!}tgsE@b>63Lc+) z1{(fcD|1WPQ`Y}E_QG8Q;!Bj~al^bdVgNG62=tA{N`J|^({FR`%f|U*oVmV^b%w{6 z5B+roW*Bxtn3pnUm~Ob?5ls98WX27YRfTE<&8M#MnlSyae3&vzQ0d1X>dY}0qU-#x zK{TM0-@xm55CeW+n!m#wA}y{?+a&tSaRbLr?3{YuEH++_mxh)17o@FK6=6T6{raGU zZWZc)n$TH!p&Mus;lI`C$?&j;bg~dz_X%Flxwk9{^ujt{4nrPux9f9^b)~4Z*j-m811a<7yNe0w_m?mD5#(pGb*pv(EDkWuqbl`~Yv6XDDMk#}}VSQkx 
zboUEl5Rn1%d=Cw6y@)z<2W^+Ci z%w5Pf*jDC7yaPkg{YwGIn*JT@6c#3R_qyHI1&7AQ>6@ zL3h)EU0cB6l5c_U#2cNp%u+3|nDX7*~O4il9EWJEws(t7<4x zMD^?c_~Gon1L-;bY(}jh*4Ox|cyp|bo|N}>#H060G!xE+QHY1Jxl*pr=96sP9nxt)Iw5hBZ~>KWu!MS;GxxUWkHvdhusC{4 z`697`@vB;OSpO-D&Lr`i;;Q9(v7BcLqM3JekjqJM{~ytHs0Dj!Dd-LYzl6E4uMw^J3!{>pkQe7D;xx?}FF6BbEJf+2A~dX{)h0gQ zV)j>hZ-KudVzDcN;mp=#kHQAMFGerIv3eftN#k^auye4m70{YSBgY=v$VIziaP{O- z$31+kok8Wv73EOm7cpEaC=QlwT(nTWQof8JKrCci&bG?>EMcn`d71^H3a-yU+iP*b zs!-N$`IuF)27`5KkHh=W!NJ%<7v4@$p)|eR6@IGRs0Kq;5fHRww`Q*B;}DpOMg9$d zJObF3ml0swo1Oq^RpO>TP=IYA)!YsKXIn&CfNcjsBd@~LU?C?g8k2^A|JimB7?FJE zHzYd3$s{^t0gtvGGm5!o#)!MU&4^F0#E$=u?FM6c=#-XM%3v@OxjqQFWz&M0mPUOH zyprvC3cRcZF`owu57`{dTNH@8pgoi>`UV}y?#bR>|NBl^$pvuDcIQI^9=82qB^7Z! zxDTUkXgj8{%HpflcBjMLt*~I@Y;Z<*a9R(@G!yS4wFMv72&dERfUfcJY~IYNZ4BO= zsfH-R4X;E=EqfZVJs^Whls_Hn}_qvs5#u6!*z)Ndtn1q&gKNcUQV?=RIe;3Gj*^WZbbP)2k0 z)#@SmO<5Ao$z-vOO^d^PXc}>KFeX0_j5Lcn1eGf-<;FKrn6r$mM?}vZp976a4l@|HXlz3Hwi-nx*}AJwaPtEXk0$4; zTP7#QEq-?f%h**@WX038H~+W$F({)`zK3rsnr*XNgZ}Wh+E+A9*cQH7)i+{t$d+c2 zOB3D$J-{CMZvX7Dg|4FvQ;Y8T^OX9bO89#2zxFuM{bvtPjzPe#FJngrgpLKA-I*t! 
zHr%y2NQj$?q5BpuV+Z1u&)v#?r1*_YB`S7o6(Ie>>gB0BNO%390!Do%DMadsdLq{4Wjy*A-B44@rx&jnx%xwt@~uhf6v(4`tcg=q0?Fb9to!1 zpKO84U4<#&6Qv#4)V#`5LN~N3GPv^a5w_WmCw!+{g85mPtRrIkVf= ztpMxNIEa6~v^g@b#p6LRGQAN~S+T|MWq}YufW%-$)^&5(e+u;KTel~6gg%c|_7z=; zf?3_!L#2~bGkcG2Xe1MNhR4iNA{jhMZ?TRk6pjl1Wj z{IP}J{XB5(bNep%!H?D*J8-T3^1eB!D)M0)vE9D+ob}Sl;7b^`9lG}%_ws4^$sO%q zhfSma@6}1h;xAi*BQK5B{bS)q{@dj5L(_qS{0yCN-6MxRmj#q8xrC=i)P6D}r5~(<4Lp-CiRPKsM6zFO=T+6G*s=c&qQ{Lb&JUe1OmM*h1#w zdK$g)bX=p4+4yp>2fS`q^(3KIk+rDihsc|~Yxb7%xVbgrZ-*@X3EN=V#6B-vqSY2)RC-mS9rv(M=ckI2UqIFC5E?;Sk;SU`rx3NBL3V{xFRSn{SJpMKP>$|#U`XgEAI3qgGrLPHxmKv~7Oo@}*kC+Ssw zzX{O2tP1aM>J3{R#3+omHB~jAwGbuC({WZK2Rs_~o3T_{ohMY>X)`IDPt)eq91# zzMvL`wDejmKh3aYzn3DJJY@}qL9;?kLXCT@uI@l_&p6Fr9t(t-b+jPOCRwtOivJo% zY4N})1wpnuf$I(~L90>2v4B=?9I`*2qYyo9cw&@>$^OiOuH@I5;NPaWs{ZU+NuiMu zKLZUeh&!e>L|z}Lp$4+V@SzRY*6mCLw~k^JU|!f%GV7VWaA&uz6Xa5r{Wh-Eu1Het zeW9;Yd~$MJ8XhO~7L7}TknHYX5ggKSD-`}`-odZmQ_!2RQ8glIx3g~3!dOZpb@{?@ z_zKnkD!V*7R|JbUMWQ{?@KM!)L>xqi3sDkkKHCvWqRxFM-G0{dKO(ji=YLi~=Xvc3 zc9eC&goK(iyOwiL*O4O|e;WGB8_tC`arTaLeJWx-9BYO-g56B{ihWiQJib$-Qu{Wt zo-GI5)f_5xdo*UJzD*)`(VjIE4Nwl;kvBb4l$UHryj7NL4;T1Gt|eHMZnqMzmWzQL zvz|*O^e8W%ug3R8XF}838yDyKcY4h9YzXi0rQ5xtA4;5t|MeS9w37lAn+n>CJHV8A zV|S&+F2;`n5D&aG)sni5zjK0h#h$gYMZGmrdPOPpR$i@ajHcBk;I;(D$uOOfOk%cs zi}TNPjo|bhFRN(AB-q6|IG6QaRK#-!a0bZyT%gV+rg#UWGv@Fu%}~>UqgF%`f#`So z3FVi#muvVp8MDfb+oHDEjNel5>GUe)6KvIUEl3%2#@ z3a$FSNLl2q##}yn$rgWKh_0F0WQabm{1yZ4;tY3qiT0dAhHnW6XxpO=k%2$DBR zZP(nJ)KS(3E_XWv<;I@%%AUoJR3$YVt$|tUj zM(Na&wDtrm^NKT0TX{P8uk{a=wC2Bg&_QNMO11~@@gtDm_zmIiRiABNhvP0~psaDr z!UrMrDh#jSAsfhpHm^;0W{Ie5oJqUVzTnk#T-v^S52?NClEQ+^RE3z(u>pzn3zK@K zu$QIEg~U!Ln{z23q>((;3Z4u%!JxkEY%c_HUoZG`MfDog!1q$J-U}nP3^ZM(_gm~N znXhqm2oChjh&F97jYABg(Qh->&<>m{=YY;yIy}<@raQGQiWpfIRwb}xqj=o648)q`yJgq+W-&@VmIm1kvwS$cqgQ#3gP}$yz~QEPGPS zi>%}4u;7B(5Sj>WYZSx@qwecX61o^c@H$~(FsQ)p4x}%K^Or3@ha(Hp}7EJLBV(&OT9PeF%$wyw;-0+C?M2qk|i=OJmy&%VR`$ElJY|AHakK7?Ly%NP+;VoWwVs3`0M8}6z 
z@0*RQNV7nh&IH)%p+@4@AN4{_QS%5wfFATy0UE9-4&8vD(b+tfsg4kzS^RyM{1n7p#hA?}-EUWC_5MBpp_06XzC4M8q!srU zlm24louY*Fz0Irv9yZH0afq4B$EY**^Wt3M*TppbT*;ps6CKuqCqRzOrtzK3;{2Nd za~={2acM5ZU>eb=47$x5%4MYEVz1-xZ~JOVG*YgM4|2^k1`YBUCSj}<@pc?mwLFag zg|>S7JnMvT+WMD4df*Z9TH5Ku0O{ej2k1FHP{|NIWC}`Xf4DbdnyY{O@in|>uv*U$ zuQk)GvyH=5RcK%Q38TK2cV?x|)=7bn!ZAHI{Y8azr^iuDpKzF)S_zMeoog4Exg&Fz)`-a{-NA9_MX4UMdOM zs~G4=5yY67#{Jr#k9gpNq96MWfr@}4N|g$nC_eyKQPsle0Rpu7+`r9$Qw_NhXczPy z!$=E@3tii$Cd^9(8O7(C#6Wy`>_!D7z0Vt@Ls;LEVNdVwjwyvWi{-7(sq^u5Pek`{ zi1Ge?)Nd)8c%GK(US?P$7oiwcib_tk<( z@dM9rs+KnzRzd$)bwafKT6yOe*XtWY_>6KMbNW>0eU49YE|moN2F=a*yaOu?gq`5& zPsAM2+CQqpELp#;-LfEwVoA~8?a(3XON?1ci8BTuCSMMBw zfg$6Ck5GD!8@c-bLYUDK!AK%d-Pzj@nYCbQq z-g-a{u6)93d~t}nxO(+|klKyHFsU6~?Q{~fyu!AdvW1m}O^JTewHkhu0lR&p(Imsw zo*EdHgR!t?yfp|;xvv<4seGKsNXIrJ=i5PKQXr!H>OphR_?n)dpnZ4yoff37+=@?6 zh4+aX&x?uh1n|_H657W)!i?yQXwP~{twSn238lVzvz$Y0UnLs6x;ud!{|cZB_Z_kM zy?PqTdn=t!7;)tgyc6M@2Ug$&yH+^63eMMe-z$Xj{ehPC^}o;RHH1%k$O1AKh0$SH zDZ;rgCxD&0e}26es#YUST=Q zZM>hWU*g8omUYihC^8Sz*y>VCcXZM&>{98)pYj!&r9_k-QGt^j;@P357GmWLXUI-8 z3n?zOx5*lsm|c8VegLb4ecqv+bC!u8CUdG}N$dSCTYFi+de-k79LHifin^AGSV>|n z+be>Tm{+0mD3VXr`wu*+phWG{XvAGEB(_DEx1`N1E+!!@BUab}bc_vN5AI1atJ7}> z5we(cLdt@wQgLdtu&{nbe#@{UdU>(f&4XW#@zXK5D5S5WdFMcNltK_{^jqY!j<2kU z^c*a5P&k11AR)+l`$GNM!SG_l(Z|#Hn(^EB!k~$JKaTYHPlx7@K522bnfAeBY%>0q zIC?A=lN(C&$JF&e%NDyXt_55tS|O?u&tJ`ViTYwCo(x`u?ajO;Yjv!q(g9`vprV8u z02MiBdF!OaEdgZ!s8Cf`aQPopl>LK>;Id!qA=OyonagSA(Te||B2w{MzOUq&CTcAm zQv9<0*`}E1#yj+yxlnpKa;Q}HG6A;s(@Nw{dZ?5xa-bA458%>vC79x&^9Ff^*3=o> z!`dN|<;P&B_0Im!=+oIu%;OF`Y%Q8?_q(&_Ur%CD%Cj~ zwj0SYx4K6MK8apDK_Nhuh6&e#Y_!$M!e}V`SNE+CxKHc60pee-kL4Y%w)Pn+4m&<+ z`|$AXXYm3!$mAz2o+CE+mj-I}S!H8=%*(Sl3S9KKcLbli%%{e@fsA7F%w-RjdR%F& zGL*A#r;1HelW01w?PDR#By57NL4FNR{1j*6)o-KQ9?HLRs5`95e|yxpewX>+Zwtq^ z5c}$RO=XlQFO!{YBaUXZfL0$aAFYI$;bAKCNU^d@$Sw%jz633I;G<68mM*tRxsfb) z9GUJm7_6VdVhYSQ#w#Swa`I5JW%2JYH?+I>>B{RSQ+0!0likV4(@NAKAj<#9vdz`i zZw{NHVa+-lL6)fwww6u1Bvn7t8^q>sNYD&#<;k*g+|R>J^4P24<;vUk`s8nSdKcmL 
z2TCxfcnJxu`GkZx7dcufo^gLFNKF9Q+5u{sD%7U?7LC{s5M__uM#i2?2|s!1ho_|i zWb`g3Xr$BMA?j6IbD+FpAwQ%;d;Fsk-E0r>^3=&7m~CilwBYXc%@Yk&INeO z<_}}h_qqeZzJ1xLYr1&{wj;n8AaADuuz~yyfDMt4NL$w69hlo^nTwjS8#J|O|Ap&+d_7}fmbhY(ELu0uf#^fbl-FBk9^;{_P79{rg~9*A1&?v z4X_okV`{a3az`BSYvXnaXf!GP{xuj17g+q38q1#>ar7{&zxGX=nu?M$iGlm*cja=q z!vNdR-)A@1CpT>?r7Vf*7?+@BJ#qNWgvmYdjzQNIL~-CIms1B3b8LOW^vc*#K@lN; z?)(Ynuqpp9AfJpjk&8KKb$OR}@jRWf$#V~}jCec)ZEdAqHqRWHjA!RW*D3UrpP*-@ zGnZ?Sh3|ZahjccSC)UL7{K)Hlu_O}i%%%Q+k*HFIRLFtgW!KLO{YR4B+>O-kCyxxp zn+_cVd;-B?SS&8vLBr?4=AV?luh!Xt6rT-~Tk+`x0U0x$4)dhc@d#+72|pwA`&9?#tZcs$TE z(v~7<2j;BM8GS)psPlgwFKPbg@v}^e^){m&TRr0{_7xX`{=x@I*D zcb-3AL+_unx0|5@Iz-Ww`?`{|<>j|^^vDHwGb@Wgf@PD9-TCNXN_+dpPErKdQ{+k? zhft*XFrmk>?*G$FqG5mJ=R^@F5?3U=GW^aENC{PIeL<)_fmLX&i-smp~c8;DhrMf zGBG%&ED;BsX?CcO8%av`(Co^ox_#5Da__1|zus}oXze+q9P>Fv^Q^~xG?AXOy z)&r~CEdAV6qwu|W53`s(qn%;$Xw_qO48&(HAbT@Mixb${_TMJQyOU2jAYGE(kl|uD zPymHi^=B0AuiW?gz8o=4p^FNnWJEu^9}I0%+weqKdh(v_hJNoax_q45>1?if8(^_L zfDVy=fG+fQ6duryfJD6LHL^BhFC4^flzE9Gx!BWieFPNs1 z^g|Q8QVB*a5rDR?n*Bfd2VJ;10%}w7DdN-I11i%L!Ax5C#1X)rLG%FjL~6@B7bI>G zKB3eNo>7I;{U3Yg(g4^~>}2eMLk-Sr+^T(XXshU7O1Gsa+qb2sx{}U;cwvLJAu@Wk z;oFTLWU~^z8Pw~eV(741M!9TIUG*=+i}W%b<-9CW0U^Iqkur3^EICasIdxyh+Cvat zgq=u|I*PC50%3JDY+cYa@5a0tjVL~nk2SW5>uaW882NXfZob>&tN2+MBe@HwC9BMp zyo*DXb&*=*`~Y#VSBv7pHN9zBx*vDC=gnC>j%m%ykkPb0PxUH5?K`pAcV*QXLJlr!?^#! 
z18vPG5sS#~#S>$!ADb_>4euYlZ<#G~*G=wQ-O z2CN9{D-8fVKmp(ZH%UpsB#YGNX9z3pv1Bzr8=LSe*i_rF!<0bw!G>ki!2ZmR+G9Rn$`Rp(KNQ;E;M;Nwz<}P`vj>jnfo+Qf!emf4e&;=>z?( z8d#rz8|((!fWg->M~Vs58Zd)Ew=&WvKDSO|+vy45VssqoE?R4blAZ|$C!y*r^#=BT zNNC~)^9oU1%>J{shyqhbv6=52MV|3~aCH74N}+VLhv2M)7@7|)(F1ggp4xDpI?4&) zQm+rs!iFZ!jD_}Y%^^_czv_M_6;Ry^{@PV-Lec@wOsoRorpaOXZwUe7jL}Rr50VMH zGFgf7mAXDa6YV#p0La$-*vWUZqhY=uj{N<)LUju{f-1SQY`g;N=hulk+=N#e^}&-B zZdf`Lmy2<_%ykwPBwCHEba3PKndvRZIWKqqeSB6@yLn2xgBEgHe~1%%TnO?z#s0** z7&kUwbDH@Jp2q5(^x1U>GO^&IWEOBJXfvGj?f2X6GR9ULh9FvMxxzcJdt zO@TboZ_XCoL>-iDK|cH5Z-ff`YoqxESv34yb7N5XRnJ3Vxo^4wg>l!^1>^oCZ@Ua@ z_w+*x!0Kl4sw3~DQ0#X^6{oqR)Q*866pxMJI7t|o_x z^Diu#uMZ4>3DL(?Y{e&)2KDMZvA(c&c(Mo>C0h4ubcb*A%;eMdS5j+ zyUwact|bN~+ur zE=EHucpp3Tfe+K;H6=?vDWN*@4Hr!C!vbU`xTCU2ra#!$tH|L+ zRz+qXFo`;P)J2Rj9TImQMNSI2QzqUZ$GIbta3ZhlzzA5ONQYd!gP_I{UbU#7%BW(*Rj*>nx$NS=YSDFe z5jp$&UK^*Z{VwVpGe3M4p7OzC^zvL!qDO93Jn~{?`5=V-;9x?k7ZE$r^reAK zvrfHeiJkVE&emuf{B_X>+4h%p9>L>B&P7w$Oe8&i;ZNBoxRZffXqdcQ(HYPJwfxcD zeJZF^x1iy}pR8>sIgn%rzIo4XddD%$N)>X>qP_;8CX_D^dS06=t2y3xAz4t$p;tsN z><580n9>a=6LX(2%hGQ9@IADZTpN%gcNl- z8ed`Rp;FPLgnv6~Ol2A(REy5@s|;hGGkg!$;>p6w2sSH&3A@^0H`{Y!e^coqsIx9X zIm%krC?uPRf))i`?F_-ow;eE73Hh!$;RoT7l+KBhD(_Q~h|)Ln>wC`_c=6d$ASqH< zRyGQBzv`>|VIXz13`A10NqJ-lCZ2mTBFhp$#(leDj>JpyqMcJ2${ni305jgWGF_?K zHW3;hYAHzDS@p~7D4LF8uQ7ei9Q++<@YK#~%@HlsRz9d}qA(UcJ&lMb5;fggcF-s1 z-fdC9OyopC{?%5Xd5{20zWsi*M`!LPSMZ!!BT;M~ry%DlKu|m-f8b1NN0vn-vU)?I ztNoE$Hsm?fvfxl#SSnSV)fC+ll|m5FZA5J7F8c~MhAYkxkowp-I5NsxVD%j^EYuV) zTwC>xk{7-$Kwe7_ z0nsEOo-EK=gexvA9y;MiU08~sY~g{%IGK!ioKkqflH-p-8TwSJ$T73b1`Batns9-P zG=?gi?q3w0Igb*yZ6m=pAX%ZIqSqkfeSaLh;kejmn(G}()PAor??2d)GqB`{+1hRX zDQ5*vu=>VnV-yHdcZ=!77sbFUK#oxwsW+w@8NrSw)nf5+>fpy1q(;0fKTj^^!{La*#Rly=Q!dQATDTvqF6ub@J3WhRbzowXsGr8iuerp#eZ8Kor(uM#0PDV@FFgIxIDVfqN zgQC9T$1vt{9gV+wSl(o>0 zg<5$zvC1P-$fw2bG*WI&D3?FHcQF>U6ws_h3JKNtWiw&~F5&wV&dvMCwsUXpcBh_zYxIcez+w^{|5yk+fgo72C$_O73u_{%^{R>jhrc zPC=$RSH_E3er@WCl~vUz5h`D63&doqH(tu3{7P#+V@GSgLdUAZqit!2An2(#;G6du 
z+T3TAfE6&`DSw>2BQ!tJaBcP|dBXCTbNZOM9>%K~fY9I)_RK7L5*7cDugIYoHDW>T ztZd8HM?A!VZwRO;+;TvJc{R7l1f;SBdzFeDD}>zA^iqJG5}!4#LfWTjV^~iHiKG+usELX3m)llpqC0-`a`~cW z@m;eg58ZN9uE*}-br)W+IDH%vX*VIobQ77-52)b@6qa*-MeNJ}cW%)BLkxaw0q@&7 zXb6qgPc0hYP9rgmuR7*q1L?vB)nBh}6g401=;POufrrBqX~(2)NRq`k1#I+GM|b09 zFS6ih*lvJ9-08U8?a79#e{OX$d}(ygiy?%|;D<=O`H(x|j*I*@V(#OJ-8$WE3D4IB zn?n)R#-dv|^dHtFT*buezo`EHirI|n{4z(amM>!9H75X<`)2=5&s zv9IrQ-(o<(_y7?BN<)SzGY<7j@?+}|t4KmXQ|p=M1j&%k-=9_NMt=kMc+ za11==-tu@17ZL36o?aMjpa{Zhu`Gm@GLx)Qw3Xk*kH}@+Il@tGRKcAyuX2g$aNpb# z==pZN2xc))skXlt1q`P2jKpRUC!BbVG3|WYPCt~5N|BQ<<(v%SAdi3c8HJ9F<&B$?fpsO>_4NE#cwqk>DY< zq=XPBq=r_eNI_lE+kwd`PnAlm5+{~Rx!cmbhfu9RSA~qiSfW1>(BMsUClkl!AHv`@ zGkWzP@dyU*_{8t_oUom6|8l9h#+A$+uM_)7cQ8oZ9{tMBGmJYL#FD|N{%9B z4a2Y^Is;!T|IqC=V1xug!;=B)_lO%;VO&S}zfH3wyxQGNGC5&NjY^zs&# zyd|JiVvZW*o07pa1x1siwFb*uZCfrb`QCrIgeOWY%VxM;^0GI)>04^50_d{rqw6mc z(@1rUr?ceTg1oL>J8RMXs=RmO1vF`|oV)BD$28&HT9jR&#TBm`jkfHgJM-=~ijUxj zhpRJNkg*AR7x%-t-Bhmd-sEpxS&}V(tX(>6a1*rmHvH&Iuq%J)9|JeLqGu%cbJ*I{ zO@p1Na#>W|03T9%O4T(ObHK4Cre_4_`a#^}2*}ctU}X+L68tAsfdh2=&Ppr;}$1Grvv{MBD~SUQhC;N2R!Uu@GXTU|lRO`|*t?&Yjvh#Thk} zPa_>$$Sz}m?^k# z#MmCR@im0i#;Jyu@60(L304j=K(CnyP&(m^qk*0!dp9pF^hg%jOq*S^G+Qj`I8%F@ z{`#klDc_20%`oIkR?uNT8*wB0NI#w0F}k)D_ulMM?{vOOnjd;;%=!lp4}bh6W4Hs& zkQYZ}io2L(w4J<^hBAf= zirTbP)hN9gr#>h3i2>j1(8hD?5u-1eLz>!H4EY}2aTvx-$Wr4#?09L2@@(Jcf z;gX>upLlnQVs#J4q{w82UauCRS^w9{rmyh6KF;n*-b|N4AKB?h{#HqKAmfcnBAwU5 z$kqjmYn+jtP?dJRf;Isfw&$m72crFfclTj*QF^5@| zR{6i(x*$_(ONAn{)G-ocdKygZF`iyJo|QO5r2+%;4_x^AlsDOERQP(#4U-Z|Xw=f3$!WFO%}Ms>iY z62pP`FVGuMcsF_0@2QS$l%3a6tdnRm0;pYSfg{I*^bOWzvb#6K78ZY-4L z&Q{5Y_xcG%(i<+4rD*MZtZs9`4QKdj(iS{;dmy7TF#aYnAHO%zQb8~j)rZNdPKzDe z=62!g#K|bxReqLGl9O&Hi}C|*(8^MDSanzVy*dIK`xqW{qP8c(kMWUfg5jNd)kVme zO&CM_8Gnae)L58{)9muIJXNMGE?6afj$-V+$Z*&t`NvBk6HUA_3$<1Z%9v({k|&2A z#r+HDUXV*mMVUml%Yz2Ncy&t8Ew1?+y)Abcxb#RZpPN_riQFn@I(914>--9w}mT*Oj>xi z*$4HDZ}nZie4yAm{EjoiMLmUe$wBhRJIc557p7*4ap*8=8?ec{eu~6bNi59irNO$U 
zH+n<}q3lF2CalaG`_r(#e(`S+cA(W_$e4D&RN8mop1$Q5C|Q;}(;m=nnV>DAvCMy_ z*GcfDnS3Cpp4sJR$q$0@>vahn*sqP5e?Rb@AbWGfJmSaroRBh#yUSI>{Vc~3xaM~- zGT80RQSc~Bu~dYU=I=B*R6CP_I-D#HMvcDqP%{+eTEoJOBhhVsukzz*D?fE)UpZHS zWysd3E!z@K{c|?8_cKRG?PO~29(aO~y~feg%=nrTmbJ&NI>L9nG6nuze$aX%jO~~i z7vqqXQ1$nH#qavo!rzAvb3n(S=hljN_DzXCW<9MN?16M(_Vg{2s75qBsdK8ooxnMZ z?`2h#_@;${j`JW)J$qU|)VyHexXW<>%$rVv<*b?N#F(SBR%SdCipqG>4-@!w#xPb2HHw36U$ih>DH)4a3PFNv9(?bg zvB$cV+n^eZrNkZ%Gr17BR6Lp`^0h2zB#)}bwwC+CUq1qLnoERh>G(5?q5H3WEb58!-E*|Q4w{wbYts=zYjC@4&5<$dRMg%Mq7Y))b$YtOB z|96We1rQgsB8g^WU)nmzumh35!x}YdGCBpKB%<+ZYbgfhKgkk33j+zu>Qz`E=`&~+ z4-NC(#KY*aVV0`L5vd(oG=n7eoYLPA4WUShuIK!kMBrhTEMV9L}IyvyHa&kDBPX(4IQHv@CM}b=DGdt4QIY zQy<(wH@d1I`CDS**hM?5x0sstOWGmr_oBzMy#?BFt_ujgoP!o1q6ak*28>{HIbj3B z01@q=)D{6)d!72eRGI(8s3j`=lG?Xjs>M9hbZ^u-FhlMZ9u4;EiRjY}fQbdDG#NSC0l?y1#LU z7uFZGj~TS@^^m~J_qRAp52bL*b2vr-W!Kvh8jI|?{|Pqd`>SDUJU0qe+>EyuD$2z74bkNYTh)Gr z&U^kiu^2NvU_Uo^HWT;OQ?cdeFyf9RWs&w`-`&GZkB6WchUeryT?}Lx9!7MAHX8Xm z@Go--z|y~XfS+S3H3Es#|EuaN!{Sz-x1qQdC@k*oP}~Z|T^DzkVx?$-;=Z^QcQ1=W zkp&9H+QLGS#ogUq`rn>&e%JNB$%iMCYclzgOeQn;J%h|*5bgQ2x_n?7jF>NH+!LX# z0s?p>>t)%p%pAE?PAE#()@t;vzm;gEM7J@b`SpWLUW)Ox5WWpPG><}Qo|H-DtTMSg*AR6hK(#r1xI^kH zASzk)?zC6W0zyg$+p72yiD*QQ-L#KJ<(cj5O%%skUo|L6kD#6!zKb=?IY=NwC8CMp zej0mW^5NUm9L_M1I;<$VfR8VxHc8u7%U!hqTPpO_*s_R#(m9kIeMeo@I;^GD5S}CA#53p{{XZ#zh$MP- z1mUL09j|U8X`#QU*L$A#B}(Zp&X}3Mo+{*-hGI5LMvdb@Dho_9TfP}NCe~j%ysXa* z!sSuqGAOi$`S{bL-N#L1?yts+bqoo&2~5eB&5=7hu@~i#U$~jXSM#%1rAB5DeFJ)n ziM3;wD)#LwU8HW3jb?knOG8TEtJln?o z0)+ZxFtD0LXt*C(9R~b50$fFDA zKad#abo9DZiC;96EU#XC)x^j=w(`MB&>8fD(mM(gNKv(a6Mk5r39lUwR}4xV@AB&T zQfvO_Du@TRO*DUWeUB>i#p*g}HIL;T77!Vgz}pv>ottB>3O_9&zUb)f8hvxD1Gt{7 z2>ULV?J#TRfYu|cl24vLU7(Do=3j~ftHQq&hfkgp!BvG&W*57-(#=_-jTaTY*_M4% zc-cSH3b)ux0F2$`bG%oKjsmHy*2ZMSKc>Jo3F2WifT;|6J+oxURv1oZ1s-;* z$nl7FZu*UwaQ2~(CgltGn2Ippn-(@#G>fIjV~pi`6{}cVAX?|P5ZzWNT*?%FfHIOUUQY-TlmYb>4e|o+=c5F>C z+DLaO4_M#e=x1MSjFW-U|@{FJuSx|M{03JZGD%%$a5`8XJ$7Q+*vf4qL=5WPh)C 
zNo^1vL?;!-&|05(dP3XdKsXRb|5fNXH76Rf)0~7h#LQ~AGka24@E3!V&6THXM~a&; zqWC3t^y)FFk<5wqnogs}ylw3py+Ize-L#o|N}sC5o1I*4XI=LJwcD2fmc1r*pSDS&-!l5O-AA!o4>_K>^Ael z^*5YpYz^oRFqZfHcrRNe+UO0aI@|9~d`_a$3bAC$S1yXhL}R#fBV|V-u5ga=b<2UT zT=LtFG+($;CpW=Z3hxR)Q1KToQ~_pB8_l}T3l)k^VB}P<5D$mruE2Txh2j+sY4fe6 zy(oJpEO<1s%YL9CXFeKTq<;x`B6J2xa6#z1P z>@wEJO_qu6{E^$~URm0?MGf#cC9-^RIfpa6h&B2XdILa4W{)kh+{)p9%sgy0tuS5z z89pon0Th{3U24X@N#*yh*iH^{xNj!= z2L;cqfTOM>K*tYHxidp<}0s zX1Vbn^6G?e{R6|ek1@Pe_vpbJBFrK1ER7aHxvWo$TCkv_e!!>U%BCdy0FsD@>Uf?*y3WrF73sPuP3*(LahZj#dDWQ@o=Vy46YW#(e>5DoHdikfcV-5np&GOBm7&bh`&J9`Wj#~2BIXaT%3Zw1Z(dYpP4*P>wJC33;OsF zpS$k+Z}X{Kupy7N8jtdU0gH~8!Rc`pj! z_{L{K6h)YBs+E7fqrn>3`wG(1a?8gzW9zQiig(<>L&Slse<)D)W%eMp>woPI>SqSx ze@;DKslL4>ME15zPs47qlVdqN*WR(xE`y|3G?1q{9LmdC`-93F08`g}bIw4(*89I8 zkOIb>rD4HaJEWvp`%ydpH|ie};62BqDNKZRs9!)G*SLsny!cFkl zXrq1wBSL-W&rwVaybzUr8nRU)m{!Us;}`C0>%{*gZ5{h#l%^bHZ(C0MmS^Q7oEZDV zP3l}v2ZO9oc7E2u*3P;LAO`*+>kvFm=6{+Pg)TCTgGGe(W?)az;oaT%rxLv z?F&@!Wl)qR6l)cF$r>8i7$%9ed`am89In+88C)58gERRDD6NlEK3n`H*KcI)t|@KW z=AK%E@d|mLm6(uyIdZOzPmV!w)@)8?eSdxPm(IJ6PtsUS`O39ymRKwaR|tS%3>pqp zl@Svauh&a>Rv$#G-ZU#eyUln8B5|J3Jr(SLk`7!8amkk{SrfxbMb*y*SEYF&*c@Pk zZ*##WTfWHed8q4Y)=W3ui~2bZGXb18y?hGBHk zkQ+u~)adxuGK%t3dU-_}^PKO;0(TW|(9UF){(8e1PXiE_9rO`{Hn{Q1ES2Crui1;+&NUUhIoo>GxZqZ}-@U!+)aC z{`V1wmu+S%Ir>p7MdfYCdcte`2C0zcy|C^W(=tSf#n`vN5OZmd6m#jObCuKWwa=@u zZF&FHo1RvQ23agcxfjWMb>4~$XT!0k_IvT;Bdt&WJoUTrZ+)y@9kI!ym*DqVM2}O# zeC@Yz)a5>Wd;7A^gSoDIP-eoE0-$~yY?+jd+BbQ8EK~tPqf+3KYnBy4-7#ME8d#b! 
z{fg#2#7V?$IJjubY|!Y_%PB@++px{G!I(r!Dk3#NV-3?DZ~!+57j1e7H$^n~p-~NP zyMXh&`g=sQ)ZBe3143Qg7jRv3pPBxUBdLO5YJ!1-U7g~G+_-N!j5gumrDe_@R6{EM zsTC}Q2g%%L;a>aTMmbk^v7W<&M4uGI@NSp*nn;Zse_qZrtRg zO|F4j_QrJE@MWBaFPxpw?8m~^g8tMTG|s^`2Hs^p(C|X_mTz5EBG4Sv0T$1lcV6DL z&i>T&hPypdfgs+W$QbYaA>zE%j;4NTG$qah1$l97F_iTKNm_Dea%9%=HLmVgZR1Iwtt7u9vBhbqy;BHS0?)I27y_xY%nGx|aPpgBqe|!8;G#3as|V~k#=4M4MIOVN&W&2cqJ|(g-Tm1N&@|@ZJiFQNA1=R9LkQXj( z^^RgqOZqnB#W?1BZIgUqtrGNVB7@p|^7Ss4--)UTb*|$vaki5@ZBefl+n=7VX})#O zX2i`45<){Bm(;|cw&MyVk+dR@#wn3k7S+($g!+F*B%Ki-9$IJldl9{MQj=UsKU;hiVDIl9SE3yhQ6e_ z~100mDv?u$Ixl^co);pt440W1^t z?PZqEw-c{V^yXrdrh>MIA9cfREc+^pXLc(roOCbettXtAltXX7o$t1o9`Kulnl%A} zy#2rozI{Y8bpVw5@YPte5>G&v-fyS>!NvT*^;%ikX6(UzYTv=O0CBtCxO3uln6gS9 zXf5qrFW-0}ryqQzyO=G6>&n@OlqQ4826_!xC>cL1$tQ31m!j_MI$A_tS#9X2F%v$p z+b^T=hu5Pv?SFI}*)I4tAu1m7*(?!0_m?EU++gRc>mSBPOMus0C6a`_e>w0sybM?@ z0v+3|0&l-t#(!cUV3F8KdOHfv7~{I<8eHz@2~Jw>MK5UUvO(&0*~Wi)hOQNkOv7Mp z<+AC0z=1hM%a6%~PTgy4R@A(*8;uvJXEI=DeMr@BIF zAEFrpLR2qLcbo#>RfzZbcG>5_7+Y|I>T7wlK8U6J@w?_@Z=2+K zrOr|tBwvyuv0k;Br%=YCP(HMhaLs=xw+7--EapsHz4{G4@Pvl|qi?XJFrQITDu+pt z{O9rqayCEHt5#hC9$%LcO+=v99j-P#^xr*ROv1wghV;>C_+eo?I*D2>E-2OtGD^ zR5-)K=6ngCw0`{4&77lvIt!oW0Opxz;t$M$Yg+-|qJaSsXFd0q@Idbs3!n~|Sykyv z`A?uHFi~VAlIBnq04}J?dXFKLs&pJzqQxWZVflS(Y__%t1)$=3p4NM!Zsa>>92HBx zW`toIovx{+Nhu*a>ZgoIzupqs)lZqdJtjw`D2O@K%J_l--WL7!J4M=F-X}L)w|aUA z2H%I}!m&M@c6Yy%gyUQ3gNdW>p3aHn(uVg^r&oh}0cy3y*WfQKKk-hYd2=Gy&QY$< zpB*Km7i(eJ&FgT^2Z6|ojRm>)nSJ&9e2ivlh1j&kTljVUuyj|9^=ZAwxtN)hTT)}} zGb6(9grV%~=@YvBPI8d)e{;!J(KCJWw({#k!LnvM60E@Nb zj6Qu6ls(-v~_Q$~3Itd#?-xV{w6`vd$aB9|17Ed|Yqc+L*or^`LKhyRkqS~kjQFT9ykVS+9J>1LidZjp@rhiWW`U?RrP^_~#+$+59?2lruT_ z>5zxSt!pEL7y5O1*EK+f=nfe}<9S8Ru;&OqY-Rz;ps#(c)%lsl4CC2+l+pomq`?Is zKX~PW(*bUoS;r_*kaQEPBe3nHgBUO3eCA5Kn4Tk(T}WmL=Lo!2^3V&smV#EgUh zh@%Rr<6KuY(EfnK@NyCF2OB;KLcVKZl5tcq-8o|X8a|Ty%$F6w898N4oG43jcLEy! 
z!>9VXP*W)*q8_{khsAc8z>M%kr34m-@Am1=hL&jYGVMd$DsL52jVi3*l$WV*xKmW(%$s!LMN?yv z9y&w1I-dQ60y*_@nkSW`XA=pYB(7NxcX|?+##Kt+30i#`;RQ_5OqjhLSZP<^Z9;tM zN`khLYzxs&eAZ~aQi|4LLhtBjGRqpAo!SDIoHI3!$R!#vWn+xWS^L=n#hs!w@+JMl zjEN#B!G_X1fuJ!Whmi2X!x)(nQe}bGF|@Yj*+Ak&)ZgATGf^&@%NFeS-U~+7H)cMb zXy)RJ)PYfwCnglO`zJF48J!}ay_(Sgb)pA#@4lChlvBE0#>vC1W&Iq9|lwzw_Sc-VW3QVa<2AZ-%e~_;F5^D3y{*l|H6% z8K-voL4hrDO%D{d&f>3lH;L%uB~%C5ZM`;wxpY(glO2C54!YP6_t|G7WdWXYB_#)LpCrD=)O{@)GT;FOs{U3h-Oi@g6+BD;Mo)oVl9@R(e=7 z`)f7w0l`X*W%Df87*k^QuLU>WaX5)wGr+9l4^gtNT&G`MK@Cy_^82%ElDk-%%#HLQ z%cQ>=2U86`3p5hjUDqcM9OO0dJBi1%7}EQ@+ev2Y{#9s#D-^&L9OCEn9OB~`jW(2O zev{3Cng^Y~G|Lb2g3lOWj`4>PM%JzAM)cNIFyB{BE%Mh^;MWW9z{w3JaC=uqeEwaq zT$e7`h(Vn|LBAh3tINy@+G^%xS2L5%S2M%Z#%rg)xbEGQzjv=wJn!8u=$6l{wRd>X z_p3(h=mTeZzGZ~ykg~n`x~5&oyU$Klm)O51Mf60)f|awTt4wRlCirU9b`18MeFk|| zfSo2PW%dS{(1r=LtaPp>u9jadI)0J5dlc-SG7a~5LE8T+q`(yv{wmP@t8leT!T!Y7 zG+~=j;@zI1JXTMVXI&=Z=K%I%z2uQ;EL(0WjJl}tg*G}5dKtp{4jpSo$mUdVKab`vC+v8b)G1~^5^WNvp5Np{1UtQ?9KXqxW|y^!L}>_oyl zy?H6FyVON9!p#78V{PgeqU$0e{1l&Z^*uOA5+gV8aiy+kqb;p0>JAb5Kt!N{9|7PtT`V14b!=VUJHt)=cR32`U#%DLJsiI7<^Gla E55Oc882|tP literal 0 HcmV?d00001 diff --git a/Solutions/Microsoft 365/Package/createUiDefinition.json b/Solutions/Microsoft 365/Package/createUiDefinition.json index daed1e6ff9b..e74f1f292dc 100644 --- a/Solutions/Microsoft 365/Package/createUiDefinition.json +++ b/Solutions/Microsoft 365/Package/createUiDefinition.json 
@@ -208,7 +208,7 @@ "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed" + "text": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts" } } ] diff --git a/Solutions/Microsoft 365/Package/mainTemplate.json b/Solutions/Microsoft 365/Package/mainTemplate.json index 0b9ecc066fb..1db3d788322 100644 --- a/Solutions/Microsoft 365/Package/mainTemplate.json +++ b/Solutions/Microsoft 365/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft 365", - "_solutionVersion": "3.0.4", + "_solutionVersion": "3.0.5", "solutionId": "azuresentinel.azure-sentinel-solution-office365", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Office365", 
@@ -208,11 +208,11 @@ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bff093b2-500e-4ae5-bb49-a5b1423cbd5b','-', '2.1.3')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "2.0.5", + "analyticRuleVersion3": "2.0.6", "_analyticRulecontentId3": "b4ceb583-4c44-4555-8ecf-39f572e827ba", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b4ceb583-4c44-4555-8ecf-39f572e827ba')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b4ceb583-4c44-4555-8ecf-39f572e827ba')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b4ceb583-4c44-4555-8ecf-39f572e827ba','-', '2.0.5')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b4ceb583-4c44-4555-8ecf-39f572e827ba','-', '2.0.6')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "2.0.4", 
@@ -292,11 +292,11 @@ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a547285-801c-4290-aa2e-5e7e20ca157d','-', '1.0.6')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.5", + "analyticRuleVersion15": "1.0.6", "_analyticRulecontentId15": "8b4f03e7-3460-4401-824d-e65a8dd464f0", "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8b4f03e7-3460-4401-824d-e65a8dd464f0')]", "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8b4f03e7-3460-4401-824d-e65a8dd464f0')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8b4f03e7-3460-4401-824d-e65a8dd464f0','-', '1.0.5')))]" + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8b4f03e7-3460-4401-824d-e65a8dd464f0','-', '1.0.6')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, @@ -310,7 +310,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft 365 data connector with template version 3.0.4", + "description": "Microsoft 365 data connector with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -505,7 +505,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePointAndOneDrive Workbook with template version 3.0.4", + "description": "SharePointAndOneDrive Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -593,7 +593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office365 Workbook with template version 3.0.4", + "description": "Office365 Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -681,7 +681,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeOnline Workbook with template version 3.0.4", + "description": "ExchangeOnline Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -769,7 +769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomolousUserAccessingOtherUsersMailbox_HuntingQueries Hunting Query with template version 3.0.4", + "description": "AnomolousUserAccessingOtherUsersMailbox_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -854,7 +854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserAddedRemovedInTeams_HuntVersion_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ExternalUserAddedRemovedInTeams_HuntVersion_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -939,7 +939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserFromNewOrgAddedToTeams_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ExternalUserFromNewOrgAddedToTeams_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1024,7 +1024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail_redirect_via_ExO_transport_rule_hunting_HuntingQueries Hunting Query with template version 3.0.4", + "description": "Mail_redirect_via_ExO_transport_rule_hunting_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1109,7 +1109,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiTeamBot_HuntingQueries Hunting Query with template version 3.0.4", + "description": "MultiTeamBot_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1194,7 +1194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiTeamOwner_HuntingQueries Hunting Query with template version 3.0.4", + "description": "MultiTeamOwner_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -1279,7 +1279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleTeamsDeletes_HuntingQueries Hunting Query with template version 3.0.4", + "description": "MultipleTeamsDeletes_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1364,7 +1364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewBotAddedToTeams_HuntingQueries Hunting Query with template version 3.0.4", + "description": "NewBotAddedToTeams_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -1449,7 +1449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "New_WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.4", + "description": "New_WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -1534,7 +1534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeMailForwarding_hunting_HuntingQueries Hunting Query with template version 3.0.4", + "description": "OfficeMailForwarding_hunting_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -1619,7 +1619,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TeamsFilesUploaded_HuntingQueries Hunting Query with template version 3.0.4", + "description": "TeamsFilesUploaded_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", @@ -1704,7 +1704,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAddToTeamsAndUploadsFile_HuntingQueries Hunting Query with template version 3.0.4", + "description": "UserAddToTeamsAndUploadsFile_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", 
@@ -1789,7 +1789,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.4", + "description": "WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -1874,7 +1874,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "double_file_ext_exes_HuntingQueries Hunting Query with template version 3.0.4", + "description": "double_file_ext_exes_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", @@ -1959,7 +1959,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_adminaccountactivity_HuntingQueries Hunting Query with template version 3.0.4", + "description": "new_adminaccountactivity_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", 
@@ -2044,7 +2044,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_sharepoint_downloads_by_IP_HuntingQueries Hunting Query with template version 3.0.4", + "description": "new_sharepoint_downloads_by_IP_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -2129,7 +2129,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_sharepoint_downloads_by_UserAgent_HuntingQueries Hunting Query with template version 3.0.4", + "description": "new_sharepoint_downloads_by_UserAgent_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", @@ -2214,7 +2214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "nonowner_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.4", + "description": "nonowner_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", 
@@ -2299,7 +2299,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "powershell_or_nonbrowser_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.4", + "description": "powershell_or_nonbrowser_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", @@ -2384,7 +2384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_downloads_HuntingQueries Hunting Query with template version 3.0.4", + "description": "sharepoint_downloads_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", @@ -2469,7 +2469,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleUsersEmailForwardedToSameDestination_HuntingQueries Hunting Query with template version 3.0.4", + "description": "MultipleUsersEmailForwardedToSameDestination_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", 
@@ -2554,7 +2554,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -2602,64 +2602,64 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "MemberAdded" + "columnName": "MemberAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "MemberAddedAccountName" + "columnName": "MemberAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "MemberAddedAccountUPNSuffix" + "columnName": "MemberAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoAdded" + "columnName": "UserWhoAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoAddedAccountName" + "columnName": "UserWhoAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoAddedAccountUPNSuffix" + "columnName": "UserWhoAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoDeleted" + "columnName": "UserWhoDeleted", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoDeletedAccountName" + "columnName": "UserWhoDeletedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoDeletedAccountUPNSuffix" + "columnName": "UserWhoDeletedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2715,7 +2715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -2757,64 +2757,64 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "MemberAdded_Removed" + "columnName": "MemberAdded_Removed", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "MemberAdded_RemovedAccountName" + "columnName": "MemberAdded_RemovedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "MemberAdded_RemovedAccountUPNSuffix" + "columnName": "MemberAdded_RemovedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoAdded" + "columnName": "UserWhoAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoAddedAccountName" + "columnName": "UserWhoAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoAddedAccountUPNSuffix" + "columnName": "UserWhoAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoDeleted" + "columnName": "UserWhoDeleted", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoDeletedAccountName" + "columnName": "UserWhoDeletedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoDeletedAccountUPNSuffix" + "columnName": "UserWhoDeletedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2870,7 +2870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailItemsAccessedTimeSeries_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "MailItemsAccessedTimeSeries_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -2884,7 +2884,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed", + "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts", "displayName": "Exchange workflow MailItemsAccessed operation anomaly", "enabled": false, "query": "let starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| make-series Total=count() on TimeGenerated from 
startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, score;\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated > ago(2d)\n | extend DateHour = bin(TimeGenerated, 1h)\n | where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)\n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\n | order by HourlyCount desc\n) on TimeGenerated\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100\n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\n| order by PercentofTotal desc\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, 
anomalies\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", @@ -2912,39 +2912,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "Client_IPAddress" + "columnName": "Client_IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIPMax" + "columnName": "SourceIPMax", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -3000,7 +3000,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -3044,30 +3044,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -3123,7 +3123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -3167,39 +3167,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "OriginatingServerName" + "columnName": "OriginatingServerName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIPAddress" + "columnName": "ClientIPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -3255,7 +3255,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -3298,21 +3298,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -3368,7 +3368,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -3412,30 +3412,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -3491,7 +3491,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3535,48 +3535,48 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileNames" + "columnName": "FileNames", + "identifier": "Name" } - ] + ], + "entityType": "File" } ] } 
@@ -3632,7 +3632,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3676,39 +3676,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "identifier": "AppId", - "columnName": "AppId" + "columnName": "AppId", + "identifier": "AppId" } - ] + ], + "entityType": "CloudApplication" } ] } 
@@ -3764,7 +3764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3806,39 +3806,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -3894,7 +3894,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3936,39 +3936,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserIdName" + "columnName": "UserIdName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserIdUPNSuffix" + "columnName": "UserIdUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -4024,7 +4024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -4066,39 +4066,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -4154,7 +4154,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -4198,30 +4198,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -4277,7 +4277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", 
@@ -4319,39 +4319,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DirSample" + "columnName": "DirSample", + "identifier": "Name" } - ] + ], + "entityType": "File" } ], "customDetails": { @@ -4361,13 +4361,13 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "matchingMethod": "Selected", - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", "groupByEntities": [ "Account" - ] + ], + "matchingMethod": "Selected", + "lookbackDuration": "PT5H", + "enabled": true, + "reopenClosedIncident": false } } } @@ -4423,7 +4423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", 
@@ -4465,39 +4465,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileSample" + "columnName": "FileSample", + "identifier": "Name" } - ] + ], + "entityType": "File" } ], "customDetails": { @@ -4507,13 +4507,13 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "matchingMethod": "Selected", - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", "groupByEntities": [ "Account" - ] + ], + "matchingMethod": "Selected", + "lookbackDuration": "PT5H", + "enabled": true, + "reopenClosedIncident": false } } } @@ -4565,7 +4565,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.4", + "version": "3.0.5", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft 365", diff --git a/Solutions/Microsoft 365/ReleaseNotes.md b/Solutions/Microsoft 365/ReleaseNotes.md index 7d00a51ab90..4a29eaff3de 100644 --- a/Solutions/Microsoft 365/ReleaseNotes.md +++ b/Solutions/Microsoft 365/ReleaseNotes.md 
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.5 | 04-02-2025 | Updated **Analytic Rule** MailItemsAccessedTimeSeries.yaml |
 | 3.0.4 | 27-08-2024 | Updated **Analytic Rule** for Same names |
 | 3.0.3 | 12-06-2024 | Updated **Analytic Rule** for Bug Fixes ExternalUserAddedRemovedInTeams.yaml |
 | 3.0.2 | 09-05-2024 | Updated **Analytic Rule** to get expected result and Entity Mapping exchange_auditlogdisabled.yaml and fixed typo description in **Analytic Rules** ExternalUserAddedRemovedInTeams.yaml |
From fe4de1a0bf6b9ac383d0a9774b2cbe8ce79cc4af Mon Sep 17 00:00:00 2001
From: Mike <44847443+mgstate@users.noreply.github.com>
Date: Tue, 4 Feb 2025 17:13:51 -0500
Subject: [PATCH 4/8] Update Machine_Learning_Creation.yaml query and mappings Fixed Entity Mappings and modified kql based on mappings
---
 .../Machine_Learning_Creation.yaml | 33 +++++++++++--------
 1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
index 2ea9a3f3b4e..84d44cc28f5 100644
--- a/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
+++ b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml
@@ -14,27 +14,32 @@ relevantTechniques: - T1059 - T1496 query: | - AzureActivity - | where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services - | extend SCOPE = tostring(parse_json(Authorization).scope) - | extend subname = split(Hierarchy, "/") - | extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID - | extend Properties = parse_json(Properties) - | extend Properties_entity = tostring(Properties.entity) - | where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty - | where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write" - | where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments - | extend LLM = tostring(split(Properties_entity, "/")[-1]) - | distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM +AzureActivity +| where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services +| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string +| extend subname = split(Hierarchy, "/") // Split Hierarchy to extract Subscription Name and ID +| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID +| extend Properties = parse_json(Properties) // Parse Properties as JSON +| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string +| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty +// | where Properties_entity contains "deepseek" // Filter activities where Properties.entity contains "deepseek" +| where OperationNameValue contains "write" // Filter activities 
where OperationNameValue contains "write" +| where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments +| extend LLM = tostring(split(Properties_entity, "/")[-1]) // Extract the last segment of Properties_entity and cast it to string +| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output + entityMappings: - entityType: Account fieldMappings: - identifier: Name columnName: Caller - - identifier: UPNSuffix - columnName: SCOPE - entityType: IP fieldMappings: - identifier: Address columnName: CallerIpAddress + - entityType: Azure Resource + fieldMappings: + - identifier: ResourceId + columnName: _ResourceId + version: 1.0 From c92e37b89040be2a00ac1bef865dffa23d15e35f Mon Sep 17 00:00:00 2001 From: Mike <44847443+mgstate@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:21:56 -0500 Subject: [PATCH 5/8] Add ID field to Machine_Learning_Creation.yaml added id --- .../Machine_Learning_Creation.yaml | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml index 84d44cc28f5..ab8a4765784 100644 --- a/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml +++ b/Solutions/Azure Activity/Hunting Queries/Machine_Learning_Creation.yaml @@ -1,3 +1,4 @@ +id: 26d116bd-324b-4bb8-b102-d4a282607ad7 name: Azure Machine Learning Write Operations description: | 'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.' 
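Review bot: The third mapping added at the end of the `@@ -14,27 +14,32 @@` hunk uses `entityType: Azure Resource`, but the Sentinel entity-mapping schema names this type `AzureResource` (no space), so the `_ResourceId` mapping will most likely fail template validation or never produce an entity; it should read `- entityType: AzureResource`. The later `@@ -37,7 +38,7 @@` hunk in PATCH 5/8 touches the same line and keeps the spaced value. The Account entity is now mapped only as `Name` from `Caller`, and in AzureActivity `Caller` is normally either a full UPN or a service-principal object ID, so the account will not resolve cleanly; splitting it with `| extend Name = tostring(split(Caller, "@")[0]), UPNSuffix = tostring(split(Caller, "@")[1])` and mapping both identifiers gives the hunter a usable pivot. The provider filter `ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"` is case-sensitive, and since the casing of AzureActivity values is not guaranteed to be consistent, `=~` would avoid silently missing write operations.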
@@ -14,19 +15,19 @@ relevantTechniques: - T1059 - T1496 query: | -AzureActivity -| where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services -| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string -| extend subname = split(Hierarchy, "/") // Split Hierarchy to extract Subscription Name and ID -| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID -| extend Properties = parse_json(Properties) // Parse Properties as JSON -| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string -| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty -// | where Properties_entity contains "deepseek" // Filter activities where Properties.entity contains "deepseek" -| where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write" -| where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments -| extend LLM = tostring(split(Properties_entity, "/")[-1]) // Extract the last segment of Properties_entity and cast it to string -| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output + AzureActivity + | where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services + | extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string + | extend subname = split(Hierarchy, "/") // Split Hierarchy to extract Subscription Name and ID + | extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID + | extend Properties = parse_json(Properties) // 
Parse Properties as JSON + | extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string + | where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty + // | where Properties_entity contains "deepseek" // Filter activities where Properties.entity contains "deepseek" + | where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write" + | where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments + | extend LLM = tostring(split(Properties_entity, "/")[-1]) // Extract the last segment of Properties_entity and cast it to string + | distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output entityMappings: - entityType: Account @@ -37,7 +38,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: CallerIpAddress - - entityType: Azure Resource + - entityType: Azure Resource fieldMappings: - identifier: ResourceId columnName: _ResourceId From 5707108bcc45b666a54af7b61e8bca6959184a59 Mon Sep 17 00:00:00 2001 From: v-prasadboke Date: Wed, 5 Feb 2025 11:57:49 +0530 Subject: [PATCH 6/8] createui corrected --- Solutions/Jamf Protect/Package/3.2.0.zip | Bin 50565 -> 51491 bytes .../Package/createUiDefinition.json | 7 ------- 2 files changed, 7 deletions(-) 
diff --git a/Solutions/Jamf Protect/Package/3.2.0.zip b/Solutions/Jamf Protect/Package/3.2.0.zip index b24c462c863483f2ff70d91e43ca825013367e14..d979e61f5e696eaf9dd3405e755b2be9127fa79e 100644 GIT binary patch literal 51491 zcmZ^pV~l9QqGsE+ZQHhO+qP}nwtd>R?LKYWw&vWIdGjWdOes}K?d(65%9mP8K^hnY z1pwk-1=bhU0{FiQIsgHHv6HExi>a!mh^d*Sou!MVy&avEv%Q_G2Q&a6$ba_!*PyBb z3jpp1Qfxl>uQ%xUnqO=C+HbO9{r(1g!iBhpuLaVUTXx|^U53$|*J>}ZrnghWNgB)} z**YhRq?R0X_5gg+d|JFp-grtV(x>Gt$M%$oMz9C&F5SjMk{({h&*oeiTjNRsP1k&1>6~Ch0n|`MaAQWA$=T4$OAK zxT-U}6V0;xwL1PO8~K*4wi?4)>WIJ;Y235diy{@%(q?XwPGXWvpQ%Cs!L1H9g-5Qk z7-4w^!n&nS# zornqlgkr+)mC+r#NqLxDIeXj39X)q&eXSp27T?x3p*UV)B+|&3ECO9r9up&q5rr8~ zZZbS7#58DJYKdV4&8JQz<46||Ir*`B>z`m;JUl7vHAl1%7q(M1J*HTeO1Fr~3;1qQx8P?O!m_5Uz!($EnuJVjx zX`K-XA-a`pzyMh8v3-kz6}B%S=Xro4p&=tqsBA)~Gz=z?v8W0&96?t}g3wDKl)U3|^1-Rn!Mo(zo@0Y-{Y$OpLOqo7#7a_%qpJzchFc>bUxuYV!&z@Bky%W5> zEsiS^OWy>L0N5P{Su)93yT7j|Gt>cwP5dXcTLJPp)0{GPe!MrrSb(-f$nDl`;)QJw zD4Xf^^$u?r8`4p+nIrRv19Zgj(bvW=?H~jB;WkCmZWA9fkTCZY=;m;*JUnJHL!|x3 zg+ysPpnH`6@D~S?`>3ykj`Z~Rnf`Puu;rq;lXR|lQE~k_B?pNI1du3|4_Ha(p`WW~ z$q8P`t&)C#2nKvPdMg~ghBm(QN)+n{h1x}|ir?9~{38;(M}8pIx(Q@eqB?@1+CkRb zAz_Q1cWiG#rF!eWyS;;|ng)f>Rs|gd3=3ck4c`FfK(If?-hXs~CIWeplv#{S2DxrR zBWk=J%ZIg)GuByEWnNd6Y^C!kDp;}0qY0!_dmg`3A{omsO7HtzyDnk*PGzc@W?a_{ zUCsep`i%}!UI-DlY!jhY4 zh5lk>n;)qwP#_k1A_GZJc}Lb{EOzDxrKYamMNZLRIYup+w3$v&OqzdV8zbk86Q& zwlx|iC!|=j+h|ektGU{#dF_~aZ7tn^-AOIoI+wNUoEDhm<5D#(f^ToX@)27)O~q$K z<0w?R%1sL5^_C~R#9s$6jbm`#6+ptG&KhF6Ssi$vSme0JjY zrR9s->cNcCCx*Z+J^_l(vL0e&Y*vdx(18PtxW_4#u2v;XF(TT8W2Q)b&W`61f5PWG z3tM4%(%XCGB0?Ag2qvKcQ35&JNn(err-?lbi>?}&OJr?=l8p8N!4$vkWH$gxj=Q3c zj1u1b+E`5HT1t_GZ9~qTmg>5aRbk<8#^Ir% z8u1lCVM>r$^tA({7e6@;l7l3f`c#P0>Ra51_8c=^T6dxu2z6I{&PM)S$BL{&2ZIfT zZJ~WuQ$r)GVaO1YD^nzB?UX{bmdu(oX99Bz;e%iie&ta&zK zyXNl8LVD6b&uc6qjRsR{o17ynY>4|B!_Q(mlGlgNbG)&Y^o%4XGckgFtN zfEU~EQkgeD&^lBQ;qw|aSj1nQ?f$w)s4g`)98cXX9F7+(e1Drg3!JO8z+%k(sz73K zH*_FzSNSzTVx|$Acu|FgeY&ey$s)?8DNG~LqzwZWisttb@!){M{Ihjlla;3PpVvR& 
zdPne{cSjIk08f+VTrAnQLl5Ce&*JdqKe3|mcu9&KFM3L2WVL?B)3#Q9X*~`2 zQ&~%Gq4ZX(HV3+^&MPKWQCBynDwuppfZdGANtNrXYBu+>%72BEDH$433@o)o?ef)W zDPE*y>l!WX2$-oT9eQuBDjW(BpY`+lf8o!%+zGiQPplt{P`~o0lY5oc?V1Jx#Sl8F zHb;dh0vg01?-c7mgajkgb>_N;@sI~LJb1)XHAB}AGy+=`ga*RC&ZU_S7()qTG}B}4 z;d+qKz$ZJb%fCZm@7VBa$K}*uUg0Bovjz4h0Hlj%^O2jUrdn@8YUR4}M?jOajke3B zH`I)BmjokS=5WuI5L_fl(JO-zZuJucAS``29jH*8i;~`Bq{L!Q!(NG7M3;30&uzQA z5(0TcQy3yWL1LmqighR-Jwd7ML_qUs2d%%duirfMk&;()gZ^fI;i$0t)0upaxGKCa zl@_fkavoY|PIqASb}9gW4U9&*gS?LuTKE!od*5~3&06kLU&GvmW0!9`Rz1O2`VU+@ zFLFh^-Z>NM6^8#=X72CX=6D9H9L^1poxj_($7Z+?A}c~|DDS0O3ucv#`udeRiCI?d3Hw& zhNdQSoB{e0q|6_s59P2i-)p}MJt!CU)iO3dGb%uym}Yss8(jB@asM}m!`YhcR95q3 zaT@B~fucnW>L;8t0`M$c1v)?m>DH^96@$r>6OGddRC798L3@97bQFFji;YLoj?b4i z(<4nTt)cYiAXxp26Z;=iT`Vn-_i|VE=NVrednd&gB7QwurQDJg;>!`jAHDN(n%X7C zbg4G}ha)b98sF%pOWhZ;(n2TujKfpAH%-QeK}L6HmF<~ACz&4A%*-xJ^-dIiihe%W z;*MQ$jNC!~yWL+v1!-`Iu@=1LI4A&sUM>Ith5r+Iss5kHi})|{+8SEgshHY2*!&B= z|KG4X{x9hMr~fDHUiDl%9kwS?y!jKI;MVgYuf9M^rU zL&1p(A#I{mo`mb(@bw^e(L4Ct4Bz~0ny>kP^1On&;Tt9bNCc7e(_ap4E9WtQRW$wTU_>q;n`u|x(pBO&y2n6iM ze@A1El^8awF-z)JHW1T&O%^Z9vmngQTWNX*yBkJfhY0$4e&iiO1_9SyEV_IU1E8O zYv()9yW}9*^lL%jq=R{J#=*WXb4NFNaUyg>Bi@`X<|xw8j_k#NdK5MB^*tnPE(mNPb7 zuDSF~Jg$C=K&{y}u{TIJvVF!?ynZjf)BM~RI~pv9Mm-I7O-db(7VH~`cw@Z`zAZU$ zW06RD0F{q4m?x$F4!7BRp%ENv6cCK88`#d^E6)Y~k}$E$PWyw%qZPQxd-)Ov#}!U) zx0{p07Pz2QLD6_zX>t6a%SAM5wP+fuOtFc2kTDZoP*~Hy+CkcIYd`soG88MI$cgukSUv&rNTM=7)P| zCjSW*xq6reL@%{FoMH(_P>T?`N-lb=(3p@(5oMC(advFFdcdenRCQs|+n3f?Xs)&% z^}n5_Shd$Z^9_EGj7=omD^R+t_I^={f-pbOJ%1-^f1z;am-#-`>|a4hzc|hB2&uIR2CoI3QPVq zMdwwTes0;W*Hb6%Uq?9dG-E(!UYN*^*dI+sykNL$gjA}RVo{XEtv%Iwwd-LZJL%8L z9=aV5aN6g$?SgH3*qP zLG!K3ddOpFGxuaKzPqavXl495 zvK#7$vH2<4Ls^{UVqw8wI_R@wRo%sG|+2hoMH*b0p$c8Pph82IC)3)SJ{w z2YRLbAtltZf)Lj4nLx++ESwnb+M#>L@=|%Sibqb6@`O6Gt~~Ie2`Q=8j7LtlPYfnO8a`1P|EYlJU6m&yE)BVxxtQ?cLmP# zT$~JXTIFM0Z1AzOfP7a}s&9M8R63!4uBd!#2~g^nqOkua-B9Wm$pwSFl~8j+5e;&` zXhyf1ClV32O>rS-M%F|I8;Kb%Pd6IuqqIDHi`wBCHivTZ&&q?>m3}@vqu?I{fdP^t 
z&55c$FVb@URW5}^9^R%0*Q)6BpuCLo&o}4i?XEsvE{j||d{}LxxjXHqZg5;)<(q`n zEsBcW)|!SS2epf#Q3t#f$hU&7_jnBK9$VMAxpG?IW8uT=oUAi{C)zhH_l0>lJ&k)Y zv&HSHqTFf!$`kES=~hte3^Co~sr~!ah?xE2<%O3tKkH62oHuflYm{S~X*Xvsj>~8` z@)A$gzn!p=ZBpn|QLnO@9=j_4KDmB|BNMNe*t;1pyu5?uBh<+fuN4;N=k$3zd3$nU zs-xIp$40VGrBgw^9^l(__I`0oio-wudF}R@hxhr$_aN6R|!NE~S zxxFuIZWBT;IY2Fnz;c~wF)RQt`~!>g;31Xc#gA;G5;RiS5XCWKpdCt9snAi&Z*E+6 zu&(x`hsj8L8-f!$?u;iiYUG%3v6!m`7TYIh^Gb>ApNg2EuqFesO&8TC#VJ3cPaI)7 zoQvjmh&xAXPK?i&>Pm>tH*;ZFmM#?<94!8cm>sHx37jfVgQ#C>iONcmq0+M`naZ0@ zZLA+x;2`yUq+CT|p=K}jOeI^{a;0G#ngNS5l zC9lR1O(vm6zY?%msT!fq+LICsRkkL0j>2s*kII=eXz50fZzdYph9@}NnerJLLmv?sphbF1#xaTkz`2p`R#dI-$u4e9C zXLfQO0ea52Sw_e@KbktuHX86Ul=SHPiK_?L4Y#1>?yfjAA4DNfw`x{A1etv!LL z_gRw*SxfSuWo>>K`YPimHaQ}cZ`a4jpd`HWzChlQjagwCj4<&lIw5<%Bc!1piCNb( zT^X~v@<}IwlZmL1n4xWABto1mgCZFesH3y`9`{OfbSw}=jFngf)QHCKsAI~B1IY524KIslmy=qUx;_~!e>3QYTrntgb~l`yHjlNpk6HteFOF}ff&D3z zuhpg~+<|d4SX&_PC*+P;k==~%j5Q-gwE<`1IJmWlTUlOznqb*vqD<+D7#D3L&jL;{ zfa2co2&^;qL(G6zi{T+g6drpG$;}Fhg)PsBT(0ZXXknHPIxEH%e+eVAB(;0twsB1V z$m!nI=;IC=MA_t3yTX3c2ElivUje6YyvzNzz@K3E8HmMCjMzHvoQ1?~LqtGz#Tzs? 
z-9<1waWn#Ed$2`s9@EWq)Y0%BI?tUZ{EELh^Rmgm-^cog&V?&yE)ww#wHTTUcqhpd znQLH{PC{rSs)&4hDpb$Qi_7CAs zzpln;1Pygo{7$dvCRf3hSf{ZWsXS}4;LYTYxp)|)jju5>1EOegQ^+}-8x+@;MV0uC zsOb{u>inMAATE0h6tma|)mH>kn4~-j%WB_E$;q!>DH(JI7gkr>Qf#;4%MzlbCUt_CabNOvv%Bll~Jo%YrTb)ZS66UG$r$^VI8k zC?qR<;*{SM?n)7&$_2DDP4P==k8ulI={kR#PlQg)xF5>AayT^19&!Z-5}z+=OC=7WX^TLvk05x zP4X|gJI-0!lGKY|+By-}E)k0xwxwGo!)n2D=fHM#85V^Rf%*S<*t>UJx%N+ImGSdqIw%|wCU?#uBP1& zAN0?3fmeL3@SdG}I;Zzg@BH@3c}ZliIvHKK;{uX(d|Cm z=JY+Pi9dhKRYUE3KX>u*^>Xs@+jhDGQ3{Kj9{+Y7vY*x-+Pyw)i@tVyFY~I)rqqhx zt9i5IGRgpoHDs%#NI=e{T@{_95yu3TfaYl*QI>~6!kGBsSlzTHA+a9&d6k99>Pq>w zYb4AV5?1ybO(jUG%!P4is20L_js)_$czUYMQ`E)ucTAwlCp0(Eo(jf5k2$9uuKg*# zN(%1~&jix^&eugA;|;{w)bUq+ly&WF8VyreZCI znpXh?T1otiJ~5o0*@r}2%~J35w`4@OxxG_bG)=0;(e_enwQ;lzPX|NX^vt=H-IYSY zz+c+7>aBb)H>#1yEg;Y8N1;F$G3J1S-v8iR^zVn3Q+-a=Y_WxURlX56-*foW5tHh4 zc`_%3Z)IWx!k2;>aqILGoCGUlTgf?`)Tq-$wB`>9xbZW>a*L(nlFV^c=@HwJ`kfdj z>>q~_wNqY{;v_RH7P(%9GK#PFt&sG&FQv9U(wl%mSPIP_YMRgI^v`83Lj9d;+RK&n zM-<7C2VKwgx=tN*`lXii(_LxU{W2#xtD~$MqOp<=PpWZB#q7F8oFpnv0@DtB|D>Gw zB%Sy#yD!rYTvjJ8t0Sk9@9k-ZN_fW=PQ%jfp2ndKB0v?M6xA`^NqEC(IDP%s!prmv zCmPA0iK$!A3BD=G2TJ%_TGGr@`SjsOrH&Qpzwc=!$q>B;AE>7+70#GZ&KOLP!=aqe zsZOXRh^wT>WHl7zg^F}SBZnJYW6j5$;H4d4rkr5!{hDwyjbQa8;d|OQ0W$rl&R}YV zKBOIhri82XplYRG(|s>@?&wr>(yIvO>$j}^z|J|Vrt|XT5!hipg$!0$@1RJpO#(*PS z>l{?t@!YcEPuxh0H+FUUrRh;7zr=!-V8Q7xsx1(&AI|8`+qj(4-5B=(*wF-S1Z(ZY zixg_2behE*ncD1BVjXr~WqYL7TBSPYu{5^q&Q;f9BYCQ{4yYa_ioJxVh?{Eb%JX;n zt9Yt3+^UKYZVWt26^1n=;%2Zla98&YYpp!gd{{iM(cFb85Fg$}Y1DD~>myE~o~(1V zt1@;)QqM94*t4hiZR_Yw&6vJJcUTQUi5N?O&e}DIi9&lIU9~#^$vZ(xStPGBkN}0> zL2-)`Wd%Qt1XWBd2hr~~Dq}E~2~89Xcw!@(Z!@`U`o*P8#_JdT7#V7RL2sWfsB#>2 zu!+@$n~AJ8ly@4fKcRW(k@!M@v!h4K`DG{dHYF=eWfoC)#=k7sqR=1eIu%9PvHfCj zJ_tSdoPJ%|sZ&u*Vs?73@(Z)e52FOD@O>Qh`3B4QKJ4UZ!(juaBPv2m7kaS9>@(5P zj4h1WVdpaHUhL`?o*9gkvqf$yVr_RFKH^0p>tD02@Y9r*7b8e62fM^DJWU+hmlywA zUko6il+6dB%4sm(;DaVd+q!(nltQp@jsZUT6Y^K!BY8^$qtTq;IbDKzNydvX1Sukg z2q<@ENFraa_c)9B`2%VqsB-mjgi= 
zRhuo0U3A#pYl_y#GA`lgLrwX`p+Nr2iV?&oR1Wy{#jUq@#X1tv)Bc%!D@q6lT1H-h zdpUS8W#kDKT1AiTLdPZG`V9ng&~Z|SLl}zHQKqUqv_+c3AA~;RYtK8Of(j8joG?_s zJ#H0*dKg}|ZWzxp!;uEg5-17P^U59N8M*-DR+8CrGb*kkWTcrv!$TXKyUv3SOml)h_> z?vdX2L$9*ML`%y_j3TD$B(8#LxOb}xkN4GeU}gWByVZhohb?;avv>)*%_*hu9~7^< zfNd6Kjp8_$jNB_~d#UxMxhl2~_xnILN>;Tq;3kGvE(WDAE*+3Ll%fj_-{Wj{KJHEJ zOQUn=bD5p4)w{NORibvy$I^~lGDb9HqmR{9=QKWcHH(H{F1%&Tl_Zu@*9g3 z4_7%Tqbzx1l9TRKlMpG+L8KuU+;(%NN zvevUTv02Tmi$Xje6&M_|G8KxcAoQv54bJI?Q-w8SakqOssHiCyNn`-kgT*(rP(=p+ z{J4#3kMLPUrw;!T&24TNggCn3O;Evmv{pb6_J@Ts3J89OdMf}eN;BqDE36t69P$@Z zUFo5mk@JC_!u^SYoyj==YrQ5rJ)Wihv=H~q2$Z@)V}8&Jq=)A)5L)KCjtmc8_==@6 z3_r$yDm7sjf;<&6y@a0rPbC! z{;Tz3y=F-BB%r8bT5D53nU`hXPTHoX*7tt6aG}mnOrBOV8W$3citW4V(O*x1ZVp#x z3#a)f7?vqDlKS0h8p;h%ADVi4uwm#@y+8Q|(OA0e4Api@iu`%a$=BA%)0rc5*+b%x z)nefi5@=BEelbfM5HpmJ>}9QHbY;Vsj|TRPe;@BdyIuUqSa?70OIWljK%Pu#BC_gQ z?hx8bb`kVI`H+N@(wl<@kdkjJK78HpiuZjxJ?})?v>5#3we_>)s;To12uBTF?kY*y zYD9v1I1yKrb;Zb%@*X_z=1t-1BV1qO0vfl-+uXm8A4jJU?I6EGa94Yc?c4hlKZ2|z zvnB$J*8Ml~>)cDhDj46k1^+ym7ck5}O%~*!6j8Kd+5JXDL*IvRAe$wSKq-4l7l@w( z8*bc=IN?!7UD-HrN*lAZ6Lyf%pLKfWQl*0l}9rfSA{x zWs)!~p~YDI*7rmG!L9x*y9~Xj1+DjP62^^JPW5XTEP5{6#PMr=M+tIG5^UN46hQw9+vm0@4@Wr&sa*Gh$rmV+}mBoFD;3| z7WeBU#C94sn1~+DGlrRZF^|nVQHu^VX`az{Chaos%tX`*zj4;h2sRXtu?_>Ybd%z; zqlJ2#O4yC@OKCD&gW70JM%dZ5_VRkN22)AU4bW5RrwYgta0a!F)_ym{6+l0q#u6sL zvBny0#uAM2mm+$LErO)^wTMm1TSg+GbUgJvyAXFmWW20C{)|h0bNFqAKqf%)Gx4K2 z{*BfUekGi4B5pF@2qv24P^-ZbC|{Ho#&At19~-BP*!~SeNrc~%fgwQ?w$kzKp^cJ3 zl2~0Ym=+55DvWm9NiQ2SD}JZIk}T{dtZbI^B%R2Wc{tipS9XHg@5I--gCNRNkAo&n zNHn@Qpj3wl6vKNc6YsZPy$)0a6>V0e3$v36J_Q$f+Hm8y5q*fhx#a-xT3dPH`_L1J zVT+~F1JN`C&X@tZegh(K1LIM_*Qa>kRI4(#C+vw}h_0qJ)nh-Y%-Tg7a8;KHp0^Ut zt?(4hiGa$kiZanp$4y4M0+=A%I|r~W#D(N$I37rI(grZ71ei0Eul=(D*{i6*=d@%! z?-g`zI8@v2-+i74Pf&l1Q$WXCz~x|>lbXkbd+b(2I6HHF^1LCowvcsgugw$`S~p?J z0&5Lo+e`Hg)5<>&LAX*vxfv*anb?pNi?x|)`W1h^Lv&^`tS(?)#^55*m~DniCXQ{a|GcJ|7pmBTyod#=cBXUw_XimR#23bY*2fc-l(D`+9d^;8PVsY}! 
zj5^*d3l=fsJU~?8bIIEK`Z_)hNoD%_FrNA0R9?#HTJgcsshEF^5Ov_filZ-6<)jY8 zk@A%VgKYk6Pn57tlJ{FpXc|gbH+in`FNL8KU%%X(*qldi;KZCbzaQCI>2Usp-h7&r z9L+?w-mRK5Z)dWRDH#c6x$R$^9JW}M`3D8d`+zR2cUo+Ny7~B*X@!5U1K4@6XL7X# zI~xgzeeYY@j9e8@GEf ztI#6L(hP!l3|;K<#@yMj@GoDS6f+|e`nrGV=2x01;#*v}-rhU0V^DfOgk^xUpY?0+ zP<8DE99-DDI5_!y?2QsXL18{rLGR&*2Cnd~7Mjs#&$}XkAv)?^Jg=LnhsVa1Hk`+@ zcgEP@WK%)A74^`4!x(fz4E`oDdvdefK_ckB(buIxJs-P#I6g0Cwr>>pUc--pQ{Ug& z)_Vb8Eso9?+c=)_Zv5`-CfTI7qUP77=n}Hocuk9akNx!m3HK-OJxX=+b`&@9U+Lo` zj{X=qvvW}EhVC7~+XmwXJ5k+NrA~a@o2Sh4%gmum3I9{FaNP@7X_!>c)R#a1Qs3u* zyNk7{aY(313khAGWp2D7N+IBcn53PxqY)HxEMS#jLTgKY$ZM5+mu;048(^MAIkYQ< zM(V2^cHI<<(%i^HrdfD#_jM=S_j*zhF_d{TwEPB~RvTHGOTCPn5-u`Z5_#JJTnd$~odD=p_?B!%76d5+%4Z zgHj8{$06@DHjoUcFXBT(f*?^OPX#MD#;mo)!$Ok|saH^ro#Qq5ZBIeM%U&Bg;uk3x z0iWPwp!O1Ub>AnZsoz0tYJdZ=;1;VcS7grei&J!<#QdQL*(<>B6EY2*1eoI(K>SL9 zi!&C_YogGcq$r?Ph|N;=V_xpHFe+sy@$X&bgbOqq`&rlNS4}Kj{$?0uW`ptH$t
    ipg!OjbuF;V)EFFO}MW5=dADC=7GaBa z$22R-q7saOs5);@K{7i4K;%&&cS26}5yRLl(o>>JXhgbWjzn{HKSMbrbp-#Ox0;lu zu_FrmObL6cXh=pTjKV-3dv|vi<0~tMl3%q^1U}>f?{nHWTdT80C5SV)Jo@m_3_&)B zTftl%qTb0zHY>R_{QKwFd}`tO4nli~j$j($ZeC5qUjy!oFzkU;!CzOlDx`t*Z_?RQW;h5VzUOl3Tad60#hMbXa;3HiRe=mQfIreCD&$B~ zrdr(M4CKl+)U+qD``mDIbR(7wTvX$eVW9!e7ya&6pc?7Acvuw&a`6GXMaN(WXY^C% zQ3)vHcZbmGVH({L2z^yt!~ytt&hnHfw>x{EQDM=!Vjar4)G_>w)_84%?--zb4St($ zJU^PujLos8RRp?BO1ktnjG84eDU}xpnbjhEw&7+=Gmb1X=nu4DU?z;MzaF;YSTnCw zgum<=rb}f;iHwU&;Fed&bSNwdpmoK{u#psRISOs3B2PPlxoDxcLs}e(WxVm$j zB_-Tr{RBRySsh8207lRO+G%3Qmz6X;HaIEZE8qx6P(ZcVfA099G`gDI>>z!bLQ zV6}QleWZ1^3Kfag0?c%YA%ielXL^rwdp{CKvmi571t?h#s@-u2tG9We>IvWU zteH`Id|3X_L3Luh${tW+#ctr=DDr3Xu^cA~86q5V7=m&ka7=3u_Osj-f3xKp8n4dG z)?;L&2A^PJy@@>C3XL^8g7Prdz$k8bq%fciOd`O-!W)m}cL;*Yz<5XmJXX+I1i)l} zw`(M89qAVqDI*Q5t>wBLX~7&&!NyyRIJc6=xt-R=o1iALr)CnIFBZb_qGP6_R7tss zV#fRlYio3@3@e=ORT)w;GpaJAY-U4ONeixt<2RM!SC^2U6VXf5EZ=H+Z|=PRD0H9>H|+j2B(jk1a^`7_#`T=!s~*ZC z*?X`2ff^PuLSuA)$o+ns%kr}m@}cKh8ZYOz&%Xz{s(ts3;V*v&&e{YZ+DZRCq%e-_HhudtZf>&+f$1n9$QEKd{f8F4Ai}aL$Hzr zE`P5ER^ymz^fM^kI^T{V#VpM3h|BD=`CSn_SM?e@DfWuJHd*r^t#V+FWishin$)E8 z54p1fbysNhlWetjsP&%FBil>ro1v`RiuL-w`ld{6N@{71AH8v4skUtfq+eY9`MyMH zp6z0*|7NF2`&+B)`@g1ar;F8;IMd{Vn{(GZIm4JN9qdC|qmtF0K+&SbwuA2HE*_qwwcV4p{3$LC6{iTIb$yWKdKkE7NC_BzeG zEIm$A&3)_?MZVXMQ<_P3#M6)&8Is zNyz@(1=u8WQFrzUfv27l*aw6au`L2R5gEd35Rktu685}LyJ9MB;ZP_P4s}s8>qMhF^$+pMrH77X9^u*O3P96h7 z;f3tD!fhWVO?H`hnsjVfCJs?e7FOoav{MX-!A#Gj|tx$ z=E2?*{4*__>0G~_i(<21)l-olPbGLY@ugLn<<;`mI&x%~*ALY*0g)T&?bmLev`1n< z3`8**Ob5%ZdsAmL@Q8P0T|E(l4-rbTCjt{hJBh(#=9%|JzlKQFaEo#Grw4N#SD4=&wI(cEnVEThIj(+CKhI4Xmfv^ z&z`;6akKt!73C_}AM!rI_cMxEv9(-w?wlPHC)^5Ph=`40WYs)oB@mOJa}0T^0l+w( zSVZX3<*;c}!>OywY5#twnj;O0PIn}Wh2O$`BNyeU*heJwic~*$uM@RWiKp-29VIs9 z02s}CbI_e3Yz@LN7z^AcD_RRBlqO-B)7G`KHdI{A{);5wFB}Q!?xRFQIs>tXWNfgs zqC%uU_Q(gS2vN6MXsQ4x20uRS;Kp#4nX#BQ+6eTn@Ik(CC+xQjiW7A`5Vp9%y?HVK z!U*mxi)M)N=7afKbe8E(HpfrWWa7N=*hs67U(Fe-G6UzAsKLnvb4#UXuxaIv(C!G{( 
zKrA5GRtMa;mtrf+>COD18^%QPA+wK%3TPU*nF5Q?w6bX6BFi&kJ#%jx{}EVV?zs_I z=1XDAC$<^3UlXQI7t_^#Kz)2lzX55VYihM3_wXOq58At zMGDJlD#sjZQ6DnsF~As1YmTZ|z!R8)m97o0`~dD}aM){J!)6_&9rC_OIZw~*NS8ukz#EwR@5y>!u^Hh&KP8Q&N?kh#TC#DY-n}lijKdhPi=_13! zq7fuIk}_Y?K@xju%~M7n>?QKsxyH(kUd3X`kEr!pu6jK{YSh!wt`3=|57N&QCHxm@ zGyjBEfSfrrlEnItp`ofK%S_x!}vBIZ;EWS#m8Te-UmDtEjoA-2VZpi~(diGK0VFasc(JMRHdk{n$J62Etg|1wDn8vSrpv{?4>idC~k)| z+}0lUgZL^UdXhQ!*|{6H(x3vI!Y=o3W|v118Pq2%rxeBAfCz?*Z09LMBsa{&ZU&|( zB?A$fa04hx;~@ZgD$g57maoQqzg^dKe1DYt_J2}DzojF;?bcC5z0 zTh>hkZ_J3`L9$?qFnrDOR`TT5784gj*)kDWUGfF669x;8vH_f2sV6s-pL4X6+fSfc^bdSnL%Je&;Fa zU5dVz(Yo4ms@>U|$NMUrmiehcgatkbo{c`j4>fof^sl}UJg80!@zDEX!bHIX>$Acn z*{CNWO~^UyvjVI~-cEnkbLHsCiA%qR9_AmR={#FiEf>1~dmi#nNYd=Vsazzfyje^x zk?3>XYmj-eK?|2565y&;fQHllI%Ln}kkG7y9Y)w&*edP&wD7#{{tK%_AB6 z1GmUBOW{aU%0fT=jjY`SIBuFMdZ@&!t(ZfO$}AjuGjd)v*p0HjJY;a<#mRP9vim=t zb0gq6Ezc?~_ZWsRRhf{P#K*qTzE@xpS!@VQWR;-f#eZCYGNLKQZ*LT^8Piine5k=3 zxmJOGG?CW5T9(*2;~n+qfnn%3hHzsEx*9u7R=Gm`5);H8vnAjY3pXu?n8cUi!pA2X z&9ra-z>XtdynRl`4CRsK$Cr6a=j`Vgy|flt z+B7dEysNlGJREnHmkwfMFc`k4x365=%4I*FWZP1+p_)torG%SY5uIu~rWaNjQn>`3 zR}nwP8b|L@O->-`=A9Md`W*DuUooia)4a8pn?cTR?bt50>63`TtC3v|GihnIwF_C(xML%HjC!a=p=IXa)} zUJyz{=~lv-H|bX9*&5|u!RWIu#~N1EWgPpdvqZ0%i7K|4dFgUb(@q*qta*Q|7ic5A zs-5X7yGf!M_LT%>XnRbLvbb8xrgP1Prmuc91HDZKwZEj{64J!5R;QraVxIa^W~>(> zO>1Aw#9u0>t}2vSmKqyo1uv{G_EC-n;zp;}DXYkW+iQ`p)DoQV9_ibn+6@fL;VjHm zw>>HG4XSCnGKJYi_p&=aicQW`N8n1aMghM;8-tHF!jguhN4cwP0M~SlcdTi|s{X@o z> znKj=xQ4V^mBH}`BZ-Y)#%o1^}HQW#^)Ak3K_sah-ue|?X8>|3T!0RHk3qQ+Gz;$9E z(T9I>{1v(}&9i9=jPYNS#^hdQiqFc?p}xW!JSy=QAWat%-x>i%G5F_D_vn4%!cu9i z6-?PB*vN*874Sro&sN|^^E&X+8re38Yl6h<9$=rF+o9iL8OA6J z{7jV+gM>`I*btJz13S}O;&ND#nO;X;quo~9^1Zu3R`mOnw|n1%rkH3%`*Dyw~^J*n~Wzfr@cnu9NbPXt3A4_`M}L@8NGy1 zfnqRo^BVaU@UN@K^kH16Rz-hQL_K8Se0r8V2F%7{G2V6|!^~d`ipAqRJ zm_JtUd+4SbCL&eLmeV||s+6WEZsljOnKv@~HUdvE8p|4FJoy< ze@2xgGA)c5ErEck;I*W0GucVsM0jAlR&o_s@uDne&*m}VGqy`eR#FtQl{KQu&_VdzM&O3DO? 
zC8r5_{*drAT&?MhgaxuyGP>(16E_VujSgoe;89nKGCWGeZH8l_O+7JEKyLSKU`&MH_k@003zbY7vgqeXE za3)1JDDZ4M>zI^&F>z8dj0Ub;B1*Gl_`l}xRR=4~1nPB#f) zsn8QqP+$pT56A&;1(ZHYGVkUsy9s&>L-g>7!N7#!XDZm81UUq@=)yM+XSCzJEh<d{CgEfOj%^N;b=_cK^peflgyA=-+lZNP$uoG4hk18Z3C9KFR?DNIZ-G{)!f)4;@ifgb$9ddKx zA)(b918vbC{{m=%eQ@yuqh>DPa@8s12Ez^?vNw~s2;rNM6gI_x{+Oo;=>sp5ZXH8~ z*tOSPtb=|P;hV(}vp3>oxGYEoO$IN@-nK8%E}h}?zeWXF8?WsQO{hQ@M~6pKN2Rrw zD54?z7JQLWI71!k#;mG}(8*hbT}lL+VNDH^YS_mvjQz)}I2~>`$Vd;lw}O+lfM7e_ zKmp&sl2wTcRORoW^aYTwb@WIok+$*@c|Uv7g(k*w$*6r~-Z$DC=0e-8C9BdnLsExo zTFset0S0R=S8H|O`*K%Xt6G7w6Eu|!7EUd4OED{hC99Bjw*}(pc@<-Ha^HF!x&rVJ zqKxgRc?2`}OsK}@v`al&=qUj+x7(om`ZCmSBO$~)PB}o0C#B`Pb&=Z3XB@U54J)(E zT#^DL#~S17NpsE?z@cxqR9=c$g92G;$r)9|J^tX);=5(k7~XA_7trU4;QtLSiblCpBepq zHlRUBccfSQ@iur=ca+CrBkXVFOtt)Z_yU_UdkKont7UT3xhxUa3eg%YgkTY1g40ab zh)7y}fplbRu`J=XDqdEOrAxCi-eh@7gLl*9OwC&#r0ZskYuN?!O&BCHB+B zbUV6D)YkXYc#fUTnweZ8%^T3X>5}$0urj931c`H%IE=$LSVW z{$S5ak;bnDyER0hex>fJ5MK7NRD}fb|8m=%nFdZsy@gL}7Fs=&`SD&<9_G((rN9FB zG?{{LX~bW0!&a6EVe?5QI<)*@Bqrg6poSqXAAoQGJ!=FU+`a+jR#jFt4>6b{)hK&K16) za{7G;YR4^%E|uqF#$;5G2ZLYn{Ef;AFW{?@)}IK~Tw*axu}lrs53nnI_teOi^eY^8 zdEN=(o)kWodU3L)yBSQ;$&zr{pjnLS-GJH;wKou#-Zl*Rb=xO)){XTAMUl6k9dmq@ zNj1q3UG9f7_&T=9jmW3=y}q!!o1>p@ z9G9^&?OfA{9=O;sxprur;#|`PeZhbIW&O8xO%rtb%h}T|4?EgWa%cH;vcK|mKV7)n zFXO=2S1%8L94J3`bz#KagPP{wU->klcF|Xt8g+Da>f&4rk0%k|cKP6L=vFL||4i;@ zL;PXrEEYPgmG)~ETl8qp*3Ef&Nd7tqnIjLZOWHgAUS6K+{o1{s?LUa$ zy5~!n{Tg|OJ3Lqav;b%=Jq6n~U|4v)hf{CGS6 zYHB;2h-`;h4OtenebAz1o0_*NtgK~ffLWPJ)gBMjOV$j(pV|@HYkN(l0D@H>?(UJ9 zKjE3?V~;V-+*C?2?FtZeix8XxMc9MxsPMxsDi7yPS&FxIvyJvo$ugz%Eu=_B`ep}e zkcs9UG3GP+^wYD4+Ks8{i2 zO@v-5ZFvWBywi7-@!ZqTU%U5v18CZazGu%HPYQBZ20s>NJKeWNNTG3-fZIq~g@Hk$ zJ&mv~YH&tlwpYgj;#cQIg`j!4@sj16X0@p}5dcw+vlHX8(w5>1Qbx>L1}tTQ?sA zSFYM-{$B#{pJYP>j19>|eaUo7u%pyI?vhZ#QHBz`BCE+`T68+JQeZ#eT4b+8zpbY} zdeh4e2Yf2$n2IU;aZ4zc6^)v*2vVK#N;CFDH>*j^pz86q2_17HX#H$?Y%_NaMUTw-yxxHJ2Wbl$uPq45_n z2pCflySWz5&!6tp0A2XPlqXkVTpY3v{b{OS>=w7Ok_H@oO8m_Tqd@Qvi 
zNQZOoBBB_NQG)l})l+7yQbfEb(md;xQ4nx?KkpEsZwT9T*bJz3JgoH_D0m;aB z*0@*@94c$HhA0_Wfnl4u7u$iLm1^8{nk0V?&7?XRhcex8DzYx?2}*pO!;16e~92|zPRidoxz zcx*z8$PYNILWzHSS6z6Y!J&7iDJ0oN(GrCB@^QX`wQm%V*VJ*bb7Z_!==!kHvRXE; zRjlx*jtS>TZzc$2ht9FMxuY2!+4aj`8>p@8vgCF|{PxjzXnR#T&(W1Kw zm9+-@pXCkLf{|GfP=D#vvXX#FPzA!*XO}J|rugb66o1y}bPYj{r2|#?GNQ2FL$%$l zr?Oftm5(#C0w-!85uZv8M<6^y9E|Z;PFKXYf?MJuh>i^B6%!zeiKcs1w);LJ>Z35E zG!X+-X*zaP+&yw`&1fQi7mxx{E)J~siF8G(wN$vQ%HX8L5u_HbxCyYdXRvA88pui& zRP{WMrx&B{wrIGGl#M0T^nfrfo~2`Kn;y_C0f~&HmGRHRslXs(T`sWkVu-mdsT`k( zlYNj?X)19ABYH$DP5B9w7_o`AI|*=!VAGc`Oh;Z(--1zrz9UmRng(TRb*BNWN?W*s zGXbYU9B4m50tjDc#B?o7HmNivf{t6yEFG8QETs|3+b%rUw%Uu`*jU9$m(_U5DC>>D zdal*aA zh>%?-w#0JGE0yt z7|8Tl8}CqX7ML+7mbi;6q}-3ee$;(bn9j@mTUwheUlD(KA1gt=gk7Du`c~L2`$+*i z%yS4aTF4pEXcD9rapahV@+8CwXpI4u&+t6@uHARip^Sm=j5^9b6fyx{0>D6|!mcrk zGY$QM^m4W~n^&WzeJ-+fxpoAjpi}Mu>%WQ#LPk?CHnbMn(_7oqL_J03!1HA|8cB@B z!ikW4C%fgrSuIl%&$gRBMrg`VQ0k7DM>XPr7+24&672LngwV-8#h9XqYjezd{n;G! z_OKH7PAt|!LG<4#>Vr32x4{8;mg z5~YDT4cVd?7LTnP(ZZJXf@yra$n2|+Ima?OV5n`$d~sl5WelN@&T4m;toEq~?)7I$ zxRefA2?*;T3M}5cRBINcA@qVwnSzD;m<`j)Z4xdG@_-z$ap^XF zl!lQnkOI>0$FEq@QAY2C!mguMt7-#71mjXD!56VR9xKTZLp@EOVbTj5YR0e@z%hAp z&cW*`uYiXk0zuVAw+%tO4gyWmn9eYb@*VW?J}^Xz)k704>OF2Zk~O_kBW5vXEAJK6 z(!Pp8r1CvWk}RT(geH-C`R0uk)hi`V-Ql0AL%J(nh(@p(B$)ar z2nF;yB+I!rmZ?w+Y$Juow)@l{5sCjSKWISf5gN3tI>9GyM zilE>!p-63-A*Gdz)pvp_7A3is_y6iOBtmm@RQjI8Li}*2t;=oqDPW}oL;a{qAz-~p zOM$SS`_qv`KqLfO=vKQrdvo-zojqO?+fcxL9^gE^#FE<&p+eHEgje+CEwux_8Q}R` z4CL+KlI~XZ^L7Ix5VxH#*ceB><-Nb>3-XS7T*}_u@4=Pu{)*E7c}q*gc-GrD+uvE= z_&D_w%E+scJW~kRxxh<+)wKDnxt&WzNe2HM|H!>^&6h8@KK-N)_D$j?u@$iP&ox*u zDaQ2V$Ss;02k@Qc|4j5r4tV1grW`#&JE{Q~rk=dh+06mD&H{aIzvXc7K2QPs=8F#M zorAr)MgDVdks%`YG0#T5n?vhk=o2a0v3&XHRU?P~-FC+iom?zQQZ^fUiQ!e>6fSOU z&P^tN_5AERaDjkLxE7o~d(FG!l?B6=(MW4_WxEaU_8DRe%Ka;M>93IsbQ0X%jqZPT zZFAqm`oqBRH+bNg?(L1paA64A=;ISxycSeDk6Q6H5qpQ;Q%PjTga8OSXhbsEI!cui zGhM~P#IdO7tZ!?*mM6LAJA9fjRLcS*RWxO6oh)^>(>B8Zf*WjWCi0Ck9{A&f2IzKT 
zo>v2Icxa@-q){z@bXid_22!5RLXcgQU63!rxF^hnR&DmF#-h1#Dv1`##?yYql zQ?@}6s_-(Ukv~(D|KqGIgRjALau90eESGK+-A5~klwYS$NKdv{xUkyc{cji@{p`fr zLHZBwfk6Cffj>F(=phsehZ8K3LhCUPz!D7v+PC}1hrGP}HN-t%Su_2mbH+aE4@z}2 zMHTHB+g#ae7*I-t0pGYQuNwL{A2a7~_9nqLg*7BC(yip3vUMNKKq7iv2mO`zHzI?J zc?2yh8hip?QnGfC#$F4mn>4ipf#`0)sqIY&`5VwFLh9Seg42v2BWmit`_;raWPeD9 zhgF}Dj~3X-Wij<=K43K(9JRu4bi0{z|JAY8^b3_^VYx#D;{z|EMBglU=aaW8kkLr) z;M|6DbOu2XXL>@(1uU;9KhQSOmd_}>E{Src29lH&E4i%?5r0Ri|7w|M+0RNzKAS`M z=Za%PJpLKQbK7Hk?u%%ZDFX{rn7|2%AP49I24W6)Zs2*Lotk0)cf=C?A{yE& zcK5j+_Rk)h{8az9xz?RfQv)-s8CAaSlF&B&m3BiBMJL{=b#aeah9S-P2>ttir6PJE z^in+nXtXf3xA!?5$I|q2_b`oTIHGJVDhjHmxbc(FIV@81%jXxce$YZ9r zTs-$YQLM3Q=!d2eMNmU5Z^?wAu-;}srfw$}k|<09n>nTCN`eDQ8Ld-Ked#Th5S6$j zjkHp>e;uYkz1a!gsw-Lk(qbzsxKkq#Jb)FN?Y84h*ULTkUZddX{YGk5vSjGgSi11w zgk~+F6a0BWP-(sCkWK0Tr2JVg>Lv*+>F1sdp9LYs?S1W>!z~vk@PO0oV6RA>(&r|@_o zX#(_|W@_tng0g@*H47j2_BbYvrmR~?@a?09uiGoH;yKRj-AE8@Fquth-ig<@U;TrV zrOdmr0ou?awH^j7zyiK+D}khFvX7kWkQ9LtMVgGEAo+5YC}Zpm~fw zFed;5^ySiB2mN6@TyGYJEsk}5O&AT0VH7(=oz~NQ?)rU!8hm9HN`fQUBa=fi^>O+uvAM@R~BsgV_9nj;nD7+ zpgU194OQ2|MOR95v4YY<`^=U8XMnL1MMWfQAaE>byP*#ZG3IIpy7*zLwUWEIsY3BoEg?^(;| zMT<6ckvAMYM~Xt$*kfcCslJ(x-=o(^sLv*!fmP-dVo+?PYG6BMIxnZ1Fp(Hb-mgSy z4%Mo5!D`*avcc-r%`$O*(Uc<5L`GkhL*=9$!D4;yG*KOC+dm{;U1|M)AQh>?Y#LlT zn9Tim9v+65BS>OqH<>F(n%X9l_mWRUfkLTq7Q$lP(4+h3^|1XHb_w)Di z#HG0~p(B-8;iZ}ITwfuFO(s@X;heQkPBpHY^}j}REWWE~*z1X!7)I+%Jpq5Q-G?H_qQg2Jb@ zw~t@u0OG`&HOmza?VkHI%b`~PL$gl%Z}uLpACE&w^peT~x-CW)G3^#Vt6Vii*Mzt^ zr8SX$q{~E8WlOaO!F_+F5%Q)JlB#MQfezHCMI^DrD?f%rZy4S-usv`xo$KUq_g(A% zmO~7&Q|(nk&WX1vb{xMl0UcAnEl~_+B$LrsF@Je#>(jLE^A}ixYVGkEm~;CG3(cF< z@m2WmkW@<3S}pq%kYE9Du2xH{*t`J^WNR>Q;Jk|-2^*WS-gs|y0Yb-n8p^sJSgw@N zwI0RiwRuLqJ)=MGXFUEaw3#WP-+G)Ey_&^w=x)%+;u2}us=4U}8W>PzLFZV}H@+Nu zJiHXB!V0GUbtLcQq8Jrf1hCK*p@h@xs8E4Y=#dQZU$&_X3>297ljuzwWT3Q;W`8ky zm}|v{^`$#5fWRXidY5y2w(~HT$yF@q*MN~-1v=*6d__>K5M9ql--j5#3I$?*iofTg zyS%_)e$-OE-`9(gyNX_z6Paoz^)>G zz6bRK)*S?K{V%t&3)o9QJ6Tagjl3v35woH!4D!JrfXJN4O8$B&lhrVdc}}x*tK^VI 
z`S1w-4EkJ^xBmtniic6F*n_06ZO|-+46Z>OM%$W+%O6?>eLEdex|_u9y>AG$h#Tbi zDHp#U;MvVDO*-2^N_X|6n-%?DgI0RGy51afw(#i!KKh>=L@;{WwaE|3r42qmvi>$j zIbZ)<#KOFFOC@sTV$bN*sdkQiPVN5=``*U#ym3qIe}E5~oP4_9(uSHf$ETa|oul*Z z#NB!l56ZfHy7y~G`M#wKE&AKPZsFsdM-y@zWo@NdOIN!($~FJ*IQ-KdAKV@NvN@vr z*g-Cs7eiO6zV3k)!wZ{6Gd93EnAYk}Bn0DMSD8eM6h;;gbC|O!|6o?|pE1+d!oG z$4&M#k0#1*F3S~Dvh-h#UIE6!(aQj{UQ}J`}B+}lC zx4m6W%i&yjBg}g6_uib^WH)!lq|$Wozrlw2vK{HTb)-Hr@{V!#D4W+;`k(nehS5hQ3P@ZuI120oJgW4_B5SUV@RTSc(W0Gh+A z+DeiKSds;4kVLw8jpyT+bi1!dm3#6RpO>kzSw{xvB$*PcUC&kEoc}=^svkuiUn}lZ z9bXm8O`IHA5Pe-VRbC}@4iPDO(zPhO-vf*(%KsBr6TO6DAVb(Eld=ZI|tNG+$azX6zz7LW>JGP2BWJo?gPI(H7W?n)s2I+SU;gn z!3h_T`Zp~hE*oVjt{`>btVPgL+Fw@g`5TkQk&xUOQQr2j6UbquA)7H+a%#(T$s)5w zQ7n0yMJ3tKf~L$|_C_?M0Td3_XdhB4!K_xxNhi;&BU1Y;k1WJ4I-^Hx(SA8tY348? zhJ!=GS)zC<(`W}&MV&MRo9vLI(QF(*faHXa{Wwxsr9B;^jMk0lSI6-3Z6RaaH-8kw zh1PQu6}O5g;u^wYS)AI!&6R2jBwe671^Kg`ifO<<2iyzEC?P{r0>MxM?K*fbwX2&r zFlU6Zz&_7P+L#Kh9+lYt6Oano6J74nxiKE*Utz*SVzKoupTk zv==~?R3{btr+rK_y7uOPaxh;79Mi#cxV!)d6iTRDi)m-8m$X+@-8Si7u68vww#mi2 zsOqmo*QoYzS!(P&vG*&QIDTL#fJiqYP!Q++CbI1f2m)`xu8LwzJPe2RE~oGVhs#Pf z{%XY(EU@aGP@UBMwCN0H)y(`**vPVmlmRNw+e)468;0m^$(yp_4#kP|^8`@_ z!@tSUf9N*S<2w%5CA35o`y`-QrX+lv<)floGLqb(V@fD-qE=#bA*mN*B>>5!wz1eC zu^z;vg5P}7QEOnU%-D}g7Ujj1eMdvs+F@WoaxJP+9H6CU`2lX`Sn39XmCLc#Z0CNz zd$EUVEXESMI^&`hKgK+m2x7tUld#)kd!(#W|D*8x+nuUE-m?I6nJS)rKV~a5ZlD5V zBzdP2Ya+Q}HlV3kU&;VgERYo34AvGGHtp~zf+IfdKoU?Bw;Gf;htN}<80?&kNJ;X2 zK2JZ!icebLb3Bi@Q7nFZP!-T183pUta zr0mI>NgjlZ4ptjR0LigqR@J0x^+RU&!@yRv5N=-jq$tFTvpGb>yLak^5o-*CuftE^ zHZaQi#{tRMgCD2x`#N9mVbLVA;S5`98I>j*pS6`&!jW0gaCO+q*~z~c2!in=!wWZJ z{Zy6n0)MlFIy&E5GJb;GSy6b`;nFU~bCJ!qQpZ_YVLgSfaEE0IgRl<4ZYtpeWH z{+UrRn1_ao3MoLP_zk@R+k+p`4N;hqny5aKbT#V&uI^zwn)G);ny6k$*PB+SI4WE< zN=p2CN$?y(NHWt0T*P?Nv*?&@WeBBmg1WBD(+e>-%T(OPie`L58bEm4x1zz;ZHI_f zK*YxKf*4nEn4mvF&S$X5(S%%rzD=U#3S5NBOt@GZy;!&yut}?X z3Zs`OuU@E6f1b(REq%PD3R7UZSuIR~*}ns!HYAUL0c3Z*oVvzEn-tozehZD4w)UOT 
z782-5jTb%(J8fyE^rXCaqjHo4RBfuSZTq5XtEQG~7blO)|S0_>?4^YM}e@y?)m(&f#A~RJ)JZlNBmmx#VV1oW=T4enAE6Pib%a=AQN@o z2%&>Si*d0FZ&^i|^cY1YwbKE<(2OcZTTat|{7I|rYHn~NI~~MFt8KT75xS_HI~RyL zdJ%06x+I2SJ2{16djnE^LMcWms(?ycP2LU6x*P?|@8_C{Hh3bhPSl1yKhILfVJ0BvmZx0QCFa#JMLq5 zi0xt=#9f6v?HKvLtV_g|)_@ON%rRPG-2QUX{*Lejk-}$-LPacBCLvEi>GV+i`-hMh z?cQJxOKKG4<&#uceH%8NQIbtabRnBNZ*m7)b}A)_ z=!}3GP}{1EzkfA<`=>Sp@5#W{Orb6kO#P#u*eMQ8shHzEwtwZPjHCqjspx{bo+to< zws+9ZPlnk|0vh93iYS17_1rw^$fw6OfRuW%X0jG{!@KKdOO|4wU=Y*0Gl~1xZ@iK! z!9WHi7|GGOi(3L9r|feo821n2#9mnAD)r2%O%T8_J8D^u6tHY(3#We$PBMF%vLhz* z4^kIS=lAYVM&f;EpnSVerjm{6ySNzqSUuP?$j-_O&|DyC8@)D$wiS3GnuuQSx1wu~+SI z4)8Z%Otcqc!M}0sFnc4qG5@Be2C8cP4r7i5qsI#uqE&^Bl&;)7eRyMWSq!4lAM7=T zaf63-5GfDZJQ)-353pW>P802i*zPgy%y2_JbFKd7b0p}4F^y;78mqj1nBj@*_z zQVB6;2^JpWR?iEx2)buVfUzY{3)*E^j7sp<7r$Gr4(erGV{=nGHfZ!ohr5H3B8f+ zlbP&7)r80`_(5h{YG6YKskhCg8f)>BRELHoa8+m4m1wSa%wGa|^vwdT>ClUZH3nDf zJETap2Cd3|V+OOze_ZeDnh_6z(QDDYA5B`xF95#M{KtGUyZZja>)aR*W^!^2A{Otd zc9*TU?)|O8yeCCjBD$^c_xjWrB=1qe?&y@UK5}Mg?Fy79zpe zrfJ8^@FS(;VtB`TB}|QTpl&S9m-<0s+&lB!SCpL#jPAa`xcvmq#nlYj`;@2GG`1=G zVcBDvs-^aTxpzBwwAx7H(Gzu%(T$>V&wpIufURmy#WfR^FC407iJ4Xp4-I;Jt|C8WU}>MfcrZtXumpYn>}ZDa+)pq^EKM954M?%R5VwJ8zs_Q+@d z92^Sd0bQLQAqw?I_#t4-f%TE6Qz5bn!;jh~m%kpo9L3Sk*L|+v;t0#wK>w2h7)&ws zsJ)d7e4YmSv(<*p!RPo6zvVCf&hE61`G65B@SI10#c^HoxhbKs$Zt(2uH#xU)3*KF`ZD`xsrO zhA|hPpHPUW@zD~The2xqrm$G*hlzOZwY$LU>g869Im!IM0U}HIkM$wOJiYpZ$$5zw zzH83_cjbWg5B%8q{hXgy;1X_}roRmHRWBquqW-peyg6cInt`I+<}Pq1Xtiw8gZBZP zj8}ca6@pg5sV&%T7qPH~OS=0NNwfYAF|afsT2%p<74!`_W$avx1o4%4s5BY3<*p;6 zi`3S6TjgGU+gx4bM))2XiT~=Mg#pp|4njeG)%@3T6MOORwm8Yoi@>mDGO* zsB5Mr`8VI|3c@m;7u>&n>lS%UCmQ8L$KCQy17lnKo^?;@GbH;>pC#>XiF6}rbVd-G zPzmovd_Q=~4{|$^^k~i%8di|hNpAJ1K(1@@E521i>hO36&%{O5e_KBtnm&(VB z1!#Jt5fG?h)p}{c1xy`U?JmO0BQt}iG4gc2++)_;Z65vf@9qfG3$S8|eCl*2q=?m^|I@*9V z&z}88e3s<*>jRG92EduKI(gA{Zd_~$HEA*i86VUaVmCNzrG!J?T-hq@ufIJ5j%9zl zV+$X2g5hRy+-)7-Wzl)$4rqE}Y_XAOpuuo>a?dnPF_a z#g*N~X_tfNCa2wfxYK{XzsAEbMMm_-n0a2vvqN#zpJd(>6qo8eiI%rtFZ2F`xxI_r 
zF-$fkt0qX@3k5_YxR=;*($8yw1r}?J4T1Dm^SMNR6d=o<_eIiKs2sbo>Eqef9e%!% z%AQ#GBNsh}uu}rVziTPvvOXWw7=7u=_mW+4s(07kC*qyW=!+ctX3gzE{5O57{#ZEM zleQ-pbN2J%_l5sM4P&V_!1JqEhByfy{NvzdlbeepqoqMU;ah%buSGsGpS6-TX#7xb z91Y*u?HIIQVlMJ1U5!=HcvAY_-UHQ^9f8&8fQ2eSuS{<@zT_8TGPzuolTw zM)u#0?8}kD)6MJaYj`iP>@wkiH`;pu_o?v1-+YaWou~^lJoh-VLpnRxG5Z=}Z!f5o zV2m|nT>Pvg;w?@NyL`J57?p9ivW||s-mlv;ny17ntu|%dRkNE#&fK#hiYPV|9zKnB zih|jfmmOZs9KRyB@bTc!f4E-{w^IjK^ZXdj>+T?g;slm{*Hl?ibwtLZy9*jyw=n1E zf%sr^@VT~R^gdHkCMDDIWow_wYbs~LOhl3>u-jTAz|~4B@PR`MC8^hWK74C_Z_*p= ziGNgokk8THcK@R$kN7zm>kU5fLjKJcb+dSlm+zFLmb@h6ySuB(>4*q4L>2ZnRvgwp zR8;7Jz!48|lTP53E0)dY45-f%(Z!58qv00+dyIC8v>|13SgSu~AD@D!+Svm2Mquu2 z=^n_>eJzlXc5mnZ)%-T>1zAeg!m47=0-FK~zi_JE*n&r%DBI%`ZZDM06Kpc~_RX={ zWJxSLL-WFsd@b*Tp*&Cr*uo{_hW~6f8Q9$}_ zzPdGOwj%T3^WmZ6OOYd(y17|)8h%Ofc%e2@*%lf2KiW;4LQYDH71S}}Tiy$4#j;cEJsck*uv zo9EFXZ1TLDFzz{G`x|fxRz9znjP8QK23B;2cq&fl+DrrktR%YC=FC5G0o<1GZEBTYW{06@7b z{NGukRV8lj^G;U=4qlraSs8fE;Nf7=isWti;(}|FGtUUJ^Ohycav`>i%Mz0_om9{G z%wLjD@>j1HhqwD5`&-?tO}18%`P;UOZ*Z8?Y+_1MMF5Gr1YGk%3AsXCewNg1UiVEp z6<`a6H8MyzfC)u!9arDUFUyy-Engtmd_bT*;bPc0@=cIV>?-v-y<0t5Uhe@(3c`@n zU?dH$-^$p%Cp}(XG37#J{6mH1OJp`$)I1A4Hh(CSavu zG|low1#x~1SgW0&arye-4n_-JdA_+e@EIIfXw3;5I9sRh1LAHU)%#ll7&ksT273EEScbIiu_uy;oR(*)oU92uS9X)1Li^k3x{)=f_i^7xj2O zhkimWFJ|z|P@FzVqd_DK`&DX25V(CH^UPeYPpaB15WfT_Vvb+9qR-o1$r!$R<#4G= zW!Zwsub*ha@O=IU%E_;&E2FwGV)3#AI=M-h1i5t@GAYhaw#yOTtR+#~N^~o+%Gwpv zRESO!wB|Tt^DqPX)^L+&(bq$3Ft4&ymE+hgWsOKo5~s0v<9Re)zVRKvTYNLYe6++p z*s=ZMEn5dbt}t>-KFgEjoMa8!vF?glvJE>r5Fx-Edgo+ISW^6o8m{lLfEotT| zB+-``6VUR$I2k8hZ|;xm0bwFLlvheu5{wh5E(iSn12{q{!bmQ41$yHf_zo~qAMz_t zb3aOP175F6qdh6{Jp}(P&3Ec_?!SLg9nO+Tp&{ps>LfcUUX)qA=o=980reLd;!Fyb zcg#_4c*xUyqd$HFCD23$7Q3^&IvlX`3`ExevJbE1TW8zD>-_!e`uKCbyWDvn`ez6i zltvPU!BNxDOTJExl&C@|X)57Llqp_rDeXvdi`b0cnDSMndpjjYju_506?R8PjV$G= zdJrCPS!IIh*uoP)59wiOja~dy!{;SNiUYEB|yD)36T`SMMr4v#!W}nNwD1d z-tMuToW$mrj2Q30Hqs3(sLb#1SV_?dqDe5tN%&L+oKr-^sgd0bV&t?k>Z>3;`rF?= z<1Y}@Q8+Co8>c5#ICF`jKBSpFmSi;Ii%HaG;wC@E0nn 
zR*oXrF!#x#u~+|ow3$!IAyHaOJ3k9@)Za_LFs@`YOrH%H#G$QG(U6CN|N2 z1C*JF1)O98fMk*gWqIZoCyyjH5^A6;C*?tI@0BP?MjM0wb9+uo+fw1}~}M z%Rc~#{gssUCY&N$9`x}v(dfloHqaS)H65ob6hV1o1nhR(eNVHw4*L$Uh z;YQ(JyIHUL5jqYbuSfF-*>PO+T>X=PbG&;-T|-vuoE_-w6UShq>OF(wxRvjQpP_pR z9`W!86U5SsWZcNT3ptgqxERQ#NQtQX2)(i-0vQ?_Deg0br^E;GCwi^tQ8ZDuaRA5S z53`u&WIP%{J{5T#;r{f!?S0!0NS=BlAX8hyI`XfU{EEqQ{Sq%1&d}7t^vv_tqm>Hr z5Xm+*qJI)Vz4#8Gf;K0^jfU(^`b%0$MQ?Z^`r(f^eS6~7Ww&Cw`gpEVh-N%@p#eoA zYgy#+bll=Mdcv1H(B5?KTpidLj4%f9m`(r7r@-#6gVBaefP$}Y^u3SMnNnyz zL0;q!ketIOGodz%HU?6Pn#Jc0vmY{cU2VcZho zs?g|Y-g&_DP*H)(-dy5KMw2KJ;ld=e^0UCrYy8=rfKI z8)EuGX9*G)Hz$rzlJ)C=;Ld_@>5>1EC2GqLyBZH~or>2NRWOinXBJdsX%0tESx_g$2Q3Q`m8?~CES)nIZ z835X+M$Y@2*fO*3A>{Pz(Bua1qh(Ad{{9MbXyJ$ym8eS#ZYv zw;iHHto3>{fuK}a9UC$W)IrWPpEQS1|Cl9=^lHW2p&w`6DcwwTzC1j>NX zGrpWQFa6-vhTZ z!$0#SzutJ5_yP*%HZRwg_o+(|Qif1ak%^Ll+n}#Ls>G>kMr9_XpO7v|CDwZe_P`SN2P<`nM zkW_IiJ0&+TRJ*q|nKD^{7FIOwOr%&!g%tmnW;hf4Jdumzf+0_b25nV+f!!Tps>3LCt^=0Sx>&2K0%P%z5X+X=Jjs^V zOHU=1pP3g;(4i60kQYsLK2$sRZov8OXrH8~f;<`gGpm8MEC*LX)YIlbN4K@l?%YeA zM5!0wmea0gb=>`d`CN+uLTC=&8YkkTN|TZa?}lg@C5+G=G`mn~Y7$=t=A)wZ?`YkR zJAIp}_Cm)Ov(9Xfhp4Q}slIzYqTxqboy9kfAI3}}DBM=nsk>rqF#@g7ljv)n<1l829rfOn)|%FW+ohbW?vq9wC)W-?vz?{u(TKA6^u^xC}|$+-Voxl=-pmFE|!#4R)N zlkaW*)hz}(GbJA43SBI}|AHAiGENg10!Nw7jeDxm+MX250GW_&O{x4(4sk=Qt@B7@ z>=JTjCUSZ?byF0zF-RIAbzYL{40O%-4vdv_qd$y#E5hKt8{M2!T&o z1a4O}(A;+*87Mh`BLKmMxe@4=9D{m8Hi^_7t{ZYe&N*ltAgbna!o%&*<+LqfNN-ri zx-ybRhzCj3W7Y)y+wn;O1geXY^mH_t!VU{+>(Cx0f-t2mv%WIJU4G@oslr6!Gv2ql zAzzvamzA{f{bYwMYGoT^P+?;*K~yI%M;=I!>7TVPYua9(TK-16{ZWuTQoJ#GG)Vw3 zFg-_R`iD!$&!kx+Qlzd2?po%(&X-|uZh7-_Nhf5>_`%x{26Lf9;QLWgyK9G^3p~@Z zTm};-zGKw92qxr8%rLKb7nbBz*g1W!UMq=WyJZHL2T@luWT>A;@R~FeXcjLvD@PIxBt)W-Sd~`&GR?EyngfY z;??DI^X2oqH`kXXecoK$JvU!mzr4P?e)X$)adY$H`uSBxX{&*pvI{yebHZ-7+M~Vj zC%)^hJIZZ%Pb=HzuM8=Rfz~L{#GU2;wmK64Qy!Bw7KwyD6Fj~P5ZxmU^qu-)|7B9H z=3oG$WiU5|JA2He-fS*rTrAn*1R|KbzT+PL|t262emE+gT$ij8J3d<6FRgzjNk;)LX z#SmOAzLcY@{Pxal?7X6Vny1c;9sCA$F*!v`sx?W{LULb8(Wqp=lB^F^Eumsu{y9#$ 
z<`E`Dz_@%<@_VObd@!Z#3U#>r`sDPuRdw5{4^jD;alu+Y$zGJ44$hH$YA+TGy+YZL z->I?}zb?I44B`;0Y2O2HZsLFdaLgroYfjSpnKc$#pzS;ZACX1@qvN76P8Cfbon)n7 zD0WR5m11ia9~Rq6cn0plIv^e)=OCHbb__=5OYu)K2#-%cE5xWU(_&sjd!O6)-qeYw zL{7QW?g~NW20U;3$UtiCREjBji3PzH-?eYwUSI7fh#b4ggu+34NoX#0%{T?1@O4DQQ{ij!;n#sD#K?JSrSSC5pG-)h&A7@A&aCq6 zR|v3MRt8_ikluR_Fnq}?TN?#|)(K6)!FdM)H8S*Kr_1XIu@;u7^Sx%AN-D5bkIdF9 z0mH~rU|$O3U-)2#NUS?z|1bOr7DL!@F4zo><$#t2`Cq)8dVERo6zeEJ;q}*Xb!N&= zBVWO5LJDl#*rp_f5f)R#FwXF{RHg`Sd@W?yO~OuOY>%u^QN8-&n}RtEXka2R0v6UT zDm0(6g>fZHw1C8`C14bl^Oy%raE<%y4vF z?T;NW00Z*5n%7#(F)UOJOfeRU2Tb;|>#EncNMxQ=oN9i_sV!D0iu8l(p`(lpMFKN5 z*P2Wp!JH?hI4>#T`hpar?RY-vOWaS*G})z~Bb3glZRluv4>;sJP5QrH#mSiJO`AiSz%#mP{-Dv0&?oZl&Bx5}0s zlPG%6)V}naB9}RTPrc*s5=VLBCtqW{4;vis2#;`-9W1r+GRWv`ZbJ=+!+}cvJmJnd z6|W{ae*nQbqM>tK;H!)N!HP&H!gAqFS>DD*cXwVP>Swm+jc0#E0`g2?guBbX+RB#v zrnVGCY;G`)tUT}i9)>npK&%1gxEQ}AD@5DvRCYH@M#kdmuRJD2dr2+w?0F7SG&XIK z3!VY|_N2x+3nS-jUwO`giy4Ix9*&)%zZK}K&;ws`yYziZo2uzmdjnmZC;js>ipZwp z8M}MvaFcrMS7wjI6@=H#7tsur<%$&E6}`62A>KVD4Z#s}gH=VYd7D&XtrX`2Zr~=V z?Yl1}mi4|GwDhbWzD6Jhl{@lUWA?y|*@`yo7VOoPj_}rQ-Kuu|;^oEV*+2iG{(AS~ zkE<80YF&jWE2-E8nspn{IqZN=jUY}gYLh39VwISY$);7}uS4(6UlS-Qz=rfLM7;H- z`m)wUUshv%d5h7T<{DE&4ZKVZ%?EbssputRZ(e6FC>bVA5-4b#K5w%>2ZCO~2yZuD zFHJZfxJRiD3X82NBM&i!#E(k4f=s#3YZ)`{fS9pQdgN%L)}l ze&!7Pd7Sd>e0L(ryOosEN+(THDD#N`{nXl0#DugpE!gzx?&i?r`oH1WNa~&E6m?&373pZKuEQgQX<$t5m)zCs zWXj-VhZjMvt$|gm8p???`bQ6}|H$CL9Ld zPbw4d-Yp`s^vkPxNamZIPh(CKj1F93NkTOe*)EJySMN;sm3&Sb8Cb9EahkYU>2_W^ z2=zqP8m(;i%@8}ofhEDg;gY(n$yFH9L-lJ=J0GGpsq>CcLf6+f-yAs$Q_p$vrCxG; z(+rKc?59UR0IuuVhvm!90KeLnWCEekkYw+h3YydSUl{G#lf+x!j(ERJAHH!pBSpf~ z3Yywv8VeGd>A`>U%0EI;`GXfBZ}@V3gEB;%d$ABEspF-3aEHFbOA z*n>BR(=&mduRwTj`5>VA4F4mv@8JxP*7s4g2){o+pLo&z((2m&?EEFi;Q7U3F=dsS z&#oB?&oEZ7FbdC+%4eO=K!}#=oDNCwi(htW-shM1^Umr2{eLN$KYT-WzE?VEA4;3> zQ?yMOStGOx5t;MF1Z>_({?QlM=xW;&r%` zZIa(9VCm@O^e9=;E-%F&!+CVddLQw1Jv*XK&EpU)esr8cJ#KOBXk^%<6ZA)ddYqPm zP!f4CMDXP>h#ClGu<#6i`pk#^9X>u2=$6CuH+-1Y$0q}@(0zsv>);a}6~;uK`G<&a=W55cPVpaDLiJ%l#2H%Be= 
zV|5W5y&NjtVRpXs<9-rp3$(4R>Wie56# z^9G{-dJp7?%QG3aVDY9oxX9BQAce~X-j6F` z$`j-&u-M2yku!uyf)=z#{19UV7ypUo=%4adNLTrYTXDhs>C>k!ANZVo>AdQk9f2hj zPMoJQ;ICf1x+;LnX7P2@>Yc2CL{uhy#Z8ANv!JACUcQijjr8I)e#MxfWYT2fvd14J z2wEli#h*fd5wVE#*dGxC{k>%S@iu?R89=UWzQmADdEPOpr^PSE+;(o=`N$h~*Ao=G}RqP>cw?J_|IaQ8I zG-pl|bl>4|iZ-3F=pT}q6)DMCy0&!*BF8FI1Kq{EXyYO6BwK1iubF^|(|8XXeBhdo? zJ`1H?QWARMNY3_Hf`31NIlNa%?oXWw}7oz>SrDxQcXXFLCK@{otU(seLwfm zwxZ`7?T;o10`Pc@NFQG@cKp-(&by1Ve}c2WKD>YLeC}i4vZ9`5$(B&-2_KYg&NRK! z3(Gj1w=-m~ao;TZjrCV|>VKkgmT%i+is|0$GHh~^Od+T5KC%9%O8kx#sbwr8+YFx^ zk$XWx#sDyr`3=b$c_U;o;-c^fBz}D=u|e;&-&VDMzM9F=>s^WA$V){@M-5n!sH>F2 zs>qZqFeE#%SFG3uRdV*Fyxj*0l%%)Kp`(_Bz`Ug+NsLd~&>cvwGI|LXI90y(#9f@V zzN&M{0BmOXQ~;NCLPBh@2~Lb647$r)7q|-f=cWg~0=%Mg@2964Mpg zUi46N)ldb^t+;{_(j$vMM@bfdc3@88-A!5#y}^)D4Ssyeid`GI0Gt z?s48KQ2g5G$}q7$+XE``l~jRAXk7r2?6F)XQCOH8@G>Jd$-^>Y=044I$CSIXDg)sD z;!A(-dXvQUA?E-SChsb>CZ2HrqXq1bX`hNA^{J2!qzozgz)Kk2`%FwupJVCm6)#c+ zKQn0-K(zGp%c&ni=bFu%_o=SivEo6(065Q3g6{02HieF*(8Yl`9GfZ5qgx%+x^}cp z=GUboCFy9PRx87*66iHEuhxxo31O?$0@O*%Y8+=|!?x*KN$WOUt4g}oDkduaY_pLn zW+OFcCD|;cLQYaUXuL8*sXEX}{?V$;rS-?$0Hfri9eSpdz9Q2}Z!?`Xo$16*$FS;4 z-*(1Rmi$;p{aeU*(hJ#lcKU@||7*#3lIA@fg^KJnGCP9EPMmZbBtNA`eX1-d=@EV* zCn{T!GcLbbFKk`J2r*NVoy)3jc%>UevXO!DnylGLQqLrK<%&xW_z8o5Ezn7R#YoT@>5 z2{mv99NeockiP+PXRy`WiN7qT({DAEM64iH17*cgu642X_KjQ;eigy{OW{0zx?IwZ zqq-TDd6O~Si>yA5(||1q@yLR<`sGXAkF{amQn(Y-bhz3D*oTYO0obZ}j^ zZ#xQ|r9IZM_bo)BdxcCqJN?3af51^_A#}N_3J2RQfM6%x?bj#bpNO}7)P zsOTGD!?v-Cq;(ssXk!(76RW7oN;Va%D01pF2vih-9uLv0AE>B1<_6d$AMLOL757W* z*PD<`%H&L-__VDJzV$$bIRp0VTk{J1_16^P`O*9>!9N;DVLugmN7dI9t5{8b`&J`d zMs*>0fX*!h0m70jQX$dUH5K8oL{rDqVRG_d>u(Z-n6hr$k21hJK%6+=RgC~7vVu@I z`rnwo<$AM_VJs4Sf!(+wB#`nM(aK=hC2~y9mc8%v`kG~r29`axh67*^#*PhC&>w-G zK60Jj&>8ma@xaz$Z>Vc(Pwm?-7z}LNvEWd*^dYJB%f{;4gW*scx{j+^z!;6}kp&03 zHPCuPd#pRXejf~-zS|#Idfx?xZa@P9&~sp~r&`*;7RNG%s_hI1mfIiOuAxKKwtD>` z7>q2(c2#4nS~>*KhFY%=HA{mQ7{ZY=80Z7dLa+_Qu?Bk29gl4b>MC$Y))4*Eg<$CR zM~2fMBDe;+GuDTi(R1{^4eb7~Z#YA>-?KGippAhz*2o1=b&SzK1)$%z411^#ROk)? 
z0%$n2Y{vm`WUIQ3KH&7g*w)6b2Ks6bp+iS-h+`p?Yc6mQrd8YR4GdLtp{A)2?Tb<0 zuyoYfwa^564#Jf>9E>3{g@<+ztybS~hpIRh7@%nk9Cd8>zyRpRcmT#DgxP^Q>RAIv zAB^1IxCiv1JG6!)4I-36Ydk`eF%002Q|oA12tNbeb~Qs)2ddVGJ!3E$8Lnjy`~4y8 zVZyL`!+sC-)^$sBM?HjE$3V}8{in)E&=s`3iOYaSw9(2%D)qxEVNO0f| z`mR2Jx}j-9XE1_jQB`Yf*#p%ciDNm&c-%pL@j)BwH!Ps)pKhWn#a6BHO6|?~&P1P6;F%=I$58=mhU0^%9 z>OwUCA*P~Ue?-b-D~cZo*JzSG+Ce+6s~bkQ-|q_b@6mI;*VVe(Q0;1lE(%Jzx$E+62$cw5sz-Pwz9DbQFVmx^ zij$I~ohl#a{--&930xQRa>~i+9eAPg-~k0FFM)mkTA|enHxL}+ z6OGC;zQsv$J@E=Yz^T8$3dttHSeXqkSIMVRC9A#x3_qcv_^GaW3jwteL@!{$#e7J4Zvu*is|L%W; z!8h*0%~IdK6+L@;7p~;s1r0+V4WO+L(RbV-!f@i7e&6XEx;^UYKpUcA+<^uh!|mx1YW8^OAlw^617T59 z4d`f&?Wj)A9yr$6wG1!@5D2rwj!@U_LscK62F}nzlUIiW+l7t+^`2(9Xbo)ynme`! zMh~q5TGz2VM(@z4`Zn?6VXvW30Y>!TO}yyrera`Q5PRrK8iK{5>&@Niat4BrFzWij zg!P~|N8nsGvHia=^@oecugmer_q5>m`a205H_%t zh7(&KJk);{9x35th-6!ccdH*D-3K>EoCzO=K;Oj~{J;xCFt;Ho@`s_a>3vS*w@q)U z>^_AvF}~FF^d$%}@_>W5*pvAaRbzaL{@WY0zQn`xCF+G{iM}geVubuFeIzwF>!trpZ z={#L4@KJWRMM+xw1cjX}>+)t;)m!0qYdp*2ul*HwpF-_;#!G}QYB z7-&7mcE+Rrc+fZSamk_G2R+9fTT&;F;1JTry{1oY27+|Jm zL-p$<1pbt{LmfEm!;$T{qtOsR-GRDcj8)q(Y|GFc;0y+?s`U)u^nvEMy583e!yOJ$ zt3Cwdp-K3uL}W4n%KL)QQn>_OGmhsI#2jkN*L+#WCxd|IzR8uzt9 zmBb@^>MxzHGyk(|BQlJ@RCG)g^l_m5vD?$|X*$FJLVViJ7rGrEQ{?_k+%&h|WR8~V zVzIcsN`2U$b-`jWh24eY{((dh3=q8JtQhNW#rWrOmsrxeb&0huvAuDLRplg` zb&1Jsfx~i&m0<3monnpW_0>AX1}mImgVrgwC8yZkGKi+|TXu+LX^(Xrv<@-u5E~q- zLyQvllcqW0%M;u_80bA?H0o(CGqG??;d*h<1%1JisqRDHghvl9r!P-H)XByAzt98!|SGZ?}t$Sum?wO0opLzCe z1aX1dZ`n(eB|+A4*m`NWmu7gVUYZn*KV{|;DOO~|o^1@_z*co*tZ4w}1r0PX)CR8G z(_MWq9=ko*1EW5)RA^anG}eLP^sSL=jqM>2ii~Tv4MvtR>^Wo0bu6emL)RVR3h5fc zJRE`^7`r2=s=fZGuK~9=a>fIoIep-$x+|1W9}Wg1#|HRTOx@K6z45@omBfKDQZ4j} zG3X73Mt`8&8XUXh5gd-4q2UZ5p2o=5TwWSHx!y13qZ(MMH0@iWK&G@tsw359Cng{7PVV4)Sp zk}AYphBud<@*5dlO&xUcVLzi^TBaNjG7Bl0eQj>F)E;WRYpr+f8}Y6U3w8D3uDoj! 
zxw|9pTG`~+_O6u-zANuqMV*fg+j`fM)~$D~^{(xWcdaTX*{pZ1(5g5rCtC^f4%*4q zcwS$LlMNHFg*5uCD@{xL#9C(>W54S;(=PD!PUdX{qGf1a&(Y%vnscb!uvPe~oM)W0 z*lR84*~vJ`(o(NuPd%~^(SJOb3gBW3hH?mrf*so_mDKCId#GHJ?<&_<#K?`%la$hZ zadWNw4)X@;3ge4S2T@@FrJ77K6-=mb^An<<-t46QCD8WUH!q~~a-a*A)94Rw<8qSx zuDhT;iIPN*uSr#~O)v6uM6?ndc=IqKx1OPiDDY1-6o=GBLW`K_a)`gwMjPMmOmk>L z*53RDoKK>A)Jn_0&f>fR4_X_o#C_(w1hFstiDxSpi^Vyg>Pj4mKg-A* zm$Kf4kcc|oQS4{SUWN`X)>>6<7LbY7x1F)P(3{vm1;QpC?W zVU&>Rnvok!0SW%A#A&p_nK~$s)1+3nWUt7hE-9_=T{Vi7jl+E&f5<>x?E*`iS!+#6 zR5}QEykqNdF-1@2Xetl#JY9tQLjMCZaZOr6*<<-EI%u59q?}^ojb(D7VS00$aGFX4jFhZI${>k-k5${^iF)(JGAi8~sFCG6 z1w2k@WP|AxU-4`%1LC><>GRYJqf7SmZ7@AP$=e~xpQ3dqW8eE>>Fg;0@w8Vp6-38R zB7KP5;^^dES|dOD@J`S^ubm^A$Q0(&aH6Nm(p8asX_;JM|makJq zR!ADwVTYu{)>$H%-5G_a78rq{bISlA-ii+oEE1>;Jq1}x2xF%2jdNpq&?+Y$9Z5s305<( zaenBX{}IlQPS)jbm4$`R-DKSDvRpXGC?+diVJ30r>ued3VHBai@)@U-3J=0#vIYn) zWx4d65E0S)jvz4V(I65Z?>iq(naKEF5#nrLXdONBeMKR=n*UJ9r}@8WU;66{{vY%o z^mkqKC;Sy}^OgK{8F*CJFE9$JtURA!7VzKGt?=C1+kaz>rvkU%FIH1qsswN`1vWgc zp%|sy(*h-sCalF#DVr!HgyLCNTs36QN2b87Oc0tJ+Et5HX`u=isRVSsIKMF4sis@x zS2)Lf5D8*3FOy8H)JUs{E2P$%lJ(mwoR!PYO*%KIgOB>r)7&oh{UJuTVrL01tjr+% z&Cwb@5(u19*Ai=YN&T#6Jg$H%qcVlz9Q$XRe!sfps46ugLdwm!LFCOKnyKqemO%w& z2vIwB^j#Ikl7*%z=llu=&q=VXRS9P=W`#Am#0>~SX#V~7^(*rY3>V0lgQgq!vyF3& zB6jq&e1c5>?_rrsqZ+edK?*{>m~k8*NhgftTN(YwL6;hYwo>({pO028WZZ${CME#Lkg_v)%!Ry1>pn{)tX-?vo_hFo1Xdx6feIls#N-sx*NS*!&!TKSLGv5 zyWOvGxDiafzu+Hy?rZLQF~O&FZdKzB!WykKvNGhls(E6gQw~*W&4|NDN}!R;XRn;UPN*lKk1^^2;7e9!d}1tWE-`m;w-^rxO*U8Si*W#Q`-02|6mibv+TM2DGPSb(IP%BogvA8V2XMZvs<0X|cF z&2xvE`oy-i&9aXq=}GKtw=6N~-gD5z&Nyksd5hQi3^Ykvq%04uJu}QU8czYvoEMgy zXSjB>qxBB;rViy6eWB*bS(A6Z+O%La4Bg32<4j)H{d5=^I$ z_!=c|t^nm?8Tm6B3461gLi|;mgm}q$36gNi4^L3AP_OjylqiH#_mqr={?g&lmp*|< z<WrjJPmy(EkD3~i*x`jABul2rlx@1+-dk=%B{h~m>DXRg@Mtn6p;-C6jgtTOi# zvbcOfGFY$3+Z*Q5?kex55Cn7O-v9LBnD06ADA{$^a_&swIsSddPB5K0zP-eW8q_nr zK&sPuI_7k9-Mx=y(|^Yt%X7}iKI%yvZ+OXQkr;l`ECZtAEU^Ve8YJfm>8!lu=;JEn zVwwDwgpBVz%IN4>*WsD2-l^*M1S{9M 
zNbb#5j43Jf-+iZ8h>k@UJfYrre}5+_goViuk+XywTp-=;5p65Nn?iC%FvBmY*{X#1 z{&MPIHfOVM)4D$-ixOha6sOZlDTPB!=_SJyLp&18Nu$KUwGG9`2lGI}wa`1hWkbeD zY5gIaoZwioqya=bB!sX0f_*B}*>dN-WionQX+s8?7lB3IGIt9<8!VBetLg%!-V5*A zdJ^mD*V(!eGWEKoW<-^Pnev(uGAOeRbHI9Q^sQkV@Lpd>RRq1Qim>gf2zcVt2gJ?4 zg_;O@TN9zJiO|+WzyR$}O$5$?+KLEmMTE8@LR%3*9Hp&@AmYBz7u{AwNcC$gBJd_{ zMFiHct%%SF=(Zw4TM>aZYAYh7=hJYiZAApxz->i@wj#n|RYc%ki?$qsFuygY-tK0=(QCPwon1#g>Qev`7TQYtceqZP4@PisDjX|Sp|Xlk-3^xs*`NIW`LvyLemlf zPf_?FOjkUJ=Oh>;O{Y`8*uj$*IjB_N;E)R&6f%~!xItUope=6D7B>(_X^R_(xG(fA zx5W)o{o3LNyh&T!fHhpNxWP*8IBr>~R=}o@->(3BBlQioT-u<50aXuPKGG(DmOXCE z8?@yOnoV_Y%NuxD12I7mfJYNq<0i7BOez3PtUsB*tyrT5X|&Jr@JI~OluZ1=>triD zZ5r)=k^_=!?kha4jx-syc;+k8=Re)UfD$(R?Mn@lzg@f0rsipx?cY_-IC7C6rD|F5|fF8=n@=iKJS6q{aG(*hxM zOn+`BiZxa~5WEwTS1={86D$717wS6aFyZ5Gw(r0gpzryI*ai~rPM6u&-SuTlg%c!E}u`;X6KZQ&d<&GVl=XUf}@s$#O*H*SEeVP{HQm`MI? zi8)0nR zj}IAb4{NGl{v)L7%d=mfzk2@W;>A|>UNcF(vHe$n>+jb_tZ+h}w6DAyWhdopp{U#m zK)zA!96f1T=PW(xz^J%d>jobnog8RSK|ms2REoWf@x#L&l?M|R)AIc(1gn@1|Fequ z#KXgR;7<`ue|X@6C-_sapOZJU75>{@!|TzE)aUakc)XHiUR8pvQjLK6phe3$3~v#? zg%`H%FOlI-vxD~teOO@p?9D;&m_)4h1%Ei>9_PCPJ7OvK`vlo@wo&$s=rCy4iwnmg zH<;}gTyG#gb_Jd5#U24BNULUycuQb8vrDj8RsJB?t%-yp9qsxbBmJ83C;X=>Dn#(! 
zh830nRA*vV*6r1Fh3TIhYozzN-V{E^)r2ZnFwKFt zoozQS$Q6AeaB!YC(x7L11X2KJekACyyJ1f(_i~r)>EO0jK*Z~w=_B|o>TXEHYfc@t z8GJ3-RhOr%3EIKYZMaiH%bSa6LM35t!GKR25Q?wy*AydW!5{L1fZS^;Ub3auLfbs5=vjneYN5S4(eZ)?4NVbrkn#!zFG`!Ru_(1}j~?N4C^R>DZ0b`bLIB9lus(4c!*2 z&zKA9RoZL0Qr|?~EtB>_6T5dFns|c0dInezKzxnQH_oBG3W<-Y4h?uYLGv0!-f~vi z;BhG!6GVs*t>vEU>-)}EXUl2iRZCnh0kmbS@t5`&z;ze7W&G8;5PUV?g-sTl9OHHk}DrIvv|F zb+d=}1NK?HT)<5My?vi*T?bU%P2>cT} z7T0c)h_hxYP6M9TGPy?IX?RdC1>lw~xUhjQW;c7W&dIe6fL68X-W&p*;45rG9<-{L zZP>i%1wV*IzHZJSX6E6&w`gljH2Vy>lVsXx6-oD|SX@VF;S3mO=FM@I1c-{STVFB8 zdPYZmDTY3YJq8c>jtCRhFC-?6^8}#Z`^`k~xF0UYB4a&4ytfgY>uI5Q z0Pa4%_izs1BaZGz4G#9R;nw8aO{9!Ci5d9Qq*s$1Ciot$)G>vBn)W>ifL(q|-->bf zU^Y{Jm+?W)fQfk%Oc(cHzMR3pYfwspjrufmStr6m23Q~L9VnV>$kBcEk{+Bp4e=}I z69{%xdXMIpn-1EZHj!Hm)8ck?-su5&Q=*&%U}lC>zk#D_N3k#qL`dj7lC&VZK~F#)sm>{t4ksfGA%X+SpCjoY^&BY9u z`)o8OpziT$kq~EI+R$78`{TZX=q>i!WC&;Wo^ztmcO&e!HJ1yL|L%~R7tOuB+5|@_ z8-)0Fqlkyg1wKg-nx0QgFB6-LU^;D1o?EuOB0s{WENJed+%l((0c?;~wksI_MC=?( z@F&>m2Nxys7We+VW@*>078Atj!?kaOYaF&BDm`A~{ba5VT!0{Ibo6pJ0KysYrh8ti zgHZTB!?xc?$QFL+?XlAzr(y21>Dx3(cvs;0dm9gJnkw@xiEkwJkOaroclStyFP4FQ z55k&ab&cE;98%aRN7zb6b zV*#2T)_nqC8%En%@3z87t{YkX=IcGR`GyzZkM(Vp|i4L=Z8`RmabO3QolvfqTJbm zq%J~Oh27Y>hrp>=R-kjSjPCuw`->k}===gLVJ=D1#l_9Fc{%k~9C@j@`73Sw4kjx+mQ6lu zdd@Q`(Nm}}F@5=8tZ4}C07mlWx8xmeJi$?WaxbTu0vtGPyG#^RWJjG#A1BO3 zXLnqE5Lm~bXP-WOI>Xn@oh^eYoZ}5xMh~U3sX7m-!au;mJNE%%qvsK(fI^_kw-dh5 z`m%a?Di#900ufk=*OW7Fh1BD;R@SOS+!gbZnwv{tkIyl`K){=B;LivLxt`mk^h@d9 zs>q^lVPp#8%><#z1>ci1CW3^&hhS*Ar$g6 zfK$ZY9FG5^52ZULwC~|;H8EDSv1)ptD__`E*H){bYhyw7WFN2Ytlq-M>qZG0gcUlq zPh~c-#w(g~Zh+*TGkttjD?-o+pbBPU1(@p^pVckPZ4lg=mO-81cBjhS6%`}ibe$!*Rd+#s!2cP?z3@G+0uA18__P{jXj<7~6y@45WUDcd>iaD#S zv}VLhC-N?2H#PLk6|Y6jwkAT0Hh_zzh z(R@|zb|?AfHF4RzdlxWo?X`1!^wP5fAID6)|A5xH0N>H6A~>)w@CR?%2QTARSdl+E zIVm@6?NoCLLe-(mNA}o+&=+hF9Uq;CODnVkj}$8p&(Rdb2gfH}@#nR3svMmoiTdDS z@7j496TAQs8AX8hlOKEx7r=&Ryv3O}pCZtYPVjKl-RxW}yzo4=NUNrjAnB&EjPGEl z86LlCt)zJWzNBE@(m?OELtV<7cYv?C&9aa3`>qp#NdcZZ_nw0$cE(BTAAIHbHju6A 
zn|N#B1SqGK*%VkpQ#%Dy9nTe2R})=aAwc9is+4vKaWWGNZ1Cq?BG-k=g}$OXg5>vX!-ufGqgFT zAdHT~#ng+A1&l6Oi)*JxhDBUL$|qK;w3x4AhdW)gqAy4{7gyHveNEo^lD8-vgL$Vq ze9F>BN&cV|M7COm-=H*CC^k3R3&UkbPLt3JDH;M6h!oMT_wJ^Yc%iK6UxP=j==8vN^BfOybY9 zpQ95qmK<&n(9twULdu!)2F}nw6@0Qy;UQM#lNa49ykT~J9S6pOmaToL@GYd+V6IqD zS%%P2ki=Yq>GV&w zVg^v$I}R)>1BC>Z6&{N2=HSQGCvGFSkgC}ot*iV3BV@COK#C?qDWplLyT6{mvNfVM8*upPata34d6@k3N&h3Lu(aWmkDH`fYvG+-PEdI40x z1mFxq0#l4A)L!zXUKcGjQtc6dbYdj4M8SA|8OPDzzD18xa4RlaI}(78kuDj$-&Jr< z3!XwC&{J+PLD@n{#x)SoNeA8#jWwNOBEyww(Q`yvctV%xOSt?JA}OM5DZWdddwj9H zD1=kDo7r<&S0R#Gkhn{620Rd7HCXcahBK!B<~%#nEH=+REkhxv#-J=Rv+GygBEul<;h5)>7A*=GhMw? z)$hsQf9Ccl)BEyxe;avIPvZT}eYjZYCT4D-z?BQza`h0`P>il(Oi7{t?mNXogd@hW zLrgMUiB-P)P67;~H7SF&AlmnY%YqQ`4MOmr?!76dceKSL%WvA(@bkFMvoLK<`-UY7 zm$mmdd`Q)rvp_C0cI#@dsSD0>%I|V;Wtg=6jQ-++6Q6pE_BHo(`0f?I*SY#!|B*j& zi-7m*)}IJH5uu#?-dGFhljv)k)(HjA`X0TKsjGH|Rjqf;Ri-_A-^^OKxZ?A^{nKCE z{Sjwmb3r>%*r>^{uSpOx7qI@|jFl4q%J3_TYvyucu`@$&0el3d!GJF^5F#V_EiWzYv3^&4l#9E9oyD*FH{y%rSOw;tpHR_u(9*rQqA&fAed$!imw$Q{_;wjT zuYK3nZs^pix!WU^+!Hw@(cgq*tPk?oa(a{UmhOc`9Jer>qDWo7s5}b zJJmnZ*O<{TVVd`bN5OxaooiOB=%^HF&8N;Y!Jl&ZWB;6+cKvL^ZVpYY+Fdc$(M4)c9giJI1*t$!6n%zElpeQ;CRG@)vx zs{Y3ZGvTlN7KbcqmW(=OM^Wk^s zx9_1}KTrMrJ?r<^eM_dcu^N3>G&=Fg?qi?-6sxAI=Z>ykeWrZkrbdqI%$2*<^Pd#G zI`GFdZN1RrO*7hLH>R(-kR7C7K5^Y_spgegQTHzHwz{%u?MoHGlL7g5n@^vXKG=|L zWv=z~l~0yq)gCoZd5*QQzpNuyOMRZme{}kqpG$U>tlJtkKVo@X$no9zO%IY(*;ezH zsxd~m-_dtmt!cMyw$7BAn2#@ib#FW9`MP!Twd=FC=*{1rvd4@MQsop^3@qur99 z`?*a__BrRDbK0|C9B;L>QeCw~!e+;eLkdRuC+}{3X6koz_JhO0TT4#&e6Q2JTeMmD z(8=7(>@!N`ugvQEx8$-W&$~6oOXsC{J@Qw)G=0q zFJIB~=t&-3%a-r8x6ztx`mpmgu+PYIrmSGm@gw{xe9Xs>uhg03kJwBR>6(cNmGtGu$M3OxDU#Uz-`Mf?G9kgEQ|?SL){67`RM@qIPusY$uvu>L{{Qv? 
z-s~Llk0;$^-^;+z5XQz3;LXS+!YsnT0ffx)u2ILg%3bN>Vqn;3#lRrWAi)3w+ZsWv zZYGq!EpK4aUqZGU5)v2EMdJNN$o%galev}wAUoo1)mU29cA z8Wao_2nYxYD8Niq3q-EM-tiX@5F!r{5XQe*V<%HX7gJSBQByNZJ4+W!dpmk7XM4LN z?JuVdcI2NO`G&#m7_vA~E~oiT5BjTiw_3{sR(@^CbuB;X6Nz*O`p37q}cYuRGKpZ>EI&xr^4&}oqH*)!f`!3qT2&B(%USfT-$|Lll>SVmoqz6~U#7=__fFf$9{Qi9v?0F(n9J z{`r1Ik<0m{M%epARbFRJ>99DImQCyMvQ;BFhT)wE&zP>G#r^_xc^9S(_qj2z$2Jp$ z$Qpr#CvAhV2@jbuigNZQTTut#Bqehhq)o=jjGC|<2V`fV z4^1dVrG^}#r~{w}xEv9%Zk+i`7b@icO84v2F3CaF!zT|FB-+Lxg=Wv)$T`#RCCn@M z<2eC?NU@_@7?dLK$4oF`YaapQo+U~Mqos2(JQm@Z7s9K?#}||?5HL+Z{3v<-bs0PI zFj(@3^FpZ|?1x@(W9Mv=YGQ(SGJHe9iMXL!Vz|F1LxtPkin6uyP0DHaHyO+`B9WXmqiG= zd&k)cNLoxYeewuREqoy03H6(S2k>Qneqv^%A|`yVDUh{>K9GHKjiv?FL;r-BQiFf* z{5S>VD1ghJ3^R`!CmOCjOzI;0m(7)nLV6S~p&=-{yX#>CnaaQOieCX4`RJ zS8W^bV_1$MWlXcKWStGYZQ_wDXj6PI4N;?JgQ&&vsTt$92apt$j?lz(QTpkpiIS=G zoe!ZFm=ZPF?D2=-;)kB%zN5&s0&zv4%OH(d1ZZPgqH$5eutBI9w8aZ$G$8Y!mbCAQ z1bF&am~yY|&1jL`5uZeNzaDUGB8CHe>$#~E*QkH;=CUE{aG^>F$u&hMJ&c=2Aw#ZG z=FH3+aF|wv1N46ce?u|}sLWfDQ8Q4Hd1a@+cpaMj)={_&*|VW11$7&sC9DB&ce&@C zN`<$(GEguuV4_WePlnYU5FDBrrH7k^3vjZbh>1MKmd#6DvAJSr_>0QgBR9K>EhB>( z;&*d03it&9NMDP{qE}!xXjN?O6JIznwC)OiM_@}P(45@RT)!{x+Ssza`7Q!@+jn{H z(OEaQXt^&SC~p)*5|e$A)a;Y6r5yDK!YR(4YJm*}f^#Yo%dj-Cl%X1swfFvhC{S~h zxbylO0wmO_rj%@;ARN$v2OGTTNN`5U|T$we29K%lQ7`Gq7O3i0><;=&UYGY)iF`^&fWP^E5=0gp) z0BJ$395IRX3tu{3ta|JSqS7PNh1P=q)}2`dv<`E)F$Gq$hT``$2tcFh(DxK%+cF5# zkcp!l-cI`(<`O0=Tp`{%Q z3rY|JP#4%EQIPPV-R(+S>y zJ}m3wbZ6gcNS+i*>sNJsroRQ^r8#3MyX;oFT|r7ubH>K zpPi1jH|%Lc+y@|}?qI!9t4Z*5yY+N%9f zUHI(mKstIM130Isy z-p%dhpE4|l1{FHDhB_#4EKr05X&u{P!2inS_vS2TpL6aJq)5&)M1>Kzy}()ES*fQy zaYK_b6XExxAE{d#4U?$N&v{;#<)JI}^I3W*GUyxpO(CUCzCKJ1X_sWAuq~x!Ei)F< zQ;d>}{5Zps%4{y3!9NkoC{ili*&_*TO8{a)fxm?9{tCC*P9?X1;$G^$vi7cIO$}kl(n5MKt3Kmw=0lGkG{p}3VxWLR{ ze=XUPlu`Gt?|#fCC<7}h;bBuM>@1)XlkEsBKY?(hoyl$@(8_S1T0v2?_e_7;{jL}O z^4b=&OFjeETs|fB0`g`%4RRZ{!1NUz&jX=%yJ0+@2HM^3 zByq{k#pwDVPe4l~Vh{h=R^i!O{&-v3= zP19+V|g`;h_1cxR>{%K1-J~QHV3F09TYn`_4&?#Mlh?18hTNwKyV?qP^MN}Wyg!Ny=zjPt 
zRK#ccDGUf*oJ{e}5Ss7a?%aMCQ276#c%(*S=6Yj+Idyipt8iLSi2h_Az_q7yar~P z=3UBRlxOgBU3B?y33EwfLkg5g2z@J^c$8bg?cCWlBx**SAVG>8F(lw8SpGz?n4JV} z2N0|A#C(6e`sV*B>FT4;O#pWsr2jU?imyGR8{+8P5jX{$;o`c&dwrna;oTtZj+pH6 zaFTBAl%IUBu7iG-o`ep;2_*Ti=faqHZGpZDe0vHB+w38p{v1FCBUv!%H>VIEwbf<%8!(x!M0`XHe<9kjsH}heH1k$iRfjsu!8AaBD zGLV|Bz5^EsU}5mX-v$Pg=0g+2nj2XV`~)h{_&h@ImKqv#u?V4g8Frlv<%B#eYcEFq zX&FOh$hl>4ORZi?^H;FPN5}3Z|k#2#ClGxPo!hO4AEZP1f+XXoO9W z4i}?E^%@&ZCdQ@ZHuMM+78ZHjISCXsXMIVHUFvuonC6*(3kRKeq&50-$0*Q;YShI> zwgFZ{orZqDfn;be;%AqnFuL!Z8{A|+87mzl4)B$yWrgbo2NfX5ZwHn@`~DpNo;r+D zpoy!C)M-MlrYd77J;~(UwA_iuS^z_EG!Z_Kv_P9&bNlCGe=OdP0I{1tsmyg5wcOL&0+W`sPdznnr0W4~I;g2NZ7cqC)ycT!mVW1^$0v@bY=9LSYs8&B{r(dm~ zFTMXU8z|og4Z8vg52ZKH*cTh~bvp-Lvpwc z{+?ZrnCzQfw;XLM@;*xP*EGI_)wP;ACfbUdVz9j-T5}pDSnulcmKb0rK4z{T9K{ri zq!A=}l3a1Oyf!~nCQk>65UpJrqaZK0me<>1_1&<(!EmVos4sUKXXHF@&$s;1N48^i zt8~>z7W^e4Lp1VX*p@a~z)HWztOuFf!fI@byczl$Tf7=?KC&GJy4wX2AR5=bYu2{5{ljmqv+*#O7!D=F{mc%uyo1SHraWOcgOzW zB2(UI2}to9Vb)sAO7@^>rnur8`XO4wC4fu@Q%~9n$9gt7>EG42O3!`P(?-@1CJ{oPx+F*U z&D-}jih+Wk^h`LvA)>>`j;O&@6BvW9oishkbR>^6n6z6DCbyG-&DU)NUrwFZPM&)< z6+r~Hm@~s2Y8SfOEfq)YW3jf*t+p91tkcHo3X_~0Qemdg!fp{XO%n_u-tohWIvgy% zBgTUB_VZO~$kWDd@=8NTM$cN#DiJ|#mH4Kmp|3VzAf+K0gm#4H0`Ph~tPi~Av+#Kc zasU3k95sCi&VSl{hL@NYhT^m8{X{NAdO)RikiyS;lucSKr;D&ZjrA+2rk5)43 z8Khc+LWNR_osfcx2^oXN2_Fr_fGgcX?-*!XYSaCPDk^hj%P-=ZISgnPFXfCrh?l$Z zHcI57o`o+P*Cm#`4xZbCJIAfGZu?Omz(`>q8~e_^byZi}r8=g*y!D;x(xydGd13eG zqf@&=I`JA`b$)9Qd5bUFrA@!I3-%r^>^IWQf20?vhc|1ICN2}Dj*57?7h@a$7k{Iw zmx5&DZ?Z(bN?J__$;t2Lox%2?opc87-(M9=o+1);#yuV^e7xznvUC@w{~)&i3t^BV z{V4nwo=NW?PG9IK;4?gY*I2#y6}-<8uQe{_yNeu3Bsh{O7adxQJ;;W?NIAHFN~q|1r_i&FiEQvHXz zl!p)Zba`!jcn2EE=;pnYfv4Lf3S)qe)$2VckVVi}O}ebIJ+leHrzE8T2Z1|w#wkJ! 
zleU80y6DRS4{j`XMysdnQ$;GlWvZGLjdkRCWx{z#o-Qn$Sr0e2L|DW$34K8P^&Kf9 zd$K*ruKDV6?tzeTTk-2pZl9a*j-2AF%6L02e+WN^EzAVrz)9}ZHwOgb&7X%bHb61{+hN^m+;%jKq<@U)Ox!)S?l zSS&px&&0XY{;G>yAe0Uq`P4QH?xyB8Xwr^{+$=`M*h-E?Cm%0weX|XFuTM|%obPK1 z33AJedkGiANL-_h8_I`=5s%v|RGSP)yEMu!r08`7O*D9ya$+M ziHdo2|&wzbFJASq8-a+iu`^0Rzck&Ntb+eFr z!QjL&2;?&XSPoN)fOu(}%V3Ufd|)G*$PFZZurUv?;fg1}7pqB{Xe`XSXyZ|Eu2iY< z%x^%DXs*w=`5a7Vq=m>#+tgi=JZxlaoFWeB2>U>7N(#5K1bj!;doCUteRUa5TD&wR zc7`eiCnnjcZO}L#7lP^(>gI7^^$(6A2pjpua*FnNV~AyJ>>S9S4auq3EgKa6WA>OZ z_&#@av=oh`zHEV9FgFPh91cY7!+zKb2XSIa3vhRa>*xw-rua%?-ceTG7qdA;mBi9n zB~qs7Sm*R_l)a2LXAc9*!|2%+w4=D2hO6)+{R52t$YG=G`2@kivEGp-I~g+w&WLIy3grA$AtE3$D&0mWNkf{2ZR94cmGj;HI4bHlTl%gohb<5hQ5YmOClMcpJ zzp}+}k&PEYDjzeydR|!9>*Y^4372OM9nps4mxvw_M{I`@~=v2%+S=O(_e2CdbwK?`76y>COHcz636w=~6%_OC3h)HCM~d~Z#nUzi|B9${^wPuvW!Ryd&uViZroJ;b9a zZPs(bU{3x_|UZ@b36f2ntkpN~Ct;JJXOe$S5 znnSgw6bGyO-h<&EvC>t}u5V52B##@ep_)7*p)T)x3>#wc zNFmgFVjzznUZXkv>7Y(8g>b2fGl34Hm9AzjpH;bHPZ4;#&f!*J*kUAGbRvs8zmhrC zYHV@XXRAZWr&`70IFhbnIg)x!DV1|CM4q}y*~alAb2jssh5dLpr5#&2x2djz5U@Rx zsxeKV;#W#qkUA5G{Ac+>39OJyVuFDFk1A^{uZOAhYq_0TWwa6sQ~&SFZbsE1@o78V zEo9NFKlDssbTk0ZIhnpx<`TgPReA!(!EAuhN2i*!YL+G58fZsIhvahKgLZgJ1^93{ zYS^2sGmeWS(2o<%&)A!$lgWrIhyl zUpnpg%esy~w5+b$e-FxYdm93}V@B8|^2!R>2ETm{{MKEJq`l{38%=?}OOu7emAEzyR;(x1<#}AN1Jx zbnwyt=7uo+L?iF1y&UD{DC#iWwFw9FQFK~-jqv{R?8+G(fCL0^HN zTZa~hjhO5p{`b{%DJZ&k)s|k9@5lAV*)q~sy<>mr2DjTYkwy>N8mIfxwXwLMt^Nnd z(e|?^trN&c&8JeK*bo2jreE)U%YF*OKH_T$VVXWxGi;ID%a=F?fca|0NuFY>Nxqh^ zB?3GSZ!R-O`@S@mqbP8xJ(5G4vZrGKIC~ayhEJoukQ0GqZ)0j5=CCTo5)^(8-|V z64i$fXDwq_Zs3}^lfC-g*N5-s&5I+4D}nl3mr{~pis2sqx=cjj5m$t4c86hn?^n^w z7YdUIV{qOH;U)3q2PGj3j-K$*36T?6u%gi50zJ0Cdus&V3DZ0Y_8(Eu9e0~M^ao3q zI~ed>k$8;!4!*1;LFb_QwVLB@P6)&bTUvOT3O?sKaDm|FEv!xhZ-dC%qQ2DASR6ET z=b@wpN)2wXtL)s(OX`pzOc9P72#VA5ellQ*LliP#>~!)1RJiJpE2p!;fb0{C>qEXU z?RH0>`V}z>ogfGf3`*{!{K;1+>v3WS4x?BS&qV95f_L+jO9$jYUrw2@yVT^_o3Ny# zu%z{d_~eo?6SOHME_?!TZn;Rk_OAHgqw^I zB5eHPpH%8$*>sy;yDgMa_M1M4z8$TBpAOps$PGsY%+)5Wy*1>?aA6$#OwYf%r(}qu 
z+1HXrjCQ0!ju-GE0hpmIOcU8m*^I4WgjZQ}e0&`NNUei>;sMB|u;J}Q0UhEIScvH3 zq55Q~x2&`ChEd-6~Blx}-e5kW!zh#55{sIleKoe);PDC7+%*o7v_~SY^-a&1R zq?H1j{0GlhyDsw#CGqnZWy+m z3p}{6(5U{6!C>Qz5_Xmi9i&*)XaJm6t8}~sBUUhKPmPh?io6Wd^t7O-`q0P3zXH44>Q`+blpmn6>;2ZD(-xwp3;)ppDnMthKOs0tLrurkkX`9^Gt`Z%U`3Z3cu1 z4i^=b&{LQ{-22C;8bjb@t5p+WvSaFbV##LonEZO^xtysb2po3Q5AGhjHFn(Soc?H+n zf-<%4lKRwE)sYU!z9~gxc&Uiz6L_zZU$y zLb>;h-&&HvkhUgse0e^FNXa%{l3~TCPymM|2vK$|Vh4zy=rwe)bAhqT26pGHa{`Im z2C~D)$6W71+Y`4#-X^=}oV$Wd`E@KJ_JM);!0BjsNI68epqH0@sz@}U>u^Mm@^jna z#Vmn_8lrEDFST!DaqiB>tmQ_IFE?H;Iiq^=lV`wGmExxQv$wd1Ua$vhdiSWpMI;;l z9r`yjX}>KDDv>UXJ`{|~f<)GEVH+5XUs=lFnXvGkJQJI z15>!JM6$G3N-IMzn4O{_WJauzE~0qsH!A-l|4?9)pq&xT~RB=c@|1WoJtUfH_df?Pm5w{2lr_kj~(gxrQHuFI6u}noDuy zb39aCE^*{Y7wg&$j9jt4)X1Rj>(73TKKb`4ARdbgFV-tO8h2jYUnY5cPGji!Q1j_QrQsVhQMbFr}&K%q=I);XBgQ zvmz~a;27jxF+=3^6A=T&Nd~ChmM9$9n70w^>HV-av$67K?8FDFCK5sqPZL5-h-L~h z7v=bK;q6(+cA8-JFt+)enXC%|9i7-|yDh7g3OG+oM@MVp9!17|Fp_A~H0&AegGOwk z`uW+6);Po`VptQN0;UeKb7{BRh;M6k<`j7|tR5sBWf>aNet5A_NO1*Yxf@_FA5~d- z90QMGO?SHs3g-6bMjxIYemzu3*$BT6nkHi8q(-wmrJtCA5&|#U?I~FL5Le%=e+nGsd6rs4Y>&hzK+P1PrN+dzt7EhF>Oaeb@XFGd;gteKSLT$ zKS6wmyF4r%Yftiy{xuWK2In$UG?`$fM)W#o zqSWL4z%J%Cg}IcEk*Gr&Nd~+bTE41fu|GTuh=?Q`iU^ zIk&|^aJ{K9C-S9ScEG+;lKnczvJ}qCT2tjw7N>fKeSY@uefpu}dC+}PT+nw^ni%dh zQ%+e{U|Eq70`4}hJrJ#M3>R{BfEvizLm=nxv>XIX2PJbJ(nwMGRpm7B;xU)M+qZi> zAEg^M;8)H9j7#BP#mcb9Mx_=^w|kbk9PpV?pS0)3L;<46o=TRm z)R}9`_ll++5e#1_{C;@jP0WrKOx;R1b{YosFmJlV<56P~zb+zryx)wpB z0yOEu#vzw#-*)u(@Ex1mx*Tq@(G5rE+^RiKk_F&K$7%O}ppzP`u{ctTe5ye5#W)8hG(0)sRrxyP1e%$IZ>(wWlBHDJv% zKg<=#jJy%+bh9f2OZM4H!^_}og*n8vo?N7tM?8W{o;YOl}q ztQjsVs+SR2wHG1vF?qG59a0wxON<Ofv`;*`KsMB&(TyF7C#!`}Z1Hl#OYM#mx`^Yy4@-xHPu)jVZx>^>SI;<=u8TpV(q z*Xsppe_Q}jfP_0xoTX841Zv1HAoy6UBs3Bd8ONCkMfUdMGbMt`GR}A2%u2FH15FI^ zcxTW%XRNr7Nx`d3aM0oIhO|tIzsB|se;sO)AX@+mK?3q$K ztSU&whFs;2i&3@3`>Tq`1Fab=(vLq>9RplD8WR2eG$Ur6K!X5VuS3*ETMc$Qa0g!}f(U3$ey0-Tqr`j_ImM=~R7eEZHQVacI2;6abHBm znDl{l$~f{$!@(W|j9BVzX)C{ch1X~K9>GC%S*FlW7O%ok(MQ5*eqFi!Hm$u9+>Ywr 
z&lo@h3LosC9A?vOMcijYJfQW_K=!N(6e&t`=w6$-BaJr`P@Uh)tas!YvMn@xf+mIk zuqQ8Rf0+ZmO0ndp((le#l(k5wSdK2hOyx~c(iu;Kc00E$S@AkA+#<~6sxK3JVJGBo zEZyvE&UWNuA$gjqW=$YsBY5B^ni{`vI5xsq;vXIZ!(ezvvf z>wax3)hmx1M@R8j%)~*6UU&`;h*fSH)1^tI zwcd9ZXR@kpN6cGd3SWn;^R4}j0Nd)GonM)*Wl<9s`*M9^jd1P>t8D@>Qu)p?V)1=v zt7%=YJzdX#+c#S)I-KShIi+15OhQyUp16}|(2Rc!brMQqB>NbMNtmr9OQU6^c4lRU z%&={=1iijv7V!90oCNvB9hZZmtpfWD52Xvuh!CHtj7E06i&S$I)svaIV~F_@$AsXNxjV;% z%o)l)&Qi#IStUny5&jD5CO2p(S6hy4$XaD@!WWniDj!ylt{glK&6aN9lJ)RIs=N&>h)=wMZ(5O zo^oOP3fimA(7*pjsVrB0ZxY-8O-}FNVD5<^gMGjyq;G<)?|y7}y3qFVfq;OZ8&2UW zYY#jh+9Ch4mlg}fbahkMUMCR^DYlnQ_+QcT7TxKTh;lO)=*o3kw18eRE! z)q%>xrp#Xki3*-!m>r^&C*8~gu7x=v&`~4=r6aCyK=_6>#uthr1Jv9hQb}Pg6ylgzG}SB-jsC9n*$?Ue^Un$dBaVFs-4t)9pewm+>ucL zs0R|_d-(qdi>~e*8;6E+Ab~dLUPPL&dnBMcwzltrWm5VJoVoV;6O$?c$1A>z9`x0A z>aAqDv7|=@o|KR*qn(Yt14)B0#30(dr388I;(?RM&WxlHKDSg+&*)_n?mT1cT<<1{ z=9EJcJt-07x>L@uGXbPrPoBE!&&+6S*^w(}EmvyWyoFy)dsOM41(dr5c|x!F8?m=% z&SkT7-{r;^bmw3BOq_IiU@%$t)@L2hb5(9DM#^RBQk6juV4e3pifj_d)@AHZc%Pi) zJHmZ`-RM_aWka|E%tGI~X;%jMtrdU2_Vy>$tdfd9V! 
zGYA^ilm0~odM;P%caP#E9f?PXMT6*Oz9DOsX^kmeg5c1KP2}6lz=6;pi;I@e2nT1+ zGZS=>Ky*WT_C<})kQJ#VIK!hDj14W*W%YZsMd6t?X6<494&Rkj%=-OH;j^0J7jGCL zgP^lFJB1Jj&!`j8kkl65X90bg;-;?59+9leUWePMP&AzGt#-#L_b)^!H{Bj2j)OEJ z#d;U0buPY+HPv4MOu=^BaB{OtLDC?nOow}g0nl@rto7)v6D1dp#5G1wv+KV$N(}2w zWMYK()gAf{JS6L)>S>Z?jSO`)g7?KIiAd!OH#>8Yo;>W7sSbgi!=(0L z`zBDL6*xx?xw{*Rg9AqlB~SLF2~cNV{-a_RGT_$zuZoGB-oTqgo{*s;IC3we1{p$i z%KvIU@_`wI=SYZH*fo2f=F#(^gs}=a$^H{<&@3x;5!qBi^MkR$1hltU67&R|@TP{^lQHPM6(Y)M;rq-0r7%OoXKa0-Nc|3%1-JE27M!jXKI&6S~J?FATTSya3 zHvLgYIE!g6!Wvh+#X6@mLI@qBZ?~9XRm;C=-9TTcwKn|HMvDmmrv3(P{x<5-W|vMW zT1)cDS%(!ToZFz$f0#vWz%dr0MVOReY^H6~`qZU#qI?Ywn}$}*E8U=~_x^|TuazAVMVc-s;h*@_($G*jM&uu`t285bQWMvI03 z{Bzb#{$u!V&yDlyShh}on$h{tn(vBQr1YuhbXra7kZFVcv-T&v0R6i;Pgt0d6Y>8Zf z>|G=ls3G-GSIH(osY9CoGEFv1QA%4vJ}e&5d0oS;wveDMdl+vj(%LRwY~oB}$p}LZ z^T3)05Kb6ogYdNdDLP%@%H>|277f-m39zLYMfp(uiz1U$B)#(zsPH>Zj9h%1HCSoD z`}FfuR77d_t&S2kW6Izl7Eu&?YjXGz9V~sfh-okp})OJjIP(*sF z>u~f=T@^*N(^0XyofK$Ze`055mTzA62oY3~{|MXk{l3ZXP1>vXTe#o>D4%{^E3=vR21OV1H`vAUtkuyp71 z;?+E^Kq>pwiMQdjqBdvb3aQ)nq-_eb>O-SpD6QdgpwJ;!-J)6zFr_v64G5|3N~!KB zscvqu=^T#s)*hW(O|B8Unmnr4II80tZP?0is!_Kce$Q$wu-s^B2$ZVXTxyqc)4Bmd z*Xyd*E!O|hK_XI@7ve(p`bM6dFRzxY#{3-h%1c+{!&GpBn? 
z&C#rSW#`?{pgfxX&39b|Nu#5o?#;z!U;DeE>Q5NX#S9rUmFw^*Fj+s^2J!QHm+tpV z_~aPH<+8<%_hh}@q=F+b>#w%@$0ciWi(D3*UydXN_NVn5@-+JoaVHgMl0ee$MNsEx zV1#OM5UBM~H&2SlCa9lOf1QzOc~+cM2hZkBNB-=trmGR6>W8{P^*Rz7cpe7=r@|K)4}AlgqP`t3DsPJa z$=E^0cORw|D?F%JwRI3(f?q$zXeM9Ab9UiaDX`@6D!;fPax|tE zKO9gPhekPaTCi+$%x>^3PulE)R>ECm={XT0V)Z0MK0fhSWNhNKO0+m>q@{#B%K)g` zDzUvHT51D*ri(+n)Bx`WDiwnz2m$-~%xkkV1Br;PbGBDwj%Z9XEy@V?h-s1FcQu;^ z2|Mnd`24m@AA4Q~=YM(G`&n>D=5|!ztH|pkVgW?ONe_P7DzmexC%(Gy^WxugQ9o0KIXmy4o9}H@5p4DruWP@CyeOIa1Xc|}+de`<10qC%u(ETYbFthH6C&fh%m01w^NZ=6@(VUXAxML{ z{AJ}!UZRED$gB`ku^op>t%*`yg^8o0f7m<98 zsXKW?6c9nucrYS{;Y1}#5Ue(^rpJqkZgzq_J9sbUATfnfj-)fbN3I-Ikpq{A{d5CQ zP*y5Y$c5|Vi_k2l<{f}|Lkz)rBb$WBMmcybigKC+L>`013}71GZRvVlZrJs*+R*QF z0fBZNI`{jRQ9ab^oQ4!tO|J2D*O?|*|F8+}0ADRQ{B?MU;1yTN-^qUC?e(|A#4uD> zcFtL&ii_~bA-p$qZv5p+mQE7j_S?H}+$+H(-A8|_z)&_zx~-8#j|J>UTzj)Fh!67! zB6!UVG)z?lyXAn?yRM86Y3xgR8+ZM5Cxei=t46=2@$1|!lPyl0$Yr&jr0WGu+USCjh61P&|qmY8pUJw097#q2+)SV zUJeHY(9yE#K)%()R`6-aZcafx38d(V4lBsH>vA@=MuUBsi|IVMrn`)=m*dP}C#uqP zfrf1*eCh1nDj?O2J?WzA{Emt~Y|U8za!P2f6NhCWRY48cXmAp>u9Zo^2yiIUW0(6n z>=s0{Kn+HLRs~{jToc9aQtpFXox;qppj5ZgJ+*GJa{9DRxq&L2-XifpUbS$n3U?kK z``4^mDg(}VZs<1*h<(4QkA)r3GRrt8%M$T~ZQ=Gp!|GtcDR4@M;59b+E!n zfbO=AuL*jtsXPH3f%5wy*6XVeRK3vQT5O5h15BjZpDDBxWfd3{C?(S< zVuf6f`J(wzd7%#2*P_>vB8n$yG20l*FCZvjsw1`7|F|#V`L<#jn_RrE!Z~Yilo;-9 z56<*pC7lFW__f(bA6~&GEq#5WVV}p))oMcOLsZQpBnOOevUSfz4ws_xIOx<#ScC^` zC$6QD4(dK+$reXfD_8GadLjx_C>L5Rq>^TH-WR0i`xpo2Qcz_yypW8Hs6xM}&kt7@ z2?`qeh@_Fq@G!uJ+}iN&Nc}_bf3eS^hucDsJOr= zQr3c1n&_73bUTSU*j_uWdXw)-=TXAov9uMY3ExUUP>gnD&6Z}1+4ULN#-8y1uy;@0 zp@vE>Z`8qG3u!Mw4a}FKWFP&bFSXsn2rT{ znuop9o1VSW+wRCcL}aLZn5 z3b37Jw3K;R^RaqjsNRLl5~RNhKYLa+heJE$eA82x!Dj z;db-(ET$gs!Cs@Y=rq6;fPt}L%$VmC0RzA9fa~7PAKSUuAfI@qAT+|n#_!gprdO|i zxS|!z)N)fvDv(SI%&&X(d1oN|_U%#y86r&zMCAnsR5921Cx}N^M}jO53wbhjB_*tg z0_p;1Vfkrn2VK)eC5nXZP3bh)aB$nO0d(xnoU_;GF01khcc^E+Vp z-wjnP%C+L~iF$j)o7$SRWWG$Uy3*;73I4mM386@Qxt6;!GoB z8C@3tM!6wW5#{QO}4dI44M}*#=i(&je{)+9rdFfGmK_890X`Vo0M$H7{|=v 
zT-27!(_?ICW}*x!wHK+l8%MSb;L=T^t&kh*nb;1c?I*gJQb$l)eWnVjqTk{)s=gEP z6@uj;N1s?DNM?s8ZpN6-=|3R1lo%wX($j#0E zS=lOZyC(4JVee?hlx^7Tb?-jh2-c$qb?E2mau7W$D#t;?SW%biL9Vs?d1d-@0qe7% z=~>_H?e5ZqomF(;f@~iza%%mvzJxJe>tdzv>1=04F6!c;@AYeGYG{FeM;Ge>VQ08w z?`ZeD_v_-yWHG7@(+(@$esJ~XCYUusM zMryA4F_i|;$|3#&BMG8N4{Nr+7y=?rl*GV%7j)5Y$)b>Wl(b8-jNjSZVk6vyyAI!x zUsDR~KnPLcy1{2>m(=tL*EknzlyUmHT#|8zpP)+^{|qR+^U$yk!z?vh({4S^+Ll_J z{Uu(Sq}Ite-e5-h^7`yttGqAo)!1rsoZ78Cy9iggAbxCUPWW}scrI_^8nBWXXb4RS zDwywu92te>gtdZ~N?WIj*sbm88kZ6b5iw?okrLfJto-t6RA{6_cO4-B!iHA>`z!H7h4`DK{fkx$n&4lRcn*_?Rfm~aN~}(z673G_ z+!$fWqaTgL6+M1m{&uSgre!F@pOhtr-N2WHmnh@iMMEG>7ZE8MFvi$qFQ$2g1%q{j z#AJ3~zP#c-(^8QMgLfctscix#D_+*zX)IKv6MBy}sUgV zh$HgABjkkO#{SJ_-Zt0jmtDpcnv+rUNbT^x6?6~#CQ^nyvdd6T)XvL@=y^mj=P(#E zlR@XOiz&!#@ro>@PbR5?37UHXSaT$U*i>~%1U*T#^N@q2?vBDB{UQ29-F!>QQ!-+0 z8cEO}Q&rMe>T1NzUb>@;HYYqv$EdPN+c9%UW>&YVk}?|Yv2qi(0~e18j6m)<+oZPX zARocD5AL&_)!>9pIXg9C3=Wfdx3-PAQgl`0+r~esJ&r|fu7%wqMcn`@BwEQ>Kdqx0 zk=57xW&OD-U?_IRL#27xAdvl?nvX~oO(Q>4?G_o4t`1$zPMJvuSlU}MTL)G9N>n4K z+m6Xlt(8zQ1oiNWT?jyd97S7Yb#_8w*|lscPDF)3)9bE%@D~#ipKdnBHteM#Xf7&} zRdw){$e3z|6#h%M!dHCh_YD5cN7VGSk`E>QopX~Zmq{XzNQ%0w%D%gQCBJ2= zKjPnmRj`ftMvYY!d&Kb-Rgk{_X+;vJ4a(OscXw}k)v0K$QMcP_IA|zp0Enryi)uKF zs?dpQoQo(F7ByS;N~JC4Y)fQjIrSyy_#ZcQybTER_{Grr?p|S$VsGUzj zNVJO&m|{fyjqo23+7uVz2pLg~j}WpDr6@{yA1VTk$2XJ00Ey+tCFj0o7oor}KvjZv zC1P5bOVV@P4KL^U`zcvJ5z6|XVVLD^r46H~%Ud*EXvnw7_(ZU!u4VT|I01kod+TFIV}=W46hZy1+~MmpBkh&9Nd)M+C5V!pssA zRP8-|DKKG6=vlgX|I}kd6W2bSIlNL~_DxXgy9+~(`NFJ1IZTO3Sm?St6|$ZwaD12` z0>PnD-?DkuX$^`LOC2T%q(;tA*ylBWAI9-yslZ7w3XUncv!s&+BB6m+hvGx9iyp0< zH~Av8^kk^Jm=7{7yc-L8bJ$xUZN-gvpz92w|E8RTk)(?p10~UQM$ma9Ma}GZDpx*b z7>C>*qmuAzSotihJY$bd@`tM@mW~$zBtYOFl|EZG>#|D66@FG}we^J+5DV|ev=(F2 zb+)SN%+`%%nk;P~DLdxH7BfOHhz?Ququgi3aMmChEc5I|irAhnv^j|J4H^yiPQD%l(zH+ zXZe!~wYPo<2qbhnE&7|}*s#zL4?Jo*e-E1v%VPz2`SyJUArKmLk z?Y>dXIkItHs6%Z}Oz|&TeqJd(N^V%6qLwQgn$t*Mw=s)*DYN6u6I9%~Tv+oKSU$Vt zl?rHm8Rmhth$pDdhO|!-R$pypMcJ+lLk%4znHx_#ekv_ax1cD=tzRtiglADQj}LiQ 
zP6sAkv9#iv@I!|Zq{v>nYB8G}Ab*c8>4iLK1bG&;B%-D>CZVoz=}&4_E|@ns9Zz0L z$Qr}42qx|J<&zeNMOyB{Q%DpQ<0Ek9cn}`&c@iP05>@ba=5X;wdD0~K1~*J#VreV; zHj)V$iyV$01j*Rq>V4w%T=heTk7;XT^8h;eYt<-l9cZbQGeWbSy0wXAk6YKXOz zMtma+;`AjlS?z;+y;}~hZ_4g)y%+kWbK`8% z;619kh>h)opa&%4hhC*6aEe^*adnyFV-M`v8&aO+J2=ezd6s*mCj;E8_s@_+uO`Lt z+0~F@VkU37!@!*-hX&UXc6NDrnbTwLCZbI0F}@gXj~9Bt~@ZMU0v+O+XljQtxwme(T>@zLAQjxXf{v0W7|~krEUFflq`- z5fM$P{(^}J$AsGON6V0zX(~nVfHw%-aTT1o%O?yL<(D@2sI1bzx;8=BscrB-r2yMD z0y>KwWF*~>l5EwOh&t^3UF5f6NXoTCNfFWkgZ3L}-eBD7d==%E2W@+VSS6?53k7M; zGDK4B)EdaH--X&TcRZ&q2mlBY*wA3i?`kCrkB|q51PV-^Q%c4P+x-Mhmn8D>uodkQ zWlXw^{7%(i-sZ6nJAo6@H2lLr$!t{+_c5L-9Ggu*BEySHAC z*OvI1eG zwwLs02Iy5E*eWFemR8QTTAe}i^`9jO?glj}oSD($KPVOHZBDP8|HO9h7waf1b={EI z=l37aod{Rt*OEH3b9AB&#AGlDQ@&xWQVnW{tbj;5mF0>TJdr4e>b0&}Hqu=`g|_E~ zq5p9%U>4KZ`dh0FF~T$@5Lrm!qfQ>UHOrxh4?Bu8bN3OX-3^Mv6t9*5WSZ!GK$iqi z%#i`moTW(hy?go(JqZP$hpbdr1%(Sm3u4ng;dDV>rd=7F3>Uke9A>k7R1#R~g)Nx- z({~{5AnZ#qUxK{xYa#mmN!K24HH`gIc?DX_5g<-aQtx;!Uzz49dQw|kt(=?G?A;Ai4tJ4p#s~dzi`!5qP7|{ zR=KNH2vvDzasJ2on#Mc`wF8f_eug5Fjyn=xcjB2M-WtCq`y~QG#S@YI_IDi|qQ4t0 zC!nNPft@X=Nd$!H`cY?;oJX=-&ImH=;=NN9jsKT=yQlWd+Y2a;~M(`2sZsfi* zkekaji#8Ww;{>I>%QI{}hIMi_f$}=x?lF#TNPn1en;M~dogCS?O^u;??My#I=R#Jo z>op>`&xlcTN@w96wa1xh{Egjv56wO#K(=m|-qjSi!!*&flB+Cm2oPmQPze618C2#U zz>B01SoFP96ns*yc6avW>RLa!4I{Cofqj3*xqpl#w;y4FtXT}H?8%;Q2Kw5={hSZx z>5?g#;QMyt21O$3IGMEGkABPk{2)u=8S}oLy5HFcQ@r*R!TWfNi9mnW*)!Q&w!ZrE zWAxQrD4IBQkNVSzPXJ+dL1R&dFVfocg!+V{E5sd`tm~i){~o%}7NnU=&o5PP0$HEQ zj6KQFjlAG=iv`fV1g||_{qPsHd0vEPd7i8b%wj= zYaLHMeJ9~b5_SL7iRWyyt?pq!5`mJgP;BV|oO3RhR>zn>Sl9ORSbiZ1EacMA4=1sjL&)(bI+6%b{jLg`-$F@~nJ z4&Yw&$$xANS195poP|*SHL@48G=X)eE`nlNbrd)+8G^0Ozy;E%_s0j(|0Qwt+A4)$ z|BpI11C>0IW@+&dNJ(N{VO%{|Ze|_B4AG2+#Yt0cGFpOwNJAb7;xx;Yv|b3*JakuX zfu*<$wZUE^}{@lohY?0(UO-SaPp zU~)G~;470lC2F4Zb`QM`8|e)>uQ}Elo)#DOeB|zm5JD0VSvMT;e*xA^TOV1%gk^a5~N+ zx-#TvOSwq;i?$X7kkyF?y+&W2zIVU;uO*qU+}|Y`SW{o!c!Zi=3OlomhT=@i?amN< 
z_O@sJmK`3yCUO$=58Yfi7@1eN`%0t+YDV^_uhd0MbjK10Z4a=lKph~24$7ko9I|i@-c^}T@ERP7r2WHDmmOQysy^-53Kla+-;0k4jbOosRn5*XnzQF=#^xM(?>C3+_*{a}kbr5#Rr<9u>;*<+rmo_Hfj; z9QNW>yraYiY~nI-TtVp?((us5x*mi-f1j@S52H-$hWm~UI=OF@0#lEo9R_QErloTy zhc)@ald)&-OwQ7jV{Mg-X`ryvA87yKJ0JYX-`dKbY-C!w&%5-!rz~gWpus|%b)`zg ze*n!l*$Kj(f@l_>{a?gkq*#`}2P57Jy;m} z^N5VY_i=29HV!UMw^mOw`Wody3rBb3lc%p|Kwg5gJ0cC^uzKOV(QyWJtw`Ha?ZQE& zl&w;yt`$2}L4!LZ1>M*q2#ggVRk`l2=!TyqoaSkriO{}V_B3~+!}6;ZO!cu+btd7EQp3@-m$CVNZ8W1~c~j_m=;`q>wcIFA z`}H?=+Xw7HWU%f^szJE=D}o9v_UamT&IaT2o8vzHJbkPpH?{6yPYtUNc#p8!wUU#7 z4m`<@R(W>OLcnK7^4;)8j0A%stM%uj{A%c4G?^l3s!Y@lgiC4Er4gPR5v-TcT^u9V zk?PW1`RlEfv)~by2ZF5M|5eEZyMf%N|HEUCo0ksPdTAxVC$ne!(ItMyXgq z>NqmK=WsD9S$_S$VM2t&4om((#&XsWC3T-uS|lVjWyoLQDfVEBe*CKSSp8TU}Wvr8Vd1e zDPwR&eqv5qBt!>h5&LxrVtySzH*%*U6 zPw{YX?e61=96WKnIiv`ED*fOh8-taG|?r6s1rwC9!|i`i00kDV}0k1Vj9c7LfBwNV4_i` zDPwt|y?9ev*3zYOMF^4qhc(E^gjoEyGte=yj(K3A>T!l9t<~R6KAD+ic;O@Vq!E>& zy_1u9ABXt=-=U#MvGX*p_f*Cj&7=!0*Um<1TEppv;yr=$BbKhOn&JPb408!g~{dn|@ zQha6kCE{-8xD!>B`GVo^p(*i=i?$UhrG{zzN(AF_ri^o72n(57)9Vh{tLjR*GUSbb ziR7O_lzi7nQ`#ufQYkl^fL8A3Vfue=8y-TIes7VX3(FWBe;WUUB}MU&-mruY0(`;j z1oyyoiU=XTOH9M-gvrmpAE?d|A&`B_dsO+Cc@#G)_LddT(Z!Hxlfjo|5VlO{jMVg1U#Zba-$cKwU$K1XjVVOc_$%TO!miMXNj@|7X9boovhy?Nr_JZvaNr z2+xui_jgCKKfRYS^d8s7P~X95c3U$S*6a7JG95pxkr5a{uz~b#K7g3`tzh8p;UiII z^@V2oGPV-QgOCR+r@d9}*R0#VyKH-z42&R5f`2K378iREI_6IYZWP^aB*dRZElQdd zBSLeBb4f=5PoIh5*~wDm z_VO8-p@-f3-T5I!+I5Zp8Jwx1AvgM$74-B>jgPzJbs7VQi!! 
zAt$OqwM8$$~{hn8r`w;#7tCjr#E9UG2rIy=I8 z_QSc>o451x?Q$3$hEIz(Zc^Z8CI7W2I}5#_;ZBLRLi*g&_#0wn<$FEN*CWukahVsI zjxT!)dSuwl?MwJGuudaG_gPu=x6y#JmG|r8t<2t=7ro~tRRV{XExs4rT@!dyqNBD#ay2tNwsf|@&Ln1e=t+<3 zh3mzMhef8Aa*$C$1~uKe{E~-xxAnRNv9vIkCf#I(&RW)_{j?X%>68$)99fN!$|=RoS!TmXP>f)OO-}T@#0W>c7cVe2 z4yrc_pzZ$D2bb05#1AmY^HRX^w6W^Xb{~*uWx+EIrlLLq{cWa8Ud1?}Zmx1_CyFqz zLv&O;;5v5-b|yGWlxbSnGC_FSs7c#ymfZi74`#N>LO9p|w;mKd z4&}^IG{ze3>J)MQpTqdk1}Ue;VIpoVNf{0(vHBv`inQSsy~%DpC#cu0&wF8o%Z}Y?}T<9ia1eZ7O@{+=Moz zs%93w)H-?o_<4?{c)t=9Mf#E#f;lyyP>_22pkfh5r79SM9JQ`U^{WDk$m2Uk1+C)$ zj|cx}Jiy(qBAMfwhW9IF6V#(GY2;!-wE>?)dM=Kz2~zIW_@G5M@YaaKo2ih$n4U`%Jg}f9sm07L{Ss5+C7o@~1OZhw|5i?AOMi>+st@xKJf8?Thx3ve z>lt&_RqUya2)qPqo0L39gAgva==Y8L7e}0cPMJKsl9EB!96^;K@l zzm%JzC`2OzK}xp0%E=6GS6-zvNI}o@2d0s0p%n;9vdV?0LgMGZM6;b?5b26tk!?j^ zKyrs&4z+OZ)X?Ff*nkcO@o9wMx5ZS2GCQW`i)%TiYg|0k(7th zbVpinw=V$X+k`IpU+bt-xECXM!W{<*?c#C{cYR62xxR!bxjSWz=!22net+*1JTc%% z>8EDbGu{5PE7AmQl$(iWk8~*=S+sRN*S$L2Kn41MSWJjnK$(+`JjB2S`atL$I81fu zQ+kg?F?vjQ9pd5Au~?Kf-2A5W;;M7odL|}*89;zf#7{C;Gm;9&Io?JQRV2A&fHH5| zKTO4iiVhZ3nU2abmnj(mW3~4%j|F)H!gfo-DxbE zmO9d6c@-V^rKyE~xBZk{1`CD~s@otgDXSVwtE^nM3aI#kd_{O?VU(Z}(N52@ahNq^%NUlU(zR7sxkSc zn^(c*nE*HvXk~Eo>w#~tl~PqX{iT62uiZrDp{agnum%D8Qssfmz)D%1E~z|h?DqR5gdih!Zp+>o*i|pJXtLtYr_v)Bg2OSkv1|2QQw$3M8C~HD% zuho0hGr0>@%?`fYghGtz_qV?gMa-X`k`>aLW}B_nbdwh@k(bxdj#Ss=>rf5i>03Dz zld>)4RF28NJv4<~fj%-tK~1kI+O;WZ5%d@Lm3Vo6DcHa=pA4)sp$&LPnY`dSOg&XQ zp*loK5dH+opV$sUbG-ucZMVxeFFU^2Xb%r=S5ZaSZnyh>%cYvU1vuh3N%a4g7YiK# z$d#~8lyo}dATqK8lIj760d9~4MI(H?Ow+!Dncn`kG)KIdW@bL@e23#66XR>K+C4xF zED;aDaa)>)fF7~(4*dDAW%bhO>u+An$Pl#Bz}{R>+W%_xKmcTTN&|V5)|!BtWw7}3 zVvRD&LWa|KNY7AKq!tDdib>C7nT4oHTkLAJ&&vVq9 zA&rj{uRbi?sQ|%d*%pV*9{tiwQ;djQz3(u3;Rk59>hiZZ18pY^Y#cv@7Z3}C^s~0N z+0jZcBE@o53Dql)%UU+eSQ*}r-i%91v=QxvSOEdjPeE^%(PP}<4?^Y+zmoZ&+|AVK zig{Ae+C~QL8QM-GG0i6QiQ!)j_5}(CEW~(71#qQq5^YSMS9rhMU4Foy+N|wqZ7*JR1JQD zvIP>;%+$$}J;bE!h+lbFm{7PZl@L0d@9~FGf^JTg$qh<5A9M1s6)aLup6D|9`w;Cr z`ZqmHU%^y!pz(;N_NrXHIM2mF*cxImz#V($xeRE`4K_T4jGdS%8@;R#`2*Q+0op2O 
zPnn+N9XOZd%Yj1Om#((er&NCHcD*Ty-hNaeY@n#SK+T`0LHlxZ_3=7$6G<$F#Rvx4 zo|6XNL~Wl-&?`Ko3m-2`3doMXK?=hay1oZe7ypAPOt=Bjaz*E9y{)A2n-VL7C0*m9 zq=EKL1SXmLNwH)Wc`8Vr!oxqithin$W&DZoUMjn`*jd7!_r&O;v@a3X4Es z^(Ej|X&2ea@9RNnx70hmvlkQ=LeNQ4(29%0Kh6_zm4NA5!nEvlsrFR@aH1uAg1DAR zuP}fcXw>mW;N^?t?`pU)9U5os3c&qb_LMU~*B=bRkyV$jr-Q22^Pz3a<^Lhr0;bhG8&{>Vq^?I=Jo{bPpdzz!fZ(Z)fJ3yk-!zA`4D3vq2>W5wqQ- zR7kVeKn9Yq-%bC;L2wu#Ho`KOzW}D0=!%l+l&tW}T+f0|n_uo(caqpT_L%tscgn@0UP3q0| zsxG|z@1|m@l(D;Cj1&+=oc*n1k0%gz`;QzH{mQ|gQMx-i@Gqfv+g~{V_miquMAVGN zgk4AHIeXzd`1yVh{G7*#5l^Hk~GAV9qV4NWON92EMQipMd?RrQ;VKrO#)dgyJ2#wSiR>^gcAlKoNFRg0Hi+;Bt9Y|3}WPD zgfY`oAh{sy*v;lgbgssc+qo7emRY0uV{Fc-$6{=*2o5SU8u#L0G$X_gy*+e#Mvj>n zB>N}84BUvVuum`p*Z^FJjU|MB#`*=8cY0v9#P;O{4;Qx`A>G^GRd?S65g?o zKM2Zx=kRYRmw~%It@iIg?U-fetQ-S~97C2IH@5mI8iC!TUZ^87WF3({&Fp`~AT|mB z__UyJOg88z_c)Wfwle1vO@YN)V6*n$k2+{j1=WY>%LiB&o0ix!%|6#QQLhMddym4* z7XuGOP$MymQklHbz`RTH#>ZgUYbbNy+B)6sA)g3joHKnrZHR+GQ6fmIl!^3axfw6< zG4Do}3aRjPn9wm_-TjVZLi-Ab+ZM;^5rH8YX%&`56!wgD`gYIIIr|e3@;|sJ{JKFB z*!?6Na*xMk^2gY#X>gbY^40Eepa3xJUKN=Q7#@)7YZ_1X_wD9gMv>lU+QdJGBLb;! 
z6P{sWx!cPebnYl;lp#B;P|1_m&ywQRc{U=uxL$C`( z2&>CgU-*kesqUwk4YRHu>#pFBECN94kFIM#Bj(0j8|*IYuCM!;zr~d;RV}v9HU;6% z8y*<~w+}b6mk~n29q0=E6}_PP#VsvWV-tZZhblLvOdP}}C#Sbh0;c!(M-#Ge2WmB* zbRMB@{fJ!^3VRSfwtLwZ#H#quBJ@9q@4~jDH&R@FdgFgp!#|sw)H(Bb2w@op4o7xU za64zdpPQFV*s1qdp)x?~x9jnMw-4v6;6ty{r{@X(jI>#I8Rup5z1aMP&4z#7YkvCq zy+?KO^YZhlOFp%i;~6eqECyCn!sEDJM|xc7$n1Sr{&0M{D^v1Q?)!RfW`L8fiWK*W zIAy1SOUHZuK)-{4UnjaLDNv@?*GPM z!o)XXwXLU9mZOKOfB6~^1ppC?EJC5Kt<5I<>ah9sdUvp+fsNGb9}i{avhbFka~zs6 zZOY5q3v9z#QzV4QCR<*cb04^$BOW`gK)EW>vlj8~`};soJ$>=0rm1fp-JtlSJ)Psd zcA(xvR|bn{9h8EaEw&e$YDzF-DArPOMwa16B){kzVIJQ8^Vajz!;f7DtDUc>uI}4p z@@2Y~P74jbw4<-*g~g@RetxqH7GC^DRzTw=|CkOJU%u?6fYNp>rCU=$gyDb#QqTH( z-vDi?T{E5<_FOzgrL1|Zu_eMbeNpYA8zV%Z0}0Ph2_biYY=IqO#L67kAyS3!ox6i0 zq_877s3YG{TpI-r6kq1CdQoiEP7CK>L>+L)8j&6eANKTR@Xx^yvMeMXMumidqYhTE zYsspJ65rT_{Os-SE+LM0dt11T4bUD{oRE{O&F|Zc<@`vHOcT5XBC35q+l^wCmj3Wo zR%QPT2BW-5+BJf$pPppEYV@+Vy_|Uw{3~vujKH(+e$~KN(uZD)FoI9D+gsD!O(gW{ zE$Q*H8nB9w@O_g~petW4{k}RTZEb_77E^ysr2BU7d5;*YCcHxsIUcKmO@|DmbrpZ^ z-#yKh^*?|CXTDIQ=8r8qF$_Jo20D!f8Vm&=L?zwrP3yHJ)?%u#V9MgUr4|#sj3VPD zjldMW<9WM$-_w@!Qz!U{?{5m7#vQWoEHJvni?#PMAg3wK zoZUgRu1A$#2C~egm|#u!TVNg&Qq;pdMX5=s6RbPG)wZOHp0 z-`LU5p#o&MN8LMjtHX{b7n^m6Rc2pJO2Ru|`h6Ln5Y&(E-52{L1g_1v4zTm~0z_!7 zKux>DsS(W;*{vsr4-~pB7KS@eEbw~WaYO#DhN*M?KBGzMiTn*Q33(McXC(N2^$~!! 
zx|g~cIg7KF)K&R)0Pyw_ZVHv6gg0W&=jAmtGbOr)B>n)Q%V2)zQRKwRI*n20h8J zSaM*TJ^R9-w_1SOs3H5jLPMpU3_G6&(U<{|^pSq7J#&riNTs;vVSlK`tGL|D`JDII zNK-qm9YaRrF8Rhv4=>e_?k<*2cy)x_u;p@gEQl$-ADs=}UELId9l6jTg@WjLQ@u!1awQQNF zShY&owLebG>8rB+17dMkt@)QTB-ok!Yq~b84w40)xclb_FbHhbbQ0J5U!AQAKjd@g z1S)7Ts4jy3MMWZ!V%&hrB^tRaTlh#IH8ACx)W)&EzqW$cLqPn$Ld0FG+iQ2&qA_t@mEVUj-Ffl(L}EqD(Dwe^ zVuQzec`w8@61L18*qZo4Gr&i?--xz$gXtw_liW^9_6PxT(f~C_C;(9yZ>O%3(j?M zJnbWIPbNl|956(5@-b+ULKZe>+zkf+z|th^HUjY?NQwAF_uF&6slab=u6>3##}Bi2 z3MSkshS{p7jU9eO5`h*^#&sn7}k$)Dbj4%gO-PMlppL@ zTd;e$=01aIugqFgOV-m&Oys_pc(9|ixVexX#S=0U2Oh~WK; z5>cn>vUMieQtc>@5MUB^S&^6DssD%|GH}OW1-&X6?aQs`A!~mpL^V0rFTM*5NiBPq zsyksZL)rlijVrSq)T%TZ{yPq|O-cPsctwb2@DpN|M@=V<>I*Arg1&^xO%O&;k!;x< zYZ&6Doxtv&kuklZ>~_CFdEuw}7T#$(gymYC8@;U=pGWPiZ%) z5b)RuE!c|QeGr}rE>0M!q0g2H3M=zG84Pp#hers5e_rb^aMt4`9QuGW_*kFgyjfI# zQPVwlBzH+Ew~{=QE8%R|AI9LI^mzyV9CMsn{bFBV{QL|SDA;hPD+!`b($7y;E-0@V zQZrXSn=XRa6p}o6#uPV`*Si3qSJwr1x7W|x+DO#D@@3hQ2~$}gAUMe(S8VJrE0h^y zlo`7?GX(OquyQ_po>mg6&foDy2dI%2d5wwZg(PY#>yYD-+T)PxvL?LQlh__DF*Hop z$3wTu`|;()GQ>v*ly%Ml@c{M2O3x|Evh}Mz-33>J4GWDNZ7!|n?xMIiq^cs(3&}p^ zrHLJMg-zo+yiB4=z6G{zbso;&1Uu^X_7VY+LgmT?Iqw8JS0(kxTbQ02KGgzf22c~?svBf4eq#y*A=%?>&6rdRIAqG_7ifQ z;cfAe_ufdivX1LyT3Awd=p}vHPht%NMtb@(r2R&w?xoR5@KQOnJYGL*9j;DHuX2}n zO)TIxxMPZ64;^b0tHVH)jNa-~2fpVAC6JdY>_OVkVv*=g|4EDNCgkAIotmxs9fr~o zJBY>(z8mf$Zs5}s$3eNp=#Y?+%TjVjhk2KWoM7VMbTIt}mgn}arB@R{I*Ye7eqxW2 z*|;5u74$Mv${aRDP|wvoezyV}@a-k6E(zE~5!`p4o@B&KXk=pl%%uhI9COWA?G!FO zs#mx)QsCIMxh!Zo|A=DIn)n>RIL!U!CbTfFX^pttf>@_Yyt}`m zG*Sq^^5Cr+Q$3>~d5w&vlqzaE9faTE$1V*1LUKbmX##NHAh1fho?8JD;e-XgHiIip>1tzvrK?`boRAk6#E+S~LA=A+Oj?Ia<6$en&XAIDBJF3b??G zUsK4ZU`PYQPm_+{vce?(087I+l&Ph3UsERyL@P3ul<5gCF>E(Lu|65hR}>`m@+n*b z?<2cMv!WSL{{;8#eq@n{okMqmKKhe92{1t{;9G`l7Ys28g;=IbBY}@hj~m>LWXhM& zEcDK-THQ;BU@r`$z)wb0==gptQ-=>BN~$}arl}u5h7j$pheg30WJ+ZYwFvcC{Gj6X zO36ciHd{-Ve$iAP>Ipr^R^b{~{IBYgB(h%o`ZrqkW<>Q7R{Nj?+_}=2v3S({wdrf( zVUF$z@eLs&;zK-b059Cvq-fA_UzagytXRKenuY`mWf1e3_9=NG`-e{dgK@IK>KNr% 
zZv%^II(?WK5Kx7~9TtMlFJ-%?lVFf)ja*!|D-R3|?ks@^SocZ8e-B>and{!X)0I=x z&d;lK-eirz4N*W85-zTDwn)EZg!qS?4>@{#;gR{^9(Vf@wcfjn1@a-k!L+(RlgsrU zOlV8Pkz8G;R(DYMe%}|JfX*$qOO)L&5|z9keEU=;$O9+C_|HjrZ5j~4r&G@KOP?d3 z@hI|S`+m=mP_3_t)juM*5#gdK6i@}Zp28HhxpL z6-nc=#Y56Z3*Bi9@5CzKcdPUynorU!ng-_VhZbRr2C6@yU@?t+l5rPa-PsSxW&^mv z_$!*b2Qdahe*?^JvHJ5j1kOAun#pIv9{2kCz4b`F$l=_;cd2x0Mth(Rg#98rS~NmJ z)K`08kq#G-3sJmWZZ}yzweW8?@s$wqhfXZ3MM0qWiwrc%EDB@eiqfm7)OJuwM@Jx} zdV`B0;L59%wulQVJEj&|8G|oP?euQ@@xMs<;4O8rR_P4{&Z)ijkbKxnCs*BnzSZsB905Sw*WQm@n~ zP6tV{hB1wE0tH8G|$YQ1Cb10z| z0gN8Adu*u&{X>+XyCP?GUJXRSH35`>Hn}W{+$+RKs#O$wbV>=uL+-Kr#&6EZ1Nw;Y2}=ioL!+ z@?hW=BXhWtr`cm|$qbk%*u!Y^PP9Xj?3z3& z`rC1UQenI;tz1w9FOk8vrQ0)2T-eXKQ%uJNMS<>Njd@Q57>Z!kaRT=4j2wJ4-;OW~ z?%vEnO!HS!d$oB{wdf)euoK2LF_5ghko3XO&VnoH(Wv_W)@)C`4cS{aoUO_m=%>?s zlf~0~bC1R!>xL3c__aDI?pZG}&{}pj11-#6Gk&tz*-Atux86n}C*-sMt7kQywXiq)H z?`DlyS4u}28Ou)$+RMl=K_Y^4C|`lC5uHm%+$V)(wtL=MA-l!rOyN1RMY~9&TaU*Y zQL@1+H_|l0cWG!$Imq=;t41|u#|@8kFfC&mP8j#tmKRf> z9b{0*o#@a3a5yH_PJ=jw*i0%rvza50$G_S#>?E@Ix0MbYHk?F}@eBrZk%DdQApx^} zg?ZEfWMaUU$Alv-#L(yQR`HVTndTf!U>qsAW&WiYhrm_6W-UCB^+TM$A+Ug7pb$Qx1>7)*Pzwm z4-Qd_5v3Irg^5lj-2hOd-o+b-DEca+4LOr`U(|=I4rfA?$@P`@;Y*N=Noiz-JcMWJ zGs=Fj9_a*Svtt2~QYugz%g%24PZ$ESYlV|!F#yiEIQAOOC~GGPh9lvv((s;#KPXuR zVF3e>*uLCMHPhAA(|nz5HPtb6H5dPMI(c|~eZ8OYR*pB|dQ!>ow!3+_+Cn@`dvdyR zlx|8M;M9(1PEu~Z?Y-PhzI|LEvb2{{dfsO$E*e~qht`f}@Mw2%diXe)cCxf}vvVfP z9NoRVO}cq}U46X2ztJ9E_xG>f*32c$Eg3i-a8CjDfNTF=EN_Pl%sQ)CA5r4YO*TtV zVVV5{mcgd}X&K4}=ykuWtP3M~l!3j=$~7_?2Fn?o+3+QuI>e5&V~he~dNGMfJIcta z!&u3&Is=-)cD`W$xnER*F?1nrQ#WN?cseNOkX}<`)k%0#;(|CqJFY|Wmw2AKJk7|O zh;LqOgJ!D%{&>-v`X5YvV~{9Ku;tjcZQHhO+qUP9ZQHhuJDxkXZQI)U-oB04A6-$^ zofXj$T~U>NGV`2}l_kuVp@Hu(OCv$Nx*+@g;#!`BW7%2a%w4VV63pJrt?iN+-YN@c zZ`onLXl0s9;rG(Zo0!JC zCP`EEs==vR`HODbsVoZ|Go7Yo`9^f=!XR^v-g@*4_@4D9L$@+D-&fP~l2L+m4O#Et z?tYLU0H?{bMdwLFNB*XP4x|BW!(Vuad1TyA7dtGFNk4Nf?7@`U z1Z>d&wfX}KQmN6l%p}=M>W3u8;o~uD9djzCS#NoEUHp0MA;(36Bpy!4d z;Jj7Yd`4lMM*P}-*Ym;X!vZX3f^s@d8iz&HpT@N+D97ZEe#8Q{dd9YjWCJRJ&r@us 
zjt$_CIT?jd(qjR)E#;}O?wG+yovo7K!;~k9zjwB2(^`A#*Jnt(79RFqhqx%K&&?8b zx8A)#F9e2Itn~U1jgLC0JUcX5XAm{v!0k2{Jq17EiFYGdwiX^XjeO)@2Qf3 zAovv(=|t}-?R-?}8IhVcd;q?^c_XNa4G@n7m>wR`y`~-Pxy+wC4CYftSyUP)(>aqY z>KC4UTUGLZFwlJpVM6U>)k zBYxWU5Ml}2IaX{!OJ)EoWSGKt_lbx3PAMdI-&P2@nNiCmDf%R;u zg_o|1#kZQ4YYVV65?k!_lN{8Sbc(Dk3s;wLG|`p-R3)g|GxHqmq){WezVbWH%3VUWUMxFIgTKFu15=dxie=7EdKViu?r86Q5?4{( zXlTB;FzP6^9oZ)NQHQKd;9HA}XS`M2^wLGP+)JNP`xXU{Kes`ypn0(WNj(A8kl45#xqlT>Ktu~Ai-cA#3Jv+8}}>n zaMXIHl(>uuKd9Rz=d@DT@11zSC9$--6Hej*U%h6DrUOHenj@NaN2B{O;BCweXM_7v zJ#{nL+fgdrB6M$)zAZCJOcosDwrD{%Qy=gonIY=V>4_|f9#B0!nz_ZluPUUFaXRek ztH)^dlm6LJ$Gs;m9t@_TvR~Nt%+71@dx#N`rT}|(O`_H9>_bLFdl7|*dJuPDJbz*u{+%It zV~xD~{`3l4;=ffN{1*ll8G4NIm0b(Uy91Ody*e957~a9! zgjbkmZF=|P3jId03Dwj%7=ECRCa`rXYcjJrpt(hVCUxICxu0^~cgtSKyp9Ub%(D+i zTq>U+BwnaujR{Sv)wF*Jx%0m%m2OAU>ie;!#>5BHZkLwK)x)Yr<884??Ucmc+@Idz z=++;kYtEnUSpFGR9euQeY+;RR`JOwOs3xnr+Q$?K#~NQ-hY~ zQPE?wiVe?m0`SoY^w~+b9hjyj&U&ij-M2LM02X6a9)~bg{`GJ)a^c@`T zlTf~(ef7e_+j*Flb{q0Se8QEG%g`Cf33|l7SGsYy;PohykKRkcU;Rz!(jFYi&(jUW z=P3V=m^|i`q}yh2S!*^~c%<{Qzdwf={!Wrdd0&W5<7pSzJi_~5TDFn?HhOpj76m45>1f$__(mV#x1O#E**Rx zV`p~f?o9TZWTv*9*+O*FQ8}Xbi6`J|iWno2ad79z#y+9A2Z>VoI}U;Qq- z(YTc4tEv7PTNR9zX`^^LXbpdOpS|C;aJfIj@u{~MFw4Sd?JCbxqIy$&eks@-SywP5 z(9LRb@%O-EhULsStLN8Hwg-I!Se zfG1cs3<5B%n%U)aoUL(lY)+sxjxyhtsa)eWu6z4%c6p;rY{rrIrd_5T<49$5BU!rL z?C$0pP5;F-4J;ZObUb;Qyo3}YPy2v6{kfyIe`WXiAsemEF8rw zg7Ch(x~&tcZDC&_rbmMk%4j2OHzX;3AkbkHLvRoPBi{^DzU6)nB#ccmLZ)$z!xnR= zaH=Qv5JXaIUh0C(pRNJ#B}Sk|5|fmH7AD~(YNwcaq+aFeqm%fK1N8qPx&BfG03+lW zr_2TDL|Vm*-BE~3-3EsqdMcY~UX{cE!BFy`rI<)R^@$GUIA+#VjI|wOXFBZvs1hiC z&H4xVRTa**UXTe4F2Rk6&!;DFJ=Ys__=X^BYF? 
zaAo9hXaVxFU-WU(X%{F_ql-ULK#&_p9bKLWMi~&&FA+d|Da42V6)5C&&D-65j;JH4(`lvtW|(%GI_R{f1`@xjigvTO zgUW`oHk>Y%SPig2PtgG~VXW#~jUJIZ7G2&)#6WZ2Pg6MHUJ2dJ$aUkgl{Ku>=`T~l z_Pwfh_?@~ZoH5RD+c?!a5plxBlcUsjb!)kcXp5BgWb@D_1_E?XclLXF?$`XbApH;Z z&AnBitp*=u7M8@7P5>qH0ePW&xS>ZmspkT8LAL1uUXkx|v$0wWn_2ms~PJ54V zffy(s2g>vDX@55IDPNG=Ih$tda^8aBl0}y(EqfV;B6P<%ut5SmGaj_1KsA7W6ODrn zZo3f~1#d@t(C8TSt5pgJf8Wkg9LBq}eKZiuQ2bJB*mt&AdM?MIwhu|v{GY~!gdlQ1 z5BMVwe34&DK*9WnD=lJFbZ6`xY0(f0^fEAD>TIu^=C3vRZ1?>P;_AP$cA=bOMn`QT zt(!h0Fd-t0k1pHDv`g${dI!+68-epCYU3*T%9s#m?4rBY$P%n^7 zeTQ_wfcZ^rl~lMLF10FTW3`py^xh1TES}3YkbzVwtrs{D^7t=J!C-mxA`rUGLK|A#b)5#aVo@>QIgF=2&Ko)&X@>BA2Q+k$R zI&xj)n&HJw3keE>7zLU=hlP>q&XoR}Q<(!_z=`AGMdl9L;GW|zi;(eiSO%26B9P_9 zc1W9u-<%XG|FjBE1cRp}$lK_lE`V0kE%lFQ={2RBBf>$Gw#ePV;J+O+aCFZ$JRTfZ zv<(Qm@ou}RunaH{j7h`2ohIQT&f+-WFw#^r<0Af|fte=b2P5uo(%l!sw;9bqiSv&E z7`0EA1xZcljiUaKm1GlFP}yY>#o+6gJABA)@YbIL*^>pwmp+A;nHhHWX?4^;27;5k z(s_yw4*l4sSxsYgkFJbzCrcQjkl;!o*oC>Bejeg+s=c;NglN`HX;qS|X#zq=*BW2K z-<7PcfX76IIxqt~RC7`3SN`#geO`l#rWt1-I->zquhM0QRGze7o%ye8LV)5shNSEQ zxeFDQQ{kk}T(kx!N)Yy7Lnh_8!Q^fTK^TvS1AI%oCd5~USFr*>Wn)MZVv;9I5?rJ@O_1 z{}QS@ZFKh|!eZH(k>}?^mvIQ@>TjSooEnajFw50_hOq8xURKgVbh9Nhi8BaKr6I6^ z&4KPcOI^SoypeL+fR#MV3{2OFN@e=cE^N{)rBK{G2GByNPl6?Xg%-WP%P_OnDIH~f zG1YOisc$oQpu?M&A_S5J5f)>lb8kA~c9K(Rb&gp0_^r>*g8PhWKsb$w=PFy*7n?G7 zhlZvDA^y@Lt6%I1I(UdckubhxF8Jc(Rf3P6N(7W;v^wwL;Ss!G%kmzBw(T;pfeg9G z4ZZ+kc|VKdy;@l!5?|GWT`%B%pjG>|fHCgFrQ9Eq-VwcGOnFpKqSj177Jfsqbcicw z`jNvE@#6`8-W`@c)>FlaD1aHTIKR>bHl5qEC9QP)^#|67ZMa^4xpu++@Lvvxf>Y<70iIy_|2S33S) z=X~JF?55y;Ta1WmMOzDjgld>YNcB3! 
zcEg}@#;r;>ZcRI7AX$MroA1|e9#kmVnAM|E0o`c~=SH)hv%cY0v3a!24yPJia;6hK zx=gaH9Cx!5=d8(f-%G+0)3GuwK~aOEHHW?v1k(ch_;ZJTteHi}))E0k5QKwT;c z=wr#Uo5pCTAO+dLKNP%jB?}#E`S3{HdJNf-Yn`g#b)5^6$rx`@?F`Eyeb&@A>I?Yu zkY=Xi182B6vvEIA^wW5VztpBkW;E4C7!gkm?yIU^Sm4hC)P_T(1D#I~gS+W-sl(WN zl`wFuR1_aWHqJuyWffdm%F)ww{HybKnY zDqAZ^z{d{!*8&P-Bc21pjM4T@-yO0Le@?(4HsNdUACIX2_t`s2GvbheX0hZ4pLn!8-6(YJ<^OVtIJw6_IY6?dU+L%{bWj>%Vm++bsr?L06q| zA+0|97uxEHR65E~-gsP5)r7tB+Dh%lb0XR0`cOnAoN9_f(lfVS+9?Fv(OFt`+|^n# z}G;CmZ!eutHMfU|SkWs#F?C?XiAe@fB0uMjYsiw^kQTM{wYcfyVI7UQ-yG ziQzGarQYN6(4z9rOBfU3c@%LqTa&8LO3u)7s@CGOd4Qvh^Dc;}*yR<`V3nnL8{uWq zODu_IlfinMQNecmsK%ItJqim0X<&7s%JRpLRvK!%-kJbY2|6c~4*K=lLhHgqBT1wN ziV0uUro#Z*Usm1n$fEH~i&Nle9Fx^ZyS2(=ETdl9V(Q9T?)`qX_*fI${35}fzmas$ zsM78xJvUUqpyQ#|8e;kbnb8fbr^GZ?SWe&}uFW(P!<{x=iDZ$T6crkCkAC{jv>OVl zz|{R1tw!ZgXsnv8ByDwLL{2Q)j9`hpV{N8gSZ+2es-m)g@B3R#MBPy?CFsyxv0+hy zUDeffHAfrCBtwf{7*kQ^urylf*1vqTW7#k`#PpRCj0vS(NL5pGVI>PK$~91QK`}$^ zj4SF4SmISp)?(=_E2+5(x7%o1W>c#)wfb(XGR-zx4=PiS&Vgm;-&0AnGK&bNR9%M! 
z!PE@iX}~!~g$g%DV~f$&oxsNwOZw~(UpH^kY)SE14A#4(~FdBDbmOM0wNp48>f z?P?GfTE6cpQ>B95iuFDvehBYLBW#1-B6iS0I8qIq9hf#aTo3|6-o*316U^dxRB2hh z5_p>I7Xmuz-lFUn@n`=zZeT+~$&9qO$w1d>(t z4*FG9UZQ@HYW96X1NsjOpPgniD$46)pGHZZ;ohy@q^k8~Ao1p#H7j77DJ_{@*=4_ZtWM$2#77c!ua7>&UwD z9W?8rR<4Rne0W=vHO(TFOUZgNhhWu!B6?emVfA9~eds^hN1zTDbW_Xkd&_-c`VNn@ zMKz|S8-+C5@-eOdW)N+UV7`if>5#>p8%$tCblDk}hk8R{hmlxS7hJ`aKUS4gg&R!g z+`v1lPkl${P@oZLd1h5L*-YR#w_K6~OxF_WfJCZ*#LhX!6v10*D*g!|tBO0is;Ag) zwBm^3lw&30uDQ}IjQ{|Z?k>rK7X*;45j`G8CLV_Sstb08lgy>!I2ve%b}6W~w?=OLM-;iXz)aqTcpVd$HbWYbcxa z!PRPNOrTx6w~rI;v!KYjc1_Kc2%|cut1A?HOvN;k$jg8uy~rY*OV?8mJAt)VP)q?XxE#PW z)WAZE)m0)_r*}G^WLY( zr2moM{qk`7F=F8A&2UE8vd1aR8cD}V*keKKACz+#V2Ip<=A{VsaDr#2b3p9*WuCB{1fN~E8GchkZp$e-j z2n=rMn-52$jTK&4U0!Q=+IRp2H4Gp!?x=FPUQ1Y^p-zj+SxIPIY}t7vC6NrHj+(%t z5MPV63^3t4p~~WG0OKNy1RLb(t0>=uLP6q4Mxvq=~ zl;mpSpsMWMSp5PU5`o@qy=pPXb${iMvD0b{ zi-K3;_KjraVv@)~N9U)C0E5q+8^k1BfM)?jv{uzkMV6q!VwsS^ag2{Dh?(5R?=Z6h zv3dy?s7cu1*ASVA0d{y;3o#vP_|X%P!I|ue6PRHF?gA8uVI2rSYy*(N8r*=c%<+C< z@jEcd9xafv>DT)`X#MTY;Ik{}1 zl8Oq)Mv{!Cn5xdRtT33!Dl=kX5XI145NKak6>g`!ryf<(rK(1YECIpeuPDHF@yEj~ zInijX$CGaLw{keRthwn(t2_zrsBH$oS;QT#t|qFo7}$2jni#7Kqp8(fOoWzV&kM{a z98yUvxT-5HehZ{Ll3nw(;>+daB7e>`%?(M%=Z(f&opY>y&nuHakY|Z;ggP`asN4GI z$z98XsCC?j2B5>lktaPY2#xNwhmj%UzmUa#bcNkGxGZoIASze)rYw&ldeR*4>^7tu zmpd<1?gGJhv-dVzg39H>KYgBPRT7~Id z%~p|%)L}(NwG^tSaD6=t)E&!gIFHn&;x0oE)jfi~rt}WhEywEX$`=id?$EfYnsNRv z5X;|Q3BUMdWa9%e7rdaHpSoygwZ&I2QHO>y3@)Lp8x167W~pW&uY!%_3ahl5sdh7| zI_|H3be?D>{CtZZR6g6XT0qIoauiZX=~Z)HY7Ztmmj@-A!G5ngm&|GVJG3lCu2*xn z_y;GuRzN8qUdn=kZY`>8);xI1w-P0HLYJ5KK%7)-e#J z9@_ELl1p;V8}7ES*s)fJXxNy}v<5BI50zyO9(?tu9vvzevn8{w0h3_TgNndrdrTd4 z;JCR5lb||-Zd7Xv(2$$J20WOT5MfzCry3QastcEgp2uc-lGmKaX3db-n+N7~8ETN; zbWxgWSDky)T6OaRL+^{R4k=m2_<^TAe84dHK%?E@;m65=Zd&ovb(;x8d7ugEL~Hb! 
zxADRu-h+-;&)S|y1!uDI-1FaKTrtBgfBV!~N()n<}wWeN?I6J$GM*6WV7jdjV?1`fu8ArAp;f z?S*FiZscEY!R&bVIzGK#)LZa^!$*LTNIm8xE&y1HVZ@L*g9Zeqt zh#cC<8pIDZC!yS=!G-)V!zt)*=9~9wRcxLqa<$H20E`F@{a5)Pp$`afF=P-*k`)0W<{_AwPmYf>mWEATg&4l#46F`zn0J8nAM z-Zp%9;ZSLt>dr!5p9x`9aR(Ser8ybK#jIh&kg8GK=70*i8JKf_YtcPy!c($mmEvj> zKU{E~vDh{?&*sfkR4i7VS!|sqXmlVmEtl7J?}aLARqP^8zuNx|C>U=@r073##sUUw;?g4N~ z9>Rt>W3p_CknzLG(AP)sSPs;UBGYs8eFxMao|d%;KL(DoWVFG96c~rdwO~x7G$h;% zK6D?m5CPoB>HE^l$*tDm6Z`)d9D_AD)JRSgG034k=fZgij&C;H8t0PU3mM+*Dl1lO ze|%Dw3FUHoqn;Sp(MZQQ1&*nfIS-|ET8p>;zU+>?vzQ39h{4GT0~2GT_(S?MEU{Yg z1M$ISp3sTk&#rymvk(!-3*XPxf}WdA0{=KF?RHkv0~(?@6fSoxBLf(2c6djPUgVDM@mVmp|TX8{~*nrL9c z5y)4AKYpw+AvXskP(gd}CjtF;AvbZW_B;5pe(8N)&g$hEL)O$!Y(#Hkt7=$p801Cq zw?iPu27+fQX1UCD%{f+4x0kUOpQnGhpFg~H&~9)irIZ=U zNbP%eC%Tt1*jrtt+F2pDqs zO?ZJ&eP9iUOJC+fkOCGQBFuQh&UMTECUu<>V7HT3_Rw)IajVHjGIPQECryHJ&@<$4 zk_{TWqr?+_wL;4vEk(yv(R%|AOs~T{@?^fP_o^6jyyQN$UR@T(b0Du??QVAWN*~_h zbD-)%vNbOPjva}=pn=wgKj8yhrha5E=KJt=e|R=Q;MoPuWt~u3pNKfQVgQiOKVMsp zxx{A%iU==X{ogLqYHHX&GJ|D+GkSTAO0NDQ?nT7ebngglQSJ_PJdulPMD%zn71+I5 zi?7-=aH(@JItPx6G>lW~){Dt5pEz4rzGZ$++VR)iM(H~M+{0y!nuw5L&UbUGHE~8d z8mU#UEl)0O8aw(jfPijOBb-jru_RkXv~?4bA)u(S>8 zcpb>Gf8k4R4kCQ*DR@mn|q4ZVQD zJ%9nKeE9Kls}_q6A;FPLwwIonMOVfbDralNNeT!w1f3)ftx(yWj}n$JwCWBoX&vy# z!g&?(dbY;_UrzGIm_AYi0NNJu8X^8FAc`{}4+iL^0-=8cs(jpinOYubNI{p>L#af? 
zy*T%lS&kr=ml*$&uKC4Aq(J-BM2+VkZ$J?vqYP%pImF?$@Vur8I3L<9LZdfH(;e01 zB#a<;6E6jCz&mwt z`Kz}euy=}c-Oi5N*rdik^aMFPWzx@aP6{1bEQXMA1yqU@9LnuK@j#l%IJn7aA$L=G z8XWfgNY5Cks5J zksP(zr4P!Y&+a>rYVs8MJHfgOQ=eNlU}U@P5BXLn_~2uG@;q5%1?eK)DI&x@mQZ&T z+3#@SELpCy57P+z!Z1n{PfRsNaB}pf35lOk1%$`LqHh5g2tp8l%_xu+^s=vK)5m2p zzrm2Uci*Tn4e^UG`rxbDOhcg9kaKk$KWjaT75FL$BYaHKA>u5rnq_2?elmU6j<__G zgy~LL$`#^I4w)?w^fYp2@*{_SBgG~EMT*Ox=}C?Bw?!}c^@jMO*ZYR2C*oG<>k*TT zyF9*hyT9r5{DJS@btW$hpWNr(yDYwRo4@I_{LyRrqLz0=FK!B-G`D_l88Q98r+%Ut z|6}rl9lLz8J3yzB7i(LRa3l02xu;wHO{e0IUitGW^rY;)OsCMtINT-hHOj%}7VzGD zPN(3{eQbqZE|2n|oBvIxz+Ys5Ufu`2xC45A1N7t`@SbA&Yq#eA+x*UYrHOIn>pq(4#xy zdl$l&Zn)paU@+4-9iPAT!NbvL)J&a0#8J`1(eE{(s(t!EPs*jgCVEoG%JpMw;SVUE zU>Qh^jAItjHYSSF`w8&{L`@q#YaULwlFo*auaB75r-JY?5_ErH#Nx-5xoK)t5zq`b z2mD`fL?OghmK{dMI7HT?2D2bMlYdSh z)76&LOui%h=%OZK=YeC3{JGlu4N1R!2`vb4rQ2*Z{)125T^C|31^$7*Yy$p`aP-di z-!fi}%$}LB0X!Oc-)0r=8yUPW>j66!V;qiSO0Y2UcE_Yo@NkNe7$=rlPKzNu=VODc zd1f6|d5A}jM>|IVegp*~wjV#&7Sp`}dQNEInFN6qu|LC-3nUOWDfe%v{Wf^tFa43^ z{=Yl#q#h_8ZEcxl0S31jMtX)F%=yp`-xX{`#x{9z(!}!#IFzn)CPDfH9Bww!W2Srd zh)n4m$yl_)Zm==D*MjUQwpWB?d}mKkm~L-aTKY}F-}O5AKeT@juS`}4d_S1)Kd+*U zzM+)+=<%R}g2GaMG~|B1K*=9x%e64+C5kGtj(;@t-NMcO78jo~-g!KJ%QU3qF+@6$ z{GQEp4}+f=n)4LNc_df+${XXs`qOGsdi_GQ-+r#c37bVKh#Wv`9*+krN?s`)P-?2z zsOn;)OI7)}(FmmjEW4wM-vC5kf4zV<0pEgRZd+u9cUxLZ
    <2UY2gwX zI{7OVc8_ln*R;>@^Q570PIKY?qbk(ykJFl7%+p5gSNc{`xkFc)ch>D6uhu-G4mz~2 zdMn$n)smQBuD5y4yKE2HDQ8|=75AQ}lDObneL=)VwPoZh+|L#r7K9gCouVv43gYH~ z02dTyi(?K5pnUPU`@F+DVvWM)eZ+bh^w+KkQddRd{n1F~zRs$5=GXVvv=>rjfN}Im z4TIxsxwF9_oin#mBZ7qY$ms>eoE;!V-3D-G+Cpjm{j9E$i2-*`laIy< z(ykWk94S}9v((fxbWiV2?}MEzR|NcPGD4aqBj4zXu=jd zuq_}TIA9pBD9VZ#o>X;ob~@F(Dh|)i{!OeCa5y4+9nj7sU5~tFBUhF_YrxW-iBvu~ z18MXa(suFA8R6i{{S$@jw#|7kT6VFNX<^@^0IOx&TcE{klk}^%OZ@y}CHk&4^)hG- zl=jf@&T5nb8)LMCA+ctnmWz~QGX_1;D*y2Zica!+7D~jz|4vJdJs+774%j*3z$3_= zH+KqIexSqtwwk!-gzGe$?D<*lcr*XcXa`j@spG-sD+LvuWC0Q)t6jol-B#j6&E>pI z*FddJUw;gB^1MN{F0;PagFPTO>r$hq7E<7SI&$QP&CU4SyIzN+o}_mY6*_xb+nSUX zqNq+2ArmVXdm*5;n(S^&sDx%o z;*4<5;s)ON`58BC2>iDD5^dz+xEPOCkSHxXWOExk=YG*xKICPuqK)>=H>&O>yggsY z>fz{XGDq8dx7VvBcq@o)C0xTIxE0JVMO{cDk~(GMw0ylFQni$2p-oF>UCL2C(Wsuk{*W*$)?mE8ua|u4r+}}JnprjWoyK?7B1Zxs$EA2`;4JY7ZiIE zb6|LJBHt`y7$9yu&qK~t-PB;WU3&{+|BNMV({DA7}SOmDz;;{4)gz{}BYu4cXx z0@s$418ooK{-GLYZC=u?B8Q3x*I{HgO{uBXkB5!~>)4tl3O%VAtl>=7;qUzK4W$(`+^PuHlZ-bEl9a!mDjr7Fqj!6mpU)@=P6EsMRD?s-uQXjB>_ z=0ix+GzeDBBcK}(Mn-bN=j{&L_q|!`3zjDqw`J3C9mzV9iZ{$g?)!eiYrN_+5>5Y) zRyDL4>1>iW#OOJEGT(uH%=zoNWMsbY!Dev^q36w))mC2$KL4=iw}crvN94C8M5t0@ z9M3CfVxBz#H3pCBuw!v`yfl8wHl#5hwb>O2(P>;FdJA5^WTd-MHeC7vHqOk{2j&e4 zklEiX@IrSH3!4$YRXp|eaLIo{l7U6u`!2?9@)eDQM84fibjoTNWMsbSb{80PnImRA zeF2T;#Xg*`Ya&S{+A=SA0A< ze@1h7O~a8se}7A3TVI2p13B)HkR~F0m4*8C`!Wt}PdHtz98KTq1V>>D5TR9>*w@}C; zFB8%XxHDPcSWtDeggi_LXveX)~PF{Pp19t&gVz)N~<$vpNoqbYv8jSU)?{aIN6 zMb2@#o1a9}r-f;44|1EQN~S{k8kbcmaBRYdjbl|NhH^x=v0qy`L5(rcH^c zbg{*KaUCYWU#1X2?j+{s!rZj#j;x5mB2DoTabY81#dc$*KeYu1aS2Dw4O+B3h@3(y zHG*>!#ML93$3JU94k342YoL`Q(F$o~yVdA+ceK65eVLTknq64CJ;!W}G)JK~A;>e3 z*q$lSq;A8BL%uYDSIDu8*x7Rwj=^@-;bd)E8%_$zByKl+TkPOht%y%-18eehn9R78 zmNb46SC+q#N93oxWBeY(&e6j=VVV}!;e|JCHv9?%^x5s5Te07$iqr@r%NQgHA-{k7 ze2W>fjm;XA*fy$-rOZK^{efij_yd*ussE;bTkcyrg$M7m`$(k`q-I0nh!!q;IbjvM z;1W({hM;4|j8M1KF-mkFrXnjjX69TC+t?ec<$+S4mgSEb{NvzJOkteY+@F;mA_q2- z?|r`BEx9!Mm8e_X`!CWa78^4+kMh&?YZ?D7!%MnjQuZyfwZ5 
z{&%ExK=UXv1|KB383m=mO6;=dk6<>c@988*CJX6%0Kz8hx7Aqt_FND(Z%xM0t@Z!Cbg%*D{&y9pT7EsF?VY@5>+3J=!wN#e!&;tDhfBOK)dDt${H+E= zL?hYZ%>7-L_rLnJpE>{Q2|l5T;;o&2c#nk|bY9#-!#%^{p$(AZQt$&J+vAn;zMJFF z^`D^MI+;f&DMC;vpX?7VJpplXEsO;f^84lFL&PxFuYTk4bb2F(;M4D1uk-vD8|x51x9R1rplP$!cgYDe z)3$edCKn!fDbsA}(Zf0O5~=M9ix%FQcDcNpiA!?-Klju%-dmbG$%9MD$y<*|q-F~tXoHPU<{0MH zDpR;7t&BM<>LZd}%rQ{-(NgRXVtkH9w#BwGJ(I?syL+EYxj+BZX2zUckn25M%~&` zIWEEG<5Fp=diC%*Q?`Qqg0u0i#}#i|@cD-DM^5WpnDl0L)>hx<*kHiHPM>|yJiYK# z73=KAee3EgUArHewq%{XAwO8dtPL@1R+QO({uEfIzqAem^3+P#T8?NcVo5TsQgWb+S-aN;_klu0zY6$G2u^P-NnN z^BXZ~!1W~Qa`kC;r}+QFCPk7c+g^WMa8XYJ%!deT4#Rt(i|Fq_*4iheUH*%obh`sg zHJlv8k?Z-WXcY96D!a@*Ze9ZfgVwOiY$e&PxF?TLTM6=#TNpU?nVov3*gjePWxF7; z(BS3HNjTx)ICZjn2iK>aepRI&rv*QOqfzR3Pu86c(W*lOdkY89HnMPnXwLd0xASW#v zM6aHuJ~n7!Fsa6k=5~r`l>&i=M#lIO!Wcy+;bsTgki;Y4Pq6Xxu096DF9jI1B*hSi z0|*KPBI&`_8Fv7tRg{Q;rjRky04Z02n^gs>OMr$IsNKd@%6J$Fq&j4-3gtiC3i8ir zWba_(c|;91P%j3k{NzOZ4ng61Vwl-30hw+g3?Y43V`o141vtsgYTj~|@yge>ny(pZ_#{p&z2i&hIb~1E zA}?=xk*jkR7+^;G$#n2hdq3<_5h}=4B9)*=AydjI&|)crc4Bz&Uq8@BBiKbC5zz#x zGSD2nf+h9xUkq7`{Bx>qBzPOh)ht=9xeZPm7ZJqym@Y+jO?tFkrs(nV-s;xUHklq) z<95zf8TClY64j~HFTE9!4^tMr9aN{*qUh^d71AbD4WaH(0i&FUs7g$A1f7pn{j1co z_r@tLLg6vgavj4Vb2Z2}wV_@IO!TQc+rx#-t!9WDb?RlR+I*JKq<*S+oEb;^@N z2+0%f1&=$Jy*X7n3$qW_Yni4nn*v>_Tq>tc ztlso^2Iee9-?)zW>n6T4qa*Hrz7E6wHyB1hsPFGT^o>LpzKTM0xeu|($U(6+`!dKK z--qTl2ocN#8MO;exszVk$DjG>fb7Hnw&(v{_Y>zJiB_T@@QMdn1kq)0H{UfdD=nrR zh4Ti2Q}mNnh$Su={99=@3>h2yiZUwBu=^v5wuXYMdmQX*f4S-6XV3?6SauUP3lBP9 zE6y=6fUz~W#w?Be9_V%O8h)Ue{r>u2#-SdLyra*;TfisjEPnwwpa!_-ZlgT;bQGxE zT>(Qz&dS}T%d-+wow#Z;s=eBo3kmV;+87@|=3qYd9-|x2dG;?GCgF@i@Un}jz>h4u zrJKjXB3i?5tRO&(9%BHKS2`Yf-BAp2WqGU+g{76)0fN~du812YKn|jJajYB9Gr@RZ z>wdetkn&5G&$LI8>G>xy|5aK&#k7b8!V9+G;d)*zqBc8NwWxp{c6TT;ZWQqT26-kn z1Vv~fHQ)w`06!U5fNqdt+7{zYVK)R~Qva306u-a`p@21y6ZLRDoxaG#)DP6W+koQp z17*{RwBgKQ+at%@=$e-SH&pE_J#w- zh>3cJ9|z2TwRfe&o1St^Ud{`Q&Exp&xQ4-d46;Ap1sMa%RWeI^iBGIl_GAx)y~DG5 z))Mq}>uN$CG5K91@w&ZTR^hdjEGr0!S>%F1|PsLwiO18A8Bofww+DN6?lVu=|* 
z#-3+_IoUdgc1F^$QMm@RBg}-Td zM$CHNrf||rND2^IvvC@{<*8Gp89!@!MxK>fQ$L;iN;US~PFEgBsw33uaq52ecT_D0 zs%n^ZO1yfe<9AF)s4goXXoI*%l}D?bKMzcoI$Jj1E2wLpwu33wVH<&2RarF{wV#WF zs#d?FjQ>X0Nz6@J+&Zo)dzDLrs(D`RT2~G&|7W3Xt3&z2t6x2Qwe|4TaLILXwlRNK zwr5}AyB?9c!|iK9Z))istNGI{trF!<+kY#ZG9&!S+`!K=b8fT=s9kaM)H(R_w038< zEVo7b&+RuN6IDJ2(56EfQ*K_|vue|Zr}>xHi61@5di14#rkK^M<7%C;D;s_` zi&kz^FwF2MVx0JJ*~Ck(vl+N0Yc07m*ypIXC599(E_eFC+nN6EjqE!S^^(?XCiUWo zv}=pz=+7=Lzq$WcK~3d^`5W$tY^+}zyjAb`-aUu27^NP0v)fKy`EtV-b^~Sp^>T54 z{|9(8GKnyYFfcH1Ff^vQL^1iT%rE3(U=XloU=Rn2!oZS75G%PTHL)Z$G}9$DEi*5( zBr`uxFRM5|58V)5o4rrPb}=wmI Date: Wed, 5 Feb 2025 14:40:18 +0530 Subject: [PATCH 7/8] Updated version for Okta --- .../Okta Single Sign-On/Package/3.1.3.zip | Bin 0 -> 51205 bytes .../Package/mainTemplate.json | 56 +++++++++--------- 2 files changed, 28 insertions(+), 28 deletions(-) create mode 100644 Solutions/Okta Single Sign-On/Package/3.1.3.zip 
diff --git a/Solutions/Okta Single Sign-On/Package/3.1.3.zip b/Solutions/Okta Single Sign-On/Package/3.1.3.zip new file mode 100644 index 0000000000000000000000000000000000000000..11d7e6b7470233c97314de65522f427803b53d52 GIT binary patch literal 51205 zcmYhhV{|5M&@CL>ykpz8ZQHhO+t$R%B$H%f+qP}n#y8LT-uJB2y}Ex@?X~ObuB&%d zm!b?P7#a}NzZ1n(OdII`Igo(}f$WT|>{ZR|9BqwU&FHON9PHgZVS#|b{U1x&cbh4`Ow_`MRb)p2Ct=ytbN#DC@$i;Yt& zChAKpe|VVk3lWmUZ!O5nVW}&Y(!lgW2#Q&YMHUs6%a@CX74`ISp@F_xP)z8YAl1Gj z9!1R2AfCb97nV_ljIrWeH$1@ztX;4QX3DccbXa@>!~0|02;&=>d~>vUk9!m6z^{^# zU3G8DKvbnPG#!g1+dEqbIC}2Oy8e>Y1ML1(^-qZByJshhpHc53{0XX7A_l_UrIaf& z6<4DY&l+UCLRJ=9D(^WTmN4F`D}mL8Q;)+7TBRy>tOBe2LN6<)5xgs^01g-VtGo_S z445K4QcA_!%;6;f}$N0TkoE!KdpuwO#$@ z?-B4bb6dv~j?2g#U?0PJNb}&63dIwRDXfRB)Hn*|5@(^tnIQac^Am5 zRo??OQ%)VPw2LhIM4w4`FcMVCTXtx$scc%NBs_W`GI{Dyom6eIn;w3cyr(R-p9K_n zb%Po7NnX5D|tcaRSq1O%-`i+LjuRCVl=)nJFI!fy>ZlY&&r-m<+*sbGv$I z^^V@qEo|kOP3cI&L{4rNM3Gf>hS#mU!%?<`A3&#A&kj1nn;blRZ~gjA5~b zQr+~4-wky}g_#Lv4`ISpthn_|?73zQS{MjH6L0m7?@zS2M;~)qoL@q;xOQkXwT|xx zTAcHl%Z7Wh09cEn21a_AdGL6eKwa9LF-+rHmoY#JKAN!z20tC67`fIo#iNstmxK`Yp(mV-#JdjE(P8zeWq$ zp({CZpS91JHh$cSCiyR->;I+m^1pPh|9?7({cnsI(-Ia&x~Xy}GGRhY=rnLbROxuf zFm=Ew`^LDV$7`Rpso3e7|G4!050{hw%O&7HE(_SSx=<#2!v8I;%z$w=m8mlmgelAI zV9MlR<{lx=!7lZLnIOz`P7fM==l?)p^8Zgb^uGTK0cWyj{2zo61pOc2j0E@?FYcFzfcVUsMA*85y zVsT~uLZ&tajFn~HXiSm!vd~7U>si!+b!v#nK)^H$u>=oUV`vnH?GD&~B(?%?o}Z#y z5A#oT7uV-Z^Nt)zWD{olMn;93Y{@WT13!O>?=@Dhm6XRQ=hPlJUans>8Q;KKkRuZ9=7nM?%8(bt^}jAvz!70xF@d3Y9<%qm0jq=jcr}2 ziBb&Lk0I;oK3=647KfRroJL;P7sany8qYyM2{2nR0fz~{kykr3jl$eYFWm~=8Um4m z^m)0wsnvCQt!|ZJ;2Pbft|ylBLcpknCd(*sdzss+En4A@76pdK$aKV9BjDSX$BK%YHzxN9x_+xU+yH~Iv# zqYR)#3yB6JV$8UDu>OxJHL=&ukoTU@Hl;|UE2bG3*rHo5TGu+ft$kWqpsc)`F(!Xz1Mi7>~(C(J#ti+6t*_ZB5 z@}G-pH*wpZIu?gZUnWi~9e%nhS37!i`zvJ#iZoz?93wPFa(Cmjj8V%AYx%7;GsJmi zChE_RlgWVQY$Rn?3v*<2i^VUIDx+a$;%$g0TxxS^^l@I)3RDA!Z-cFw8desu2&y8vYc=9Z4^#L&RvQK$zACSaV4IaP%Q=?M1^!WDa zWhbSKu%;EQjZ^VZw=@I;jcX-i{}7Q7W8AyUq2OkTY4iiyjz(UL8qj57a#uQ25T1QK 
z-o!hW?O1|C@E+^~3u3144nYALW`A<(gPMcYZ~oYPXbayLN+uV#Kx&yHn0TU;Cmj)abR8^@TCSIHexjO&}}c%RY8sZ7Vg+?Da{@!yUWsG}Upoi%oU$ zBcC5takj7PjtTQ{gKl}N3oj7Dq?!Q^l*wfy^?)EIUcIENHVCvm3OGU9X6oxo~~?0z4x%5 zZ}hoss&L)>`s~S@wDh@T%&2NwhS2~t5OGtIzYNWIgAU%LhC6@35Hs5_bmG7{YuRVI z??`90aBY;NoWYHefvv&HdNDSjvn8u={vIPq=)3mkWlY?ePHrw?;Su1|;%k;XGOif~ z#)|y4j)IxmKO?X$G-E0k?q@3AdsS#*fuv)dEnsJ(m}EG@x}C>20H`OS8DScL4HU89 zRT7h!?0%(`W~nP(9Hb(-#ho9%mSa#57gQ-+cb+Qf`GZvxhnbc2I~0*p!XEDP40<5u zn3vl}tjlkm`a)#ltWy0zROSBb%z7ou{+!@MMuHx7g(u<2`up?hbHU|J{5He=*>yK65ZkXY}q}kpi?}@$AX2 z@S=T^AFJ9@HP3LwXREMlhoM?SYk_i1rO3lDJA!iug+G zVoML6L`qz;Gi=?7U439U-E#B03F|U-f*4PeR8xe@x zb3ZH?(npwU71X;tf?x~%rQK+@@%TViWq?;~GulJoNI&(9WpRk!T2O}x){~%C8@lqu z_N=m-76DWz%+XXAgiIe>V@m>-P#PLMJf|`^%vdbXoJ-SQscRL`Yt86B+tPKZ{8vnK zP``|>As4zlSMt5)Gidw@#rBY^mO2!Us_Rg4_V*P1xW<4O81H7hxFX(w1irBZZ%`~a zRxyWpr<9RuojPh&%Hw6^uqC(n@+p-remPCv6;aVW%r0*HB|Z_ zCx2uN34wm&x^GX2OriSq#1q~PNPsur_sBy`<&$^zwqVcPsm9sM{eS?U1;IFir|jd$ zr##j)sqzyb$b1i2^650hqazRxHEpToOrJVUTHFrtNhpT{pcTHpF}^8k{Supkg$tc5 z)Sbe77}Oi)N4@LPifl`FXr$tajDHavhzP^KGpH7+$})qBFT522%xi)3WgA$Wn_Ahl zlVUk+-vlx>$>+cldT%KALZX4iVOMMknUv;36J-)=!pFY=iGM-&WK43J#xjYtN7StP zi-yWU(TQs?iu;A5h|=>g#+7D-YQ_$39<)-avNC_WVnw(nZr$9qY5I35*KuFNq3eKk z(;V$wVi(0wwHS75LK7pAnA?t8+oa??)skeP_ochz%b!^Oq{Jy#=b7!{0CJ z?hBE*Ow8rtH}JekG_??@g1eSyT6$@$B7_m}I=e#>ki4SZ$R7R!CXYtOOW$R35F39W zFliz7r$GTzv8c@fZQ zQ-*{*d6YleBwDMhzd-kQ3Z~$plpEMIicT3UU?n3~LFRRIdc|#lJ&g*@!qO9?{r}t! 
z5D8MCgADg#AQgQ?t1R`DOpTPVU>N>NvI95Dj@e6QH>uO8JzKexGy})w2NDsp zKZO{J&+D6aI%q<$=Cl!Bf%VBH^1;-0pqr812mpD%3G5ca!e_E96^w+&_PctvYt1){f7!I^0xK!LmgC#=ILN2k?C z=_q&inlAbSfwKCe96llICU)N&rXF2UHvzd5dr0pJ>6@L>UX*Oq(miH>ecVoI^PerW z(q_4`nH}1ToAw2^W%W)ZhEiT-aa(0`8*tFO-t494CwIMJeF1dT;doHiz9mdynlEM>2m4ZF8n`?BTEl8dHszc!V> zsySWQdNLG~@gtm8_uIu|Y@MTc1oy$y0*UUcxRG@?60dHx*ysW& z6sd#Me9*t%%gdUx%-q8+wo)&-TaC;UXb-bb_#12)c%2_B_cKU$78ak91 zWajD6e#{CyTd2X8B0a+QS@P!jxzTQzf;B|$Dyg&_K!+q$o#V_~6g&TJVnpu<-{m7k zCs3;`hwp3j!Y=o2eYN*UGPiJFcU$M+Bg$^ROUp)dY4~_<^_jymrfc$C%vU>Vr`aF;n+S9@3M?p54oPrmVzPsR#%<c|X zVEuEK2X=s=SuBh)g47BsD3r+CxQ^V_E%`=;D~G#lx^26(_5Cdwxt^#GFH%+RjF}%| z|9yuulIsoI$7?lP$TT&dvsHtZD4ld`-^`&tRLS9%-?aAFcj1s1%_i+n9UP7pxkR=h z4?Lz-Av<@iipf4bweNQu7%L@=`@T| zu*Qg{QQPE*sRzd{GseEc8#)b)o`)x?ZEOa9e$t00=|&onwy?$84l>SzHNgBL!pJP! zV7`P9PN;JFT2DveAjp0R_<>1J{#7IU-yQ|w>m(CZdXU`*P7PF)WQjk55@{$N2Lz)* z$R`Ofq!}t-go6Tk&*&@V>>PJ|cUa9SERmhP9>T7SOP)N!pqqfxZAQ~-fre#MpEJS` zIlK#B|)*i++$JnZ7uC=`twKzFN=N)U8?v^gWw)xR~kPfjY-x6N#br6=re zjR;tWMp2xUaw91*Vm93uiFKxfU;M&{VJ+BV3En-mOND?7S^YAMFS5IK|7KMI5FLU+ zmI*g=>?1%uL<~24YLbx6A$mv?5AZfb8;#S@8jB4qU+?@}u7l{@e#yPO`di2`(}&gb z>6G4my#mE%Q87@RfBWNB%ah8%wF_6E!Zhk^Y1g=GH7%U~{cr>+$)uX*ZzKur@NKWH zT|zk4MB@iRgE&AQF&-Q9o2evOuAlH;CyVniO^7l+eC*yLKF2edn~Y16EkT|f&L6eB zWJ7tK-2A%P^Sa23(Z~Ky@KN}vd6D13797q5p_k1pN@UYm`bs-Ib>FkaoIb`tFg4$C z39@)BK-@SG6b``&!J1${(NT#0OA)4KeIZr1_-LJnww)M&69ld3g``z`_se(N;Ih=Y z?Jq&NlJ7+XGJDZq0*JRaU4KCL3c?Q0HD0`RlbB=0TnENx6uPASj(&1K>@`n%Ds=JN zo?F0=-S_*9z(t5h48Jzv@qPnN5HsGFF2PEu#Ba9A2A!G=wJ!Zlj2P?;AB&odO`0x! 
zUh!M&nv5k|EQf<9l(}?M){ZCdy0i`NF552s^mD(?6&ck(_0202;+MWQo&&G&lh(v7 z?HrR8cJ_kR*?;}q95Q_)Ib{7W;2V$~GKZP`;5r26`)aP9_K!J=jlVT+y~jSrU0-hf zR^Bxpy@RS0;Gu7D*65_9W!?D$ci2wlkVAJE-x7@_Gr(pN;l1K?8^Q8M;8f4&yb0U5 z-GmNI248QO(+VzQ%!d`^_VzgTHlU?GrAXrj=m_3UQx;|H}(}3XoCkaLR!4$6A^xdlzb4B>K$xk zQdq@nO^*<9j1XvrSECV?u1zVE19rhsecY3k+55j3d*TX38gQsgO@8O*gg#j*&0ns( z!vn!`U<raJIOd zE*tG&Hx^{pLgmC^5AH$&Q1l6~pwawJQ)m1qdDdZ?v77JM)oUYHljkm%Va#b-nu6{A z8s^W!V5n78*@43jPcJh%ygjX26Zf=x*(|Yh5Hj|}cvT`9Z&TY&>EJLq6x!@2Ve(GN zc_xVqc|x^(meT3jFSAf%_=C%6^l8|4MBH>-_7s&?T4;NtwW3iH#(N?YM#@DqQQ!Yn z9D@ax4GN@F2{alBFDn5i!1frX!^!|O*4pwXq?X*)VtwqEWFtw6K-SUwy^N~#C84XiM6QgkHL^6s5#oQ8Q+) z&oTLfd?19u)b#=6G?hj(@#BGBW*xa8p+Q5Az7d;j2FI`3;jn9_p+3=xPn(ULa$sU~ z`cBPno4lwa-Ni_aFZ4*vfHIkb;}--{Hi0`93zIZAknMXqe)x({lRCF|5)R^mb$>jy zdAQ)^=?!&G*o%o=>$sJ!Y#xEqw_DPOAMwShbQi^4vvjvvYEIkGZu)1cV7V0kPk%LAO90=j)Y^SK zZCDr8w%hsq_t@EcV(dBq#vAnZb{jZ#b}5u+2mqn2)Y#%aDBcN~c5R!Vb#{9WSZwr| zp5VBSQ<|Zzffv1RgN5NMvpn`>@(oPrI_Z^lG!a!rSE4GdAQ3Hp@?&aYNdbPVXU26~ zS#?sDrW=pHWYS)h=QJBtbU5i#nsT&|PK4CSgu7yv*nxBl)h3euT$6u$l|foY#@O1` z$L$~JqN3SQ<$SvO&F#kDU+WKr2@qQPu_)iT|5PdI6295Sbr|%WgN?9))E<51j|m)* z0$QSNDLy`&d{P``YOm8;GZxu(`ze_g!}(2{AO#LymKN^3F zbYybs*8a*Uh_SzYNlI`(7BA*V(5aP5h>{4~;}3T?^Z0dZ9ok&&tBjX|ZjRBs;Id|Z zLAb%Zu@>PWDa1ur0e3yXr@%|qS<+gTv|s{LTl%mABFOzSPb{eXxdXFpbCvrFU?HE^ zY7w9Oi|k@ExQWfwA}(7qqC;}bF8h1|K--#CjHBsp5SnAb{D6TF`!ClETCpu3*&&7^ z3v&PEdVwWP3mc_9e02V70pPz}SJcHa*BfX*<$$V;+CN_&`cIv~ebFxuDMz~1H8#=P z54J}Jk}hmb;gdew;9zWRTBy=~!GsSb*RcK*WgbTXVgtl-&YkgCY5f@VrlcjYmJH*_ z0$!4Fget|o8YnkbRbfoE=pjvGW~9%VN+>$87N~!zjp842Q9sD|Gm-&1#d4|s3V1T@ zy-LYY6Y+)2aE21$xA4C(^@n#19V5|$?RO25XwxmbREC4gaB2Jz-S(f_bl@lH&zqX2 zM^*86^1^5{JuM5}dqjgP_$SIKiGQ?OmP!Es`od5fJ8X0s9cbaGj=c{oy!^Grtq=0H6WIQ@F!B$=`%fsF}t#<=WJMj}~O{7sW4XqPeuq87}XZhE3Rzs=pJ zCU0UC=uU(Fdc@eL07sdKhnD41)!c*X3lfcov>CNWk#1ajhlbdLJ(#f*_LOb5?D*G$zq_{+hZ0QI_Pa z(=pvre~}4ISV0|={6*{@xB7poW?9}pvg~=X=Iqw&!FKO~+=pAsC8046a?=04BhN{3 z8xot?^o!TqYy8UIrGEb@|K^0M-yhv^ex$_D|CE1I!awDIMWXXDO3|3`pYq?3PzQEf 
zW{i7%+OaNbY_~G~Z$shl`E3>2Q0ZV#BROt0y}B+0r`6PsH+az-EUBPXaoED_#o0Pe znW7CczcbcdSIAPA%Y=JCle5p>bm7;or(JZ5ln>26(j%qPOq7A#NpEe8nr8V2;R$2veowRI4r(8gHw>k>y z2YZ&$WP7xbQF;;<=-dh^j5G`+eJ7`rd(t;ONYEzu z=^bCrQ!iMlS|GN>GeuwsLAs8}mhdM6Sw1(uWNd$7B5JITGHDsi5TOW3|F63ztst%e^>54>WitX6#l{maIZ(D+Uxx+}}XlZj8gTL7Oc| z$1uHC`};hU0acTN{3i~pY%0_i42}YT27{9$)FhGp=O-BgTeZ&w)-LMA*b#Yfm*aV5 z|5DMo8&oBwU{k}f;04y9PBx1RZG}CMKIrg{hA}WZ83LEzDah10cY^!7AMQR~MoBaQ zZYr!UugHY4{nL+5-_4JZxdCAc8+z0?Ck+vy0e&9E=M+0q%~CohwV^(RckWLy9jm1; z4fuSKVkJ9sq3u1Ci>Bplq%$-)+}<7nH59b?G3udw3_w*CbnIwglIHS_S5*cLZ$?%F z^qyR`TEPF~@7lRqz|R%O{#l#igj=fraEyo)^dn87UQ3vNhMQ11@v%xj~m|~bXbtl}>nejdp_L-?;v1$Kp zsLX06?hWFwOAnTBQ~a@l^774%0XJWPtw=eLMA>64{JM|=0aIrCkHjFdN z;y4=WBH8V5Eb`rCVmJa-d7j8pKCuMwK1FmgH(_uR+hGCu<)C8!2k{#c_3y%J>>W>; z`O7BL5O5@$8xdloRy4wV6L`1rX19T$q9Fy^+D}-mJ;$<5kujWI@q|#2cf6y!0npGK zBDXO?`DeD}HqhA-BPYJS5EE#ls(NY!t?jDgjFs-&ZN>eSI zQnKw8(;*db0Uedqd+A2?g)=js5i_NXb)0+ULU9fssZBzpY=aCdj)V3T0g6$KzBZ(B zg?gWX9p(fArWsH2JLVkw!>9Kv1L8|uzn-<{$y z)9-xS-n|`vd??;Wh`iBsS#u$=x|%{lU7_aem|V*Aa{$_FFVTWVrX5`?e=!$U6(1Mv|m6 z!m)^cq_kpH#g+ostd0SR1VAWje>m%P0TiD*{*{3F9mT{#ID*sc@PsnO+F>fyBl(Xv z0fD$+zT$$b*Pqcrii$n=0;$(lvGr90>JsdB=yfh9A!VEF_^dqa545J&%+lt3$%S3S z_>!~to!Gwh4-aGPvj!0LmSIiQzz;5vrd|9>#44`$s}_;h!R%L5*DvA{?Dcm4kEuy+ zNDp7hHrZbl(Uh~%iR<(-QZz9Xia?1H%Xeee4Lg65jtN(u)OOcbqCg|v5I$uzUVBEP z-aO73Qc!*vj1!|naTUIMwI5m21S<}HAhSZj1-^rQ;oi{Q4;XyLdPco4&&3rD1`>9$ ze%&H4w^Wt4jg(MvJBMiP8*uXy5?O*E=AMR#=ml-HJPNyp;}kbknv$F4ruZAmQ{)y_ zk=G{SYy?m$6^R1Xo?%h9E6&U&LPIYM@U97Ym5miQx(B zK}Yx{L+rH=RB+hV@6f1>?W9QAz!d0*=%(JmA`nEY-RKjhMLA*@;fW#C4vQ9}Uf-zN zNv?I_VnjnN<`qPX#{a}}avTB8r6TP!hrO4}XCBr3=o#A9f^YWfV{*)Dyb=WDYZTP>=WArHHQVg zf8WN(tT3yZNx;+|1JlnyNBs_~Pa!1X?8TIrA?8kQ%3vuycIau^YbOx#1EyEJc)Uyy z%@XM2d2Q!G=6)IYD-p4&<#Y){e`uZ?H!8B+E62v3IWpUW5H?>b?rAH5x+&FKRV(Rq zAnnsUt>6{jeyD~Qg33K2qj+;9$Vl%1PxM}ALe_rJticuS=|Od0XnHh_wNt+e>IY4r z5*xP&?Ib}|`d1CppchnBEITTA&{3a~=w0v?-*!KU_Sc3LcC{J4wSnpqRFC;CjEFu} z;@{duiEUd&?i4!+7wA;1dV~|=_?9d1d7&>>9dVFNL!OVQF&s!Nq3T6QO_aU4#GheV 
zN;amzb6?|r!C?)QX-_HTd1JGB0OlobzT*$G51I&Z+#_Z4snXvC4qsq~&=DcH>@3Ji?ip{P}xtBgHrd3S7<6iTt7raE7 z9VI|>eZXL9nPPr_a4j9J@gygw{h+FMJ&3bEh|TE_V7$X7mmKfO$(37vR}kj&IR|t- zga;u{y;#nZT$j_Lj~ZJzRju)ZF=Rjt6_S#QIa}XDX%lx7&B_zMAG1A&)@baBNZZDz z&97#Cw6ph45w>stV|LuEj|NID1=xwe1s4`cvlyh+D~38@`}!xo5$Z}lq)gDakt{$9 z;PQ9h8)ydQ5c*K;9+uZus}JFJR`^N^BCxB6590@WWdG{VD|(r+O;YO$@+HZ>0Jt+M zKGgk>SrwyfNlgD(IvM^nPTjhbB(I>jF}T#pJ|F;cW|id$DWlhanbylMvZ@ziQidGs zl&dQb;OwtGPFx%4i`G#4ONYl(FR(lcBTgRGVpS;D9 z(=}Is$q?BJ2)P}9{Vb6k%e2==%OGQMoDD-)oi;nhcXoi^ zpKTw=Vu@7D>rod2r@eSy0~TinR;aBt2amJTYada<>gC>w`I)MBjJm@KpD%5u!+b}F zmjo6>`*D_fpDRO;oy6N4j{?swLnuDM&g0!(7egp6N>KsADt|`DOY&{VpjuGD$GDw4 zru;bnGUL~(i3cp-L z?)GocDZ15tJqMB2)r2hu4thlndIt8pGlVKj&Dq(CiJZ1JJnb1kBw`QzVUJ;>RuDpX zwwNG572nIQ&~XF^6f&Bfw>E!J!VAObUpS7s)r75r=ZU+dcyHL_J#a=k;tsYTXl)NX zd(3ceyrEyWiS=J#N6xCz@^R9yOqx75*$x~@#Axi|fwc{i(G9%=Ha=YXXaq?iu~e*IMngA31Np&~4~%TMipmd3qgG7}0H~ z9L9=4C)nyR7++85L0X;6I`|Wna2SYokTB!Pq;H?ZkBXgaKQ>D`C+RR_Vvsiuo3uleGA<7<=^BX+URyX{LXIW$K?&tx&!mRGfs8 z_|ko~G?J540Vp+nQmK1zh#g8J^++EA%Cy^$_%AVw3*}~TL$RKOKYeCtk)m<_b=MSF zNjx-L|H>h8(j}?qNv;B`nhfeqDbqM@pk;R@MALQgjJ$=y zKf0d8*Y0}egL5_xwf?p|>(FhB5vPfb`u6__=!KquwGa{f1Be-*P7$mrO@V_Rz@rV2^ z&;ah(YG9b&b!$hEfJ7hA)`c)nf--o2*rR=a zxU>BYP`q7g5vV>zY%c70VRxa!eNJ{;1EW)PGO=%ylyUFa&sIXY@M&!)A>b9EAuyO-8i?aEFqXp-VBPcjQ+(ecV4i2@ zM7dCKDFw?DweCxM#K``eaY2jOXG0=O;!y&TUDITX1xa%Ll~VC<)Ua9ZD!%wF=v@KV zxoOE*GsFlQd%)18_3{y07c1$L%AHzMk>0U3F`*`^y(YkGwqHqoaW`+(d@zwmSG}`9 zoDJ8r_>$Va$H3Hv{CJcRL#u$8W>M*>k9%nqJk2{VhLIU-<#8seet!F28Yo3?_RWfr zPeM+x`&tbIgU1k9e)44XjmZ1>0ngR~PX?q#a?02tY8~`W>0cQ%IVNIrvT3k~L#{Qu zS)(|`n~ron5Fl2GLp5UGIM|l&cRUva%k@*kw^zwwh@fV!if#=c>ZmBL;3{?$@rLVS zoBE7m&)EyxX6LxWF8f5BVfbAB^RwJsCdyu3vOQUVk|_8_LxJ6#6|T=Blrtub+c$3A z)U`G^2uvQyEP2;-U9+L^T90I5QTLiIfm+hBbym5`RLtgPJ&jYA)4-oMM zjo_@ZH+Xh?61d^BNf%k%Va$#)yEZ%58d{9}p$FOS3*C#j>$aMjRd#$`Rm4fdNp)&O zhjPi*C|NOhP-1m4Y~EWfyLnrS!l9typu|##@2Nbb8da|>bs#z*Y%X|LeL#oMJQJYg z%ok9;$r#m*F$34kyJjBxnqkkmJaP%H^s9fd{^cy@>;@^0b~FxvHN8{LvPv8u6pUCF zL&Yr6NkUBu!`9P@jH<|aPF 
z=7kW;$!fWRma=@q;tuAGkDat9*ug=7drS)I^AElz%mrIZ8;v@8c${!ud*|h2hU3aP zi~3i}hnT9SLEsy7q<2&wcv^8|X(Sy;*#s)TzW>?8y@BS5y+SY^T=kogJM844jlpvLxRA*P&qy5XdZT%`4qn%V9 z5D;IzqN6d9K(llV@8vyt8(a-EA9wBbcdJ@`(_#0<_3!qLYKB3o!X9SD6zYLmPS7|m zKGkRO4zELVb?h9w)k^`jN;ShC)m=zLa7vEQPb>Oe4^%^X6hI+S9wF<%4K{mIPDONT1yP|Nj6WuaB{ zCkB>i~4v%WUjMoN{~_o5oaE2O1U<8G2@awnsfdsuQ%6|nhP zqxQIYzYBXAv6BYp+NUImZHFz(;6D_bA>J4NFd3JF)M6Hf|VEBT1c)a+Vriu|~i;o>0fP&|B*DZ%G$vSQzY@G%}E|5ooCxB6o}voJ?Xy zkn#=$&MPuOHoHgeWXmi7eupjNFXxUD`kwT|^4#W>CkNRu9=#UCOAyJV zo~i@j&ttCc@Pq3%=DQvFiX=4 zzlGPNdBVcFXp;fY$)QwARyst^$$X6$V)4K_3?P|_?GHo1$i6TfW%SD{9{wJdM;TTE zrJJCtxAR3FzaYdHa6GX-ZfP=}nQvOd*i$<{H8>N!lem;d;!P0zmr&w8q?Rdt5dA~h_ejXc-40iYj5q*QOyv0QT z@LoU7paU6~p+XR2RX?do3?SkH3awfMj|{9PA>O|x;NSkuU%!y(#p+!5cc`y_HK7DC4<&$s4_a=kw_A_v&WNe{Yra z6Tw}ZD8BGP z5(K>C6=_~863SEr2(RH3ra?LQh<8FJyU+DX8?5u)Ku)gByy4+xiyj$Y!Nr03c*_fM z5yh35i&0pb+4@22YEHc9M0A!HaxF7i9-TRV^!c!KJ}uSvO^|1SI6 zog2)<+~)bTnQOXS96K{qppLC`b6I3=_fQm5j^#MTTVm&oS%lnTPMRnFl6CcVw98lG zJoYuPwR*irKXScqK&f|_?>ft7Y#~L`{p6%3VXr(t-hLJ*g-N{i+;Jn1sC{h^}K$-#Emy?Atb%62WGccj1gbS>hRhw}>*uIUur5%xVpRb^D^9RfS#^Tg3-{{3R{LJ)P7EkEK(|gMG(TAty z#Vvem=BeSFFDL1mJI1-jTygkt>1J+o_A9GWe+}m> zZ!+@5q?_Es<#sb%e-&V-OtS6LHvW}fxoOk3@0X6#HsW0RK@-C1o%TUJaE+sPm)?)= zK;b*(m+Ih!cohAjQ0;$Xx;qrq_af_`juqnzf4Kf4QSIb#X#FAvF%$eFv*UwjkVCce zHL5m;nH0dF`DAxvr@PlZJhi=WiWvHB{KDKlg|e{;9i2b=Gy%H3a{L< zY5m5(g-NoCUF*yegHK+|(qz7%Yv5>ve$y77x-N7(FYy+=_~XZ*y>Tp_sb&`?AN~op z5n+W)!EW?YZG;)a-gj>is^=UcV;tdP>`Me8`mk`)Co`%Knma2euZ2SX(|lh+Pm1o3 zlFvv?iXHrGe^oTBj_h7ut|a9TiqQwyFMpwI1=~upczd+B3>kdvujjj{Na{oo#2ZCK zw4i!H0Y3ScM6Ei=XmB%6m-d!bm`Ut|WuwaqrPO#;C2uNgCFpu;Z`AdeBM?;mDp04A zIHNzRk`(ZNiKHP-#~)`0M-FJyzmzJVSAcG8yy1V`!dm!x5qTpP^_+OA@t{e<;c0GY2?6ucd&tD6ng4lc@$5)28v-r8)RU(nmQ6K zq|e?Z5+IknWP=D4h#beaCa2vGENPpV=B;ej6fDzEoro{$R4&a{?dNN5=}C>Tl?{9> z_j0rr@?OH-sF{&uRDW3ZRIgN8^{F2%HSLjkds+@1C!G8Z+t$8UPVilnt<*LB%T>$5 zuiY5n@Y!^BlqWV@@mHE?y-Cepjcx<`YaRo&vkgMhm_g~1HGLipzB>QBP&9obcGvD6HO$?)nZ!C4Yi(|BpyY%chR=1#TNwi1^m-Jm0c;dqW%bUH=A$W(gCE 
zaGP3~S%}30Zn~3K$geIG>GMD!unN>yBYbfpn2&Kak-+0xXuruM&lg&U??sWr76Nd{ z3@Y|m7eq`@Pu*+&HNZoe^hb40@|GF$qbSDAK*BF{7mmHwHqAjyS(A@OkIb|CyF0&0 z#H#(>{QGS%ujuEQQ?`d{Zw}E@qvor~**!@$T(-%SPGVJEMx7ehA3hjoQ@IezBaWE; zKW@Mz+tpF`^vR-djlVh-AV)H%f^~5$)4}V-V^f#W>!2q;{PTb*+mvES1w`R`&q0Sj z>?s7ShAFY{GaCn^$2zDP-b-yafQe7EAeCYA42kbCYKj(nR0I-Q>_(G#4kf+BCX-t3 z>x^%cptF92g(UJvn2m8}0e@MXLUaE=0D3@$zo=Un)=9zBjQy$k(XI?|3_xmYzgW+H z;dXW9CcM~I_$iNKB~BDZ)b39gbVrdQ#-9|P2WrM^V@fk-!@PBn%EVLg%$GAggtMJd zF%@i!2*Md(1NlW;t12@ETo*73q>`6fw!)Qxc9-dU0;S&@P`b$#_n0pCUbSDX|Ap#x zpvRzN@Xl}E%A3=ihFP1EP2Q$Ph`9kr;p-?p9piRj=fFrJfgE#c1GpN|Z-{+HrQBp;7U17RZ2^CnbhG-jD&BiLrwV6dOp>1sF;qssk7Zc(jw1a$y%QUlH zmV9qrmV7TeHV*(hViMz!C`YgpcOvC^+xh*{weG0LHZDJO-Mx&S*lwLQNP}X}?nmC2 z$J)+NX|LBBGxF8${j?g(1=hBg`l&Nh)A~oYPbj0=M-|5}FhoAtqJvBcrAa7W6`r`T z_<#e1q92Ip8Hc%oLt|p_=8PMHN|vhPpoWFC0|H!|_-5V}w5PBEYl!TuZ#uojVB3i3 zs)nLaHu-tLj*VVdR^&YDdYp0GcEb;#!HRail^PGW_t|-2 z6)WG`$84k75VPNs`7PMM7s*Y;_T5m`eg%|uYwdGa`fzLC*GA#q7JhmIq2hL8^ph#; zD|4?vCM{rc{IoVMX&=xM8o3hPNDp>XXj+!sZH%Ne-)~&DJp`BdHi%|A1kp@y5zUPt znq?e7Pq%A0-2YbwGu<3#R7`KdOc$8x;S2KFz)Zr`i!>JRiei!+5-8CBo}|MdNh;nB zrTo-Djx#j~$?1Zj8I*QwfpU=q6hMWV0^qJ-v<{;WwKjb=Hrpz-&@g(990L ze^Uc^eq+ZU;-f^?jzDAYsgFaWO1Ui>_4UxGjPG$a^Ui3L$1e3wXjBjlUX4ZtH2z*_ zRK$al(d-tDvX$GSQCl?X6QWU3h03~U)XK;4uZ2woknc-lQ)`dw+hSAM5Ns;D#illb zO?BWgt#M3Sqxh9^DL2m<6|-Ah%7sg1KR+&o_?m)@O<6=!-ye*c44L>4$Hc{TnX~XG z!<)(WmIDYgm^u+E^xkmExgX3?T7K6{qcY?w99}1EgEqH8n;#vt=@X-Ac%tEE|7q5N^j?(z-bk>d+bOaHi9 zuxY>7xt33{{?*vx|(csl^bwK0q1y@JZ zpNwX=aJ8-67OvjH)t?Zqjw)2vg{z}!>0b+@4xrhW#;DgG*SE!}b0HXYZi`WG1fxb; zc-y#@vV*~{Ul^ozGo4W}w*{$PAa(BZgVczzDf7Nn0u#JDMr|elBq*}knP1c)k+uOa z1e$@XotJeiNlfU)mh#LGAR?L7?D4diyf~?vHQ|_oSZ_hey0?Ii``cSU=Q9I3Ip5=8 z?wtW04?+JJ69PI>h03~sPNWm<*TQoG zNcN@ioVCaGZSkCZ2%eMQ;yD|^bDCgQfiuK{4j4i0W9xY6W;~-}ev9e2FrED8$8;cb zQyk`Qxcx2In;I(81Pb*bGvNiEQ7Eh1?*jFZ9>syENP>X*+>t>IRa;(?s13@3fT&Om zi1G)4emFrO%5w5UIm5`8YuvrvZw|W{-V+}~uV<#;;m_osaSp2Hyii5nO8fh9dy`P& zS<>cSQrmFJq8sow^dYM~_!-A{49?%wXN>0dEr&MjrRUeWqoqapeLLCf2KT`>U<>GM 
z5$b^khj_OGTR={z;Vx%~QOa5#W~6VM_JEAy=NRnN=WyCvb|!T5Ir3~=JY(Q&csl#} z_&y5Ks3i(>b6dvGf_(3Mn$gB+Wp{NIo?49CFw7Q0JRE~O8CAII6@w4FR@9*v|GT^~ zEv7Rh4*GUo8u3KXct{$@#8Q7y%t+cxWx0JHVT7S(N31=*i_Z`^5%K9yzDD3?g-#4B zaJV@PNOTVoj~jiEpd3f|%ntz!H3sfC)E;tOrEF6K|Asw))UX=#bSJhGkS2ineexdl z1(MODfA;dVHY{o^I9Pgl4SsU#fz1}co0o{HIEAKhAQ%9&k&|NqPHBJ-1&nnTFnClO z17a!QBvfD0;Qy2f&W0eMxxm%7<^tEZx8{P+Y%a+Aq7C_XHWzs45btCz2%^EO%>@CC zzn8fnq8e*7yEPZs%5BXBTXVrDG#5k_D(jjHUIUhVEh|C*CBL*4VeN5!TPs2##EMYZ zS`jv4MIdVFWxLxprukR4Ah?;%s94xq5L_07!soXj7?7Bx@bF&-voPKdA*)j+uX~#T zUS&3@weJyrNd2Jp%)n}-zwQ~Kr@s@VdH+uQ`M-A-_bbdSK7uPtA0WWO;9AW4G+G7Z zzp*X?Lqs4X;9`I+C%Oz|eenOJljwtqV*ofc0Y`V=G@@MNtUA5h`ID^KJp?Z@+K;;( z{B%FmFEs!LTqWUwnWKQ0r`dZ!k{)$=&!CYvK5P&Q#rtZyBHrsF>^9_Wln!9X2r77! zF#ipM+!0XANI3YL!QfF*?@htowuBVX@XYTBXF9G4Qg!V6Jk$jQMe&c>Bi}yo- zK|Cie%5%T-qISs3_Y47aey0dTdPvZc`$sUxVcx%+j@XArZ{Wv&Hy@!XvMQ2$ zC@VY*@Hd76GcunV{($D6<_wq(Qt%1G{Z7GZ)Zq{?8eDYN*N_V#6%D?%j+Tjus`0Fe z+#-@dio`I!q67l9hZLMJNdd>aqG}z$!kRyNiVofj!2Lyl*0*yw{s^RX;fV@4SVRz_ zV-3Qs>EFmjHNH$y6l3sj1&Pr3Vo7en+a>UpNKp#sDTQQrNmJ`s7{3#HV?fC|RD4x{ zAX`l`y;|Xl5a)LH469Ky;f0}{*xEa!v@xUME4vW(3%5eV@xt7~YAI$SLE(&e1c#L% zfLBsRjL5%`o6@#e?$WonSng-Wa*Mv|U-6x>T#wV;J7Kv&G)XP(r4Sgmw1sgu2jdf$qO-3n@@CI+Kh5g%^=>tZlbBY+=@D9>_c z3JfT2jOX}8+Ij&Qd?JbWR;Lgcya-qKiB}&0Z3ck2XMHaoH$H%I*hIny``lfIK6lAi z3~b8m2HEo>MW>rV!3O7W*}_Sj@{%GVu|tusq7wy`PLe;& z0D9+F&51@xR&68mn@ITODEOB1i*Gk_zeL+N-iz?3f|@~jWZa7k8wwB|Y3@OXJOG(N z1qg=JbPc$xbu0nc^Bg?3=B(9G$9qKcJHFt zABzs4qRzAsj+PJ=t^O=#z@sG2=7Yzu?^r7_1)xob*in8s7J-9r(VKHHhXjC>+{2|0 z7vwkEv=DyEg!pl)2}ciI->r(A^Q+ioQ+KYCWhsK>h}9>FAj;T406)fAPQ@-RYAhjWE&qwiNJUUpW!9ANgi?t$7uG)uVPcQ<+riY;xno$u{=H+;Z5H< z%R8m1fqcR9-4GxH1Z8K&#kn7CMhpcvI7OqN!of=%me}Z+^%0i9vUNY?2O9%ZspQre z`1Oo|C0`J+^v=dW4^-ftjDbNkc(pMwpz-%I21W#?jApmSKwG)3F>q@P{Dj89s6u63 zW8iA==hrd^2GH(Hn*-M#*S9qXrjjA{z*KT;5ZsJG5R4dhPCN9eU)dD6#Cb+d2g4a# z$}esVOeH<4e@1H{NpWkr66-2rX2SRs;{44T1eXF4e2_Nc2!kM z%+w*^64;p<>;{D={GfJ?=!D&0COE;K{QDbaggK-lrR@ay4$_~hcPMx>JOj0k!i4c-Y73?{>?LBYW0 
z-wPIud`LAK-U5TRa$8_<3k-fjU@*F1c@;FciZ1lE(7`|gerbI06(jp52q9wQfh0XH z!GKOUZ;JyOVt92N5DAB}u4>W*DwHBXsv^}ksQ#@WKa-WrBhwNJpQS;Y^ZYk*twj{5;B+May#2`G`~zh%Zn(H*)N7P*<#)=jTl=9@vHux___~NE znX;kA#ZG{R03y^$^H(>m?|sVuwDYk?84p0!@#(&dygJR+Y<~rIz*)<;4~t@9-M|2v z$eAtL{|xMitDbL9Y~?~JBC5_toezTP;;!pY8hgpGE_Kii=WXM@bJVQ!L134b>iTxc zQ8KJc278?-k}j(@#x)*9Vc$jFFeWA?!@5)!0HdJdT@v(wn_hkx*fq~Ke7m<)I(#B0 z(iAknWB?RoipK*Z6YBLMWMX~V3YcJz8ev_gIn1Ix$!g#AB(RgqwS9Z%EE?9WIcmByvQUatpJiSFb{Xk<64;&P+P+4VW;fkA@BP0=#%R&6{E$h#h}vu*U2!snwQ z1=L+=Wy}4Y1gd6NcGb)_h0bm{v?}zoSyR4~kP++{seCM%54PL?{24kMUN!)S>ipA_ zATBOl(|pg8zQA_c0eaSA{3z+6-+LQTRiror)kk|U3hR6Y40)7+3lG$%&1K|_Zr7-D z;0fBB6`bk^N_1va!a34N2$;+Vw4g~6^3+4Mjm#Y+ATj*gkfP|CJE-3H64LwzGpLCi zc=j>YE?PuqogR2bS{}Y3B#>S5U&r{z+bzY-ALP;!%j!(lDHVVXEOX_0D;>d| zkYoA^k4@}QqyC+rFe8wV#nFFI+;cvA$X_0{I z`gfuvg*19{b9~getX}q&W<8Nel-f_)apQ?AKO}W<^4!ej^pf&?(0;DUY9e=#$jGI( zP(BZTqm+7S_^gv3wzyRxHd7!5c z&XW(trrJ6v4y3lApWf#4!^G93J9-?S&_~a-Nnlho6&l#(;$11&c?Yc!@MHr3}J z=;|3m&nC3=+_}2Vl-g%gvB%9Sw^M!6durFljoXKgaLhC_(~MBd9;u1>g-rJbkIHHJ zteR{okJIisD9eg)re0qax~kfdFK#(Cqho=RO#GTGU9mdO>4 z%3QixWeZwHO%GZZr;W$N`OAcVJZI0u$GTR~*kU<*K5w6LmEp-#>xFO6KqFl`8>c|` zc%HcJJ=4Xb%0XWp581v@0|`3&G7uW`dNa#Ep60IkgKXuteZZFZ)N^T=XipQ|X=1>Z zCkG>idl(!)O-J)=t61o`{@{k2)nD>Gz4>r780T*f zI*HRBl+$%C-IpFZx#{&m>ExQ0r*gh}TFppDpw^~`#gmzOF=UUfOP~#k{Aie#2D9|d%gdt%gsZG} zlCNn}B_U{)qA1mqVyaCSs{Cu9cxH=jSkJO`V;(Xe;zIb}LxtPpO$GTP$#F2K^ z@6OV6_FC)=s|~H$sXWo0Au}x1<|XEmnVrn#L>De+e%Pn4^4AS9b5YJbbEmaNt5~N; z#grr}?Y7R$DhY)-I_U8=W}Z@;lX6K(JkdS5rQAL~pUt#`+0o3W-+ne_A8h%i3Jxpm(OI~tENBu{AGCiss-SQWYPi3A>j~dCR zlLNRu`0TJORc^2NsZ^^8N3~fc|CCRUMunp({V>;VXW4Oe_E2eGlptC9N2SNhY--fF zIzPyb&*bCs(ewCfm`ELndG)+`Q&A?#ZY}$Cb6IH}9VD-E`K#Pz;S3xJrEY3gtxqJn z-WWcemn*g72CayCW0;k03tf>;+$u$;A{}KeBze}pJv}&8%9o>?n?#Ym0Y_}AaXl+5 z+CdH6Nb}oVo^HQXPcp*Q`KX#nrsfF&ikJtwe3M8P`;C!wahf?#6;9O$rFB_n>5F0l z@y)65K(lSJbM#a^D+tFI&0>XnNR8#*L6xIZ4~f%BrAfE5>~*qKqYrKpw~cGIb6qD>t}e>rp?~)18|K zxx{y?T=}e?zs;xX+@$m}stU*4SmBSeMKw9P%r}a%kSxjk(YRcG5ObF^D1~}gmF!XB 
z_~ok4-dw2kxGWqzYolEHe4QKfj?)Nfev=pr?(_r{&PG^{2Lt~>3c3||=3 zm7@c?n7nCK6PK)hRcswS7l)bob0XQuUtB&<` zAM~E(Os>z@&eNKD^w?nQlN@(G9Ooy~>$CCoQ~BjF`+Pl=kJFh#`J#XRa+{Pok7A|X zdYS6U4t+^C%I(_|MxiC)rg3vbKjzQR6KzR;EXbYVxG~5wmo@HbP^2r@YKK;*&E&Av zzYuD5dN9b>u4($Db(uKru>B0jUg@(&Vkj}wQGIwkc(@rD`6ykx=_fPnMSs+PIVgdAxpLe+I;%J94{$#^8znC4dj3(Z zw4cVpRIazWN7wB_rc$^qYIN&(^q9z8A05M`*C`yO&dT&z=HN=|bT6KA2kpvL@@mwc z3x(NnS-EIbZ>zIe>O?v^7(U%*UerlBS*bsqmL{|F_T)0Fx524UWIHFb(=>BCeMy!& z{KZ49*}Y0LLURhn9XkDxdTb2g@ayxF7xM(63q#o0lw zo*X|UPl{(!B6ZPwDCCY)6QS6X8cZWQ1kJ%?DRp^!d-QU3ke;50 z=i?HiNY~S(Am(PAaK&9UugOW)*bSHtGz!Ra&oqO!&3<^^3D96gkuZcAgj(K_knhRwQi zD&?|GmA=aM=5m3iZ-;|}(+vHn+&*8tFym@Mzj+!qF1Yz@cABkfXT9X8k&q|lp(g96 z$;x2XC?`5s$AwEJ+dBrAGy36%oi@_#ZaLM{uC7m0;7GcvpBGP4G#I@kkFHvD`c{P} z6gEGrF+(9O9ZjxEgL1o3;>1qrCYk9Od)w;Nub!)=YDJW~igr`3YGP3+rw*#h zQ*TN?o}CZ7%xyp0zUXwuGTrSLipmvT?Oh-6qkgv6Y;g2({h4o`Px)E}Ts*XsjYpY= zL@Cz0m2|3JYO*7`Hi7%UqMawC)9LN(^7(>RpNgCy(|K)r(tj!z`nA%*NsfM!s)PK| z{Q9ygmhxj zjk=|dFdG~kmElG@o6L?cp0Am+!jtfjKTdSAPw8|;eac_Z0B%^)i=sY&@lO|{dMAL^x6i+|2M ziO(hR;`*6M3_F(>V!A(K8uiv~rq!Ky&n^y5m?x3vuQlOZKD~yruXL;&bgqQLWTcC? zJj1J+Tsg@%Ct`NSH=Zva_^f<<(md&%-#lvRX+=L5Z(FnG)4ay1b^0<@mNfmUK_{5J zHasa-Ple<3^<;P?OqG*rKAGaKYMtzCc0D_2&a;(~Xl38=@QGjEPELQ+su%#eS~ z!Q=4wp(zNr`N{!*K_5Rfr&BdoOJ0lBLb6|xrFp5-y=gXE&z0=>;pOqN(aJv!Zl?M? zU!&#LP3dNsu3jCtPHt-ncuE-F_6q%iJZV?YlTt4=(PmGn13vv+9$pQ&hi9>OGb!t5 z#p81!e_iRGq|Y?<=Hy`dP|QD`ii5;aSH6^(@xxhlo)(7E@l)bhX0q+0+r;Q8cUwrY zO!uaI%s(sDiL8Je2X%;s*d4soI#RNpEu`94LccQVWe*DcdG<*z3nvqPbUeB`s6O)D zVODOR*K5kjRq`pzT@KDOnQJ;x6U3L~wLU($Jx!Nn`tjo6iPO{N-o*nb4qud9R@HCW zM6NsR6l!Wgn`CF1-sP-#^7yPYW=VD2yROlTcMWH)dYFaL)Wxk!s-xLM9(|O9@7Uu25Nqzj>9Vu{?(cD8je@mx% z=2#xyJTmE2r=C8YrKC2Ozezso#Up*B4&~WpQaT#HJaWZ{GkCPikNEtpc3Ze8^gHS5 ztkus1A0c8^u9+ zCLW)k46bTV$1fm1NuAD~2BXJOQ-2mK=a&qZ*Ri{s7FluK? 
zxlZ-ss@Gr-W*zyWGp(xfQ8_8)>9b^OcA`BdXJWhj@K7prJJa)L?zUSJIQCQ@cV)T^ zh3m~Z+?QT*lfp~(R$_YRU0R+$N*U12KsvFLqo+i1));qdFLG(rQ~2|nYgU414^g~& zgvU4f;%s)CD?t6Nd^S?2;=@awo}a1o3wQiPS4O2%Nh&@-EpMD_!arborg>*BSV zEsWHxE{X@`i~MLh9aM7VLW|B-YE0wg=BStLblRuj`t(L_&L54}7VaI%AuB zc3P>G3(r^c_GRPp=}MT12bW;3&rT2evedfLn{;DDpPx$NFnM%w(iloN!+G^q$dBYU z$JP!it=#D3fm0vg5mrAN&a;hKzIAgof#;A%Wso@L(#6|xbEKc~M>9E9>(a-0rkH2W zp@KIOj`dOFvYoqVFx+v8)#?Agy>DG^TW1pdzg7DVTpB~l?N-_E3J-eKQhA8npwaV0?#AVG?J+nck&>z5xk%{N=^*>(Nb*I%QCeKQ#DZ>)dRUk;}SpHIv; zuUf~47v0O-_XjWDe{}1nyZhf8;6@eKfT^L-5JfckKgToxHy;&cRn1>1{W6_@6^*T z$2Tupmi?tYJ2Ch5Ixxl7pS}dU<5R!id9!hTVqTrUIXZcLX`Ektcz1mL<;4|XWzAO~ ztS{@A$0yVGmoE+`2X9U;pMKQ_x2EnMG;UsfxYj-&wE>ccGf)5cZepsxK3Ls1w)u7Q z%k-uzbP(Rw=dUO0)pZ&U? zeR%8ayKg?d9;i>9SE~I}-~IgBQ|oWmw^~5^{PJq^L_a$^|9P|X`peHR2RGideRI8i za;G_N1yUyo#ke)w8zzU_bAXnr_;+uU$JzX7vaKi_!WIBs}Pt>dp-zqIp>!^1a6gOS@lnLX9t zy!KwUZ+EA+&7t0K%*{jV&GfQ8vR`ZO54^$o#_@|^gUPP*;nmLI=-utj^~K=mtl#-G zeEDuNygEPsxUsLkx0>T4b>I4Y+W$CFzkJ@Q&j1+%MeX+B*M~Q|n@?Z0+E?9IJMEXJ zAHI(3yRY8w9}P}UZofX&_b;Zc_s+2M`rY8^$@P`zzVH94??3%{aHH>Zn&yYk^{byB zb~c=w+bjEYywiU(yn5f>-gY+a^;d)b@y)yO`p%2%mi4r;?VYvX%r=KN@7qUpwSLn5 z+SzjI>eHVaFJ8YmeEI9_OaFG`@N?(%;%sx+U%%YH-8lc*@_E zTwT20UibEA`$wHt>&tX~+qU0cd>!u8U(ec?AMER`FYk{|UUYX(F5hmx7<6yG{CxlU z)79CR8vyX&#iy&&+iMT#LHj2+ulnmd`o`Jt#rEin_Dk2D(ZfC8@u-U$6uq3&aO9Zba%Sr z!RJY5|8nwWVj1Vtqs^~3o!uc2N8atLe&gxwi|ygB{hQWIJHDAb{h+xA+83*S`*Zxh z{%T~se|!D;-H!F@u+{qT%Q^ngwmzR-)?dFl{i$Bue0cTY-PPBh(~f#N(dx$5d-Lno zcystp8y~c8?aR;3m&T{b=-|D2?he%c#^uh|uV3}?E6=!kY4zW|xVk<6`T5{XYks)w z*vB8X2fBHFTW_nc&o0kjz1lzQci>rL8(6bv7v0&1NvFdPcE3`GLqi-V9=xwKYutMZ z@QBnJ*hyXo(;K5R*nJ%Fq~Hf4zk}fPSH;0eTGF8}>K~5c%y2QNGO}HGh+p|Pch)D_ z)6x#V*LIXA0<6H};S<#x!4d1Cn12|z$8(4UbAsVlTp)h%hlCD}86Gnf%15IBfzk)I zjN_;`f)j7-m(pk2oMQmc6I?8nx;i!MmyJ3~cv$}j{&T4RPINR44dE36(!w#^DS%(( zPh(n==)1IbaeAa36TCdAn;*cLGCt#$vrzzZ+Q<@q!&nCtvn|n(^${j|2P2&#ID$bJ z%Hh6bXP-ZSS*Ca3@7>6d@RsaM5;;Y}+{NF`2sfE+L9lD^-mP)B3*N!sRA5viN)ne9 
z1$5E{;Q-wTzjG{LQDy1y%B+Fhm5{3`ZZ4t-Kqz!ibVe`<>D}T5VL`(mMrg^0kuU%S zVFg|_MHztZ6eGb`GvXlVSRnj38u@N%;s|_KL99ZV;m_x19xMz6p=C-!(e7ird>R>+ z65BIVLCl?KA{04MNQy#`V-L)+Fo+~RpNu*V{YWM~2Xz|2f~TUZCaLqwvT&#)PYpQm zryxI$zhJ@q<@(Aj7y1I+CijaMI0MDXi5GwR1*3&tB)%t{;Lqp42kuxjjbsspcs@lU z1LxwCwH)yGefp3Ti||Jp9}~L|xZKIew(e)!yhGnttQichr?=B)oa;78bD@<{RdZ=R*)AZv7?+wS$>`R#245j8ui4u!HX&-5n?&MESum~8d+$q5BIJwrM;>Ub45X3a zWAxI){Q-wWd^YtD&w&asOJ4nhKXx7p{u(4OqVmE7e z_hg062QnVc@`&6$?2GCed2a{`kHsa7H@3ujaixP|afn&*Pva>BlqRF8#8v;}^S&rnn58VkI|lGZ#M z6N#?F$=Fa`L%~@J5dKYFS^bC-$pq;OL)x*xC&zpPEe}H=1V=f^I+ohc?<2m6G@X^+ zEYzX&W~B^yU*4>Fj_Dt=Hwyu;u`VrG_U(^#Yt2CmkI0F|V1b^?|G^F{=MBc2BBWuZ=SXs>dJ3K9v*Ka}-E93;;SF7_JFiWXC@MnQ`u;dBK z19x)Xub*bcT|Q6E{kweuR*>U2uY>dPI({L&ETik!GPR5Q^@zh6{esaFPMvX2 zm?4wMjT{z;g7H&E3^1d+hGtv(%lk!%Uw+6cRc9I9m4%@Tet6z!6d!>&55%Bwt}&y*{;_?j>vn#8tV}6 z18H@^%ix+c58p2lz)`qv49gA}#(Na8_^`1Qfu&$f-FIjy_Hx-4thq-5Oz$YDR9-bS zp?m(GQAB1zQI$^_WB@7J{_-5d@JQjwd%+T|gE^-@7zU(h#*IU8?jAWE@L`IXv;d^& z6nt(CCto<(aLUdkPp8OD)kUArMJ2Ff!N|BZryX0rM|7xU3xSDfa3VPnLt!Xf<3aUw z?-xB}5(>l(De-K&${47|`4mJJsC#!VVSYCt>&Z@i!5&Gi&k;h9| zctBi&TQmd8;mdmzyg8KjDAH&02<}lZVeL4OEdA<3?%N8|cQz7B-i3xtzJ`Hg>|A7K zuDHHm%SI8qbmd5?UbxvbuZp`Ut}y}7m|F6^jq>_M5!WwrlC}6A1^;OoXY`(R$YVMIFLgu zn5~mg+?cdwFq>A77`3OU?b|j$Q)-kl!^WkCk1WOEKv8_Sp&K6$;%huA+D@bpGzkl( zn-V@TgN;{PR#7{I)#nrC#G|iepu*}95@OW^Y*kjGW_N?;aDZmIeVx;-7hMO*d()B* zt&F#pbNiQbdY5zfPv`KSMp2!~^_knBc|WkRe@cTW*D%Aqf}FukQd4=@Ix0z9_Xn`1Og~%r~FdUZ-JKs5q28XNTJ+G+au|k8q6jx^2 zrJMvsTk`sE` zo~00VDC4XAjciF=TpE^cJK6F|7le&-^y!?qVCG#QHnNpoX?dAZGuM)!?)jGmbyvq@`zlY*?B@-f5i*=WBz&LHNA@wYtuXm&gsdVm-Z2DW+Hz1#+lN;36vB0$z_nZt})KYc1r$O^2c!Zl0RnsYRMnxm|S#Xh=nbH zHKOY+C2JIQFIl5R_mVYc{c6b?=a?L?H1;A`qm}=#?rvFQo=nPxvqp6AMx5?BvMRF& zOBwSjXXmn|C=vH7MM)`2Qky?kQDQB~HF9Y<<{(q$q*Bi=nPaqj$sDtOwPcQSOfEVx z!o-%u)kpktMSA*R$g!^HiW<2aXCKO&ow*|Oy@?XfoETltn9jjy!Co+i*&NiU|G;)8 zsz*j>HRqK_X8;ly>NQCWbLT_i*V3WbSfE^UN2+7!T|;xyBAfYhEmVki;bastncQd# zfwVx>8J1@25bFCz+eaZz0t$p;{X(ez>*u~Z+&zuq5Ni~ 
z$Fj(9U*bxM@$^Q^e#aGFZ^9{O4#@SC!fs8$QOTflEW94=whH$ zRrzJQn)N4M%}o0SS{{Zp`Q_eo?uR?N+*SVv|57Hf;pE0XNWH%!lfawd0SdMrAel*3 zD9@O69MAUwUHB}yO8gs%%acgPH^J)0uN&3^3oS$$Aql*Gh;Fx1JUtvGWBlS(9fG>!53kP z@3ZC5jO!^-lgoN&k4uX~hn49D75!rIN?f+|4u!xhott54wNSKb*%LD?ObI2fhdahX z@YOk+x||mfwFAiOa6I?JD7BVSjd=h zq!2u0OBEt#FcI;6A4DGg_M^7}2d3kC+449QX!c+~B%DHSYcK$yV3QD1_WdFT@tC}L z@uy!fS`1X>^4@SFRb-R>xF3pwIu=bMS>z6$Pm##L^2d~v!}$9?eMm|l_#=&vi4AN? z;{;}9xj(FEB(aQ@F|ka58y1X*bb=yj3y{=8*)5vIiz6A+y^!gljsoFd^saCW&Av38 zn_iv-WBH-W8#bFW5852t7xphG67w%Nm47W~o6}Juqg{rHb8ed*W9_OG5*|*L0X0y89fd5S$5k%r&G5xb3J>~u`SDhQJvM5 zH3c3euDVkoAK5Pftl#u)`{Gbt+ z=MHTl9OJ^YP^O-scVmCXrJ>p1f_)I3r|(LK&*@n z@Xyey9*cV5?{d)Pk}nxh;i4%a2$;t0vgAygUEu|mHZZSo^wftWv7vIbmHyHJP5+XPNP+nn=xk-w+O z`v_dL_j@W%cwOHkDZ=fS%0$>cgim)-91}C&R&71JJo9jL+V^b+hF;N47Y_WMVWmmU z$tO-6Tc2r3vy3*3P1c;FZwBc@dl5RLH0E!adGs1GPpX44A&haord3_v;OaGjKEr{8 z4&9v^8eF1g2osgDt`rn+Zd4wV$qS{m(GBrdw3N6(f738RPchqn)Ufq&N|U z22jKOTpiC0IXv^EQ_5jMf*j|qHJmIxctK22fm~6cbPa`h-%vymcPW-qCBiNHoP65jP*WR{dl#OKS;m-Pfk@qug|~wC zg-aS%Bg}=R$rX+fR)Lya(&$jD(^!)))99K%act^q7zq24qbjoKXwHoe z5s*}>p;5T@KW$MpEnsNCqW~}*=CnFOPKcyLCTJvzl5f$~C5-`8 zE7p(Xaeci(AZQc%2ErY~#Y*@|qJ;m%O8A6>mx$dO;R*D69D_pU;0ckrkAI#3iK<_X zt?D}XuaS71#DEj$7<{WJq=0>sBg9;XL;xV6Wp8r)P|;m_Hz$INUzh}mvDg)&M^fj! 
zsirPp#LAirBvwU3$^2?;i*bbNdzj$SZ#(1e-&wAyhRlZbDnYlq_D>Wp#9Lsj&R={ zBJnL>7I4n4IiiL~Lh+N#3ig$H0`HPfFx?v$SY&M%$R&%Xw8sY)*u4Jxuox6FwXodd z2@1ic%{6`^bKoE}?m9|mPVim|!s$y3ewFJdhSm%53<`NjMhlmx+u_a6*uF$O`1~N4 z2G92OrxLe;8}Ou!zY|hy-T*#Uw8{8Bk8wa6zg-q5C9wU5!{o_*8W~m(QA>}KOV1<* zcMqAiVA?%rHa2=!s@o$Y8hUT_#6fqodMEf~s%Kl{nG4TS2T4z?yK5GZ{{HP#PfgPmEsP0`q3G$KKY&CW>1U?8l~Qh4H-FUO&KBd zoRvW=F|9oL7PfF#etcsL48S^b=K)Iu6-Cj2iPb5gR4JikzO0Gd4> zgOyIdSXgmpR(s&d#9~))ww>PVvv)^559$y-{K1|*=s_=N4`q7j(M%615rb&R?o87R zBRw;zFe(cEB*)NYZjt{d&tBOijVeQ13fwi= zZJyj2chsLLeyjg&_1)>ep8tb)58N`a4caac;@_P9kkQ3PP`E=dvC5QXBh3^2fzGSA zUqE-n0!a8{llw_%DAa*J7K)@`rkgqz4*%eeh3}E4O$@i14onJs zMN;&D4T#(N+b}Z!Y#e*#$?w=m!Grqr?-VATcEvzS4?+#I=t8K&!u25p-<;sf>qe-# zuOCs5s$1`19bh4vTW0BAm|j8EH0Co)r#zfNj1;9b0PSoxv7|I48R92V)z3)IIk{Aj zl}qZOehw=RAq@m~m)Z)cU&t|W*(?CUsiX6ct8Y2CgBGcj8sQYur{{=|U>!WsF_%>nME7(6jBaq>h7veFi{!IMlAn8Op8y`x%0LS-(wA0wFA7+lH*)^O?6Vd?*HO|RP#cIl&yfpgg z5hQCNq$;?pB%7y&2CvBEWoZ_fmqql2xzn-;$DkKZD9Cf9VG(|#OvA#oE7P!KOT)s1 zeN&7m(Y9^dwr$(CZQHhO+qQRi@3w8*-fi3c`kZ@T^8Q{`QdyO`My0aqqcY|ibIe{+ zfNrur8QHx9RDuWqUDS>@N<-AV9vGj6GBj2!8Am!aOK30!AobAwg z+v!?(a{yR7T=8vH)oQ3C+vUIXFx7B>>4YJ*3cu@ z5?6FcTHEJW8|0HG?e4z&d0UzYCx*mqviVsX6jk&i$=D7mMY=@9?mfltPgtX-S%vkA zHFjanaju>??y;IDy2M0}S%Fa4GQA|)ejp`dv>0c4B1pslm2N1F6}L~kF=xT4%)_`G zQwfqtaE;cCB{t}Bw3ry77(UsgJm6+u?*ljbyO{y7A2m4IAbR$^H3?}RWWUzm$`C@y zVQ>1uO!=ts3z+g%VPMxEG#PKSCu6`wJ}viJlltPVk)<+cs%1`8%O0o}J?Ftpx#%DN z;;;v{cTIt+_Fe!iq_5?rlqbhMPuhQ zqWRm#$Zv|)x@Pf`HVmuK5f@_k=TC>h#vVF{r3)-N%~>Bw14|`I8lin3PUN9iRq3GT zFTJA{onC)w-lbpMwpov{HaQyjTUY1^J>E59;w>fHG}83+P_=JjF>oZG^J&#^Dc2vs zF^@I=hm5^UWuQ4kK92aU6N!Ihx-X5vg9SDFanDbxC8S@{j%|EC7{?Y;cqF;GbU%-b zNE#z0y_?o?O#!V{1!PXdJoC1%gj>1@R?e?=s9)G~M+q#B+(#NWOY-wS4+74ic^hW# zzvB=3>6L{-@H!7Q?7x+=5(!xg;Rk_@86eE52U%DPdm2$aULivi0IT(c!3tg_c2-Ir z`vCJdnV6K`MHGwuyMrv2drbn56VytOVloLC-f=VqP0o0+^fB#$4nhUeWd{{mX+E+2 zHIw02q48z9&WuPKJyQbccajBsX07fwDpz5=xgZa_JWS3-4>O6QH4%B0HMdx(l6pOr zo0VlbtMhMoN?A`&-m%B1a+dG?Z7IAmn`DwygC9g|C46W$ca-GVe@L7|J0Z6BEy-gU5cV{vV@yJ^0m 
zJuAG|6jgkTfU_5y%rIbF!J`2}uPQGx1X{1}a}WOu!|n?A^<%Xb_iClds`^Xu_Ud zjA4%RQr{Pt_aT>Z$a^nR?$Au*9_j|I6Qp$E{<7CL*|<0A(+#v}L`*wFnQGpIj5UN? z_LqS5FaXo6B#f`{)XVE7FogT}Xy4wsgPgeE9(ji%!IY%mq_S=R_(8J0hT-?+`v>V4 z2j^g}?nF1#>b??#)D~<6XveCWTR3RxVBU@Z+AX$@_9^VK-1m_?BopvLE$amx!4RiX zvCo|fRf8|%q$&z}AUiBk;%qvbiQQhmWT9N*s-zcNd*lR4PRBtIfd)r`$H(HZh;s6Q z9+vxrzjO~qPG}Z+z?Wbg(2)mRY#dO6`I^mOyc9G9fAg{+e;%s^vX&j53JT+6u}cuUK5Moj;~){hil>-?gb4bhJ{orT`9*Pu-5>0z*c2f1UP!5^f_?FT0Mt z-8-N9>uLNG_Xx@Q+FvgCLq6yg#ZFe9-a8n;;3%uXEewpb)Id)5_&JXJ^=qqlY@(CUbccxRILb+bs`*NzdENwG9b}Dx1kd7tKR{} zg9`Al#Fy;J_$gAu5+GQhws7Fy<}8z5qrZ(k^^ni<115qr_aVd<%{<>-3gnZ!+=EeV)q#FfjoR+a*uTd-vx#@a9GEP zG*^&~{ho1HUICiPh5K!NG*Q>+2KmKdj@7z0V}iJ%*t`%V?tHtp_B((zq|e`B4d6rz$g@RKpkLjgkCB=?cY}f+CaeNBoa`uq}YD$MRxb zFYCibYeI@hacLV1DblXq3{&u(x3i|+=S}Zz_qX^a_onZ+m2TObcc0HqK8kzyn@tz9 z3Pr0vKw#b5w8>qxep(e4NZMhQ-dLG&BJUw&;tdsel3FP(G|k6p36VQB1G1@)<+LIe zqi)pv0`jOa4=8arPR%`oD32Y@BUNF^cb>wlovPq3%Z7ZQ-n6^e=S(TYlntw$MCs3Coh29d;V^;F_Xfhea8Tw(L57eYi?uPtcs&Y z?~qW9EZx{z6#(F^r8-9P?E?B~d}=6+&A4R{55%XDj|uVXlby>6A1E; z6vUA`%yN7(4}La?u(VZ_N3YPx<#kP+SIJBv6#L$$5Q?AXgoGjogA$xo$(vR;Fxxq@ zNUe#zq0hkUMJ1PsL$x17$BNy`2~n}}8OiJ@Em9%zh{Ne-)@=>upnp(!0m?t~{oiu| z9PcUJPffBJ)tnTh^WZgG(7!ZL_DDGxXZ_Ul?k=SgwyCbtbQDJ+Ips%4;h>^9Vda~V zuh%suyw7?6c&2>BU{`(317C}na{W3sc1u+te)UDK;3u%Se1@5FJ~!fcYsPicjOwKs z&)!l+UI^`bp{Gzweer@1PoVJ`i0Rl#Jz2j%pgYMGV)&{Epn{$iW%+G4J#s-$lhss= zQ&*k2-(Aoqq@tj}YH3%JFO}$M7P|;MWb_#sGQ7Jk=f=s}r)od-goc3*O_J_DiaZ%q zZE@8X(%&Xun^zE0;~WwdM%3&|)FD*g{$^w$Qfs0^HhObd#o|`#EMZ5%Ud=63<3)Le zObdoUeMpx@$5w{5w7ZhJ4V3(z-sfWK6Dj#ImD2S5*rZ0?1mIZ#`@g5g_GSlJZ$LFa zWlgk7f?&UnP+KB^zQt%iVI@x;HDL!AkcJ$88)o+b$f(*3L@c{XB?)#XHAyA*n}=p6 zog7OeDI{&mDF8wf#=m43$CgR~JfZoRxeC6DLYJ;ho&nx;*8N0%L6t$D_Qh4Q@V|k!O3K|hnB|6)MBgXlR41tI zHkJ{Eh!ulE1r<}#R@PR&9Kfk|*BpVWDlOFlb`@T1gEBjPA=HhwD*i~D7z@%&sRXsN zsUaNXQ*2m`)yj6~mY#2zuNT%Z%dElt=p#1v--ctBO2w2r`017>B`J}xf;hZ4w(+yz zns5WO<0v+YY5k9*Rj&QjSds9UZwA5c;q?)*TxH8mhps+IZBP&3llOsMAygr~vU7+Q z*n+M$`WwkF^HdKdt@g^d9ZoTj8}zE(1|JCfbE4$?Q$E`BOneWgZcR6vAj@=Gf9VTL 
z*m2>ymd&*mVv1mmk(p0UvjxFRyCGy1z3y8_dEB5g$!k4FhNwob($MJc@mjTkyhDK@ zaXYwKS=xB831vd0ha9hPb{k>bQI?3R|2JDJxZR}MBbgslI@XV6>@K*-)_+@M9nY?E zR6@{{oiPlXQ8+geRfQTcCNDWO4M^aI^L%AqE5fu!d|Iv}W4VmgtQLV1m}fJu8r8U6 z13H+|XwaFVa~@byioc%XqV^lscR^W>O>0tC&vq?l_yd-`V3WH5!dnp zN@4YaZ*tOONHI`rN7@Ly6u8^tc1{Py)dnaxRRFRaB0h|15Ut~g02KdH@J5CPN9C7Q zkbSlYU56imG!JeCB>}UYHaIvS`t-jv3XM5xOWZ7~7_Wpc)A}VF$-@|r=*9-LK-b{) zMF#jD8qrO`4#_l15wo`W%8l*YLe|CJIy#K0D#S*#Ixwos@!q$U)9`RLnfcI|;N?1R z;Ns!s;+^2<(>8n&e7P$IcsWMAg5F?v9o*YApPD{nmUy-bSy+%27G?&8tuPh$yXTSw z?n(jWyJzSk&ICO1*7!stv0K6vXg2tf#9v^80m*U|+81<>b~`1DpnfA)4>%**-E|!x zrb+jXa^h;lO`IkbLcB|cOMrN9vc@CYTo<=uWi?MYGdl;cz8Rne_aN zz8K^{b!-B}qaE(9LQM|CzPmfo?q#ntm)W3Gz@?F!BR4nbZ!iAw>ko`|N7GcdAy9Go zthf;m1MZh1vzXV@y0y*`hV>CJ&@xjh(OMyv&C`othjCt$Tljb~v*-MVPH)ZQ*?7&E-B-2FT4Yc1Pk-c6VtM`h)@lL@DF4Aji@}13$jonE- ze;$hn+tKEARFKWtfpp`4w6XSi5P|BkL1$%7&6Tf&lDDIJG;6=6C)t_(3Z7W_a7U&1 zPYM(TS$d58cuC6@)rEYEb&l5F)+9S?J{XhRrEkpTV`9L)=O@M> z)=6Gq;F3D~Lrl3KS2cC~X_|It?nU84oeIZn;$g+&h+R9pvTh=^TAH?OvXMlU!^_E0cSd+4Gt>^l>1hgM5)WC+F037NP&O~ovF-|y=fnLo-yg??Yl#j zF--cFB)OQ;x?!qU+B^lOZWi2mVdHRGH-4L^G%&4M*f<5Ho-&fpPo2Xguf1VO1vs^`z7K2y$3a|n(Z7aaBKdxUyd95!r3l{lrFMQtA|=$wZY{PvK3 z2PM=1(Jl?uw%F*tTzrh8|!HwRK>%Ps<6e;Lu#wh_Vw*6RM6jfNX5O-*%QXxOv39IojaPP!lC4 z&s!SjffO z6NVv0$dqGnRkqQ}08-+pw_|tcK>ANc`q`x?0MCKTbAQ++!3!Z2A?c|5`5HgvyZaf* z0Y?xaGiEkjoNDl}A#!ZB!o4Gp`42~R6;6fm?cR`^tVexTJ-Py&o)Kcmdw?K-bt7&; zpO=(3OpI3!LqI1}&i*hqtKo(@z)s9xI9EVn2J%K*r9jI}VH zX+8wJ5Jo`}5MX(O^f;Ie(fCDkA%D%(XyYFBfKer{H``1d_4ykA9P!0qp}lPTZfe~{ zoYSxaWdgOz$>u6#mowY~^ zb`ndmLJXy_(IT^=>EOLHXS*<=m=Sq?GP)(thb(z$zrsiR+bP0h@WN4VnQ zBY7y|`*eu|c8?o_bS&A6w`lQ1L)a)hwf>MQ#ssoI&s#3aJRL-}WNHyeI1<-j(Lc0( zur<5i;%7@TJ%olgD03Lj&9f4;P<(uFw zrt@dwJ-FC>9F#tTX8D-sYS*hyy<}JF;EBt^+jY7=-&C&Sh)>1Ytos=4x4GG_NfpZN z_LIKZP4y3fHWw)}~zC{(kZI~u)vzu&vqja-kxkvXg=AHuI1(3!0 z^mWRjj+UXEDvOk7yV574CEium0Ig<#xBhXk=*E>OZ(vX~_c)6sUAYV8Zlw7|H4Yi{ z&g7PaOS)H;M0a@f)P{^MG{oB#4u(ZT^vfiO4`8QRWRZl2QUK zrJqy$Q$zyZWsr$0u&_R?oM;H+2fKE1i#KldI72PhN#4IsXBpdIfWw>%I#oO;s`LhM 
z1y@g%@q(atD{dW5*IXpsUl#W#cu<{T4{(Kea1#2k<`h>0Io+XbQ#x={8gNJ~O31kT zOs@^-@2B+N-eFo|YG5vkdT`B@TOm<3;AMYd*BV^mmp}LDf5n7WkVme!ILn49Q*Ye& zp=4KmNW%t_APL$JjBq+2oCH0QP+-Fd%jac|}=4~}9*_1PbUWIqI zNG7Nx&{S_j!#pPMsMN@i$)urDHE5d#sAC*@CTk%{HT`2S6Vf2P3`)_R6FkRa+M@qW zEAEN9<^Em$rgG}PX=p0}kR+#cwbEe9033%KN#_NIgwoo#bb~!v2yqdx!rU%&3^$Uy z333ue4L&Z=SU<3wikOtG^!t+E7n-3&DUOG#7#gXbIt#vJTD!NVFJHB?W~;t{eceS_ z1vqfIvu;WJ<#Twt+J*z-aD@hSq=f|07FD2*Fc7 zWTv4N#8C&x2ZQO8xt;qT&X+mZWcBc0&S(BW3P~|;OI}eFoiOS>#n`P(3ix5(7NI|E zesqWR^qraGf3`{{hRby%K&~laCGObAjsdw=cQBw7166~C#Kn7O<5IG~d%dTKdH~TM z&S+DJ&}=`;v&4}B%cTdsP*((;o#iA32C}Pe$cqH*FV@WClx`YN!-2s0!$bY2@ELaQ_*N$h_-`|-ZcULjW zEL|z-k~X)Zlz%r*fd1TlmyZn1$?8RRu3?bm&UtShIt!$^J6N}YWha}`el=L>-dfF2 zpZ+%9pjPG#QKeu0Uky)SK7)V#6dr}x2IySqE|~>*(==zk;=5B`SA3tS_s0szAL`MV zf-fah=oWZHXk8c9luUbStrus!+PG)m?1CjxYCqu?g;JPzfchg0@v>qdWQ|`D4{|hH z%=GMkL_DM^&qO7n;}g524;XYNc};3e!If?M3srUY4zTHc29X(I2uNHm?p78KsaU^U z@IuBJ7I(MlKU|RE|0;I`yZ@>7$o_{5j$;{n2yXtm-~V#K7uBN*f~Lw}F6dD-Hx_k{ zn6T3D4*)jYSo%#wAx;$}o*=K0u~gN1NsEvu#C+bxx5$UxI?}K#;g*gp#f!lDOxzoH}`wxIAr3ty7kSTm2)F<>3L)`eU+e_!Dya6eMfYxEQ z_N|jFVJMd3JWs()5sza)#NO^zrrp8N0zG{pm3iNfyY((@iMH}5m|muIfz0zXV@*zA znE+JSo}(g@7Y~raw@N|%z|f-sw44k)MUAz9ISw!Z&MUP7$p-^DsW1aX0%L$6n zu|kb|y^8ok>7DNe=El;CRki&EirZ^IHFC>ZR<7EsuC~&fdb_Hv&U63x?#~*VRzZ5@ z%#3G;=EVW;zOn+RBe-e{o)iAc?DfNWwS;{KW0Kg-?Mn2y$M^cTegm%^B||0^NxT9m#e~bu#CIqYkXLLNU zXR&y>$n{J<7cKG+dT4(aEx|p~GuQe1{wZKBeVgpt`e2*!)jVZiONGJ6 zQc}&jHSHt9jwQkKG|@sQJclTQ^#IeO@UW0r4>OAy1q9MfihGi|`ka3E5*>o`TE@SQ^z&HZ4$v9(ynMDWJ`KQ~`;DJ^KfLMisL@JCzEJLT{T&uybxDm^1eEth(!=Gw4XjZ4`8nlg7xAc%>{dmZ zc`v^SeC`eae1(UBYOOo~{Udl~i7{XtC~Us)+P|+E7k*iUIMz#sSk$#yl+l+5K*=va zDAXp|I=+~qRy?auIW5^Bc^IV`oC2W_t^|Yog%&&p%D=k1ypwRkUtvLc)Mea_X*<2w z?EG~Ku2$P5JEByASD1ifRf^Q3V4lq?;qT4$w?ih@1j=dkx2Y{AmnqryxwdW+&7d_ z8%O8qyH-LAeA!v64t7Rng_guE?NoYN>I7kC#x)FkS(x~DENQD)> z4R~qXa2D3Ea5yQN&dXlzxg{|Rl^`z`3b!4D3oOLf8iq$?_q^7~2iq4oV74H)IZT<1 z8=X{de1#v_gCuUjaohG(kSAuKEzr)!B>?i%M$Q!3?HGXWpT;g(C2t*zE{8{ByLQByYT4J 
zVCR%MT+bcyJ~7~g2H%2|Ik5r3S2OJG!w0*fj#Q7v{jlhr=xuKtZ+E-*GX`A0sQ)va zY%@D%#mh7eCK=^0u4BKD=JV@yL2Z+8-%kTilAw+sS$hk`u{1mY(H4;Z1p>aU{~b6)LpO(S=@o7TP-r`9W%od*379_#9r}Aq(4fqIi{4wH4{*Yk_io6uf3^k!)3K92I;qLX|z2;p-mqDD_sby+eSUSnD`vI0DSJzQiI`j zca>M^`-Cis7XgzgMjo|Uuthnwt?uaRUn4}E$qCqWrwgUR?KRD;uX7A!49YulTg`FY zsF(7!Ui9^x_Lib0m0LJb-o@uLN-fzW?%J*D;mhTJ43*B@_Knu3T^KB%p%NbYM;{HX zm{0C*;17>4H0RuI%g`>RraQmu8u5Y_OxCTR^-pZPTk(L%r=&w8EIe-TP&so|v~z7+ zBBw==M!FsM#)doXpqk@u7!m;4qB7EPOH+8DzB}yD7=PiI(tY&)DvoEsG>|)rLMQojR6=0xPXfXWigwJUmd^wE<%r((S4SH4cf`}5M)3~rGxCnL z@(EZzquhE-@zT2OVNllX_3_)!oY={|sBY<&`K_Hbz15H9{uzVvj)vvAs;W9$b@mqU z5i{rR_1&dA&^a6T@iEwr!7m99bkDj3^cR=Nm_fRfAHa4z6PD{(XaO&|MNYyUX7lO=Q@beKJn6QrI&_Es`?>tF9sQAV*7{_~sFMUSMiG;abVoGlv`$|74r9&GE?tO@!*VPnNyY)R4dVs+{9L;lFkSFwbYpd$!@_!>RxBb49A_9Q0n>tvjAF$x zJ1&Uz#Ts~Lcx+~$i8+Da#+Z@Z1mf}Hx-``quH^0c7nl$HbH*$N3oYnox;#((LKv`U z8)Zgz)!I3maL>dkpo?J?&LwOQ7f~^o5Tg&`-@}&bcvZbcC*(8pu_6(T zWnQb{1xfP8ps{jigEUdGfGH$k2@9C~6+)3OBJqV~NAiJBH^OzD;)z9@UVwS|82m~Z z4P9I$^;p`(A^l7$@JhArKO|McIftP}ouX&dXqte|nSfQ4z|em!ivenTv_KmZ)%FC0 zlYp==XiI{?3JT_H;-So5LrKnKqLfNSNvm8aT6gd_zurY$0jVTXVS5iis>%V&z=ptD z;qr?#VIZv54>_*OoyL1&hCpQ2%MJ>V^aQk ze8c0u*E;@1rzH?3f2JpB3V#Mn;B>gS>W2u#^HFl95C2ihAbj}_V8RD55Rj1I-!z9} zy>?Z66}f7I|Ksob5t#j!daAU6q{W@n2PB9xpW|loam{Kq?N2GuapO4mPT#vSOF6Jr z>R9Aeymn7yc1N!Pf)W2nAH@OA`lV|eDXL(Ur#(R}Ql}Z+DTOv@ShcReG_AD7+8l*& zribQkx{*4pdsERy-2yuorMhwR0{W0u4q{{RBiMN98i!=nti-iTUL&uPsLCJ|<_QpZ z+joqZGOc@LLYFNnYfh-@JV}+Fq)Mketlcz0D&O&s9yv|#D#A3?2n-t-C6 z#AnrpWPtYp437Zo(?aI9fkZi{=X56+w(){9L*r(&jFz33S@6Fyz_4Lq<7Fwp+ja7S zI*FJ*Mc&W4NB6Yb08AQ0`5?_9iH+B(_i97Ue%-=+n5+b?wuyX6U)t_j_NL{NcImr78bZO_wdaF zKFyF~b!P;lE2K2jRIq zK3C?u1@PrJJK!*SCVipl1)9QdTYHT4+ZCf?nj06x9G9x&zwx`uT3b*vd+i?0g`x1@ zfumj|u&2Ox_MN+LxkvQ-`S7rXRXaV${W-G%U0~PA1IrabjkveC&O=RhIl=Z)>4u!m zLvRi*rPC>-_;ww3iTO1$gbr%sat-eVmOk>9zzS$;0r!Mg*}K1)3!>vCkqZQdTQFi< zAb6csCWq-b28MJUgDGqqZw|JyP9465UoXd7@qY%YrAp+K30#FNW%2^u!CWqi9OH4F zEr5E~!jy_|$4H+yPq+ODQt}cdxQ|T3D?;Zkc9IO8>ZOQ=}do3trwU* 
zu;{MmBFBr(p&k;6y)CqFVC+pU3Qr)Qdu$+k4}6akq|#I%;372=Z7@X1L|wogvwTT3 z)?ReQy-n8`{DK}(qN84;i4QRR${4uQx*BT>Z~sNkZVF=z(96dX0+78M{U}B6A@lHv zd~$aH?5#e#L|HKKjWu9MbJ?%0LfFzB_RVGg%q2eI-^VD)HO%l~=JM_kksgs84HM1F zf51Ain{V(G6tUQC5Go=zrl$fSGL_g}PY{tw>aFOQFetD-Nx;UW#R#A*0F3oVN-BdK za~k)1>M)2Rn73(ktkOnoUQZ)w98=r}!UvPwlm&8x;D*$;vP96QBML*)n+K87-02E* zL3!hH1A2UAYGqYV1IWB(;JL_%E1I_j9rZ9NZ5@w#zxa6_FZCV>+IANGl~Qa&PXZia z)5=?gIH6(XStv_r%VLxGU8raotzJt%*<*lp|5+oI$ZG6rcnPXUwiR8G0prk)zDnO= zx{J4=sGs%gxeW_^7YRl|FeQPUQjE~F2k1#;30E`Pne?`tY&|6g zPRb=S!m%A))k4V3ETFai*N@4@15DQlOTG(zBa(1g+#uyzw5g!p6{-oR2$FD8rR0u9 zBle^*@(0vw*8PJ0RD4!VJs$$-?X=+v(tAyRpA9z0R(8i)9@h!(^De$m{0jfOTm)i& zcCb&Hg;NhWj+^T^hK?9ivV?$d1bq||>XSa)i62>M8^7kXO z$PXRyIX=W%Bq-omrWo^+fe$A#6kD!`QBCw&V_OH@04g#+v7{;3Dh?qp3*c=!wL+oTQ4$_IBB!X})qqkEBUI#cga?u6Ex0g*Ppl`(=%zh>p5i*Gg9`O(9AJ;?Pxn9H=A~C(>-0`OgA29^OU(uO zpol!zhb7SG;EyDr^$_5Saw$b_(uoafZF>BjWhF}~)rPvC$s$_5v%bI370?58Z(qDOne)C> z$^9wGjSJAR1X8gv;ttlK>g!VidGR*YZ|lqKVFH4{oF@UZ4Pf&7UR;QS49ooeTl@BY zp7MX>IYp(>tqML%sfZaK@z^1av5%ele)LOkmw87SECxh7Anb67Zv9zT8KLIsAtIlY zfo1Urj#kLtUnX{sB7^Y0RMmgrrte_>f#+4Q12D}TEkQT40s7>~gaz&EX*{Qf$|$1y z0DYD2@$aJ>;BgnYYeMiM1eaCMRRaGyMctCbt!DAdGKkJh)z#HmHE9uS88HNb$e`>O zp9|Ua>7@8WKYSN@zE1+>Uf}Gu=TE}d6_&}V9wdSP1rr8x<+C-qT{3`xZ#?g)oi-qX z6UlX5?5^oxzh1*rL&SrDc7kHiUzTTzkRi{Q%aocq4bP+Ud8p<_ry z@dnroR5fQ#padiE6#x!-m)W`QJChaK%DTVhVgVg>9U!c}J;V4XqByEruSo`xPyR}) zXKRr+XcL8;f{wK5eEU}rm$$J7L2E8J`j`f$b;kHBJ`4 zrUN^ZHwfa#-_=N)jN$d%A@xFGxi;xDxkVY22rwo#Bk&%sRaq}TH+PSR8FvG&j^l6j zg#j7l!+z1C!yaaWcKLId_D}vZsgH%u8#712%~3CDNUl?I2bhfREC9nrfOtFIYp4nQ zhr9e$r#FYU?9+lubro~vf(zGA^*SN!Jhgz3YK*J|3IpQzE-q8SK{+w7j_#9zo`q@i zBBv)3c#&QFpm&%-rrDec2uS^|1#yjhBRzJ%G`~6B533Z&WoDKW7qGMG#wD1o-k=b+ zfx2%7ATsAtMFU>bc>&1)lwJjK{S!+mZ*IruIx{l>M|-4PJt_lyB7?wKnKeYcFUX^} zbf&;_?ekUU=)RK0$5*&UPe|BfC=3C?&TS6@j9OxO3JI8h85vP=as*q-m@wJ4>fpqJ z{;^3#Tii&&u;L#p4f+6ZR}+GUD1jzm52))EVMwQ5^%Uw19jut{Zq9Bn|2UYj&(GeU zH0D;MB4tre4djj#FlB~iaC?SOR9i>C`J=8P$TyKgb{mR91+;S^G%VgODI)V!myoXv 
zXQbzb5q>EGVrV(o*TY8n!}&%>mL1GFS;D#L_5i#4Ks!3n-(r!u+TWYIKs#E{Ic%W< z_G2KgVED%oC4g>95HDxC0`@ln``>xmLIthAp=kKWmERC8h?h5ALF;db9(0adsKEU< z6b}D5^BbZD@p7jtaDNlHIR@v-f#U|A>sGi5>nrV-2cZgJU;(2qzVi(h&J*CS%fx3g zm|{kMydMyox`aO+kp`O+li?SOHNihoB7XaQ;S+V@=-_tB5YA|{ar|`P2OKREM~2oA z26IKCw?ij`JmE+hxMNttDNPrN?>3x_lR3iZU{7TTXEf9#emd}DPL;6(gB_%S9MRyT z_{l&|IM_yxjMmU!IKltG1ApPTzwk%#|AFKG!qtD_Pl^A9FO34ZCb>2!HS*=FHPR_a zuRILKexlF$26kh;smOVV;GE@4j^-fEN+3otKQ)?w6}&Gv$=JGBSdzuK{g`+WV`NGT zDW3$Ed-C7ra6Frw3t}8+`ds*t`CGLq8&qR}R~(mdWm*HW9R~{PINE&=xOrL~n&<%w z!W9WQ<4tD|1_2CzQ%bQhGvKar_XA3Qw8cS3%Gj!AV;kyY!h%M7aV987zj0)DN0E8# zy{R}5u#*RC{X^JJxHD=j77|uXrRvgvd@r^LU%qzyc$5?cq5on9=&E2?e=OoTJ;WeH z^*)w0$D_l4*!{tNz4-xFkOqfvUV<3TXa)e__XGn_kOl@p0f6{D|2m6m0sKD)IsgHH zv6HExi>a!mh^d*Sou!MVy&avEv%Q_G2Q&a6$baVk_oAu-3jpp#QEbjmS!^EK18=^q za}l@6hW6dt*8{xohRA(un#9r#l8v?_xd_57xphY}Y(xfO5!upC90?`4?$`nNtoc0u zEcu)xd~P<$oH^pWPPtJ@s(7@&?|xn4_w$gCVeM-h)E?n^foMHlD?44>-?x1>%Cpam z7(Mj-HYyYCS77ur1@rv=^8Vsoi3UxX7VJyghWaO;A5l3|f?9RKKT%YzC-UQmh3c(p zxwPS!2a>qZu?C%KZla>{3cm723clw~$O0JG@NmQ6+i`+5J~UKp?!dhZlpQ!#=3h-0 zU~9>ntltq=NVYN_<~(hlOj}}LC0kf_AwytVIk!$%k68)Ufl8Ix6Fno+jz_z zLy;&Pp}hs!wY@zIyD3o-AOmy+4o*cT6R@k*TPK9y^R$uMf{`@l2Iu3~_TVG1&P-^| zw5{XUp`=sN*01rW=H2PFE?X1`dypj~YL@2krA~ci6j5`^c#Q0jieqayu&3obFezYc<$d@`#{21^+=($IV$g6Y23Lgxk8X17>w z8q^IZ00KF@H)7by@$*KPWZyfo)prS0grPV`tSQ-`H_G~FkIyP)q-GtukG7JbLX~O; zXqq{Rn@5X2#oT;s;MIkA~6{8*$;9o zw3zl@_nRI$p~7O+7Ak#yq<$VnhKP{20G|*D9iQMGt^riaHN!VbmIE4;%7C6EgW+2{ z*yWZ5{d5ci6`G7JBW{i916>?>03AbH-UO08uOk&PP_Yu51EIGBsmTQuOYVrF7;)e~ zrd}TGL|3E5cmOuBO1wd&q7MwVd;e?gEcyFwOkV4#`2}j?81u?Ag5tw}f zJLaP#a+je%sgSn$xVW)v$Z%6T;cw9ZH-MYc2Zn;vSXV6gFRkdEeqa!Bf)HPiL0$QH z@}{G)Ir03IBmP;Wfa43CHb`ECh|G&!UwhQeec48uH{1brFRBm+b}&<e0} z)!XYc&_gd6Da7jHI<7?Vc;#WD$}njRyJaR2>n-`-1A<=+E!$^KYga&P2QXtTaV!6! 
zsH9n{V)xL}^Qmg0RR*v(LVse$1$BM{=#pawWeKMrWx^opd6Mh4pxBTJKx?us2hgkh zem?^ZFFXb#AZ8%f8VGCO-~&f6KyUuM#P5YG2@+;*`_+uK z>qp11+-toP+v=I~m%XJmvV#b<%otp0pguhISdIfo$gc%x9vcW z$Qto^?xXm-yPdtOn;$)`?l*7oa#?PlG1-XOyRPRZtG$$nrm*mTxqx^0b%rSqwJZ^B zEg`DLrBYRHi~(QS*6|X&OU$a`Rj5M$>1QdnoJOu-%@W~35nn)JHE%(gvD~V6xq#}< zZ1mpi_Nm8yHmml*5xnRPq~zH45G|dtvdciagc}_L%&(r{fpBt!NE(Lfpm4E-hC4^o=VFaBy6ATv74eF}_@R3CnCp7eB%K@@z9d6V;9`JD~rXZ2xC>RR$wl)c- zqBoAzBol^HgkRXhiD5z$ByZWRVm?=XYP6%}w`cSgct87^)RVy}ITJ+Pz_!aLM_L!6 zafUJ+oG;X4qOD#poOM|3UX^8(*m>|8&7U!H^Hh9QILS_hRj;+9V8ah~<+-IjKgTc< zP#6wK+X}it4-h7>yMxxI1o3!!$*U+ick$h*Q_7<3s$im|==5SWVq21sli74(NM}S> zjB1=UGbpG>ZO5eh3D9X~(X3XV3a=$1k=#~5IjI6~tFt0~5W4JodCS3pmXfmRQeY_Q=dxwlA+v{VVq4s#a5qQpK?Qo; zz+`aP_QL!G4TbW9PN)tY8=jP0U6CQ%5QjqM9~iWwbEjalPzNq;j^NORj|MrKO$jJr zDLFH)Qb|kFD`OgWb+(itB19W0*i!6Ggpu=wpUKoS`bHN@(9lYFr-K#+NuGN}j^$ty z54li^`tjic_p-O1>#SF$6goAlX0q}56t9&!G|;zD{m(L}{w@QgT4^5sjHEG_F#4SN z_tYC6iRh8)OT$WXyNI%))5A)3l!C@1@D)zGtrs2I>sf2DA5K^D{vqN&L+@dkT}7)$ z-DZ@wU)#XH{^@1^DAN%=s578tVkQT=<#ceNA6Fkt0uLtjunXPI9HT6CvWE%ZeDWb3 z)?ffAGJ=;3GBQjW=BSu49t=%~id2fq-0k!%Qni;-E!rPl|w7w+#mc4#gF|@IeBt4Zv@{rK*M6(b#m0hhiA+iy-~laU*bYVl*ijoDtKOnuYyZJQ z{YdZM?v3;tp0ik}Y8p&bK)^vF2%;jSOaa_58ouB)g03Q|!U(j>!NcBM9C z9QY+RiWuEakdnXGG0-+( zoTzTw-?L5VrN@IC^r#VG25Q~={xM(w*IC2I+qS-MT=wfIXT!aPNJAC?lPCZHvejBK z1^65!8M6-aK+H#in6&o6X(*g?cI%kHe8?f$#D1buqo286I&wNz4hq((SJQYTgsmn~ z)Ws4Fe_3ieL150>K$wvaj2l7_vxiQ09c)=ujv9-n0rIiglS}%NI;RAmadXw29FiMl zQM_i2jw;CM1M^g>Tj+s1*^IOfYhm{aVPW>jW`{fFI0aTXL4!>s7+`9Xv%a@e%=ZLc z?T`huMw193tO{HV!KK#`o=9UUB7lM;V?s;k#J3!l#_>S2a+9DU`8I2k4C&by2tiCK z@W?`cyl*P;iiL*214?gS)%f%S*Jun=1pz$)?1E#T><6f5GeBqMq&OG&`~%xepw(&r z4T4?H%Aslwby6Q<-em+dn2b7no_OJppZ5f+@j#jdc7=<|o+uP_y;^QzL$s||!9Tu?fDrYVRg~tfrY$a zsyWG&r6QX0%x(^(Ntt8CCJR-jg)VY62;+|xL(VAR3=a#uNpE-&3^>t^wVfuY)Q*rm zgkg6I!5#XFr3;4LNTpKGv#wg3Bb7_6t2Hro5PMf#5Atn%wcfb=f^`uY-Kuw&$)l?D z=95J+H@NUWmB$XA>31xQ#JT}1l=IgccCol3uEq?Sd|+GHarGwdW>albBae3B)980= ze%~LX9p)|2!DVy8CtW<@He*SeAm92_bH+9cn5hq?3=t3&MsDFXs2jeriF$Nw}T- 
zK2LCsLK|E6wq=KBE=QapAehB4AX8sZAx{c~-wbD1b?ir-oXb@T%5VLPvCs+n=XZ&7~dlF2WBN(J=RVFyr7_A36~R_yp$3Q)_w40?2=g60hYmrle+aQJ6pHQ@NE;5 zJ5<2~?vpfEn-+i6NKjAS8T-Qz3&`7&J-u{0f@L{SS4&l7iAC8lqWe?{zD+;@;rSr= z6Q-Vzj0Sa`S{EFs=2*{D+(lB3KYHjz^P%XKHLg*s>{VF0M>fZZb{)&uj%}ZR5BAQ1 zJvW2288Rw4tF}=ZNH0r5gc`h-XWq*z|M1MTk3u{;Rz^QKWHT^>dk{uR%^MeAdj>Is zLex4`%h%de+~!&tiD(CF#Lhj9EM0MdXMl>%A&y{syX&Bz*tb66Rcj_cJ#`{UUpjJ# z*n2FrX3rhUL1F%+iGe0&0h3$D2L&eP7&MCzLbVvg=hKcYE|5sGfJ?K@4IJ$t&UNe5 zuM0Fe-3xQF=9-o*4KD3OJX3px0)T$_8N}wr_YM1W&h1!Hl-tPU^RVE>1O#FLkTq*J zZ}ZMLWOwZ}JFzbRk^P?9l!qntgl_V(yOZ%5n}WJiq9vPWO)o7l z+SzkA!#lgjo96i1Vht}h*j(9O{}K;JdhMeL;&>4eZ1DIQ}^Z&i_d&2g*eakChiUpA~2$-Me^gwvXLU;CSc1@q<5ttg$hzqhn=J(h5`WYmi}8&6oYIo z{pc%DDV2Xrr8;Ws>ErJ0izoT`-;&76e`^Xz3ZN&ElpkZaaOTIAd;b;tO@cZ9mue*8 WTU2un3j%Nb1}LdYNw?_On*IVP Date: Wed, 5 Feb 2025 15:42:12 +0530 Subject: [PATCH 8/8] solution packaged for added new Hunting Query --- .../Data/Solution_AzureActivity.json | 5 +- Solutions/Azure Activity/Package/3.0.3.zip | Bin 31516 -> 31460 bytes .../Package/createUiDefinition.json | 16 ++- .../Azure Activity/Package/mainTemplate.json | 111 ++++++++++++++++-- Solutions/Azure Activity/ReleaseNotes.md | 2 +- 5 files changed, 122 insertions(+), 12 deletions(-) diff --git a/Solutions/Azure Activity/Data/Solution_AzureActivity.json b/Solutions/Azure Activity/Data/Solution_AzureActivity.json index c778d63e6fb..66156b1f9e8 100644 --- a/Solutions/Azure Activity/Data/Solution_AzureActivity.json +++ b/Solutions/Azure Activity/Data/Solution_AzureActivity.json @@ -20,7 +20,8 @@ "Hunting Queries/Creating_Anomalous_Number_Of_Resources.yaml", "Hunting Queries/Granting_Permissions_to_Account.yaml", "Hunting Queries/PortOpenedForAzureResource.yaml", - "Hunting Queries/Rare_Custom_Script_Extension.yaml" + "Hunting Queries/Rare_Custom_Script_Extension.yaml", + "Hunting Queries/Machine_Learning_Creation.yaml" ], "Analytic Rules": [ "Analytic Rules/AADHybridHealthADFSNewServer.yaml", 
@@ -43,7 +44,7 @@
 "Workbooks/AzureServiceHealthWorkbook.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Azure Activity",
- "Version": "3.0.0",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Azure Activity/Package/3.0.3.zip b/Solutions/Azure Activity/Package/3.0.3.zip index 4b73e37997257e84b8d7aba0d8dd3d3c4a821173..01b2c49492b1c53d2c7e6e40091923d757db2293 100644 GIT binary patch literal 31460 zcmY(pW02_3(zZR=W81cE+qP})!5-VTZQHhO+qU)2Ip2AHd{s%+s#LOa^_|tdx;iZ{ z1^fpY0000SV8Bg8vmjY|Jp~B>0L2ji0PXjxk%NhWlZlFju!*UKt%Z|?oh_}Uqn+)Q z&V?;jTl}|=uUm-!KeT3G9cwaK#=dEeTM1J}(91}+e~8rk`uxr*?QWB#9^%c$CbGU> z$zF|K@ggW6lw;FJqiE=FM(T(eI+fKEYH0O8pL=uwT|O=f;c2Hl0lMd2*V$2`dl?3# zjpFn|S0VdG27l4hDnF;9nnSn-wghbdQvPLiw^eZUbi4&3Q#aPBg@CG!HAjfl)1 zEqnvYCEMb9Q&??%fhHB?xLoOp3`$VAu>58eMbk+8xS#%^X!w&E<;_{qW;A4-DxQOS z(4Q9-`8-Il4^u<@iIbW8tXP0)((l$-;4+*Y6UE_D5Fkx_DjGt{U^^Iz5|^TMcG5$Y zkeZi4YQ~c~wpzlM^^|>igl5Jgu0UE=!}s$fopS~Tr;8CYgUjt}6x2_ko|y|`*INRP zRFIe^k=2V%HcTjf)hQp|owt*v08(|2F{}Oa!uJDJlh&1mxA$cQ?YL0288Q_P;Rl#f zv#vF0c}8|*Obh)Uvvu|5&{yE_FWWP9NJ|(Jo~DFCGf;ZcAoBKGJ0lJBOna_aATz?? zShTv+Or+sp&fpgH(7Y=)T}>u34wlmWJ(li)M$2?1wvQjGUN5Hi4aX5OGp-Qk#;b|0XoLCE{gKSu^3Pb)cl6*v+Aef^Pe3~NJDYsLZ-xqs= zCZ}Cciqho(glJHbx9rbaStPu-NS^04f|Uq5Z)sImXmSt)A-vVIF*7 z^d1YR((1dVYmM}NxBJwyC7Ymc;jDPQG5SwsVw%`^$Zm5y^#Ce zKBzqqZZ=J$!zkxMXf7|;+gw$)chi*awH3iBi{q7`e)?MiuOBM`B+^?w5KWEmTCs#4 zK4AkEV`6ASYsen|a1w(<6BWcZke|RK4NK?N_kGPwBP1J;47GG}wa5+Da+59q_hwJ+ zk!5KU?8<|WXK?e4?Hvc=zYOa*OT*sEJ8fPo6ST95B6Y7SPNdXnYQv=dbaL(6>;{p<7qfu0&&k*M;z~1N63H9>zV&i_^ z1UcjPwwZ35&E=H8w7!*OHe0(jnb&#cBO*)BNlxKjc9x_pl#Wg~;4E;ZXqE@OGOkYU z+vc`0m%7H$ohdC)x|He%k;+E>23)u8C;jAtzzSLX7AH5?K^c&G^ZG}PHq*EmIZY1* z8hYf=Wmjc_IPcC(L&7q&gf#b5eLOCN%pfCtkWW7;2_#?uL$@b#^56uAi@;^*_$^JX7Y1kFOF-O*%4-9M6 z_$(Vqs{XuN7+FYNn%hx|q$X zhoQ?AnORn2hlPJF$Cqd^pH@(8V7PYPN_`(Iez6Zh{kWLqKNLwpQ+>sk2A!SaCiSWn z*Y~Fy-@}Jem!27tuZp+|z1k`96Ekz=fIOn1OlL%H!OIb|p z|#3HA`aI&I!ew5b%GJ zJI|YiU}9J)Ks>_=QsjCPrg9R)$+}2RVrHL>zfdK&?CPj$FM`=AjL>chm?uD(K!Pby zl3V>Tl`Nx8+lzJ3tgpk39koa@lpOPt5K;C3t|QT&2G3f-geaO7OzVt82X_`phM?jj z96SwBNdqsVyroAiBneUA&lkPid9%yrq@!{58%K`^1X$ zN_03Pjz8{-%B~4+*zaE#&*EPS1>S;#RU`1H8?$rqEp2JHXdJ#8th2Intp{9JRq3^9 
zx2X7%);GnrET0g@S|AS8v<*=i^VK@H|1A4o;(Xee4iTY6tJ@8N1pOs&4r0p|eqg4L zhYROq{*KA#LS3D1sX*8K&KmCLcJ*ZyUZ3)%9+|&I?(NLF79bei?#kQhcx%1I2ip$}q)8~t&&Ga=m3=Z$vLgJtS#L-3e;B&s(wJKHtVs6smX%3(`hOlYlY02^O zG2TJJxRJtQQy?I0N7_=SG-~)O@YG2NzTsP{5z% z!!m;$v~veAt(&P5&SGiw-g!%K6ZeHqxiIE~siI<}6IEk{1#5lg&JOI5Lt|le%-J#);$x9X64?Sp%g1{M zJnz9M>7LW%CcMRy&~fs4C#L-BBnuaR4D`rJQIOsIAbF~Fq+D)dl7|QL5YN1tF#jc? zb6e(pv78>OP-0L%o>88kcJmJ9+EGI=g!+is%J&9!$6!=$pPa z+T8YF$Kdml)QCtOiFRpz!9BPJz~g!QdwV*94hDpG4V}%swT6;#m8BDz6aS1t%f5?E zV?pw|$ZlOEY)if-FR@#|a;_?6;S?7|vB2b4p1SI%%5XeBDdDUcmeypoQlPa^4UCgO zofm+S=8&h=Ru#-*7h_r6D%A!=8V)(1$!H*OoE_w&paF3rF_IR;L0l@4+sX%MK#ff) zu`1&lll)~`D2-6#%9;5JTxP_P^p^m6!i7nvE77f~kpsCMKL|Kw!f`lFMK&srj7YlO zA9VnSe96^_pv8d_g%sVZUceP!<2(#ydV}yjvkU%Ybgi4eHM9&t zVD$~=;&-Qe3N@N_SaOX^!O#}G1mW?QL|(3@^Jpod>r1d7u0{%y;fIiNgO^;w+%O#3 zAOg#BF?ia8%kRvct1oNJF1&iX!)j4siUH7*(rk5W2>ko!IsG;Ui(~Xa`N5b_ zvIw?KBr`l!fBg>&hkX0^UqPCKa987#Hnu~4XCOBN$Aj439lGIut}-Jg#{!|U2q@Q# zzOc{GYB*Q~-i#}93k>DPNYf+hK{7Bi&eiZ1v0F)Fr-u_!B}%Tt&7LdN1?yb5dVxjh ze+`n)ukM*Dh9als%t#IsX-l! zQxNS_YSo{sSzKBTE*l%Xcy2pvqwVhTF6b0&cL>Jn9_cSsT3V`tt^ljJ;mLelC&nn1 zaojU(HKCU^I=y8o&0W@^k!2N{KE|u3xNbHbwm6N?k)J~9tKjMTFxVYNpcB<@dymkPcr^ zXJj{8BN&@v?yKhsS&}c#uF$o)^l)q1X!Q_RC~$r@laN_-2Kr5KKtkr5-_BznJ%d~L z{h`sGP6M$hAS9ye!}3+p%1Pgkj}H3`3?N?@rQ-;Fk8;3}*6a}qGGgq1g0ko-50z+F zR`to~Pom044x|cT1y|5YTEu^Z!Yxpq;DZdbH}$u-UtXh!E&B`!oi37{cBi_>FflbY zgv0?p(nv1^m5~7hMNWUtcRpa~VJq)J=l1Mm+jV6U<;rCqC8ue`la9n;wn%q{hXp@< z`~!y`19x5~YQ!)q28U8ZQL+-dLGi=u^IgZb7()2TClt&3+T zp|`~Rz4oo6WgiheFhu1hq?G3s*3f$QIB%-^y3*l>hVG%KU1HRPlX3%qE`m$oQ z-XZ&uvzyqy+iVM(+>|q{>GHZ5MM8jH2?9Zh5eHt-Y#0 zg0Vb{xd{*J32}#AQYyqc^i)PJ>C<~p+Bno@QKd@5o_jFR3VT4W{j}M@PKZWZODz zdG?Bc2!Tk`nQIBo9!c%K5^@j_fZv{%`SV;_d5RQ$>;$hf>Q4vABGqfAh^O|Qy@_;S15}Nn{KR}a6TL%j`BBj zn%MoS^6wPE^g|$h0=iO` z!yil@8$FsRFDmY(U_z7L2xa8x6WEY1>GqY7i*aOf6ZhVK1q^Y64Cv_?r91%;ZRq~1aL?JwMJ(&PpQ}oe@(O@`4;}X^eI(98e}PE zX8bXt#Exu3iu)EH#!SrhdD__V;pKL9bm}?u$+C&2%6~pKZ@^;hm%C0x(CteLO4v~) zOuRwGyz19>(lNHH!K! 
zKDry>3e}`Lm~_!{)42D}igGc~)|eh5U2>Ii4!Pn=CXA-l^3Gy74ahH!;{=hKfYewE z6r71=qjhZCJRP)|Cy3fu2i+=fSqKKmEB`iCfiF#3HL z=YWOZEO=!@r|y@NVO_@oH>HAh1%*WzPseVYu#1mvL+9DmZJzD`Y}WoHlR$(PR^6 z!mQR3SnAYawiU47{#NV;#FtmeQj(6Yk;PNH`NPkXv~2F(uQYD&!DNFtLimUsT6h?iizVnt5Rq3_!w0pPM?Pw4flI_rihR9qBKz;jyfoJU|v6avgf9Ye; znmC;kz|<`{Na)u5zG}uz#T>rWE zLX%N9M57B8(=KN2F9r=3>=y&ia&?gcVxgaD%1qPac~dc-P4p>D^7@66rvKHq)e~mK7= zVK4&kfSP)!juT4_`F`lC6z<4eNV2iSD=XaX3;VXF!yHqLE4(8F^Z-RmfqK78x&Sbp>@4~DIp*26+`>>MEijUj+&LIAN4%I z!W*p$xrh+J0rohWH)A}=7l?z`9`v-h>wytU4@L(p1DNysev1-`TpjfFNh;4-L5 zQ=MqiNt1W4vXXza&7o(-W1B9@TLQX;$?Bi&xd2)`PiT>1goFDoch(C2lFLYB{0G9SEIdk|YX6kv5{yk><9Jyl|n4eB^vt<+P)7Iqp`Q2?M{Yv$NmmsZNu!-a?zAvy$x;bEBg3k@}A|LZ0II8z?`Hzc?jFmg_;rUN9wt zq66^1Jw->8KZGP37kgHS7NMLn$XT$6>MOd z8<$8nv)PC?^Jk5iHeE)~5@Hk*G^gYaY(Hk&*OG4S0KgY^Cf#Omc8&|TtVsK59G%=2 z9VXJ4RsZBNQiJoFBzlVWEWoTl)1)Uwt!5Xdyr=hUa4lRPoCr>Cn^|G(Ch&B<4sP!Y zaT?Yzp^Jf|c3~TUdxJQi-7AK>WZ%H`g> zwtLadT^VgGul{+I?-lbdtygUq^5HPo&JA;fw0ITnO)Ugv4s5J3cV>MKOeDk$Y+OEb z>e$S#z*O@J56~HoXV}cPw!n}OT8SQ3jPjkF?Gf5=PS=Rf>X#yl;-VP zpevi8=NHz$1k|vkKagzJnKipuNw;JhQXE}7#I)8~U4D&u{xycK=kdPKy=HBe;o2(7 zZ+mGyN>^_n%2enAVY5HLv}Nt)WT~smh#~}AXOyG!OJ-nWhVNG{u!{wOmW8><@7$s$ zEMT3B3{jyA8RxA_XOAt}f(%F3j}gsvhyUmW%L;RY|MM$WmTt{X_HOj@1&mYGmNlYH zu1kq#i%@Z`$Kuo&@$Y@nES((fv5u}!!^4guL_Yu#jZvmGa+(RX~nETvbqg;a-F}ClhLX!*o!@f>hTiwg2|421G%8_7NVDe=i zC7@h35}tFD)Ivr4#L)l02e4x7xJ9-Jjx9d6f(`b)wJz?CSv>6DEn1ocO8Cw&K(Aej z-PjQFdx@a`X7e86>_>^QXA|DQKQsd8w{(2zsu5L*N?F0(DrY?Ib*`DiO5?b6e91E1 zz~fyYrTIT>25C!-qJ$yDUnhRyi8PK82*V3e#JF^*@9dl<`twQTI zf{F2q{+_<yvu?f!v?QZMMkB-Kq+d~`S|md%GjD5Du#~kcjbM92*Y9>dL)U*r6lUM8YfaF9 zbr4}+%}YVJIZe@@B}2G5RukklFHo~Yl2umyM5^QxfIi4}}TEc`oi%)vOq?Vau!xbMFbFN>(h7*M$)qIGdKH z;r1>*2-8YF-U!#Y5`hm-hETr)y+Fq&34}dUS%hmF#64Yan#lyj0-jl|t>oo2AO@*o zC7b!HU*EM&A1++U!d$Q|27h@*+v9#ZLEGDo6K2<=Ylh$3z7t_r%lS9k|MhFluciL_ z*Rm1=naqv0HEgr%TNKNrGzA4Lm|LPfVO&+BEm;)(Utc2Za$j#Etv1)!mU1@ z2-8a?IKr;A5`kcEBB^9o>0QO!tYDb>i<%uavMiA$Nc1P>(x8PA5>!}dxR?JEHQ@h5 
z4fwC9SNQ!5LSf9d1#x%@@D^YT5+!1sUR5HK-OJgJV3^sMN>ir^x;+~fk7Vs}Q?|^o z_JtF3zBH#%!*$b6ZS8e1J#(&qLfW~r)&WyO(+Ub9?pdj`#5WivI;3h%8#8dKqC9wP z=C7TaqN|POuU$AzU1DiQ!FJE?nf0Lrcu^HnYOprI?}_x!9h@!EqB`Tsp`yGU%#E{? zQ?Hf>Gas4#?}V+8HkU~Y7Z%$CqIp@0Tg3?fsW1re0%)a_0BV8X*PXU|Zmo*O;sNTV zR48?rA4Uac)!O>I0>7II99wL770g|xdsVU7_)Sgb7Qk@+2AZt%E7O6?e-afb{~@{j zABn~Pkz6@AOF}ZDwJQreceONpv3((1eFh(V9|>eX9djXs=!)Yy4$3TJ|LuFy!yDp1 z`By*f$J%s+@Ur))pn?;+Fdq6ZyM^>IS2ps|unO(z#;vndNz)UYDSu;ZTB$Fksqn#e z-IwI^-@!fZ2W{QT6uzMJvy(aKf`F(Fya3wrWY{smi7?Yjra5mv$J{16nQ#T$BX3A3 zD_&J7D_exQVd^L3LDyzp!sK>ag135sF&UBtQ6Gxo9h>nSY2FER>J;r#fagw&4Nhj4Ox6d~P7oJLa?X**wW#9;qnU1XO2I z%sG(0QlbI8e@<3z5A=h}QLmZgi0eUU?Y+qdJ_Y7paPU6VrQ{eP)JnPiNs=0@o$Ol~*>0)VP% zLN3mw;5?G=F5D#JD=G5EW6bwz829DeIRj-Yg)a$MeB~{nhTt``yI2`j8~ZB4Z0b0| zhQ}tvD|dh%xMyXt9iLwX-zwOY5eHj zwwSIh9Zf)Y4gF`V=~mWg|DxBCbP0n&q@aQ8A5p=m$>Pw0@H>~oqRUUvs%2eo z^%I@{w$X7{NyCi8=NvrEZOeU96Fwgj7%3}G>IJ^8L9~s~aq;)877kyl8SyH5X27mc%G!K$en^FJX{%)!F3*!q z1Dm>G%1w!@T()Onm-q^hCwE=R8g>}HGaTxha2bW&^IHA{nLBKDLYuc+8J3&!XIiOFLtOi|#>>Y1|pSGUAKD9I5_(puS26(Yn zUpwAgF_kE17oWvXJU{KYWzg^rLSSd}Pn* zQTjH+nkxpCF&J83=|0G8OtKr5xiRr~a$ypx<%`Rppj43nuttA!H3jRH91S>7A9BUm zh)*%Geh|GO)!h!|2KlBM7*STK!@da)*_VOeis=T}20MvYS&q+{VI(D_SBi_-8iTXr znd>Q|yiCra22yHx5wrSX z>rwGVX1e24;Xp>gfpR)RNFQ^)J6nYNbRrb7*NH6ckYALoVrHK_7C>W z_OBptP@nWDtl=d~rY_c;Ij|sP=##vi3NtSt7u=oQ6d+|MD69x2a3O2-Bbf8LPB?dj zy%uQ+9V%F8QS_EFS#JzhC4Z}yvr_6|>QSjYUJQ*)EIC=&zF30v^&};ppdAdqE;8%%^Xm&2ok+bICx%y1xk@r!HHDa^X$_pyOsJN-QyR8aY1junS^Pi!Go@S-XZ*rlC6;On0>1Q+4s2 z7O!M^zCM-N56i3~@e-R=T5De$wmN=)X&ZAy*$&OWKw-@NeL2Wm$*>b`F{XfWz)s^8 zd}$%hYoYYyp{ok-V{Lq#-Vo5R?o*C%0#VYTUm7thcTpq%d(SDAv$;}sa0oC>@!)fP znVJ8OZ7;Wesg$%JsR;gdrdn_OoDc|@7cI5A4Y1e>m43@lpR>J}RfnM)1f281FMZH^ zY*$=I@p$sj3LjZQLk?4e+I&GoFJ&YuErKZRsp*V;v~Tf?^I;B z|Fb~WAy6-Wn1X4g(mM->a7jC|>U^i;=6E1Ei%4z}M&r`yboNJ%Is@tQpe!o5^it+h z?Wjk!{M5->{v!zhpyJf|5RK_Ho?MQS=mbvTI*A$>#C7`>8D`I@8g+U#J>CxWK|Kvk zSENX>D15j^39(ZZ>GoU^5oBr?;;Z^^?p=Z-1(S}*s@(VeV)MYur$ieNczNk49zlw% 
ztezS2Eobr_ayvrfW6vyK=@CBrO+G>W*kS=yOlxT+YZZ_xf&eIoI+~GgqnJ#4`l_%o zyO&Pc$a+;Xf**Y7Few%!lTj1+cv&$tz-&)li9t#Hl@zO;&V_D`)z*cV<_l+)^H`r0 z4wrmXzQX=a8eSwBq8=rB6t;$L1a-}UM!&)*iY8>i8=qSR%l8pcqX!CZ)`W4*1=_*k z#mY&^-o=7C$xT%mSz#C%xsZuZkhH?Tp73vAEYN>4Bs6w8dYLm{VkVv8#jHiNiJBr& zngw&_r%AVa7mXn$XL3F=KAzRws5T1Wd~#(f|JdIMFZDYIW4Z4Z)gpC<0$(3Ub!w?Vn=U)kfsMC#D zho^BUQ)tzK1<+%L27e@^4U?6ZNx8*y3F?a%>W74*4sK3%4u7}6{u#$hgiF;K zPeL_q z{tm9U>|lG!BC%teB9)IlJ40~*hVYLN1TuZqgb@gH=| zAdnUyPrIwll<6PqJ{g}?{G>X~-eu`Rq>qG$70JF=)8t9=MKtM0@h-kTZrNq!n8JB} zRn*swRN0B&B@_-&L`CMP0#F2*a;G0QdrJdq5LSYgA9t`&LcJLN$Cz#f%A;KkzGTg*hA~rs|M?&_4zAAI;Xg7&7-~dK~_?gd? zI$=Hakvk_j>9S2%U=NW$D^mEw6EaV@`4trdqn=OHJvg!^k9hiyW4UPh6Bmog#1mfS z%=VR9;j8mwWNp8}`cA;XJG>LmU}8^?@79~jH6zF=1SQo_3EwPOnpl)0j{Lm|F{h#a z_~VUEk-0Km`lSSK<@P+IxLzHg7`++B<4^K;9R!rf*q{rE2~sAy$J3~&LV z)hEl-$MQh|i-+-)%`*4iHY*BFRX=W)(&`pXb| zez7okDkisgeveo2hp7NlYuDb%41S!o@@3kRfxwpI4r8td<|~PvkTXffd1Cv}GDJLM zJ>8-E__iuF6IlS0LyR)NuAVn!^Bow6#i_E|PL+q=ST~%S98IPx@ zBx_`VN$BuYUBpa~PZxTifIv)n6w7BAZmA7Vg)f}FP(1iPNs(9Gb2niCoeQZbyHI688#oFjvtNad_uBM?4-OrALV}(*<6OoKi-VTe z;bEI<*NnX=xN>%$ZF;}2WRSI!LCtp(-wrl-1H4pARp=xen-x^h7rL%nZSD=^2M>GA z^!7`jV9%Elx6MDa1Vsavu{MCTHV+7`9L1A=l)tO(d}Ykl z2EjIbDcT_D6Ib?f^_$<0eM*&+f!TfnFOSizih|T@$Hw@BJC*@=pIWR3` zmc7|0k53h7P}W?0ZzqpiLHdwO9c4B%)UWm{Y7|mYCqYRajhL5Zs^wi;mURX|EH5xh z>N5F;-`O6FVUXNx)}$&p9IT;}w6Ol3kOhYWm?SYfT9H_p-s#bFJm>ou7(ZE?U8l8x ze+d#XRMv#(wir3?vtBY|UQE&^(S%3?F?ABSgfo`}VYdvf;+U*U<|8e7J9szK#+H8z z{p#$=4ed4zH|d)U7ETqMyCoVDcZ$FjrE?JB`tL%<9I&-YKu6LLRgQEps!-Ew=5a$K zvOC^d_ov)`D6{mYD9F3_eogrL*tzky;|0N8hP{Tq&d|Po1P$jQJfX;-{2uwkr92ZP zx2N9Fq!VF780Gmb(PG|bp=%<_Y> zuIlzla`lK2rFf}CxrzXT#5>7}2!o+}h@mVlf4yn>=hGr^;J%PX(LV+WH7i1f1v zLeFP-02*iL(EqG4Z6+BQbPPv5fHZO?AdUh=B`Ns>&QZ1kgKxqI79r83uDcG;juSXA z;-AB-3Z*17HH4w&R+~Phv_R9-*0twdCFO5MEnyQfhH!S~vi<*P#&~Cbl z9H`*qFnTuq6;4p{-XI{mffc*(&o2}A`do$O7Rq_M&FOAq=twG9`e2@nsa!Bbm(zIN 
zn=sbGUNKCP1BgMaM@O4*NA(WZzam>Nvgkn*gE{;{A4|5x~#tG_H81>J)LuNqI)98|nttqb0X)P@G%jMOcB}OB6(Ky*!G+LzcYeBQYo9b~fSZV_JkLsjVQ|U)F&0KN75Y{d;_Gl~62_zR@s>{E7*ky) z!QW>~Zecm#EP2w{N8=ppYyEV4vC4>cF;a4N0oL_l>*lEJp8zd+k{tPu6?w*PyM{TD{I80T;YA z*ceriwO-$+pZg>SPJho5FjVq{=x|Cdcu_L1Tj1hctq-vnRDI9v7YO1GKY$_Sg>V@6gjpqR!~eUQ zEAoXM2p&3*OvjMD7SyLrwvP%kM#lLJ8zHn~!S}c8ik`+e(wx)b5ZC27!m6!$sl*f2 zUu`(eQou`usw$+Wsy=_>Zu%v4m}(R( zN>*2HB4Ss^5HkJd1$DttIe1^E-qAyk5+zC<1+8h$ zrdd<)vfO{aD_B=}y_X#MNflHF>^}q06vK2K7bc1Yzq6llVmOfCQtu}kK!^90tQ4_o ziej))+>+a_3cU_Oc;2sk^hS^ZEh7K@v|j+en{gF@SEdh5+9`F($OzgcAKj^JVDp1m zrhcsn&#fWD25XnU*8^BzBNe+XS2CEd0{AcOM~Vrk{09}`m_6|3#E;8l@wUY;6y#nx zYEesuf(>Jpm8TR?{FvP)c7eKL$(eYlle4-bn+R-oGjEZEN11RKtWIx`V2Y#RZ|`LOBq3Y}6ObPq zzN_DmJiypP8JAxNHTvhwz8@HWn&;=^`_;#T9v^a^PQ+~WOla|`X+FkQNC8E=SOLZI zuYac-{`$9w(jhnYgdtSAU?G)xxPP&0B(un`f8)v2F@ZibzJ{>`VC=rWBOQ|cyH*R# znax4qo7?D>dxZ4fxBm>hdG!><2|>qo)-ce?6e9igb>ulIGaC1poF?!W?h9c-k~HCj9J-w`j`#|9o-_;VowuDSj2%rHthFTzPcSa zcTH}2-R#}AZ_nMfJ8$h^)o3Zb3hg;_v;@_!0@Wa$L3UR6Uf>exru^>r;VU@1k9Upq z9W21_g*M?X*DDQ86xVjWm+v5^F0PZ;F6X*(_?23y#xL;*9j(ISk>&XLDbcG>ImCu& zp#SN$KnK4*@Xz+b%TU%b|8-(NiKUp#F1>W%x;yT;jemV>v# zx&H>3x%NKLMqBw@=MbTbLb!}bQiry5_Q46(dZKM9(5roa3a0Y=P+d-QHrLPGEN1DH z>sbM89D?@|v8(t!_9CWcpANaKuwqd7ZC1B^dt9(V*G9nTHGz*ZDt)e3mtpcNkAT^( zJa-Z088VC|CM!l%Q@6WxsLY$U1J8g-qQ2cd`|iFu`|khfdh%agJvmz9e!)+E!82=m z-*Abh|D)@fXvd7jkp-Za73iY`u-AV=Jdl^W5%7Eo8)WGXzC2#*j*{8$PYA<7?2j+6 zIo$?`y95p*#osMAw?s^Jn5Sf)hrnI1GcFd%FyDR^E`06ig*MBGH8|Jgs3%HR@JuE0 z`a2oC?zE=@KM}}-A{7m6iEs|UNP&jzE;LjH2MF)ok@piV1|9c1(A9aYTljkLd0;_? 
zzJpX(1MrmkSbi3HJ4?7<7+>J1PETfEgjtXXSwg2Z%*`Q$Hq@$@XCimHdE+!onH7ohPgy39MDV&wZ zAu}HA?w|ozgTUCrm?CZ0_MWo7$_lZQU!Efnop~;DCs#%2iP|UA%G$LBL8cYh zm4s2I$K&N&e&#!Aq7t3_^gwRre6oe-`7B8DS$NbC4Ap_$0?@s5l8DboQFyMlfiC@F z86V(i!USh8my&mwAKl&P9wJ;!Otin`Mdzp~&68ns)H;BPrMgko5g#CBE^0dwpsFU)Qx-yN?}MG}NL0K;?=Z?+qdL;(DWqVc3430oI<+ zZa5T$J1K1|jz{Ymv)RNwTtp6R~=SP5fi^ncqe2hcSC0mF-~(EeG&sXwb^b(rP> zm?I6mlk(U-C#4(wdHuq*hl5JjKft63vr_nPn-6STZHTphT8R7Tpi59xp5||d9gk(J z%*=M#1sr(G*+{^~a&+&v{YLvf9<=R5$4&wWntg`2TCWYr<}>+T^QNSUS*y*6;}DY2 z?sC+@g6QtQo3#g#-SiCjR#U%ToIidaYePWdZTQvP91V41Bi|U0BtmvmkyWXb9u7@z zeY08*cS3gEvA~$SP#pYV>fmn!1vdS}@}N78Wis%l`W$~4E8jOnD4v$;oy5U80(<+N0c5Sa()D8 z!1~UNz>8*4wDq;Ud-KLxJuzYC(l1K(Z1#c9;R&T9ZG!a3I!t$uTIOzPo}uQDAfA*n zCUeJP-n@UjU)+`l^m8Vv;OHyV%f zK)QhghP2MzAGpXD9BjcKDlzEx$YW1HJT;CHM(~%QR@&>V8Hw!D{Dy{plTJab0B^q_ zUIFUHG%r(2UVPMbZd}y%e}A4w1Xoag^wrI`VOptMdj&<>fuLw=XT`#Tj#Vi;4D+SwGu6X0qu%*Vg~|G()~V;NPBrICsfO?ZZFdI2YJ@(_y?>n^<=$*Ckj@ zK#B4a<+#tZxyp@_jk5WI!7>y{BoC5#GVpmu3fFe+7pn;^GWm=~a-loJd|QO}a?Z?X zjh$5RaMmUFS1s$T1wwcTlRA%`+|D_$)X^M#3g*jwACw)%YgunFHrPALmccm@=iC+` zSxk}xF-%jK&@+1j2n}L!6M*V60P#;^Lm@+?`^)moG?7xpU^QbrL+X!Dk;WO=3lCE9 zoNNzZQwn>x#2!goEYYE8Wcv@$)J=qPz!pKm3^g#2hdcPfP|nc$H=@v=X$vB+tt@s{ zC|epZSfb3$B{@RF#Q9+;NFMA=>6a#E=P5_AirP5Q@JJPLa>gYW-8HX%Q-APxa1}G2w8c&pit3)DoLj-u`0HJ zOtiQXtFuI=_;S19M5?%vEso;KUz!6v?H;4U*t6LXS0|G0E#gkA=Y}p_*22uXTe&ac zVgjmIX+0)K77#*Aus<%=9$EZ#FAW(KKa)(KHKzaT^0q+x{U8P)o2%#Z@yi3kHrO9} zkU=Rys*yJR)oXMi5XC~=E`!nUwB+=7!)|a_69`5@S8${TKPHdO`3vjxtM!d>QJB5E zznBZJDo-9=vRG=r4@{pjz8DeDihe;Fw@}fjURf7u219l5XcSxZ<5bgW(h&;Q})ZvjjsUY$Q7)7vMN#3%bQ#K$Yq&`;+ zJEC8ikTNHr`b4ra(hgawEUi8U7{+hjU<=qz4HlqOF*c^R=9B6f6K^hljxJUfiKc&H zw&)y&^QlavOeQ*xHyO&Q9`I@wZH>}3klf`EhOCZ{Rd}g3N2jKSmIHyGrpuD5aj)fz zJM#{2#izX36y!1LJA^@5lZA+K3pHxY$qF(3Hnf&$&y%%wS!!?O!YT{yYTc^h7Bk0u z?gEldI%kY1fqN4(b2&IO7@z(+BO&O*%#M)YN1$!_cW(03cF1idP7g2ocqYKMq)mOBNVmgwQ2|AD$Q zHh6-zpFpSDY?h^$YjAt_#c}m=PByp|jLL@j)(m~2+M_^^Sf_SgAB!Eu0=RD!Fx*1^ zTU8lbPyS}_tSKI6?bKR(#@fGQzzL>#r(?HO8o`q~q5|_~8(%r3qD9&f4+hA&M|^_{ 
z5oE>UR+sisbZE&oD14qGQWL0~{i)N4%Of_H+YyZOtX;60s$?93qtShSyXWJtfeDaA z4437+3(JN|N?v{ycDBs#{g6pn;#^!?teC9(G&m$*`+s%41CT6T)GgSyZQHhW+qP}n zsP=8!cK2=Fwr$(IZQGds{x=gd@g`nnR#j%?$rBk-QL)$FYn{D5ujzUE>6y?{pj4pR=6`sU#%BM}@rX!#p<>%=4oOa1WfLn~Tr)|wlF!{RFn>{4o_$s*>Bg-l`(zVfH zc*1F(lO!I^$lM;(BQ#!_p_c9T2L=u7_m}d!VG-Gep)%7;Fs`YhO5nCGXYeV|e zhY{m2Xp;+s*FB}da}>aOxE_-1Z)!3eehvI`@`K~B8ZkNL4F+Tc049BTaVH%FiCA|8 z2v~c5VvWVof3arLSKm<+Lzn5EM6YiWbMm9e^vLDs-=Fc?Nj8W|dbkp^u|RR?@dF3Q z4|%gBU*(0z2}6?8_|{+e`)WXKs|XqI#98lhqUF+P+?@5i`l5Z0Z&~k*LC=$hy5oy> z`V<)dIY0Wq-X2vY!d57wb9N&hTjUAq`Fne)y*qk8O}vh@T<_%ie|di09#6F71@H>` z_;B+GJ6;~~UQLyYq~LjzQiw4_ai&Fn>7zUkvyj+(rCH=LY*+TC_y7F-{H+HZH0qn1CkV<>q7P~{2(4&lABdX}T6Qo+YPsVkU8 zznxxBO{|qndh0rQAB#d5ZT3s3p5XB0P_AFh>iak)cmGBHrom<*zxI_wV>F4no#zT9 z&_&ET0kPDz<%a8X8#5h)YMVye`*Wr|p?UsVbr7H1YEw0-*1rz(Ehj}dy|-Xc>;L-j z`ti-*#q<48|Mj}?-cpv9b}Sh1ar5+V$?Wra=2*kQY+~C#Ng#htDC~^S@B2#>rCT1Z zRj@!Pl@{3u;Uf_%!|5eOUZoooQkyvCP`qTcvG<#P>RF>F;Je`WqE2cX2JuhD80^w5QqG`&Ba;K`~ zb@4x1@(6kIkwVpq3I)`B-=HxsBOoPn;`xT>!mu zX3C>+iX)|)&sEb_K!=Xp{#c+MEmKb{(1qhUt?1$Z(n%QZ?*y{f0A14pSxBAt@&0j=QBd;u1#j!!O{M~SWMz{$ zAg}{%LM3e0ky?Wl8HR6)yb)QXD*-wBw^MghL_Pu0wG_LatyoUIK!AA9&=ZT#3Wk$} zLkR#eSh%0|gS-q2F9tCp_N337?=MRr5E@&BSt*AHV&6{=MS&lA4|j`lVjLl`j-nH= z@>#Qd!>~UDiA*5?DWf1KVqVGH^7w@Mf{W;EA@J?tfXa%Ty9mU(2w-_i;ML}a&yBqb z3nc1Hdn0i+Dem|3fm-DmXC>&JWV2EmB@VwjsQ&(KXhnK|zjJ1dy7Zb@r!=m3D-VUI z#lyaXtWx7Lc0g_D7W;OljF<5p2OcB?qNVrpCmBt5y{^8=@Vl>7CAmK^`}P>w=j`wf zkAw~a$uYetEKNpcwb8|w*?zsc7>r!2Vmt5FW00Eo4<{(yQU7i148+K;vU5Stn7mhC zZH9hYbOJ62EhMIsv3AvB5t*PX$X{!v<0goy02pOm|NZ_e1;+6~qWR zYD{9*=g0I4Hxh(~UpyPAq}fSp$zF26o$VZl|CzrF;JhCo1m-hrf)x`A$QH^J26wz>X>-ryf|# zR(LeR6`WWFiDiV+)P04@iHAa^01xe#q=mWrnWADy?sybl<0Rb`o5cu8m zu$knaQ~3JGU-}$*$Y~-O^{*%|(dMOL3LQNSyR3g-;82f{k6BAMP%)I+LA?h1Vm%P) zhI#Hlpr8OpR@K4YUEIi%U@Mpu{VGgH&3t3-tBV=PX-Ncwy1!JTv&mHYke=p7q3oRK zmPINh$XreObT9gKp}48be@C#Psfr7$@u61&swp(M*M9#nV>DRt0AOk?BrW^CKs2~f zQ6{3>;PbXMUoME^HcHUM`Ij#2_)GbQ=YhZjF;vrfa8QzYbU4YrKt2fwvRa8Y2M99U 
zq}3qsu`^XgF&7^U(+w8He1$w%*!lHdK)FXKI^C#|Ry?{+E<+k))_252-sGw`^v5q+ zm7X%acC8yis}D#C+o4nvBDVgC61&J!5g?dd%tU>Bf~_F3f*Mn;Z0s`KdFtf#(btsf z)*di2=?c-p5Mgp5Lb1##i}zPtQ`rvlIM?^}#)9W24l6_WX9{{b2Y0EWg-rQ3Kjhy8 z^YRZ8WipvKR?iUHK87gpNvSoDZ{Da1xZX+Weug}rFSd+u1S9~rkUmlC@B`-lT4x-0 z2M2*7{TcpB?Hc9-rRZg}ibEVdCpBPwhQl1hqnu#ORHZNF@r5wursT53d5v$8sNJN# zUq+EU&#t%S_EU{FVf>htW6oc=DM_TdUc;`5Sg>=;0S$PnsfoIdax89r?EJtrr<3Hq z8oQ8gA=KkVK3lbSg{#dp=5O z7KOeF*BFnSA2o*6mnx?HZ=82@r?P&G^L6LEM6@NOKXsLhFmmfZGYkhU?HUp$5=-jG!E-Y;+9h>Ze(Qyi-Lo_6B2+o3(}Y z_mhix&NMzM1{U&L9^_O1m#i>C9`&xk{YE$u4;E^%f}>T1vlkG1G&++s%OX!}wxcqY zys@wAC?`sIE4KSpBXTFifv)~XA<#}{x~#n4h%BV ze`|zb8q##I@I+piq|wGLI?%1?80mz$o4I*8f$5GRQ6Q)S3Ks#zz)b_Y#+C}YpPQ_Q zqWkH030H!E9hG$UGtt(9y+i{AP%35|^F)?}D!kbc&z2Cb@=4k<71W)S+vwkUib^E_ zYxd$!w-dWIbHu2|?CWq6aBG@D-k60MoyXdScQW>`6(N5RcZ@yHnO zNa9tQ0?Rc&zMA`3_=svvEAp zM)pxQDN%%P#??8_@0I55sTA3lM8pLDBnYoqYdu|#=0u~${F2+>j+oqf;8+-y$jG!M>Xk3H90w9;eJfEz?eYoIkKgrb`z_Rc0*-M*PHw%qPoYO$2f-=WZ**YMImVm-UJl&+b`TD%=lP9L#8BDr|9M8%8R z1PP|&k#F75j)^w6om;upJPB&Kd@Qo$&Y{?JMsEqO*1@PIlf#@7`@^e?lsSyP$T~vX z+H#w8CwAM0aWF))m>iQcHRi}R?RYK2RR&*tOy zi49ZE6alCvk72j`J!$-dw8+-%xo)#x{wG;?bE_57pinOvoSr3_@7(epZJqgY;MF(( z+e4CFLR%vxN9wO%xI3?}=X2ll!_ydwgST+!7UiwFZUs3kHB{^6h6Bh?EC{!Q1j`3fSpTIa?Va&OJwy?#KC zgfXI{j!So7Si_YrP9l`iw4LjRZ9)^!DXq?`*!{N^P$RqX8u|d#nWHnT>-{lhctkW= zWC?sD*Tuc}Cv^ho5d(K>x4{{b5RP!@xmwJZ@8tK|Zscfhi)?0cwt9x_VmqA)krPjfw$tXW2ZJ(?Cv$;vjp^I%YwU;yTd$-mf^j(d(ZS=zdS%(2Wx6|8j>4Y^EbTtn64qbs$SL2rcE<(7=0Lf0?m4 zFT)!*|I6c1U85@=*ECa(`w-}ZW{Q&*#;iHST1MH}Je=%}9+cuI5*dLIB`3G4s9Z#m zF{lV#T2AKk?MczTVR7i&6H!vRBg;MkNCTftY|%<~`t=ZL#OB&D@Krk$-grJUz_+*Q z@F`tg-7Kzc8D_z%WX`Bi3cz6cE|4AJ?i)>*XYmlJzAZY_wdG82qmw=+k-eoH}KtXtKL2CYE(V zeCzzkCXdDwX1-_hH2eyZ{UItJA9GZvFqPS9uP!YQWUl~S~~mxqMfnH@5EwEY~&CMCig)ox23P1?a_-fsUs2DZN^eI&yk1AF5mC{dY* zT!Sh8=Vw>4u}^s~(pV0cNS~2uTD$?IkV9!i42o&K>%CA%*tBk$p)%BrmL%jV$fJg& zN?ZH)ANF1@`i55&C2&gCm`U}ZEbZ}@H6)W(dRiMX<@Wtows3D0H0J?_Cg>R!b2FnQ zmIrp5oKDR98x-;6XR99AcNkly 
zar1-(P`S_CTsbI*+5eWFIfa!0TxMlg`+E@*b{-~cbB?kmGmRrsiA&Di%M0?!QiEKV zGOP%jj*=)+Nx&+u_#@WZ5pZgZ8h>zdS2i1~NaCBuHBr85+)eu;_NPMkxe1k7ghMh_<7i8BR7F%KWqy8nPF zjUNMrVHf<*yC3X=h{BLi(7=kClQDp-#Sxv%$)NdALl@>p2k??xeW<~x(l^r4Q+v2F zGNUnbwR~vl8%87xf(T96 zoV9P0=>E;Bqs;SY(`e4e0{V~(IpX2f>HCxVM`&&s#$L{c4iz1dp7nBu8^~I*I@yqh zBQmqOiu5jr0s%9-+!_b9h1Flb$N~50>gf?#$@XJ<_@?l5=J1%!v zV4s+I5!kz|f%8YhlNC-zt9dZG0uV_$C<%D(Nns0g*JTJES_Izgtk3YGhBu#i zt^Wey^g2RRDM3-@EjubBQX0y@Q*5gA7) z&~lSSsL+XGhTn&%hzL2z5tq{;#;M|R6PB9ic!lBH_Hl#3!{@2eJ0T17JXh=Li3(?tnlRSH#K zsVs&j)j~Fk7;+PMPy=M5!8Xd^qwsuju=I?HP3rYHZWp|FAR{GxR2^k zNIqx=-h1*Ku{PyLNBcz%WzFptVnTf2HwN^R)R%B$a%!ZLut{6y>L%ak zP0vo;Mda|wiwY}Dz-jBZjjMND(Q$hs>|nKYJ+!p7y<1&q(&ME1$N!cldZ5_r1kkE+ zI&0qYf~rZ|RNXy1+{xFE-O93R|33*5>E@n_qbc~W)IN(G#?;jt1nKxD$SnX7>=zoC zmT-Iy80{biD8`XjB&fP4ANu0H#3)p6VmK-0Ba~qeXh-_`SJ&&1T|x1?5thq<*WX=$ z3EC-4Z2c}4A?ZlEK^5Nq-#mDt3xp68^Y>tu{jIvIlEq-ESqo9#vnIb*Lp6arsJsx32C8MPenNDRC(WM6%%!(i%B!nr7^R~{S zwqiuac%s>ipcg#uRGu>qgTR1T-=DSty4ExJg&6(3(yE}FlF9d?B=)kYNw5u5f&>S_u$9aGF0(b3*@@D&u`N)|Ha>HY6ZW`{W zSTta-0H9>>4h26fgvwjhb}?!lSLslV%Uo%`+I*O70SzJ!AtPq6M(x0-m^7An3A-oA zMHQCbMgBc(2zef`2Z|D;CPP~Kjs4*tEHJrbTx1?`p)8WgT^h1J0m#GO?uO~bL5c88 zHa}Q*?$7Zcu)!M%+OwE8Aw|3t_6!u#2@+yyfZo?sF+sLC)RrX%h8xmACE`}onJDH> zukb=JclOww`CQCtS8eZ#+!)J9G_=2!Yog^cN3P$`Vmz^bh{94kxIGt~F_^p(g76I# zW1ot1PBTM+Q4jc6ZC?WAYzuvV20#hj1$k_*)`{1F^}9K}{Hs8;KAk_*A{rFe0qHR7uk zqL{1QxBREtfsQddNLgrqtd;3LE6Sw*-J7Xptyv2S0L`SR z(bpd%r-ic~8384HV<()>;7#lBj5^Dn53>Zhfws)l@m&znndiHrxLt|(+gs_O=3mS1 z-%=&9=YL}*aMR_X-YlqK((9cM{~e=?ki@bPmD+g}g-DB?lh3}QD0NNe zAB53OfrDx?iBiE=KsevKN-!-5vtH zPARqjnCFQuuC;e*!Dhf$!p1!P4D($T&rWNz6o1 zV~;C1)9ext{78YcJAc)VOhDTnuX1q4sRvRp@I#=i69t*`@_5GMN0Ko&H`>TesGsmbQ@tv3(`yZvF&d}1r(CmuHSH!wdcMVHbVZBi*Xwi7gGX03>)2wCOr`LFD9bqc3TKxou6F#)D~ho zTE}RwDYPvDDZ`=@6h|l;=F{>( z#dV}P{i8yAS?v#Xqw4LRZ36w=^EG0j&eB>?sby--Ro4Jxqt% zeboqh#z(W89Wp-D+}5+5IdMDd1Fc@Vw4}&Df&94mfuc*tv?B|pi%Wr1PN)6*4Bj`l zO_Gf&F$M)?;NnY^nmWrmTM`NmrMS8j{q$7)Q}L0(OmRwVc$>tS0`E|T&S7cUD);~$ 
zLWi)MJrrfNulZRB%`E@VqHjIeudV4@hpyKgh45gsLBDI3Y%qEY2`q!EKm=+H)0=tA z7Icf&Q8oMd0R?%}C48olEzfbxKeer>^{s{s`?^$CF*hu2%uKitLmWmBz<)v#nCa9H znWV(KeC_{u-)T)2)NOiu9E!ncEs$H}?utTgMrAfO6GiV~D>Zb+zyKap2uwB@s#ugC zCt_7c*Z~0z1o0dTR$5l2+8mz$s0Dl2y8W$u!2{;0z#kyG%Sic#-03wGs67sPFXA^f zLgGYEd2iz(^&hG8Hop@`d?1JNpp_?qqd z(5XJ&{p!JqDE#T;l1!;vJ1oYw4s%B9@|}OVOl0VxAQtACX6NmmaAvic4zFYZvH!Fw zlY8-EW0bY~ll}|SAtIcfx1%Qc5_mD~i3?vh)?N#&AJ;1pb3eR$Y}vn^xW*=9Ejm;d z?*eP*HaMEgzCUzxP(0v+_-N+&`c4Rm|D_9uoAfwN@POdr-Q&ee0DaHio>>&(5zx_H zH42Doy7u)MA0%es(uq_NqW2?2ZRF+a2)T^SHq6&MGn?4yAvKA`XSze91mbXZ4?2g% zaJ9i;L(m4+y$__bv@yV7tNwg%$kzdAJr4qoz|qY5z+q|T(djJv00Pn&Y%S_*q;%)* zTzd?I7B-~fYwJNTo9&Ci<#T0Hz9Md@(zU1;=E)^=CsR46Q&d6s9eCFk;)ZV`2Qy({ zxbAG3EF?^`gPnhh^S@3Lf6>DbT3QpdCLP_#A_}eW>%fS zM5e?f6$MlQhyR?YDtHHC9~tL7$Hc-m9IimZFFOLXrr|y;WKCay53{l34o7BEtioLOTKMPjMt|Dyf``x0~whK4p3r6-Nn41KeEh^C zPY#yS1SNdme)Lc9m81dPaq{{@FfZ?dm#{rr#{^nn;7%MtlzV~$%@h6fNj(>AKYf1I z9BjN>*k{*2!wTeNH|Ho+igvOx{knFn??9Z@U`+Z{0+p66;-S7Y-HYKrP4dVc1$n#< z+h{?=?>+rHZAuSl1cX>SV%&Rx1G*^EW%?2sLAm4%-oc%{g#2Zb&Uhaj5UAAhO zloUB>e|6;CmTp;_cbS9x6(G2Idtd|fW8MjfP|dntv5r3j%`3(zlhaigw!VP6t_qC=1I_v@uo2V zh~+cdJMV!gMYqqWG`|l?*+CrZBn>yDuV4$D3fLMus`VkC+qDr<^=z{E3*m7-OP7}+ zy~|3@g9QjKh~N`i%i|=d606sxITncnEY=F~1IkGWZN~xmb0o?Q7bw1Wn8b#ihub;y zEDZD;=HZye;+y^A=vL*_rnN(C2Y;maZh+0F7*tZv=%| z$I+eMG(g_sRGy;u3LvjhK|odcEIPtDwz5T%uuCtSlkD!q=MZv^2rKu1?;mk^3Kwvs z7o|(NQ+XNfM(NMmb11%3<{cR^6WSh>FxC`C^1Vx)%EI~0%&9$xtnJipXU_A*-@b9r zmOUY_(idw;Dbn?xGu{`Ri1_s0=~_afr4_}GOU`&bdHd|YhqMCix>)=vGWJv8AK6)q z89tC@4>UH-zIbhqQo;wBd!mG3#|JW^=#PE&&qpa7aAe_k_BG}CF=TpYh~@lHgd0_& z47eRv87CxeUNPa6n`ibNo(_L94sQpv**!lI;IR6jrUOm%wb2^Qr5?Xz^%GUFTn0@aa zRycYV?TU7~IE$p2KUO2#$BLX&Vz)H$fv;qv6uS0A30_w%@6Cw1&dp~CB@!CO>kv_x z((TM1L96`3>vwcIG`SIQ)a7-+s?cUa$({9ZX|bS%*X93kZ+@h0?y3zIl@nJ%f$@!W zq>MQ%vHdA7oe<Ae1VB25cdzv_XHsqJzlsh_kCT5XG{c@}W07>4F3#_1u9xaJKfaQ5b44Kr`_vjD zz2?p)L`%))OUg?=hUK{%6$EqqKu>Z`0sVVx=_R4V4QfvC(nPR76N&zBI zI+k|rR+jbUuxX*uLbheFIxcP!26Ox6m4P8JL9W(hepy;sKt>Io$qVw1ChJXEA?D&w 
z9w6^}%UDN-SVRc#xDbuV^Y848;qmeL8ib>`=J{>K&A_L*loJec=9Z^Zqq9V^_KmE6R&*RHG9FR}#P)_}AJdkKtJZ3_SM_Qfgb zaf7>%kyS&5)(NJ>pnX>N4F+a|d)m9)-P9~>-%BWuEh#k8!`%*d4}^HYuQVIPv;C?g zankwNe=bZ4nuri$hQs`I=;4_Mo4$~-JoUrxw4&?0ag0^iuP^%#37H4V_PV$?PHn^f zewas+?m-^!pzanJZ1qVsBkPGez`M6J?JvxZTuu?y;&I%Hjcj4RYZCq=ZC=i>u)voT z(qwdoy_bDKiRm?a&rq}E&tNC{_NAjLdc7kyBx2;d<2K=*Wrh+JC8^=rWP7@l_)~{h z0?sfIN{Ik3BUCZ*9ryqqoo#Y#es?X^adf>p{7soJ$)g$RytDO?tYts`yqYOAWX?`~ z=_IWg+>d-JfS15=e&5=ml*zNRHS1Lrr!?CeGNI5(W)s(`Lnk^jL0hin364Kcdy?47 znJVm0y!vz$WHBq_i2P&Q!0Lo7?QUJGbqA#zBA*~^S2vlmVhk)qTKkb;4dn!-j5qgE zAbat<#FUhH9csWZ>b;MoxOd=nitT#GK_YJ85`@m1o#*vAATF_+HD~`>ivWz z3cQlY91^bA2IXpJ${{=;gEepDZmEWCA$D;2g+aEdfzQWVZ$7;_i@tip;i<{pVSS$I z%A-lXVa=|QGAVK{=gQEywppmD?%G+@>o8?TH$URvU&5}~iESSql|l)}N1RU*mdT>S zvG#e{7tum8W7pd8$2M%v@x!Mpq?suf;3N=%e1Z&UH&4|V3}xU>YYgy9l{Y+Mo>{k_yB4_$VDZ z?_k@({|rtxA$M>#IJ)@%5x1bJY<>`OOa!P@P^8&R*N7xsCM~pnqiZSg;$j>exfVY2 z42um+Nom+*nakid`p{SJT<>>tTj3t{u8IrkA@`hrOudklzI?sdi!f*&U z?*ky2pJVb}%+0ZM7$s4#@X|5F0)uHKf<2%Q%agMeq$mU*y4sx7Jr6Wu~CR^ODg*3zZU6!AWb$N-6^p-T1Ws#*otSb?7h(E$ zLUU5Q+5XzF<1ou1~7&9?Mx_3A&C<#8m)1m^+ztg7N}-iE_u48frO%p~pvqkhhry2YbzP zEuHmRmQvamkhE=%H;K6^Vxo%pC-2VdB1#3TscYX9J^Lz3#WdOn>K}(q3zm&aEv?fQ z8!SzEZUX(CR>V}u;Ws1?-X8m78BEIC7jgeXZoRfYi7Tk&MQv=ZU3xvpXTOKe&Y$r= zt4-dILVjBxw!lo^Kw?}T(;u@p8;=C+NVEj8xk{wXlS0Ys*!-yx<@`fRsEy#fiHOK| z9?K;~C&Z>&k;Kbf?m15DAOEQj91yPj0RKy?J1tC<0FHP$Zq;<^B6?z{%vJ1GPB!ah zJd%cw=M|b%qy{FZ)5Uy6$$MWyi?BxP!7GX^%a!3w~ z|LNFvM!qRr%fY9@aGvT%QCj)9O6~BE;A1oweA!MKezbyHo97;b64hHL51uq?3DH&F-yVYv>HY$)|)qDdQ&! zY48W?W9H+Zwa8kFf{GL=IGZ2u0d!O&FR(}AzQM)RkrMLpy&Enfe>CscpkoZDdYj2> z;|}n&mmN*Sq6Dah3`ugu(sU>dSL(5^cr5B>;u$yGc^lgXcxrdjI7`m`JuTDA8BJvD z;*E&=7a7U*zpl;B#0X)D7i)^zMrkmY4^T}iHkg;HR26jOkBU5%`p>ZFPT%>RiEL%G zYBHO<)vEN=&5|YKMpPYj=1o9zK;Kdo+RC13%1vk`64DBXAI*^KJv%{9FpJja6kZO) zJ{Obfo)Vt>e2~4q7G0uw-^sn{R;3oAt;D925gM^tOBya(PxsIx$3pDe$JUPds^ygjy!uall(fdoSY;0qqD*Gua)7y_T^H! 
z9JI6issy){FWO)1ZU5^>KT#o0sh#b8p|FVDDYsZSY9ungA8OaHs7yOkH{D@TOyN5J zd(#JXhs@rU0{Y|W6z%oxZEhcD!#e{lmn@W0YEMepGx6t8sh);U3PvHZKdJbJj60E1 z3Wophmp%0AeDpxqyr#k?V*%`UGAMe|1D;oq;SxX5zYc<<1taF~n;dQRyVaaw^0I8} z0q3Q(0a=f)2NhfGM_^};5@9EQU(rro8f5t6M`iX&gE7=}lPcC7R~kU{uQzAi{axZ% z_qFiq=qzd>BPcVBKjnSMGTb4bXZ=k(*giBF!>v=fZw&VPy#oU zOH`E_4M+?VB-?rb;yRYAi?p$K=URIMnwG2K3w1u$;(oBzSX<1_pdSl*+ z!c^>FthL3h@>F+at@4)P=OLNT{yB=3AH!E@zqbioubFcQhf;XF@1%1y-v|1}yNxK_ zT<>*Tf*B6^L@ZqEfoRh@L^per2#kC?aB(vc9YGb$@rU5~Nc5aQ75>+5{k0E~`}y$N zXTNJj@C1>2M8J7Nc4uD?$KMOj_hrZ2q1W4RPtTL#F-29B)Jbo?h0_rlGE7G0LoJ|H zL(x2RH0XyqmAFZ#HaCnexrOq*PyYh*@b9jSFymO+;t3UO(eKej?@I)eqc55$O?L0E z)Hr9A3QRpIk@RDTEVVAe9uwjQ2j5SB)q#Awgp{ zk1^MDZ-E2Q9|_3oXH{_c?*NR4k-SK;0DF#)xvBt)&aGK&b)EF0q`U*vLBdbX5kYYr zk0It(@NQAm#CaOu7#mpi=Qwx&ckHqz`eDzLm%JB7GJg?xC{tLSkH4}4t{9^JSyh%9 zcx&R$LN>yzwMSO;tQCF6QGz2WgWpa6)Bn${-*cmW>a4q<%zR<( zYAqf$oEFxpk4hY4Q{rss+Jc)MGu7ntdn!lHAxj7;>^k9&P+hlDn$74{!kS)uydcF{ zvWP%W4N3)aj3c2>j+Fho%Q#JeHCU?_(M2W@|DKMi^ZF{Ee*6sLBS~G{YaTK47el|P zN0zHW<^{Ff-6h9X^&q~@-x1#=atDeI-ej+YLEN?%%YQ?-h|cbD5&jAuQr@%z60`?b zr7o$%#!0n@YJ6x*;GHx3j|`0CbVgIHk&W*E5YB3}?iJN41KlL5pM9N@*dd!h3A(o2 zTRN~eOccW9c%b%NA^obC6?UrEJglVNe|c?b89le00FEdOaH1gVh3wdWq;AT*=IHzn zaZ|8s0-RNRLH#X=uFt;mU1?=^j9>0{^7}8n*o-S{a;O>if)*R>v`3`^~V9 z8YnY+yB|Xgat>9NK2L>+2K*nA5p%8uAqB%;+CYf# zT6&raN_%aKCYv!D;8{1&((#km=8WA9&BH+&qF6e#CmAL$lntL0%@v~7f;0GGCI!YX zY?$Af8We)Kg)%_tkATb(sF=d3T*`;=`X`COkD$zA8`DYCxeI$I>2;Gey(Y*PD!(7c$nt83K{=%!EV^eY4~yR zzY8`e4b3EVIP9vxapz%b9l2u{4gwRV{Z8*Xk8(%g1$JoK?n;&^wh$xW`Fbd`1TfW!9M2F5B{qBlVQ+)0YFKiIz%`Flf*MD%U25LkeCg3S$^V$za|^_0`dk>8Gj zM0A&JF@r6esWn#sHG$X>J~V7aq$>HOVrmf|z1~W0Uhn8*&-u#b_s!XTp32)R?*`^! z(I5PdxQWL1?Saq1fxQram3R+6{EaNGD~@lxMa0DkBp}w_DqmcS4kg*)Xa_+}9TH8r z)iGpLqLAEke_d9@BhyJFCR7alK=n! 
literal 31516 zcmY(qbBrj>^F6%AUE8*8+qP}nwr$(CZQHi(ySu;pk=m> zZs?f`t8>kg3`GRc2)6DduXS#bVFuNOxbdL)UU^B+g?Yqioo?)4sxEir7^IzJ;VHe4 zWd#}Emq zC4gkfbwq*3lzbcIz?@__gcAqQw2 z&m_bGhroXW3n8hx8(!v8sK_ z8`P`a5y-kJGs##kf5b>#=w?3dp`1qD`3}!=Rs>hIBlCXo~>D z4*eKYLT^WuF#k>^BwA393PU&M8J7Y^f*Ky1oFI2l{LrF`QLG<)&Vq6P4`r#Iav+p6 z`KpMj6r<^u+IGn<8e@W~a{5-Z!mDh2L9GY5>EWRb_Nq;5=eTHyVc?8r8YkWA0G)Xf z`dr@<=kOn0Ui z-}onpzX8!54NREe10TnsVptvn0h2*Ii9t%*9&~*qF&!0@(sEu!fDjbz623d0s+1)E z4C|9srf~x3Z@m1(NfuQ-5B{)LlIcpoqhF`rF>qRC9ezwDY;=LT#g6*X!q1r@g-ZFf z^`Ok84aIn8S6=KJ8A1ADv4rwn3h{!5c$GRAkpwpck>Y+K9~DDsfUHGuAxppqMn?#= zAu$9@%>fq5@@Oa_?D}K=LLc--wm2Ih3fzo&QRr~Y3~h~lQ&Y=F3#)MD4_J;tX1H;3 zJYd7?>x@PYqd{mo!d&==04|ow>9DZDyhfeCTOITT~j`cK@0@Sp634qOl_YsHPRpL~mrd2NR1lAvXpI!m4WrAGyPFK}3|u`8Hxm#jtt&&I||TdkN8X$KC#hY-{zv?fUD623<4%mzmq- zOt)aGHVWU*Bz$0arE{1hY=hzDo}pPgSK*)Pgdf%geIjPd>7)MK70V%oh0nV))Uz|I zy4kf=E_fEp=^jqQZ|@qX-qCpGzHcKOp*8ZY1=n;S0Vu}8$Oc7X6)XdWVn)A+2Ks^|ZHgn}vP5E}Ik7F2`zo3=- zh6PfC(tZ4vuI!maWbfL_r>vwA+$0dx3jHIc`a6SHk-s6|XH)4ZbJ;IvW}Eyd37Cfg z{iOA%STz%Yb)ANO0E#-N7|y{iW#+hzAT=nKHs>7r1pQKeM(H5|!4+ck>P>~r_7g+r ztI38Uu`@|WGHvs~=V)ARJt52zOHq^pbm(5N;(|~`(~$w7PoZJ~ExIp*X_~7YA?r>- zUd)YYaol|Ocxwb*e;-~>CyfXAtE$3A*5)I`YDIJ)hKj-fz*>$yzgz_Dg~O$)2U;Mt zgFX9#h-))7{ixB1XW(~LgOTHR`tIkU28qB;fp2NOOA;bUuPI;)Qp-`W&{pFJt1)$} zB?y@M8>?9|l+bjl?IOUrWn-LnD!*L9qV))KHyldTdvQux?|YSoAsp8>h!|$6eYsY9 zQ8?S|VkLr6(yvarkRd9lN<&wc!~OsU1tj&`NE{?;m2i<56Kp12{e)l4 zSf+)_)^i}3LEiga(i|C67ZEQFid~~95GC|i!INTBK~Fpu>u(aEo(M|sn{2=l1!7u3 zDK<`R2%fbNGJ}-qw(r9jl5(fajv8fz_6@`fD5sW8@`ozea%%%wYL;ou0nyOOKMe-e z?aA$O)g-y`6q7pEEONHoaih1~om~bLyD`H1H9as8LY&S0c}1nppf_MH6h(Ai9jy5r zrHSvaiAf{mU9#>zMi_LBP8*&05jiTs7~I0712wMF?_O3y;V>r@8HP`tL{9*fgz;Wd zIIx#nk*bI(zMChcX!tm%L8MyeVIs7)n(NH=`|)1I`RWTDkRyXsq)AY#epX8b?^9*+ zy3wNN_}psNmsEO(F-%v)#tnCC^2G$}klx~h=gW(H6HiU37n-l4Y0#@a9T@J78GjH( zO6u>l50y3;lm8L3UT%`9hm6J~rC{Vp&J*0;4i3U#qG%$$idQy966X=w1j(g0nr&=` zLhbMDAh>KBFWq_RFKZP*GhoV3OBOC=Q@L6cOHlL~M-r?6R2X(K9<&glW%woW9 z{1&Xb>wG4rMjM*wHtQF 
zW?;mJNI37nBcd+5V2!EAN|dmT#P-LFvCNTj!-Y!&3nnnT*vW*sl7?=di7m^$?Rn1ag-#}0xovHGGxQQG{Ehvi3;zbVRPB!dOi&9F4e4x; zf!I-|FC-fvr*&NOXK8q&T`nOPusBi5M^&bZU#8Glv|0&rx_MSd4llY3HerWMRiHmo zm_xiL+9sv^!&w_≷5K+*?^Rp}Z9k3h_<)@6)uTEADv|As*B5wjm*Tt(-g%h9RgP zbZZv#JaILf4*(MLH7xiKy^enXa6Q738;5p7vPN%n#`s}0I_xEF@F&%Ax@3YBT5y$9!@%Cur%)ccJ2 zf*={Qw;6G{E#qR>L7gg9RS{A9i6glSsK>?goPFG0?7j_|!9=bsbk_KU8H(7!f-U)J zh&Xw%1v%>SeLNrI*F${8SMrV<%+fFlTUN|l)bV0qdLf$a?n@aC#@8vgcxaCCqZ4Bo zQhp%1hD=g22=_o8Z~({+l%4_G9rQ_zhrXOy_~-gioMak*to|GnJiVKBe?ec03aHkPDSWwG02!jl^1RA{8n1=<8Oc`A0bS^;1VX`!;s`B@Dr=|OfQ^pByu%7<-C`pg$ zP6v7Ta;$$dZaj4_eT3Q=M`>i5==^1Fh!}T#no&a z0j99SgZsUYOC+h-SY_R2L2pXy`r#`pQ`vMwu&61t)LzdvKfMB<)z}o%7Jka7qKM-O z1Q*5&5Z$xc2uIb39l7hucN&KD_zYj@M$(p3MOY$-d~#+^pqOo1h_@r3qXZ*2*jC|^ z`#vm)^2i!-EEEk_yJefDi`Ckw2TfCOR#AONSp&JZyKaNt>W@206>1pG2M(j5oSGa( zpi9Jr=f@oP6Y#_LYTL2MsAMZc3Hmtff$Un|stvCB=)|?0UP#f*<|B_Y5Fgar4OQMG zeE^gB_A%k>5MGE0e}0X(&op0Hh@c8&OWVLgIrzZBY+!qSC3k&ZEc{*nOe_yodRLK< zO>~9?LW_bYr<9378?_%J5)^Jv_^jXQs3w#CwwBfmgaZ&$@uf_Xs%HoIi7#4oj>bI% zcls5K&;YAZ3KC>OZ~fI?r;{^ObR9GCn;K4;&1WliRj@Z0+V>Da(CG8u!W$s~39fe| z&42K?>2F65@e2VH=zD4jH6&C^W#;#0x&E>l5Qt{DUtm6gGc4 zSE?e}GEAU@H(FwOE#G}nopPAo=~7w)$nF+fTfYerqdoBL9^NO@ zHf-BI$|=#OTaGbUzOi2LC@cPRppB?|)mdAUT8l@Jh`%VUoR0wYsjxQU-vAPwD-7X`+Ih zZnYE2)V&>Os)*52vkg7`xl-W>NC;b@*_M=mwC@BWac}-Xh3uN@mO|S}@~XTl0VHB+ z{k1Vqpr`NVOfX+r28;<$fQOl=%pf}-3iMV1ADEQ-RuxeqPpS|PBY@9Jr?t;*O9@2N zI`a7YV#}*FU#*Zm@y|sD2#%wFh{tE$CQkToGDG#Y7)j~GL=EzCTomjUH8Qm%MOA4| zClJqL4Ir_qby8#djVy#c$t7sTb{7Ic31VGQsd#kSdO&o|>v7kNwLymz8p26FDYkP2 zJ6=i8jRhqe{dJHpgd@05?!1dh_8-2uiES|kc1ypBRfl73F!TiXzz3O>@MrMNfIlt? 
z8t%VSdb`*-zTCdr&wHjBMnP-3x;CzJg6?)D!S=wWr?$RU&GNqD=GVqqB)%|T^4i%h zb0D3FD1K8DO~O-+{97_IVB9{^Kut4(>}7a64he()GoSV>w^_J)wfQTZ&`f;BCyo0) zSs`w%IZ|hXl2nMDZb@$Inho#`ebyf$!}-8`zlGd;gD8rulw8DXOQSJ5)M-#T@7ozL zN2;*`YL7S0&w8RC0S)9tMXbfZF(cRpu;_#npytk*(J^adCRweTeCjpVdXAH?v5?+g zD2DoLG+$fbbsvP#s56b8x$oRy1xq*Z&mUm(wK864(j%~FDs+w*_$h(G67s50gfoJB zRrH2%$Q)kA401r3`Fz;0MksM zLBT?}2MGxtSsk36_A&A}UBhMw7?V+ZccJrcYDM>WhxR}q>zbVj!6$PI<&?bdvP&Mt z?Nss?SvV#1KH9>s%{NaVbvHMUW!e>FyX#!`cjS28-}W5zljF1+mL59cP??0}{W9si zyf{M10-LamUg8n79*>l%0STXhi%qp+x+W5W4wMBa24>1p{85vBt)Wqh^X95Dm}=7Y zyg!G%0Qv=!cNC-}YQb?&c0lFsn57cadaha~gLahb*P3PxO-p(s6J;L z2JoOq>+~_^yjh?If7>h`p}B@B3udGnpb&grFr-fzm`#Vfg+|#SVwkXl9ZrXL&FFgh z`tN!hX{WE}Lv8utLS&_Z#zrL@#qQ~Q^AM~FB8BGqBrwMm+<&wV_lDcX7-*{rqF#OBQ-2#?YWs zy%KI0@qp(h@J^Ar0n3nN`xEBicE!;aiiSZ8*)unP%nn`J{JzCR^zE;R_UmoJM=v;p zAE}aBWS1LHm2?GsPr$6si{qos>uNC$C0cscswnisV=;GMP~;5L4PzV4w3oX*mWwo?ji`>Wf!P%d zdi-G=xP+D9&a1_qtN`!bC|&K@Lor=5R$^6g+$bIzNuA;Bbitm96?c>voX3OzA~&2n z+%|eAF%`#2El}#yDl~^H6HdO!@92fZSsGI4oSym>zpBVp367egq2LYVnO&9EEy^F)G#u;J+ z;aD|aJA{P+A~9*!_NTic^^VicVPgB^HKy-y%wy&ZVV4&qtvV8Bup@t#4;V1WxTxsi%Y z!71^kaMB5m6Gu^OV_m6jeCDDmyj*JZZ3CZ;wbHBfu$PXz@3U=`YqeM^q|-D^di}^6>}{d_jv?MM5;~5y`3Mk+&kDQXh6s;Y?I#0i7jo>UDE)b zmg5qUEgG|B^A@kuaTn|+nNOM}TsP|_f}(^ia~RLmEjo$a)7Wt>QwWlYEltr~Rgc>e z5iZ*%7W8Ov(gv>eHe0yT-W7(LhwX0fBv4coS{(w*i})2{{kZqX}=eGdVCu{w5 z?-l>vXzIypXOC^!0*%D(Pi<=}q7b>n?f~N>>||0J>dmv~_v`p=dOerAY1c-uP|*rb z)($Mj(ZzzJSW)6J&UIur$$zX>jV^i$8wN)LQ*D^Nd=@cZ46M-m8@i92r+@M{*t}vw zfwh9Rg8L?SsWG_-9Woe_Ngf`nwkX}$G*@k*#oJauKUQv{_1{{;E!qSycp61%y0&mz zz-t<%rzy7qBc`GYs3X#J_sk<2iAznsbkZ%l_E^1|y=HKCeK&2K<}czrV~yUpjvB)t zR1aXqwN0T-B)Xsfh)E@rFwk(}t9EVOxyUS9_Omk7kDZpsz0HU^?Q6QWZQU_XCAzD% zwKE!#OC6T1v1=AmM_6q1vbc8nV8NZyVmn*2SG|ea&NYA94_>ne2^8tQmJU#EgQBIO z2PF=(iiPjakqMWGAnl#CnA0Tm8wzMdt=`3L<*d3x^I*cSlZg^F-KpE}Sv!Bm?hxeX z5DLl|ibQ}Z)%4KL-&zX}qW4Lig1XFwnQWpxk9E*q3n!R`jbPBS{1FhS%t(%L9&&AO zwPg<>Y@n-7bu==B!Bq^Uni!lhq28vR8}u$}!m7C~w;0rgo~n`%CEeZ;z*s?#&Jpd~ 
zx_Y6efnsaxA0*kNn;V?bX|S(QsO}$};n6=}G|~(T(V9|kSIG^rP;jF+f5}-L57vUu zUfr@;!{(SFHCF|H?Qg^^W^iqx-rmd(nQGR{4bkEwm zC9RR3X7f_B)+!;@f&+E?0^A36duG5MJ z%8k|Rfbk~H>|i!ly?vWpRsUf2R-=76eKme?$Ao%1p=i{>i2`b=u&C6?CBKO@dqcqB zaI=1OpVY1uQ`K#`WecZkWx3Jb%?Xuu$=3t*_BK3ZD#j4>-%W0aRE&iFfvE)QEsfEE zt_Ov56e4(QxN4h;>u5MOVtYVrr#=RgEt`(n@>Oh(gWA+!&x}U9^w)_-dm9ldEn6gt zdV8A}DlJPXOR>El2GrYB6TJ|Bm(ilV7z~nay1n^btc}w$5D1tw6sG+%;8Cru*3{tl z{~-GQ2hsO`5bEyr(IMa`8tJGvojs*1t_5+d`JwhVAXh|Ku{;1FZ2I6Ao5dw-P;mdV z$H4#WG4Ox(&_BRVtQ%y-JaIv+zSifyd=@XWYYm6;!Fd_Tgms0azryd~MR#}>ODz&( z!_;bDOgZoWb1!P7=GLh=qz<}gemzi9JDtBeFLiuPq8#1*M{;bkReSLkv0lfPjjR6A z6JWk|z`empgVo}V3#W~1p6L#BxQK*@$PTcEYAFB(-9yb@r^BFnaNNs( zEd_I#6VZc0e{9;Wy4xT!Gr?lRb!>DVWG+#*@yHqO#jjFR-B!5umX(9^mKCStF-hiDML~a~_eXTB+W`No!mT z^Bq_;kN3*2+K+ZBN-EFxDk}tVxv!*74>aZIiEZwCN^x4j^J6f+}K^cgUg6N9|i1_T&c z6aD*j$NVZJnVM%W0vrvKT)5hTHM17=b^-^~gjw7+q=?5kybpEYpe=D;T(CGhI9{?8 z1xzZD-+3a&!_GMx9}$#K@0UItB;MvM*;nXl(GeJd?(CSgF}=uq!#dJXTKQn%IDr^+ zapwWCG23nTJ8Kl+ONLAt!3b_aimc6?+^M+j9RiSX35-J~q;{D}xpf)hdH{m#ACngq zUy707i5?~DhT}M4xQrvVEgscq07B>ddQO_A1;yIg=OmcnVC+s|g||*B_L}{qGbIfl z3?YKEH75~-okaMLu$Ox^+(c0wSV_;2eRjiOEE6~k$R77bdgr9=gAemVkv3u2<5CLh z>MJ+b_X(I=gpgHy6glT)ugFW{6$xNij3~A{1sW_rn zg?#`$K?zj6T39}gqz))AUByT+03#fU;fjY?+V6P?M%2Q=GFxG8*kzh1;E~I6EVuqo zVk%ghA=_&#^ziFch=j3xytn(J<%>>(FIpNjK(A>cB6KY7M+EyIK$qAcd&zBQ__0x} zc;6)e&+Cu(*wzRiqktV=azWpY046bnk-==AYLdoVQufqB;hg9@(%jz*W7o&Nd%Zax z8`c^?bIBiXG(5Q+0&ej@mIam^M-paun2u;H&L87*Vb^1Ku`$fpcF3Cz8qQ^R%8cZ{ z3XJUExT*T*3pc137nI>2$bbzvfeBa3H;Z;;$6&0hgE_7PXhd9u%U@;h37=TFjZ!~J zH~xwz*`dvyY2)JcwrhnFgurt|w6oz;oHcmsX1J%)OQjk_d*5jGkIsJrPxFS| zt;86r_usOAMk^Rv`j%_EDLxY3+v&r-l7BH%nJpKg3&!qsdQ0)3zevkpwuxXG0vfaC zfEedc;O%K9$+%24d^7tY7#tNDg<0$_EMk;tMD$UC=cE1tz)3#v(9{+cWonOvg*bMA zKW+%Q46f_9$pT-du(O)Oy=?Jb-q)R&tGmMuM%0QlMUd&$Mm9|6gMO^GO>O{q%FHP_ z6U*@;XEQe|^XalLQNyK_aR*5#6;pqBBoT4e1tn;C2}{8R|E(uu2rk*Dhe<&M#?Yt7n$P5rXPr)deG1o|b)+60N7NG`%I_ z=8{m8e6_i)cBv0FNAW`uZW3pO2Y=T6c>|SBOJd 
ztXBT^Ve;km;iF?I-4sW+)u*=6rnXt9wpZ3in-bQgm|L6A>;qwP@u?_ThrI$-UotuG zI618-IW6g-K|v=)K@(*e%aWXYl9F_ilK5CcFt+X4l7@?}x!UxtXh(zTE3s3h8`Pq` z)+s*LIoG)ocT&-g?VxD_z9TiPhmdxCf9`IeUq1<<&m{^_NMh`KD$BD6Y(%slHb-m{ zZT_yriUN`Kpa;XrGB>HL&p}3-7Qdqom#o#B0JC_OxK1E15z>K{YPHmi$v*_j=}jpW z7C|qAZYVCn*o+IbrdOFxrpAgZ1NT#?jCj^8{%4(4>Qp#mFTP`Md|j`G3mmKqa($Mn z7W}%dl6yUZoI1~w#X~yQK*99%f{p7)HF}Bd*z=A^<5wOihfinXP-Ynl)I)=!yP86-BVb7jhjKW zoi~R=adM!vwucV)3(~fyc9BFI)l3W$lJSuo7%mEH;LHTG}wv%NHBf8mYl6U&= zREKj^D!u55s2lny!k#xt_;sy76&N^_@tr^wZg7fqbn=hwEwZ`X%OOYlP`(sxza6c5 zk?h-nc9W9IDB1o`3K2{+YfV^b^mv{VlD5G`fX#gVyk!2^0C!2|$7h$3_ zRgjp8mlonLAb)|$07l}3z{LqtJ8Y?{*4u2Svm{SAAxU0W6xJk+Kdgybvk}7Vt2NTFRAY-JrLho^cLSFePd_bW3tY%Jhj&yfHTo%=gw(-EQH%0$FCP>9B#c;;s|G zF9G%Q4%~rSRt^`AyEgUs5!_jWG2UY-0Io)%F51QeUhugCBEExGyhg6*6@7N^p>YKk zK9=!3jUGW^{S;zUVaXuaGtr08B7x|Jftoo)3YxK+^%+!0j0}y#|m{oVvGS!i9hBaDlw0 zdvf1FmkY!n*1Q7KmN%b5*@OeC2h$&C(ZrCwhgi@HpKtt`2g?OjxbYwaQg zlt#(BMj=EZ>|rLB7oWPE&dfn4{ZJpXYH|-#YiTfXwfg+# zd~q6^Ew+5uS#J#$XR>MnU)xRBYnpp}fe>^T#jo6|eQt+as|uPU2b1ir4x+nAp@KYi zrcRGit&2XAMqbK4?%_*wGC_2(L+85*tb7>Lq?k!zrjyWD#-sV%vCRTM!`Oq!TPw9h zGfT=02<3x}a`FOey86Tio)`YvuES;glJBiL4;OSLj=~r*?ioXdlb;y=+jJxd`vzz8 zn?!GCV9z!zW*rnV0XXY*u(J)%4D5!~Xh31cJ5q!}H8x9jMi(4;GsiXpm+?LrLfi5M zTzh0FMW#rBPD$F;4yQ7|kLn-D6mU%Ff@X zV>KI)p}tUk2Nk~wn=Nrh^ngCSOCpu~Jql4wJGU$Fu?^l1fqZh2b=WvJ`M9DZr58cP zzLy|)V9e-*7m=gj2b{B5_d-Op1+=eSL)$!|Oi$1_sBO+WFBkd=JYx+JA|*XmxVZVD z{+VDZC|uBGtZDqw{c~JRPeUaw{;zVy1xc0Y$8eCOJI~8>JBw+*QQ%((tsAb;Aupa= zGw6&$eJ1G(p_nXB+rY--1pblD_TBe~GsricbkPG{*@P^0!|Xz1>xa4I zOHhi+YpH52*E9Jjnuum-9l|?N^I1|?@cd$mS_|4FTfFCMjeW7=s=_)s3QGwZiU~}i z|EjNcEtXVeqS|tx=Q7K>zbSp8xK9P7CEAgf{3D)LJt6;YlM$s~qDpDU<=F-TvBwW9 z-QJ$c+r#xNz7EcT8Yv!~Y*Q7%N_o86L?j=|S}(OPh^xGPD7{o9?yxW|xS zB`86BzWxtYWx^vHRcypPy)o%_5)L%tsobrCVM&`k!zVfnTq?I50(88e$FP}3S7h6w zi^JTER~>v_L44+cNoubLGF%zrZT9^rsE|y5-JurqHYHwDL{MJ?VSs~ zcd6e&$_>~V9!X}7V916wKMX%-`^sRji2ad>zI1Y@)K+d6G>>9h*AEg$RB#Ka9v{4Bb@n=mt4H*E((?J! 
z{>fS`by99lv7>^;%#t^^#L>wtbuucnuc72Ia1w7yv7^`qx~{cR+0?n5I)zH=#HU%A zmP&rLMOk+U;@~+nrT(qK4$(m?Zb;5}g=o)AtSqE9;96 zOS2CF4dD38)$v=G^-UOoU5*of`vHA$npv6lpC0>Y0#;Sjp5B*1|zcl)-UI<0)I1GyCtT z3a@y?!$zT`T{C|XFXZ(804d@<`&FRKTg+0DuS}J#29_W3Cm7Ei^=C{I2{X)df~5pt zG-e8O$5RT4com3j6By6f@78&l5y8MrqDJHi6ip0i^>=0BPMxgfFg*K9R`Cq8Ea?fF_B!r zm`fWSwYh;&)1-G81zn{+2ravqN-i7U6bNE1*Q8?)L!QB!qs3J?@G9Nx+QUZ6V@;)j zG@sdD0|2uXUofk~jUwSAV*3_EQPZmK2mLI!2jfbIXIN^)c!02AXxN|PA&N`R>_jzGm1Ww{gglIe>&sJ19l|{oO z!!$4C-xR_$Rr9NBglN1pyfrhIK#jc?53pBp*P39?=5-4>Y}7KBZp>vXUWFn4BEH)V z>VIyHoU~Ol&N$)y${TYYX{lwj=7mo(_f(8)+u~(qSg{j zqm4?He-MjC8smQA{kZ1P2F&+z^#+`<;1x&)Hqq(;ICEdyF-06Y15p84@^&-_{7&?- zV6E>@V95)LlC?+rnaYTa$v%I4?h|RXvz+?5dHV3@DZc$B2~Y+lDWlA^tgI}i_0ezs zw&1OLI6!-LGdGa%QUPyjb;tc2>VVq;92E(=Y2b;NM^aK&F>NRp)+rhcXzEQ+MS6+H zEU_+e^0v-7($X&sr+_@^HGk)EXTnd@Z|b%NFp@XA2|?H7=TCaRJKeg~Q3cm-KC{zM^X6iXLy z7xNUh4eK9DcD?kdx|a_m7v;>}r2)&#iH7XcF#PuV{|iTB7~&{y3_iJZ{d0 z2yw!`Q;Q3)=rV<9z^@i}nl(Z?xQJ6=?y$Jmak ztew17HgVI`kXTvBz2u53E4sRt7Hj*D$2sah9-N(tWkUaW6dC>F;hYj{i|69}kB8~2 zZf6oS*;h}n@2O{^39T%{@4=?7Vv3DoF6%3 z&O^=BMW>vI+}jox1uoVHkQNCisNxcV>hWKoX2|7NtFJ$tlYK(Aa?Y0Gq5-osygwPD zYkz0O7eCmO^lwf36iWo2bqaTdmIfG8gDS?JCXlbQvxm*^4S6%&VVO|9-9An){~q$( zY)+7%(|W)zvSBs~I#ZB<1xI}EA2{zd8?cjaS3FV0PHL^(2O*mJ=o=(4{zf!N2*_ei( z{#{Il=?H|9CO(0vD2D6n0;p+DDTRuQcgpO%oQX-P8N8Ze`#Yne9J@i8P}7v{kFe*J3{QF}KY>>{ z2~kc7wJSd-%=)K%l9*^LYyasXRQ6p?`kAp%L?{#890|ER*}U4hmVH>E6>JT-zGCP@ zFXS(7-(dlSWuNZfX`uH@pZgN9Q1d~kMP5RoWGI%467(xJ3Br`GPj;AG>QpS#4D<85 z@0;KQe}=%pKCVSkn|lp?xwM)F)+~%eFcSb`143oaKOy zr}84kDJCuLapcogPmNOO?Aa%nL&T!P77nU;&|v#PG?A84b0G2E9YHyEzJB0G11{JkzRzLLmE=2Pjys?2q~*{gCfKNPl#86DN*0$H<$&=qF*W z-}-un_CfV6vNLBEOSlHLQ4xMXS*PWx{v_r3c|3gHeAL}l&ey7#uN^XaG?otQ)UXzP zxzmfdnbD6F9@s%EQJ4R1(2q<^Gt#vIRifuqrWXNKx+aoVP|ddnQ>v~B^3Z%A1~M%5 z^uB^TM6!yL8YHVW3zmCM-AC&Aledn`o50Q+6gmaI32vaQftI!}G5bJBg}KLRxv=H8 zOh}TRaNm=_@WY#dibk7L9z5My$x5sHs<7LwE&zk6Cx9=Z;dB(nL{v*1mgj$B4=JlC zf?GZvDb@AU2EH@-@_TV{<+-`!bNBG<(vx#>g$m=j^(*w($+y#5-7T%bBv% 
zW^I;zCjL_}9zNPu+i=Av5u-Et+NHK`QW3|kfV{LD!PyydB3XWtNWeG34v+$5=ZE6% z`J&T0?kL%nas<$SsrXVJ3Dp1VJ*^a$2kH{6>E@)6iy+Xx6^@v^WxelT&Pl|J_te?@ zs=w#Q?V{sncG)R1w5P7qmj5`WxR%0=^k_-tf>R_^Qd_m`@>O0-MJ3-_UaR$R`Ow_# z0(JgT+~Q&tceP=81t!((5+teB#$$u?W^lA1yuWyzq;6*{c4((zk!B|Sk3rl&2F+O4 zeT%VJrA}_=%(1XW-#b<}kq7J@Os-brd_3L)q*to$yn>wfZy@+~+& z)dh>C82>VRm72(lccKE1OH>2n)D}6BoJr~%@ryU`O^W`#yJzpf?6dcOi9FZtzeIjU z_nqUy=}FOkowU3|PM%&GnJmUGdr37ZoOiceJdX9=p${}Q>%vqlU_CU2EO#b;~b zrO=xfeY=;)i{UU%uN<<>UL$8+zwckEh^uHjodPqKSG}UKbu4IKbT2H7jkd}rsyiJ| zD={HxP1Uch7lF~9zy%!cIWf26yI5$Uf>%UmUF8Z=5#VW&7VHxu!c`h*@AT@AYcfm* z?k|+16_hc;lVRDxrI_n;qzJ3Pz}bIlFNuivToF|xf8gLzamFANhaizEMsRurMyR8} zJ}_TsMohLR?JFs-S7Jn`#<7Vk40+xH9`Cqs!R1E0G%)*`LB9;9tdlV5K#qVAm#qB= z2JV!U4^saDywDsdy5(#-7{M2WWFTkS59Z*C&HxCvtvBimLLV@y;h6ZfFyqLCvA3UP zGZvWht=H0YrE1FGgXQx{5{Lov0U0~1OqF*4)D?c;o`M_xb{#7V;=bi;WT zTXV1)qa$us?5!}3VSazwEj{4$K6q7o<|k~rbg^#GY&&4%f3L||qhUVIU@o`B+Ffjv z^i^#|e{#*PRl>fANqd+#+3w(%ocqjN+KZv$SYWOT3x1>R?OXcvf}N{I9rLBRSQ9LqpbP zf|>g!-P4ef`aMkz-^M>+eLT&%S3a5h;vaN2sO zD|fgAcDbf&^ohx@QKlOl9a1Sq&z(IhzagaLuuT6X2ZvJSYp)jM$3G$YG;F-NNLHA> zZKboVbvY+^1Ax}heo%ZxfQ(|U(Q22?9?3{DcN-&N@8o?GBnz8tPL!^z++=WB%D(iw z@E12d3{-h{mJHZ^8;alVzeb_=6dWuhph|=yv-Ve?6b0>frHZZB&C&Q=5N0x$D})uB z)!StoD2n=yP8)@nxKdjxuiYaQwM*82f5(pMzp08ls+#51HMUw$x(~z5_EG2W%`Em; zan~P~`eZ749?arP{wk;wG`2W)5N=-@-gu%9$qSgb5!3<+=Vw*O4IoB37e zDV2`h0tlH@blGnz{qw%bYKk}>bQdxJqKrLXg@xy#{@j+rVgf28C^YR`C81r_00e?m z_ePu>#t%U*N3$q+=#Qb7Ttb=~&w$C?!QBLeNiB1O&f?EDGDy&fMMllBk*bAttHN%Qvm_h49XeUt;O%o%U0@RMwX%;5}3M3%5?L% zptLB>8z(%P)|PI8-r@PDIY?s|GBq0z8WDLA8coRgl+{bt`Nx2aZ z%Z^7`SeM`G6pRCS()xQEG)NLMU&2GQdcezTl$2YV@={a`O<;;d(xqpa`^cGNo@l)u;w^);R=nf%*EW^l5pi zwk=}DvP??PJb8JL{F3mFc#?sD&ryEv@*fx|Pj>x*@b;nTDt*oKCW1eanw40{xjMxr zar4Dap$f)&Ah+KO3l6F=>%r1Gy`%X!W3l1#SUGHDjIb+s*sCYA;W@mjevZmv75b?q zAHC9vDzCBrsnaw|S=(eMpGjZjHwdyQd2q&b^<2_s|Bk?=jOz_Y999bZ@M#2u^cadn zDkHG=fWknOptcewE3twe1}cJ>%y}_)>uj4Ayf=Q5EX(t>|V1r+RCFy6d4XI_0=_^U})5OdE-g#DS= 
zFaX%<(yIT?9XJ+2#_tGOBD`K1PKy;Ajd{yBo)Z@Z0QU|JH%&e2;#Zh&LYyTx>-|D} z{dX+j>P(4UakMK)&QtY!@^ZefYQ9B|(V3>_%Ho->Ml4uSvnxmuRZ-uG+~i--04quE zS$K-1A`e+82vnpbH=!#?{?7x+O-N=Ikbsp?5$-I4DE^BXffP3;`jTBhO07Vp-C;wU z_b1$uK^OOlz39E7B4DzoY%pcbEMasB5AQ#ZFhdkK-(gDeLolNUU`O^uC-*l*6!~L+ zj?ybO4gsE;j_6v3_+S!G$L z*Yx&hCs8U*0CS217(;jM`}Z-$o8)QWyLf_JNNYsJ zjFs>XtCH4|%sw{e{eWj9TRL1M3@ec{L=Ng%VEb(XP?S~N7l}{_l`I)f5fKE6=|^Mo zPa~7z$8-o4sSkMa-Fd&bygcL)kTKPkQ$x*zNjiYPFZZF3|Hw zy-*)zKSQIlgG^c4w4Iu^31b@q3OXC7dGvxUML0t-$P`SAQ0C^#1=*Nrno@+_00S4t zB{wsGi1e+e?)M8r`mbg7<2Dea%mT%)IM{Tb8u#yDa_;mE;h*xnWE_!zqXic77&62m zhayfq7&wYyfVb19|5w*HMrYCl;l|b`d1Kqo#WVf2@1ugcHs(5aF>MEZ_*YNq0YX_naD-_)UUnyS4q6|O zDevD{nxyn$sMuC;V(|?gnb}3VBrB6VNpE08Eo!0=@k_9Iiv~(lm>Mbc3iy@R-tzy> zP@t%jl(q8Cd^qmC?nGq$V?{mbeCk0uNwMif`cr}z;yHa;(%>1?|ECZ#28UMiV$G4N zwIA0(T#WAV*GAP_R5g zMgos$5GKQ5eShYy5PN%rhTEa>r;$_I>J_$6MXFKc%S7B3m(wwp%->ca6dIV=80aNx ztUT{i%FS+>EkM8$rJbCMLRF=EbACP|nd8WAjNHL)GFlK7$`Oa?*h=ITn&?|4|5L~( zh%O)OTOpG|;ncNroXl;v3Ja}3EJf2acMh;M#DurPx70=mcguc=x*(Wb%k#jJ@91$t zuIVdzZo-6G4Dh6^{dGcY=RxIXp~%I>FJ#(NqjA_q_#?yN3Ms?j`)ic&BDN%e!(yP$ zHA!0=?Ug0~hHb^e`%p}B8p4U{(*t5qCn0!dvms9+X|GtUq!Xs5JhWW5rTMkic> zw-a1UT<#a}WCra~*@4F77=NSSk{Nqn!}j)Ni7IN*DwnoZYd;6Lu%Fa1aU4B@E{-t3 zr%+FXNhjH177-H=%uRe>M#~SBn<=qAe~6>*ct`kP%u2x+30PdSLm9D?boK~>gI;I< zq9$aft4f%rFaOH7-+xc(UoP#(D06xo_jHjGc*Kh-bcc#HgfH(9&0{VPZjCsV$lEY_ zxt}-}DOHggk2T_;yN7m(n+7|kahU76x#B#&8P3nr3>ba(fmK(+@hIGCDLvc@yUx^GsSsM(;sRidWmo)KIz;$l709no{J zMd)T071^4lWD=Bxl2xx!0Mf{@KHcqgMMP8Z>O>@4z33q?|2(qiaCxQE_bjtk*xx``Dr zOS~G|2S{5*eJHc>cgJV^(@_y5@N$@3W0q%x2rZ0#7LK=t$|uzE7*AZN`8RFFT`o)W z6(3I;__DlYedL|qe9L(Y$l#=?o(=o&$(~7VG|=wjSpML4;`oL;kA*%+8{7s_G;6BT zk@Qve86*!!o=ugV8sA}88{?23EM?0v)jW*9T4}xfozNnPaCH$89^nxh4Qk4lg{!l- zV<)F8SmTsI6_;z-6X7=_l8&jW4ftED;ivD}vULiD6O|kswGtMZ5+n;I(7OS4bA;dZ{8= z9x9d{7}RLcK1O`L#eYbZ?7`)X_sl)YHX*pu#xf(smQE-;gR_-1V9uP?O!X5S1!EKQCqcC(dz6vUd7vabNHl*-! 
zvyn0ba?Yj36>bi4iCE5LzE^ie04kj&(sHHD7N}%(BkG%kn&l2itykUpm_t;$B5Acd zLrti^?A;`W($YP4yreUs?}LYJKnu1ORDA&T?*Ud<&#>sTh&}B6B~W%s6TO>LlWN{;pR-hhkqiZ@!oU~+ z0APiQdK0eh4;K&yN;K>{Yv!blx(rzGmTVZAmL(ch_@qQH(X_g21jwM&34Jz8(+)Af zYWFNZEQsRbpMe@W#6&Sj05D}@qPGZOatal4Eb!P3)h3^)Q>a9ZO+!LRy~YLp_P!&Z zsD_+MGNs{kS25m;4SZt70rzY4j_|AgfqsXOzQ$K0^r`k58SrU@`-6@Y!+QXvs~5JK zv~smg5A!CpPy_lfMHib46e6U6PLW)g!5RhmjXAIO=D+kjom(0JL)3iFJ6; zbo<$(QO*p$kPdDz`#aLu#Czn=gMTN2L%m&d+ zDKDA{B^VNTxl%t7kO7Yt`SDUu28}-IWl6&clV-I}l6Q+mLw|C(-jvtHG|$HIVNznx zd^r@U7hlh@KKkyCom(1wK`PGT9Q_-or{Ka=wP$|2!nk80yH_<-V0tT@HvSUow#f98 zE4r>-DCf0l%~Nu`0EV?A}f>}v0y zjoAxM1#4*K!^T{ zr~p8jYy4&vqRA$+H<@5@K5RPWvocUn7@kZlFqx48JDAE-;Q?LgrtnUA)t#uMB_ljN3>YD5e$AOt9&LLWQ5+n{#lSKDK7+gLSa@kXK>9QAmT>Jklsf*JCXpz zjFHasmwl8;D3KNT1Olw_1;oq5xOIjoWS-xQp^UKMLAKgaY;#jnBQR)kzit&^F(X7> z4_*atQSzotoNqJ81@=2;4F86<$kZaAhG}vFV1pE8qDyDv(s^r-Fi?lI#z^1sBNzmR zV$gw3AlOWviB6S}W*8+Ua3i&T22Bn@bTUhG2~NJYFb*F(wNRM12b|KmiP5NPH~08# zCkT%5u#@5MUVx##bS-Vhbl;A*1my>LoX3KZrkz@vtx0Ywq;aB*Hug@c3= zMv71Gk3{-lm_N7=-7TbG)nKz{EK;F;^J$pXQmn|k@%eDLgmW1FPt{|_OPK!lLnxOW z9T3-lpzx5Mt%6jE^p?X<%}te<67?S2;QrDp4ZTV1^vVK$+@9z(3~pL0iZZb!ygLVguKf&~1>x7gJSjzfs!! 
z)VTt%@5Y@laIF#5%r4(OdVHBZUwiXqd#sVD!lT$S z5%her3?ew@ja`!uq81iFuh8ZC_1J~{oQZiCNr29y7ha!>`gp(2!xYXsh)Qi@i`|t+ z-9jN1cH=o0Bhz9_pI)-QJSQt4z(;7LLe{xGXPI8b{=~b&KDOtFW(=# z*-l3f#I(-H>;9y7Ie+Za?shv1@%0J_IBVMWu2yW5`?6{(wEM)R-Q&Ta{l_EsIPeuC zfS&Vk>+cO8|L-JBvJnbh=ky|#+t2A2ll~yN+~y#EzM!^f+A2H6B~cSrU-ErYwCfxz z!qFYNmUhgrpB*N^t6d`r%0)0kN>8{1 z?+AQD{UMdsNF|=lf7sRn@zv1Mb^^zGu@|WxYNw%9MBiF3+@GJdTDG7(6n>VZmYhqb zDBH;N1glBY%SX_ZsNa@JS3DSkk_QA$87;}$4G=sCqToGNN(;5Z4OgO@@(gX?;-JnV z@e+J4uc8E~xcZyC+p)Kd4emIQFRA}tgA3SKE|C^eFCkhNd9SG!)xr(X5ut5`nl8l^ z*A}yI%eGtMZX*)PgP&g33un*Yp^_#!iz>%gSsNLq(I5Y3z0#L>>3lRp z@85t$bhBFv7{9>#QB-q|fg^HXm(EPb0YLyqyK~<(c#&nn9uEi;?Y}F-CS#3YSM7@6 zU$IGv&+0hI1cqv0()V1JXS>)O)LgxNec9!_a$w4}r|6PzVU`%S8BMlEclEhHXUKX0 zjDr1u8EYHg8+rNJ0%bv*CdbS$J~%@Ti;&QsF%xL{XveF5UvvM%y0Os^bxu&-CR?nH zScMwZRlGzDvtk?LmueW_myT0RI$b zsoUpwz}Ly>^L5+Vq9{@GRh$C|Xy&hY%ID02dSbhz4?BI5q!&|Xuy6AB`B(|!M9RBP zQ=q;Zr2~wU5&hAt=ecMe=%6u^ee8i1Pd9(Q!Wq;o3CtKSW6a)Dy{gF5Jxz8Jgr&(S z{jzgvB7JvnF3tgS!@^hU&d>jnXA7Pbv`-<9$g@(>-S_=QwJB?79|vmb-6oRpapnL` zJ058rMdbF06%s`-_l^*fyQ=0LV3&U$CGH;<9I+4H{)1^p50hXa&qcV&b+c!osp>#m zpj~;tvk3+vUjX2AFwtP80Ej|GcVXasg$ALt91(5}NLrT?I1N2X;ns};SqecY`VU(A zd&xW4I212*noghto&yxL?0JKU1R3%vF$y=t@K}N3eLX{SB5i91yNIzg)u8>^N}xK)BiM~FeM>do2Q?2k2fJ05bm zFdr&a5OdWz!9Y zBD2eP9JV^J1Djy(U20W!LVTymB)Z^uQix_fLKSK!NYCB!s03fyOvSc}_SoiFBrQga zC1qxuP!-T%;uZ{d>OqI`RRf(P8m>Z-pYo{74azv?YDHLSk*H0bd55ai)tZ~@rr8BI zbsZaKUhcpYgb86^rH@hyoDM5O8NOx^{x=vE(Km#t{%hp%aEB!F^MTvhmV%=dC$5lL z6NRLAvrbse)I~pZv`+Y+2Jvkb%8LxBsbCes%xzUy!9iN#9j=al4b(ng%z=g!R*Hs> zmOnGMYN|oX!C!uD|CAJ}^@!i~EQQ@+u<7=^R)EbVxxW9Fq=ok#>A;87?~4Ylz9t>` z@%}lkYO4R4v0+3biR!=3jB%?wDuAAGwW{s^(EOj{lcVniLO=B%MvE6JEC}SEsHq}o z5`r?2n^`QG>ZR_p78{{jNb*guReD(k=5y#!Cb1-A?xUK4k*71ZIyVJEys&USgH zM}3tQK4u|jc6Sw>T@EDz0nOqeqE{UNi3!dC^Y85JWNK%I-TbFT1-FkMcKqmTeiz~j zIWVlb{|!~>;ZzY@y74@Rj7MP~&nehb<2z6@3uZsxNMR>&8%{JPf$hy3-a4Cfbsi;> zwTt>p%+m?%`wl2SUsvlPR+4re_mb9f7EcS9=%NYvS=+GWz^Dlx4A%~ zsDcRnck7>z#@DqbKqfl2gF&I6tpnMYs{!=_B6;xC&tVTq! 
z^%XDxC!a;6sVQvZmaezX(TOjcfh0d>6oP#PNY~RR8)`zDJ!)7;PG6D`^6T{F*8!ei zb_LM-^5Oox#|$#>pA^E4>4uut3bSYsXQXj%s$Ng}KR4KpK^8~3PQohnvySD_%royt z(9GXVpQ!a~0kT_EFF-Ud{{%O^;tpshqLnxzf#ED2g8w#ikx&2uGD@*jl2`GemxOZ&Mn^ z1m~yiD3EG@(NgZAgSf;}d69PSwXdHcNEB@8B z)A><{U9}tK$^v^{xYz)zx9KJko*80sSEpOZ)w(!H7n%Vn-Zd`xI$qz=6!%=DMJJ5P*3p7wwgUJ7_xUF7vcc7~pAOh-f z03Z$YAj0!M#OliR^V-v$Z*-tY;OItslR2+eg@3r-TVv}J^|3;e3J*aivI~={jo}=` ze8uzyVn-_esFE&?=r5LRw>}(dKB&%#6$(p21Fs#z0;3~SnRHJtrDlugGlVb&n*}c) z-|cWhzQE;O0-4J7u>BpV5Sknrfee)Q4C8uaVjag~4Th+&K;T9C$hJYanc`9)lT5nH zAbnnB*Lsw`kB;0uk!lp4G{t3UQvU*sjw!E-ekCW5rK^v2OCaNxJqj&u_L}~Lj})2i zT096pxn%ZGROc-4A%jUT5hE4qB`E2(2x5PEG)a7^S1py!tc2!dlDjSv;#yV^E{{z; zc=^r=x^31Ybtr&?pduk*OW7SfqU4opLK8PV#b&2(Y^5XJ6*u+SV6$?on$x6J!}(Gi z7e}+YE4i7!brPnd4_0zM(H$19ZqvO=D={vLTv6W{78{#aJzzdk?Ief>rX0m`T@D#9 zf<88*4~`!ppcB`moHi{!g5lv83f{oGu={AYgfuoHM1W@GrrR?Ktw7)13=V&aQ!e@3?vq&WrMs5B=JI>#Sc(N_u>zUqad~Nn^ zmryTQ>Vg2EUKeyi&2)4sIWIrBeonD01}EfH5TjB^IdrntY5w;Byc*xHh$QW-z2eGG zhq$ELau^???B;5gL=D~D;_r`!y!LLfPh?VRDviy4v5mFfUr@Q4lIzkID9cXg8l8mF z87MY825`A7fMq9OHu?0M=`CEyDv%D=AATj6#8aF*TM=gS90gSF5LSb?&7k8;z|CW< zTw9F(;04X4t@IvDS^TloOWMkI<7+$#l0Zg`XdycY5~MA_ez{8uFarJq$|2P zd%;?TytQfz=}f8g#XoptzC|f$MpBN5E}c&zApVR@#QYeVW(X$b1++9LW@9Dhuo4|d zmpI5Vgcu-L|2+dt3UgeCGx8azl1Iq2=V-t4`eTRbLG>Som05^lw2Q79>LyxwY~gFtY)@xUd`k8=lG=tcr{K73%RH z=Z2?BF%Qf>m|1Kw=l~}jzzrQw`~jkgn^w6ID!QZ~Lj*Juk9l+*!u}aZ6}aIsuJ-Cr ziluYR#Y@Z@I6%DxYC4&q*oSRRP5U<%hKPA+{rQx8VCC0+Q2{)O1vfkii){4YW1>^> zD*JTxP0k_45q;lL7|svdL`GI!E8FT>BlOJwiB!>pF#P)g54q#PJ=s}5iN3wCRjFS* zPwc}1`;O~m4o{>Tw@e*G?VIFw2wg-h*NHW!lI|;?U(7S$m^clOU#R*j)Qu4zbCRDp zLj6efM`{VVe)3s;=Mk(_XXZB_0EWTkb@4Trq>QGpvNYQ_xwdFeIw4i_pu2-v^C_-< z%U2tcs|Jsga3Zj2yTY;cULmwejdOj$Wk+>1_`OIsgEud&!#LnfP)8p+sO?JvVl6WZ z%QwE?%or9NE_T+fsVY&gVmTpw?- z7c1q*ZLeuTu(wfjTvy-u$*eWaa~0Mwz;Ri*GEc{paFokfzC0iO{B2}}+vxt#DwjDj)siL^Ab$4OaDKesn6vMVGR5Oq}?FCPTHTlz1PM_BV!2cnA zATVd)?wG2)ExdDwz5_rsb0&)wTzKg}MSsQrz za;1F5Q;kD5?0PwP{_pqo-n7(fpRF5Dsmw_J5M==uSY!6a0AMRbTvpTt#Q3&6nn1pX 
zT8xL?3XYGp=G4?Qt0_snZLTTPI(S039nz>6CwB$zma3~ZpXVQ&5MhFv{u*mkMQ))E z;RV#)uCcD#+bk1wE7#|<#8*|u=LW+~)6%RdP6E(#D%>sr}s zC5SaUc|6wV`6iUE6FhY^mU41uESvjB6NF2m3$cW5qp7oqsC`Z!RK*#}VhV_9M3x#o zEtq4RrvCA7OweGU>8~rBP}JWgGEuyn(LM6UbNkehBrB@J3i=Zu2b9Nzn|z5bTIAz!n3sz^I8a7POkxyEP9Hq@uxk4|omZOmg| z@KK+Ld^#0>G;>nWx<`^jD+V>a0vf8OyOfbkG^WBj4FSToVxZfY%>Kgb=- z6nF;l39TU{*ypFBC8)i*6zv=K{mpl*Pyj)#z(GO$Kvor0cgg>3EoGT$|Gqef$9b9v z)B>2$k$>T>aBvWJ6zI4Y9(9EvQ-o|u0PvL>1_D`s?HRtp^-((%I>Ud3#s?NM=uO*;_1WnPN3d^_(xpuWW$|w)W@{d2q+2 zLnAgK#Py*wv&tWs20b_gzWJ5R=kD(NHRRU*&o}jSDLcSI<~Oi|ja{%l8Y8&Y;)dMt zz;EpF$V2|h0@9E|Hn}AP4_p zq1%VyDah6CZA2&FeTP=$D2$Dv2Dmi+a$qWx#6i@I1m!+zI3)#v+!b)ML6AgNvma0$yMr`8XO3Kgov}hvPkq90pf+jq z;&rF%EI1EzxX)U?dLK#<_AfL+L_UnZA26uhcjpf%@8KD~|AgB0(^s}G*(P_m!$K5Q zreO4}K~vA&IA2=NIh(|O!n#A2dK){_`bU^aoNkv%+=zTHhx?m)?@}=!*&5wSNG4xt z+27iV2)!WD^yBnXSJ5=W@gfM`{_9s+l zEysFl>v%K!a97-t!`aq@H{Y`E{@I_pdv*&pVR8Jw*vPW;g!fbKe+ja{|5#^U_BliI z)o(d(EaSwC-2H&lU0!rt{mumGmKkSV9sJ531SNx-8_{-@3$-7ByYY~MiW*SU9jm z!efk4S6A|GVHDs6jujwnJUm|#EaArD58q4qCJ;a-4kFJ18}B*nLhR14ALib+bhgr6 zyV?|K*1Ac+3?1vg01?;BO+SHif6jnsfWC4x`AKvL0yBt7N@jV758o!enn^0{mae430Ew*pB?{@7m;ZCVNGj!%_33R;N6oK zlhpmw*$LxXlW`Wgde;^u?z*@jvg2B!GrqTo;m+WOiIF$twWm=Ken5nY^6|Ycbahux zUtD&f2RxrzfvUn`40B_#3`JB&i*E&5c!GTkw)0b&ZVyi}`HAjks=G6vQ9a(BASOO+v1O8q*?7=m6BqGR3@Eia5G7DD*;$;nXz z^efWVmDDAfpu`kA(K&2Wr)Rj(6FW4KIpxHNaY?U*>u~g4Zs>DLcGAHIltE;Zd{(h->y7VRF1q-bF{tIOytRpYL-cj)4jEi;p`$ zS8IaHcn{DR{_L>{m@Wf7@F%&6-liJUhhu=5eTt>wB6QLxLoFBVHUOtLU@| zXAP4M6XLi32|KQg00t2?7C%OfHFW-yQqgPuG{r)V*5NMY$$Ca3H{PVIJ+pdAV`1X= zqxaR{Da7=uu?dpRbJQGbqq~_!-Mx_&DxV%j)eIJmf@Sv#ZKXd6s{~OJ=x#pLw5fIq z8(S84jw2TSgZ7SL`ekSpid*&YtA(0%m?6(~=htW-Sn1~rDfn9`rgvxHomO5*9I>)8 z*%H}v2C}wkrkf0WD4wLCL1UGL2~WOJ$SgAQuS&|v{%J;Q3AK_zU@|Fvia}ritv*Z>o zJM>(bEZ2~L;G62bu*1S9r;x}D0bVah%#Li?w~8pa6z%T!7NW_m^B7&qMtp(b0cFc5 z*DgOVMMwJv(f5W+@oZ)rB26CGx*JyQW5g*e$s`W*ms)d_qB%F+pJv)Y^Lp+{C^@@$ z-|jpwdCCOV^Z3&JodLQ)lvYZI6_l?S+@}g&t8$Jd*<(b2#?$y;NBn$ik@C-Bzo1yq 
zu}`GGhIB7wxO>PF?wtQ<-9{DR=)T|uesfSS-f%+0>`Ucs&ak#k(Unu$?m1ZPxNe21 zMmTKrx_D~b!3Iph_accL=ao|VNx@(40TJcogK&ePqyA>Mf);oRsr=*XC-s1615B1ybisejMYuSaIa{EUg!bYcnCT2Q;Z$=Te6Mbyw7s=P&jZNo! zV=maK-QjO$`-gcmzVx>QCdrULM!%g$@1Y#mZwoCExHlA~n%KqF_=dAuqj|_~@us5VEl49ZpWu?w%ZA+J~2`{%p zcSTaKSo=_}Cxhtk>}&3{B*#ISWAQhn2{70rDQL3DLTR8dSbr@Cu6b}CyD z`Z-aOTSHXugz}q;)V(#|!F)Q?#-qmmWoml#I9dsHbtpZr&NL%s5H{%U!9 z6MRmh+6*&ym*O-|Jv{|?%7jJD!H{WrzH(v;g}2+a^@x0ob@}E8fM&V6d>K^#N4(qr zxR!RO*!T49Fk>P`kT|qV%HD7pEg@wr}QIE5Dz(-x{DGVw}q-BT4Z&N+6^)eI97yf_G*|Ijp zeb{igHg9k!9*vPj;olh8lQH$lM?;CZ7%1n?sIEYlLd$=s{vKx?807V4c91a}$O9!$ zoa-L_n_o4FeW2{)5p#qQUY;b(yCbR%OZi;RpaC`uMnnQbZfUI$i?8)Capcl*BXIi5 zfZ0S*Nv8)3ee^xrG_x?I`Ux7m4YJsE2+6*2ZO%j<)7e4ogE zbF3A5hwxyu8m)mS)wVKr`^*w%EzxyZHiPR{kl)|+FcmtdTm6o~5|++@C83*mZd0vi zt&>7se_7r>YBxP3?Ec_$o-tXD7TVIr(+(re61zI3(cH>9orKXNXNDCle6kFF#(BH*|*=kbw0dXBom|s zPqcw#H|!AV;(E|1;bo$2dUh|H0-G_ZF8Wh z898#8DmLpYRrR{*vOm-ub|ETPt!;-$6EW$l!sn)vwd%`oUcR*KagS=Ne<+ruR#kUt zmR$@JCmKwTtWMK5E5H2(qcT)R5*Tf{x}fsS<7=+C!{%UwjAbDBXd1J)VQn9U3bXS4 z7zC3q2&P#Dx!w53n&&5mHvfi7U-Dg;rPB%pRZfjCO@0+@%XnfHm;tZ#dNpwFmb|S5 z-qW3K)&EmTg7-I+J^y~BSW)Q@d-et|o(#l{LO>#Rp53HM?<-qZcw7w|0=OkZSfRPI z5948;n>Q^3IxvFFB@ufdOb+cv|8MjkV1Hq9&!&*Hxou7;!mr)5z`5MIh|!v zm9D6o&*ssJL#wx_7$1mTJDb2Ix5KcOeVGaM+PBqEi#b49IlLi0V69jl zp^*Q8$2;M}JLD57{1&&;?8V#DTRNEd-$;T^^;&<(eYY`DkVB#ME<8u&`DrqGa_W0i zq;0+Ir&dWJhGHiY2aL{jyAYgo6a-XS`Q#(5R=tlFQMQqrb069`T>{h#T7xqBj!rYO zr1Vt|UAkA0$*1<7;qKJVdORc*TzrHVI-H#F7KscTBY&~OES-qg*l4&<{!#D-$NUH7 z+fFV~$k1<~S{}7MwzLPwrKFa2pPEJP2iF~wU-n~p((`P+G2PIZuoUI-6U1K`Ar-py zV~}G8U!}-S>BWP8$QrZK&Jy%BWOkKQ0N9%rmdb8XakWD0U!nj^d~Pj3!;{QEG+I?{ z!5ro+nNQcNA@nDsVTdcztSY7|msM7PdXDozWulgXhPhNGl@@DN&7capx`rh2Z&bIE zgWDxv!Hc}=w_!>`1?Ew>sNsTWCwpWid|%C9!T+4(*z=2w1FLt7P&>Jv2vUQNBBa_E zl<2)E$j%N;pg;mAo=Ig9{IYGXsm|u^o1}UsXW_Z)Hpj6&D4GmrQh3b23Yp4nq_jCg z=vrSdXx>S-1N$u_;LJy2)p*1LId~%O4um=mA1QV(5eS;kM(pzRbx@WAM43SY~ zdA!(Av%_^sH7RvqH2PzLKd_mU@kMgan2Y~v9$+cwh(8{)p@I|9U4CTZGY>e+Jn)WT 
z6t1P}Pm9C^6Qle5j933zEbY}DK3~xi=UN$(EHBBI8pF*cMPuglRo^3GFYlo#Pz>d8 zU1u2W>e-Ax%3z~a4Rj;&0;7j-hkvIKAq`hJ_-qYq4QPVD07R)>Nbow0=&XPq66sp) zvS9W(dvx1ve}#Nk)>vp#nM7fUk<^{gTKX%a^|$~j@mG*f;LzK<09{?54^+`PO+m~% zWk^Zq{r7d4{ccCNG5o5Ew+lTEw2EI}P?ld0j=Re!Uovp-ou{PVpl3pNrs~wi_(8(Q zIvgYmiE^kn(!plD5}r?8{|(-**a5x<##eKv(bsIkm1=y1ec21Sx?(K5x%fB7i^!g` zMdG3Zp)4_~S9hCttXj7$jY8shQt>TW1+Ucq+3mh2Q|cp)c9F?KS0_kw7I zSs2et;{jRm$XXbm{E+6FSNFw~(g%v_`vW<-l9P|8t0$RcuW%oUy0Z(YO*N5G3U%E0 zgx2Aprqs%xqXlWpP{d|1=4+BE@{+GAC1~2DIf{4v z3$WBL9BC?&(**ZB%sEdaC2?x96-j3S;&gst_~dRA#p{71>B*p^u_x$qlviyDffD#e zzAZ6`QxcBpXMf0qfL(SrG3KZibrPB#Ezn5B<= z2vT#jZ%KZx(%N zLCa{OV~qGQ{fQG{ltMqcYs&5b&IBeRU|+Lp((9vI5DY|nUt%b6Oj8J!a$iHc`om#j zjW@XMlcakhp$lXMr%rTMT(HTZ%1K%oNb_+?>>>?Bv`3!0V({pBsn! z2zgm3X#2|2lNwgOsMg^AEG3gn$CJEH1^#FaG{Q#oL7y}k)}#*ooS@P$>$EqFQ(Y>9 z=hn%KemoGn)#&Y_$Qi|?Yv@S*M2AysIF)mVp>l<240+sSPI7W#N;?Fc4CAM{YFXR4 z`w4)m>BpO_vMt>_1UiM&h*`G$&F~8}aDct+JGl}_=A}A8BR;)ch38k=)=4vsp--W9 ze?VwZj*@m0Uop!toY)p98SxxgJg7NwcW5xvU)?4%N~1-v$a0)xQf%s07T2)ijAm(P znBM3lGO=Mk$mZ_0Qo=2_Fq2YhB}-|%w4_@q7+2IHo88-WG>UC}^-r1GfZJy7#&_NK zq~e$FZBfU{@6^AsVmbB0a#7(qJQO#vul%#I5zgG!Y+`T6c9`ltS@SK@;W>Q#7FGS( z*a~O%Xg0aDWjl=Xp3M0cY499gikn=1kJ=1pe)<-DkIMC)?EV%R@Em@Ai@rx~hchEL zn-F}D3iO@~_QPsgnkAIR$;y$&$uyBNVI1k+VQSsAlJ&q_kG@MU5s25y${Dqss&u*< z&X}Ah9Iu{|H)}RuYJb|(H9tW%UpA*?)o!xhz|Edgp5R=}tzmJ@3W(T-O{2fL(N3dx z>)ux+dV-sGDN z3U4j~i9)jbXe!rC+4Ra%pMzC;U?c@9I7JYU?C44mXAl_D2`bp?Um)-4;%`=5>YTv# z(}`*9*J`8_cEpxo;ili@`RWT= zQ3ezY9pwLCgZjG=&Hr}%e=1V{-;?~`rELD!44>cSt^c3GHi|NkQ2(ibeV-xUZIJhW GPyYijhRd@6 diff --git a/Solutions/Azure Activity/Package/createUiDefinition.json b/Solutions/Azure Activity/Package/createUiDefinition.json index d0abf6cd829..df21571a6ad 100644 --- a/Solutions/Azure Activity/Package/createUiDefinition.json +++ b/Solutions/Azure Activity/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Activity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Activity](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log) solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health [logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 13, **Hunting Queries:** 14\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Activity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Activity](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log) solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health [logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 13, **Hunting Queries:** 15\n\n[Learn more about Microsoft 
Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -558,6 +558,20 @@ } } ] + }, + { + "name": "huntingquery15", + "type": "Microsoft.Common.Section", + "label": "Azure Machine Learning Write Operations", + "elements": [ + { + "name": "huntingquery15-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)" + } + } + ] } ] } diff --git a/Solutions/Azure Activity/Package/mainTemplate.json b/Solutions/Azure Activity/Package/mainTemplate.json index 0c319dbeeb6..0eb9a577166 100644 --- a/Solutions/Azure Activity/Package/mainTemplate.json +++ b/Solutions/Azure Activity/Package/mainTemplate.json @@ -62,7 +62,7 @@ "dataConnectorVersion1": "2.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "huntingQueryObject1": { - "huntingQueryVersion1": "2.0.1", + "huntingQueryVersion1": "2.0.2", "_huntingQuerycontentId1": "ef7ef44e-6129-4d8e-94fe-b5530415d8e5", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ef7ef44e-6129-4d8e-94fe-b5530415d8e5')))]" }, 
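Review bot: The `huntingquery15-text` block in createUiDefinition.json promises the most prevalent users and the common source IP address for each account, which reads like an aggregated baseline. The part of the query visible in mainTemplate.json further down only filters and extends individual AzureActivity rows, and its end is not visible here. Unless it finishes with a `summarize` by `Caller` and `CallerIpAddress`, a hunter gets raw write events and has to build the baseline by hand. Either reword the text to match what is returned, for example `Lists write operations on Azure Machine Learning resources with the caller and source IP address for review.`, or add the aggregation to the query.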
@@ -131,6 +131,11 @@ "_huntingQuerycontentId14": "81fd68a2-9ad6-4a1c-7bd7-18efe5c99081", "huntingQueryTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('81fd68a2-9ad6-4a1c-7bd7-18efe5c99081')))]" }, + "huntingQueryObject15": { + "huntingQueryVersion15": "1", + "_huntingQuerycontentId15": "26d116bd-324b-4bb8-b102-d4a282607ad7", + "huntingQueryTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('26d116bd-324b-4bb8-b102-d4a282607ad7')))]" + }, "analyticRuleObject1": { "analyticRuleVersion1": "2.0.3", "_analyticRulecontentId1": "88f453ff-7b9e-45bb-8c12-4058ca5e44ee", 
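Review bot: `"huntingQueryVersion15": "1"` is not a three-part version string, unlike the neighbouring entries, which use values such as `"2.0.2"` and `"2.0.3"`. The same variable is used as the `contentVersion` of the template resource added further down, so the short form is carried into the deployed content. I would use `"huntingQueryVersion15": "1.0.0"`. If this file is packaging output, set the version as a quoted string in the query's source definition so it is not reduced to a bare number.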
@@ -422,7 +427,7 @@ "eTag": "*", "displayName": "Microsoft Sentinel Analytics Rules Administrative Operations", "category": "Hunting Queries", - "query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\n// Microsoft Sentinel Analytics - Rule Create / Update / Delete\nAzureActivity\n| where Category =~ \"Administrative\"\n| where OperationNameValue in~ (opValues)\n| where ActivitySubstatusValue in~ (\"Created\", \"OK\")\n| sort by TimeGenerated desc\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = CallerIpAddress\n", + "query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\n// Microsoft Sentinel Analytics - Rule Create / Update / Delete\nAzureActivity\n| where CategoryValue =~ \"Administrative\"\n| where OperationNameValue in~ (opValues)\n| where ActivitySubstatusValue in~ (\"Created\", \"OK\")\n| sort by TimeGenerated desc\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = CallerIpAddress\n", "version": 2, "tags": [ { 
@@ -477,9 +482,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Microsoft Sentinel Analytics Rules Administrative Operations", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.1')))]", - "version": "2.0.1" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", + "version": "2.0.2" } }, { 
@@ -1587,6 +1592,91 @@ "version": "2.0.1" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject15').huntingQueryTemplateSpecName15]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Machine_Learning_Creation_HuntingQueries Hunting Query with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Azure_Activity_Hunting_Query_15", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Azure Machine Learning Write Operations", + "category": "Hunting Queries", + "query": "AzureActivity\n| where ResourceProviderValue == \"MICROSOFT.MACHINELEARNINGSERVICES\" // Filter activities related to Microsoft Machine Learning Services\n| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string\n| extend subname = split(Hierarchy, \"/\") // Split Hierarchy to extract Subscription Name and ID\n| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID\n| extend Properties = parse_json(Properties) // Parse Properties as JSON\n| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string\n| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty\n// | where Properties_entity contains \"deepseek\" // Filter 
activities where Properties.entity contains \"deepseek\"\n| where OperationNameValue contains \"write\" // Filter activities where OperationNameValue contains \"write\"\n| where OperationNameValue !contains \"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" // Exclude role assignments\n| extend LLM = tostring(split(Properties_entity, \"/\")[-1]) // Extract the last segment of Properties_entity and cast it to string\n| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation." + }, + { + "name": "tactics", + "value": "InitialAccess,Execution,Impact" + }, + { + "name": "techniques", + "value": "T1078,T1059,T1496" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject15')._huntingQuerycontentId15),'/'))))]", + "properties": { + "description": "Azure Activity Hunting Query 15", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject15')._huntingQuerycontentId15)]", + "contentId": "[variables('huntingQueryObject15')._huntingQuerycontentId15]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject15').huntingQueryVersion15]", + "source": { + "kind": "Solution", + "name": "Azure Activity", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + 
"email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject15')._huntingQuerycontentId15]", + "contentKind": "HuntingQuery", + "displayName": "Azure Machine Learning Write Operations", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject15')._huntingQuerycontentId15,'-', '1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject15')._huntingQuerycontentId15,'-', '1')))]", + "version": "1" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -3167,8 +3257,8 @@ "SourceTenantId": "SourceTenantId" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Subscription {{SubscriptionId}} changed tenants\n", - "alertDescriptionFormat": "The user {{Caller}} moved a subscription:\n\n{{Summary}}\n\nIf this was not expected, it may indicate a subscription hijacking event.\n" + "alertDescriptionFormat": "The user {{Caller}} moved a subscription:\n\n{{Summary}}\n\nIf this was not expected, it may indicate a subscription hijacking event.\n", + "alertDisplayNameFormat": "Subscription {{SubscriptionId}} changed tenants\n" } } }, @@ -3400,7 +3490,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Azure Activity", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
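Review bot: The query added for `Azure_Activity_Hunting_Query_15` ends in `| distinct TimeGenerated, ...`, so it returns one row per event, while its description tag promises the most prevalent users and their common source IP addresses; nothing in the query counts or groups. An analyst cannot tell from that output which caller/IP pairs form the baseline and which are the outliers worth investigating. Ending the query with an aggregation such as `| summarize Operations = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SourceIPs = make_set(CallerIpAddress) by Caller, OperationNameValue, LLM` would match the description; otherwise the description should be reworded to say the query lists individual write events. The provider filter also uses the case-sensitive `==`, whereas the neighbouring query in this diff uses `=~` and `in~`; `| where ResourceProviderValue =~ "MICROSOFT.MACHINELEARNINGSERVICES"` avoids silently missing events if the value is ever logged in a different case. If this template is built from the hunting-query YAML, both changes belong in that YAML rather than here.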

    Note: Please refer to the following before installing the solution:

    \n

    • Review the solution Release Notes

    \n

    • There may be known issues pertaining to this Solution, please refer to them before installing.

    \n

    The Azure Activity solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health logs using Diagnostic Settings into Microsoft Sentinel.

    \n

    Data Connectors: 1, Workbooks: 2, Analytic Rules: 13, Hunting Queries: 14

    \n

    Learn more about Microsoft Sentinel | Learn more about Solutions

    \n", + "descriptionHtml": "

    Note: Please refer to the following before installing the solution:

    \n

    • Review the solution Release Notes

    \n

    • There may be known issues pertaining to this Solution, please refer to them before installing.

    \n

    The Azure Activity solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health logs using Diagnostic Settings into Microsoft Sentinel.

    \n

    Data Connectors: 1, Workbooks: 2, Analytic Rules: 13, Hunting Queries: 15

    \n

    Learn more about Microsoft Sentinel | Learn more about Solutions

    \n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3500,6 +3590,11 @@ "contentId": "[variables('huntingQueryObject14')._huntingQuerycontentId14]", "version": "[variables('huntingQueryObject14').huntingQueryVersion14]" }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject15')._huntingQuerycontentId15]", + "version": "[variables('huntingQueryObject15').huntingQueryVersion15]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/Azure Activity/ReleaseNotes.md b/Solutions/Azure Activity/ReleaseNotes.md index 0a5aa944bfb..4c10fa37a46 100644 --- a/Solutions/Azure Activity/ReleaseNotes.md +++ b/Solutions/Azure Activity/ReleaseNotes.md @@ -1,6 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------------------------------------| -| 3.0.3 | 30-04-2024 | Added new **Workbook** Azure Service Health to the Solution | +| 3.0.3 | 05-02-2025 | Added new **Workbook** Azure Service Health to the Solution and added new **Hunting query** Machine_Learning_Creation.yaml | | 3.0.2 | 21-02-2024 | Modified Entity Mappings of **Analytic Rules** | | 3.0.1 | 23-01-2024 | Added subTechniques in Template | | 3.0.0 | 06-11-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.
    Optimized the **Analytic Rule** query logic to achieve expected results |