From dd0be8e9f430b4b5b513f159ad630648223df91d Mon Sep 17 00:00:00 2001 
From: vinit-elastic Date: Fri, 15 Apr 2022 16:13:43 +0530 Subject: [PATCH 1/4] Added Cloud NSS support to zscaler_zia package. --- packages/zscaler_zia/_dev/build/build.yml | 2 +- .../zscaler_zia/_dev/build/docs/README.md | 67 +++++--- .../_dev/deploy/docker/docker-compose.yml | 36 ++++ .../docker/sample_logs/dns-http_endpoint.log | 1 + .../sample_logs/firewall-http_endpoint.log | 1 + .../sample_logs/tunnel-http_endpoint.log | 1 + .../docker/sample_logs/web-http_endpoint.log | 1 + packages/zscaler_zia/changelog.yml | 11 +- .../alerts/_dev/test/pipeline/test-alerts.log | 6 +- .../pipeline/test-alerts.log-expected.json | 18 +- .../elasticsearch/ingest_pipeline/default.yml | 10 +- .../data_stream/alerts/manifest.yml | 4 +- .../data_stream/alerts/sample_event.json | 17 +- .../test/pipeline/test-dns-http_endpoint.log | 1 + .../test-dns-http_endpoint.log-expected.json | 74 ++++++++ .../dns/_dev/test/pipeline/test-dns.log | 2 +- .../test/pipeline/test-dns.log-expected.json | 6 +- .../test/system/test-http-endpoint-config.yml | 8 + ...default-config.yml => test-tcp-config.yml} | 1 + .../dns/agent/stream/http_endpoint.yml.hbs | 22 +++ .../elasticsearch/ingest_pipeline/default.yml | 52 ++++-- .../zscaler_zia/data_stream/dns/manifest.yml | 42 ++++- .../data_stream/dns/sample_event.json | 17 +- .../pipeline/test-firewall-http_endpoint.log | 1 + ...t-firewall-http_endpoint.log-expected.json | 100 +++++++++++ .../_dev/test/pipeline/test-firewall.log | 2 +- .../pipeline/test-firewall.log-expected.json | 14 +- .../test/system/test-http-endpoint-config.yml | 8 + ...default-config.yml => test-tcp-config.yml} | 0 .../agent/stream/http_endpoint.yml.hbs | 22 +++ .../elasticsearch/ingest_pipeline/default.yml | 149 +++++++++++----- .../data_stream/firewall/fields/fields.yml | 10 +- .../data_stream/firewall/manifest.yml | 42 ++++- .../data_stream/firewall/sample_event.json | 17 +- .../pipeline/test-tunnel-http_endpoint.log | 1 + ...est-tunnel-http_endpoint.log-expected.json | 54 ++++++ 
.../tunnel/_dev/test/pipeline/test-tunnel.log | 6 +- .../pipeline/test-tunnel.log-expected.json | 18 +- .../test/system/test-http-endpoint-config.yml | 8 + ...default-config.yml => test-tcp-config.yml} | 0 .../tunnel/agent/stream/http_endpoint.yml.hbs | 22 +++ .../elasticsearch/ingest_pipeline/default.yml | 62 +++++-- .../data_stream/tunnel/manifest.yml | 42 ++++- .../data_stream/tunnel/sample_event.json | 17 +- .../test/pipeline/test-web-http_endpoint.log | 1 + .../test-web-http_endpoint.log-expected.json | 115 +++++++++++++ .../web/_dev/test/pipeline/test-web.log | 10 +- .../test/pipeline/test-web.log-expected.json | 30 ++-- .../test/system/test-http-endpoint-config.yml | 8 + ...default-config.yml => test-tcp-config.yml} | 0 .../web/agent/stream/http_endpoint.yml.hbs | 22 +++ .../elasticsearch/ingest_pipeline/default.yml | 34 +++- .../zscaler_zia/data_stream/web/manifest.yml | 42 ++++- .../data_stream/web/sample_event.json | 17 +- packages/zscaler_zia/docs/README.md | 160 ++++++++++-------- packages/zscaler_zia/img/cloud_nss_feeds.png | Bin 0 -> 31859 bytes packages/zscaler_zia/manifest.yml | 47 ++++- 57 files changed, 1176 insertions(+), 305 deletions(-) create mode 100644 packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns-http_endpoint.log create mode 100644 packages/zscaler_zia/_dev/deploy/docker/sample_logs/firewall-http_endpoint.log create mode 100644 packages/zscaler_zia/_dev/deploy/docker/sample_logs/tunnel-http_endpoint.log create mode 100644 packages/zscaler_zia/_dev/deploy/docker/sample_logs/web-http_endpoint.log create mode 100644 packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log create mode 100644 packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json create mode 100644 packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml rename packages/zscaler_zia/data_stream/dns/_dev/test/system/{test-default-config.yml => test-tcp-config.yml} (92%) create 
mode 100644 packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs create mode 100644 packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log create mode 100644 packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json create mode 100644 packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml rename packages/zscaler_zia/data_stream/firewall/_dev/test/system/{test-default-config.yml => test-tcp-config.yml} (100%) create mode 100644 packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs create mode 100644 packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log create mode 100644 packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json create mode 100644 packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml rename packages/zscaler_zia/data_stream/tunnel/_dev/test/system/{test-default-config.yml => test-tcp-config.yml} (100%) create mode 100644 packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs create mode 100644 packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log create mode 100644 packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json create mode 100644 packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml rename packages/zscaler_zia/data_stream/web/_dev/test/system/{test-default-config.yml => test-tcp-config.yml} (100%) create mode 100644 packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs create mode 100644 packages/zscaler_zia/img/cloud_nss_feeds.png diff --git a/packages/zscaler_zia/_dev/build/build.yml b/packages/zscaler_zia/_dev/build/build.yml index 809e76063e9..d61527283ec 100644 --- a/packages/zscaler_zia/_dev/build/build.yml 
+++ b/packages/zscaler_zia/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: git@8.0
+ reference: git@8.2
diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md
index a54cd87b0e7..757d1aab565 100644
--- a/packages/zscaler_zia/_dev/build/docs/README.md
+++ b/packages/zscaler_zia/_dev/build/docs/README.md
@@ -1,36 +1,55 @@ # Zscaler ZIA -This integration is for Zscaler Internet Access logs. It can be used -to receive logs sent by NSS log server on respective TCP ports. +This integration is for Zscaler Internet Access logs. It can be used to receive logs sent by NSS feeds on TCP port or Cloud NSS on HTTP Endpoint input methods. -The log message is expected to be in JSON format. The data is mapped to -ECS fields where applicable and the remaining fields are written under -`zscaler_zia..*`. +The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under `zscaler_zia..*`. -## Setup steps +## Steps for setting up NSS Feeds 1. Enable the integration with the TCP input. -2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscalar NSS Server and NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add an NSS Server. - - Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support. - - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. +2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). 
Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps. + - In the ZIA Admin Portal, add a NSS Server. + - Log in to the ZIA Admin Portal using your admin account. + - Add a NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. - Verify that the state of the NSS Server is healthy. - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. - In the State column, confirm that the state of the NSS server is healthy. ![NSS server setup image](../img/nss_server.png?raw=true) - - In the ZIA Admin Portal, add an NSS Feed. + - In the ZIA Admin Portal, add a NSS Feed. - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. - - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. + - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create a NSS Feed for each log type. - **Alerts**: 9010 - **DNS**: 9011 - **Firewall**: 9012 - **Tunnel**: 9013 - **Web**: 9014 - - **Feed Output Type**: Select Custom paste the appropriate response format as follows: - ![NSS feeds setup image](../img/nss_feeds.png?raw=true) - -3. 
*Please make sure to use the given response formats.* + - **Feed Output Type**: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows: + ![NSS Feeds setup image](../img/nss_feeds.png?raw=true) + + +## Steps for setting up Cloud NSS Feeds + +1. Enable the integration with the HTTP Endpoint input. +2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps. + - In the ZIA Admin Portal, add a Cloud NSS Feed. + - Log in to the ZIA Admin Portal using your admin account. + - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). + - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. + - Give Feed Name, change status to Enabled. + - Select NSS Type. + - Change SIEM Type to other. + - Add an API URL. + - Default ports: + - **DNS**: 9556 + - **Firewall**: 9557 + - **Tunnel**: 9558 + - **Web**: 9559 + - Select JSON as feed output type. + - Add appropriate HTTP headers. + ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) + +**Please make sure to use the given response formats for NSS and Cloud NSS Feeds.** ## Compatibility @@ -40,7 +59,7 @@ This package has been tested against `Zscaler Internet Access version 6.1` ### Alerts -Default port: _9010_ +- Default port (NSS Feed): _9010_ Vendor documentation: https://help.zscaler.com/zia/about-alerts @@ -56,7 +75,8 @@ Sample Response: ### DNS Log -Default port: _9011_ +- Default port (NSS Feed): _9011_ +- Default port (Cloud NSS Feed): _9556_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs 
@@ -72,7 +92,8 @@ Sample Response: ### Firewall Log -Default port: _9012_ +- Default port (NSS Feed): _9012_ +- Default port (Cloud NSS Feed): _9557_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs @@ -88,7 +109,8 @@ Sample Response: ### Tunnel Log -Default port: _9013_ +- Default port (NSS Feed): _9013_ +- Default port (Cloud NSS Feed): _9558_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-tunnel-logs @@ -117,8 +139,9 @@ Sample Response: ### Web Log -Default port: _9014_ -Add characters **"** and **\\** in **feed escape character** while configuring Web Log. +- Default port (NSS Feed): _9014_ +- Default port (Cloud NSS Feed): _9559_ +- Add characters **"** and **\\** in **feed escape character** while configuring Web Log. ![Escape feed setup image](../img/escape_feed.png?raw=true) Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs diff --git a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml index f76b2156e6b..52fca6aaf8c 100644 --- a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml +++ b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml 
@@ -30,3 +30,39 @@ services:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
 command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9014 -p=tcp /sample_logs/web.log"
+ zscaler-zia-dns-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9556/
+ - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/dns-http_endpoint.log
+ zscaler-zia-firewall-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9557/
+ - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/firewall-http_endpoint.log
+ zscaler-zia-tunnel-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9558/
+ - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/tunnel-http_endpoint.log
+ zscaler-zia-web-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.6.2
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9559/
+ - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/web-http_endpoint.log
diff --git a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns-http_endpoint.log b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns-http_endpoint.log
new file mode 100644
index 00000000000..d4ec642282d
--- /dev/null
+++ b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns-http_endpoint.log
@@ -0,0 +1 @@ +{"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"Unknown","reqaction":"None","datetime":"Tue Dec 31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}} diff --git a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/firewall-http_endpoint.log b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/firewall-http_endpoint.log new file mode 100644 index 00000000000..3c472cc3b4b --- /dev/null +++ b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/firewall-http_endpoint.log @@ -0,0 +1 @@ +{"sourcetype":"zscalernss-fw", "event":{"durationms":"0","avgduration":"0","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"0","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"0","tunsport":"0","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"0","cdip":"0.0.0.0"}} diff --git a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/tunnel-http_endpoint.log b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/tunnel-http_endpoint.log new file mode 100644 index 00000000000..61ae92fd0ba --- /dev/null +++ b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/tunnel-http_endpoint.log 
@@ -0,0 +1 @@ +{"sourcetype":"zscalernss-tunnel", "event":{"location":"Unknown","sourceport":"0","rxbytes":"0","tunneltype":"GRE","dpdrec":"0","destinationip":"0.0.0.0","recordid":"7083020000000007968","datetime":"Tue Dec 31 08:08:08 2021","sourceip":"0.0.0.0","txbytes":"0","Recordtype":"Tunnel Samples","user":"Unknown"}} diff --git a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/web-http_endpoint.log b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/web-http_endpoint.log new file mode 100644 index 00000000000..329456f3000 --- /dev/null +++ b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/web-http_endpoint.log @@ -0,0 +1 @@ +{ "sourcetype" : "zscalernss-web", "event" :{"time":"2021-12-31 08:08:08","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"1.128.3.4","sip":"1.128.3.4","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml index 77542ffe378..81bb5d33c3d 100644 --- a/packages/zscaler_zia/changelog.yml +++ b/packages/zscaler_zia/changelog.yml 
@@ -1,12 +1,17 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Added input for Cloud NSS using HTTP Endpoint input type. + type: enhancement + link: https://github.com/elastic/integrations/pull/xxxx - version: "0.1.3" changes: - - description: Updated the image file reference in README file + - description: Updated the image file reference in README file. type: enhancement link: https://github.com/elastic/integrations/pull/3038 - version: "0.1.2" changes: - - description: Add documentation for multi-fields + - description: Add documentation for multi-fields. type: enhancement link: https://github.com/elastic/integrations/pull/2916 - version: "0.1.1" @@ -16,6 +21,6 @@ link: https://github.com/elastic/integrations/pull/2773 - version: "0.1.0" changes: - - description: Initial draft of the package + - description: Initial draft of the package. type: enhancement link: https://github.com/elastic/integrations/pull/2459 diff --git a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log index 564e8e7178c..0ee51313e0d 100644 --- a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log +++ b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log 
@@ -1,3 +1,3 @@ -<114>Dec 10 14:04:28 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes -<114>Dec 10 13:40:32 [81.2.69.193] ZscalerNSS: SIEM Feed connection "DNS Logs Feed" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes -<114>Dec 10 13:44:07 [81.2.69.193] Hey, that's a new type of alert. Isn't it? +<114>Dec 31 12:01:04 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes +<114>Dec 31 13:02:05 [81.2.69.193] ZscalerNSS: SIEM Feed connection "DNS Logs Feed" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes +<114>Dec 31 14:03:06 [81.2.69.193] Hey, that's a new type of alert. Isn't it? diff --git a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json index 69a341f40bb..54b51a184ea 100644 --- a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json +++ b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json @@ -1,17 +1,17 @@ { "expected": [ { - "@timestamp": "2022-12-10T14:04:28.000Z", + "@timestamp": "2022-12-31T12:01:04.000Z", "destination": { "address": "175.16.199.1", "ip": "175.16.199.1", "port": 443 }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { - "original": "\u003c114\u003eDec 10 14:04:28 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes" + "original": "\u003c114\u003eDec 31 12:01:04 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes" }, "log": { "syslog": { 
@@ -34,17 +34,17 @@ } }, { - "@timestamp": "2022-12-10T13:40:32.000Z", + "@timestamp": "2022-12-31T13:02:05.000Z", "destination": { "address": "81.2.69.193", "ip": "81.2.69.193", "port": 9012 }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { - "original": "\u003c114\u003eDec 10 13:40:32 [81.2.69.193] ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes" + "original": "\u003c114\u003eDec 31 13:02:05 [81.2.69.193] ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes" }, "log": { "syslog": { @@ -68,16 +68,16 @@ } }, { - "@timestamp": "2022-12-10T13:44:07.000Z", + "@timestamp": "2022-12-31T14:03:06.000Z", "destination": { "address": "81.2.69.193", "ip": "81.2.69.193" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { - "original": "\u003c114\u003eDec 10 13:44:07 [81.2.69.193] Hey, that's a new type of alert. Isn't it?" + "original": "\u003c114\u003eDec 31 14:03:06 [81.2.69.193] Hey, that's a new type of alert. Isn't it?" }, "log": { "syslog": { diff --git a/packages/zscaler_zia/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml index 8f9acf997c5..f29273dfca2 100644 --- a/packages/zscaler_zia/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for Zscaler alert logs processors: - set: field: ecs.version - value: '8.0.0' + value: '8.2.0' - rename: field: message target_field: event.original 
@@ -23,12 +23,12 @@ processors: target_field: destination.ip type: ip ignore_failure: true - - append: + - append: field: related.ip value: "{{{destination.ip}}}" if: ctx?.destination?.ip != null ignore_failure: true - - date: + - date: field: _tmp.timestamp target_field: '@timestamp' ignore_failure: true @@ -37,8 +37,8 @@ processors: - MMM dd HH:mm:ss - MMM d HH:mm:ss - ISO8601 - - remove: - field: + - remove: + field: - _tmp ignore_missing: true - remove: diff --git a/packages/zscaler_zia/data_stream/alerts/manifest.yml b/packages/zscaler_zia/data_stream/alerts/manifest.yml index 1bd14b8c53d..6dec78145d8 100644 --- a/packages/zscaler_zia/data_stream/alerts/manifest.yml +++ b/packages/zscaler_zia/data_stream/alerts/manifest.yml @@ -4,7 +4,7 @@ streams: - input: tcp template_path: tcp.yml.hbs title: Zscaler Internet Access Alerts - description: Collect Zscaler Internet Access Alerts using tcp input + description: Collect Zscaler Internet Access Alerts using TCP Input. vars: - name: listen_port type: integer @@ -27,7 +27,7 @@ streams: required: true show_user: true title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` + description: Preserves a raw copy of the original event, added to the field `event.original`. type: bool multi: false default: false diff --git a/packages/zscaler_zia/data_stream/alerts/sample_event.json b/packages/zscaler_zia/data_stream/alerts/sample_event.json index 0749ca369ad..22f6aca8890 100644 --- a/packages/zscaler_zia/data_stream/alerts/sample_event.json +++ b/packages/zscaler_zia/data_stream/alerts/sample_event.json 
@@ -1,12 +1,11 @@ { "@timestamp": "2022-12-10T13:40:32.000Z", "agent": { - "ephemeral_id": "8c093fcf-fb2f-4baa-b794-40edb011194d", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "b7f77db9-92fe-4935-8387-b2cb545bcfc6", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "data_stream": { "dataset": "zscaler_zia.alerts", @@ -19,24 +18,24 @@ "port": 9012 }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "agent_id_status": "verified", "dataset": "zscaler_zia.alerts", - "ingested": "2022-02-04T06:31:25Z" + "ingested": "2022-04-13T17:21:34Z" }, "input": { "type": "tcp" }, "log": { "source": { - "address": "172.21.0.7:32902" + "address": "1.128.3.4:32902" }, "syslog": { "priority": 114 diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log new file mode 100644 index 00000000000..d4ec642282d --- /dev/null +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log @@ -0,0 +1 @@ +{"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"Unknown","reqaction":"None","datetime":"Tue Dec 31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}} 
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json new file mode 100644 index 00000000000..0448e767cf1 --- /dev/null +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json @@ -0,0 +1,74 @@ +{ + "expected": [ + { + "@timestamp": "2021-12-31T02:22:22.000Z", + "client": { + "ip": "0.0.0.0" + }, + "dns": { + "answers": { + "name": "NotFound" + }, + "question": { + "name": "Unknown", + "type": "NotFound" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": "network", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-dns\",\"input\": {\"type\": \"http_endpoint\"}, \"event\":{\"location\":\"Unknown\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"dns_req\":\"Unknown\",\"resaction\":\"None\",\"durationms\":\"34000\",\"category\":\"Other\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"NotFound\",\"dns_resp\":\"NotFound\",\"department\":\"Unknown\",\"user\":\"Unknown\",\"reqaction\":\"None\",\"datetime\":\"Tue Dec 31 02:22:22 2021\",\"srv_dip\":\"0.0.0.0\",\"clt_sip\":\"0.0.0.0\",\"reqrulelabel\":\"None\",\"srv_dport\":\"0\"}}", + "type": [ + "info" + ] + }, + "related": { + "hosts": [ + "NA" + ], + "ip": [ + "0.0.0.0" + ] + }, + "server": { + "ip": "0.0.0.0", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "Unknown", + "name": "NA" + }, + "zscaler_zia": { + "dns": { + "department": "Unknown", + "dom": { + "category": "Other" + }, + "duration": { + "milliseconds": 34000 + }, + "hostname": "NA", + "location": "Unknown", + "request": { + "action": "None", + "rule": { + "label": "None" + } + }, + "response": { + "action": "None", + "rule": { + "label": "None" + } + } + } + } + } + ] +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log index 747c8eb690b..f6590856485 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log @@ -1 +1 @@ -{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}} +{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 31 01:11:11 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}} diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json index 86a5cb3258d..3b0ef70c21f 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json 
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2021-12-17T07:27:54.000Z", + "@timestamp": "2021-12-31T01:11:11.000Z", "client": { "geo": { "city_name": "London", @@ -27,12 +27,12 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "category": "network", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-dns\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"location\":\"TestLoc%20DB\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"Some Response Action\",\"reqrulelabel\":\"Access%20Blocked\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"Some type\",\"dns_req\":\"example.com\",\"dns_resp\":\"Some response string\",\"srv_dport\":\"8080\",\"durationms\":\"123456\",\"clt_sip\":\"81.2.69.193\",\"srv_dip\":\"81.2.69.144\",\"category\":\"Professional Services\",\"deviceowner\":\"Owner77\",\"devicehostname\":\"Machine9000\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-dns\", \"event\" :{\"datetime\":\"Fri Dec 31 01:11:11 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"location\":\"TestLoc%20DB\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"Some Response Action\",\"reqrulelabel\":\"Access%20Blocked\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"Some type\",\"dns_req\":\"example.com\",\"dns_resp\":\"Some response string\",\"srv_dport\":\"8080\",\"durationms\":\"123456\",\"clt_sip\":\"81.2.69.193\",\"srv_dip\":\"81.2.69.144\",\"category\":\"Professional Services\",\"deviceowner\":\"Owner77\",\"devicehostname\":\"Machine9000\"}}", "type": [ "info" ] diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml new file mode 100644 index 00000000000..fc0df672c48 --- /dev/null +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml 
@@ -0,0 +1,8 @@
+service: zscaler-zia-dns-http-endpoint
+service_notify_signal: SIGHUP
+input: http_endpoint
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9556
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
similarity index 92%
rename from packages/zscaler_zia/data_stream/dns/_dev/test/system/test-default-config.yml
rename to packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
index aceefd2a166..c92d298cbf5 100644
--- a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
@@ -1,5 +1,6 @@
 service: zscaler-zia-dns-tcp
 service_notify_signal: SIGHUP
+input: tcp
 vars:
 listen_address: 0.0.0.0
 data_stream:
diff --git a/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..483a999bf10
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,22 @@
+http_endpoint:
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+content_type: ""
+preserve_original_event: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
index cbad42a808a..b8701354a45 100644
--- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
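Review bot: The rendered http_endpoint stream gives an operator no way to authenticate or encrypt the feed pushed to it: the template renders neither the input's `secret.header`/`secret.value` nor its `basic_auth` options, and TLS is only configured when an `ssl` value happens to be supplied, so whatever can reach `listen_port` can inject events into the data stream. Consider rendering an optional shared-secret or basic-auth block from manifest vars (e.g. `{{#if secret_header}}` around `secret.header: {{secret_header}}` and `secret.value: {{secret_value}}`, names constructed here) and noting in the stream description that `ssl` should be set for a listener exposed to the internet. The leading `http_endpoint:` line with nothing after it renders as a null-valued top-level key beside `listen_address`; if that is following the older `tcp:` template convention it is harmless, otherwise it looks like a leftover worth dropping. The firewall template added later in this patch under `firewall/agent/stream/http_endpoint.yml.hbs` is byte-identical and has the same gaps.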
+++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Zscaler dns logs
 processors:
 - set:
 field: ecs.version
- value: '8.0.0'
+ value: '8.2.0'
 - rename:
 field: message
 target_field: event.original
@@ -11,10 +11,16 @@ processors:
 - json:
 field: event.original
 target_field: resp
+ ignore_failure: true
+ - remove:
+ field: json
+ if: ctx?.input?.type == 'http_endpoint'
+ ignore_missing: true
 - rename:
 field: resp.event
 target_field: json
- - remove:
+ ignore_missing: true
+ - remove:
 field: resp
 ignore_missing: true
 - date:
@@ -25,8 +31,20 @@ processors:
 - E MMM dd HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
+ - yyyy-mm-dd HH:mm:ss
+ - date:
+ field: json.time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - yyyy-MM-dd HH:mm:ss
 - remove:
- field: json.datetime
+ field:
+ - json.time
+ - json.datetime
 ignore_missing: true
 - set:
 field: event.category
@@ -37,7 +55,7 @@ processors:
 - append:
 field: event.type
 value: info
- - rename:
+ - rename:
 field: json.clt_sip
 target_field: client.ip
 ignore_missing: true
@@ -59,19 +77,19 @@ processors:
 if: ctx?.client?.ip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.dns_resp
 target_field: dns.answers.name
 ignore_missing: true
- - rename:
+ - rename:
 field: json.dns_req
 target_field: dns.question.name
 ignore_missing: true
- - rename:
+ - rename:
 field: json.dns_reqtype
 target_field: dns.question.type
 ignore_missing: true
- - rename:
+ - rename:
 field: json.srv_dip
 target_field: server.ip
 ignore_missing: true
@@ -93,7 +111,7 @@ processors:
 if: ctx?.server?.ip != null
 allow_duplicates: false
 ignore_failure: true
- - convert:
+ - convert:
 field: json.srv_dport
 target_field: server.port
 type: long
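Review bot: The format appended to the `json.datetime` date processor, `yyyy-mm-dd HH:mm:ss`, has lowercase `mm` (minute-of-hour) in the month position, so it will not parse an ISO-style date and differs from the sibling `json.time` processor's `yyyy-MM-dd HH:mm:ss`; change it to `- yyyy-MM-dd HH:mm:ss`. The firewall pipeline's `@@ -34,41 +40,57 @@` hunk later in this patch carries the same typo. Separately, `ignore_failure: true` on the `json` processor means a body that is not valid JSON now flows through with no `resp`/`json` fields and no `error.message`, because `on_failure` is never reached; if that is the intended best-effort behaviour, a one-line comment above the processor saying so would spare the next reader the investigation.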
@@ -101,14 +119,14 @@ processors:
 - remove:
 field: json.srv_dport
 ignore_missing: true
- - urldecode:
+ - urldecode:
 field: json.user
 target_field: user.email
 ignore_missing: true
- - remove:
+ - remove:
 field: json.user
 ignore_missing: true
- - rename:
+ - rename:
 field: json.deviceowner
 target_field: user.name
 ignore_missing: true
@@ -116,14 +134,14 @@ processors:
 field: json.department
 target_field: zscaler_zia.dns.department
 ignore_missing: true
- - remove:
+ - remove:
 field: json.department
 ignore_missing: true
 - urldecode:
 field: json.location
 target_field: zscaler_zia.dns.location
 ignore_missing: true
- - remove:
+ - remove:
 field: json.location
 ignore_missing: true
 - rename:
@@ -138,14 +156,14 @@ processors:
 field: json.reqrulelabel
 target_field: zscaler_zia.dns.request.rule.label
 ignore_missing: true
- - remove:
+ - remove:
 field: json.reqrulelabel
 ignore_missing: true
 - urldecode:
 field: json.resrulelabel
 target_field: zscaler_zia.dns.response.rule.label
 ignore_missing: true
- - remove:
+ - remove:
 field: json.resrulelabel
 ignore_missing: true
 - convert:
@@ -195,7 +213,7 @@ processors:
 for (Map.Entry m : ctx.json.entrySet()) {
 ctx.zscaler_zia.dns[m.getKey()] = m.getValue();
 }
- - remove:
+ - remove:
 field: json
 ignore_failure: true
 - remove:
diff --git a/packages/zscaler_zia/data_stream/dns/manifest.yml b/packages/zscaler_zia/data_stream/dns/manifest.yml
index a47e838e8c3..f50fa29323f 100644
--- a/packages/zscaler_zia/data_stream/dns/manifest.yml
+++ b/packages/zscaler_zia/data_stream/dns/manifest.yml
@@ -4,7 +4,7 @@ streams:
 - input: tcp
 template_path: tcp.yml.hbs
 title: Zscaler Internet Access DNS Logs
- description: Collect Zscaler Internet Access DNS logs using tcp input
+ description: Collect Zscaler Internet Access DNS logs using TCP Input.
 vars:
 - name: listen_port
 type: integer
@@ -27,7 +27,45 @@ streams:
 required: true
 show_user: true
 title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Zscaler Internet Access DNS Logs
+ description: Collect Zscaler Internet Access DNS logs via HTTP Endpoint Input.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9556
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-dns
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
 type: bool
 multi: false
 default: false
diff --git a/packages/zscaler_zia/data_stream/dns/sample_event.json b/packages/zscaler_zia/data_stream/dns/sample_event.json
index 86b91a6988c..81ea6eb73ce 100644
--- a/packages/zscaler_zia/data_stream/dns/sample_event.json
+++ b/packages/zscaler_zia/data_stream/dns/sample_event.json
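Review bot: The new `http_endpoint` stream declares `listen_port`, `tags` and `preserve_original_event`, but its template also reads `ssl` and `processors`, neither of which is declared for this stream within the hunk; unless they are declared below it, the `{{#if ssl}}` block can never render and the listener is plaintext-only with no way for an operator to change that. If they are indeed missing, add `- name: ssl` with `type: yaml` (and the same `processors` var the tcp stream above just gained) to this stream's `vars`. The firewall manifest hunk later in this patch mirrors this stream line for line and needs the same check.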
@@ -1,12 +1,11 @@
 {
 "@timestamp": "2021-12-17T07:27:54.000Z",
 "agent": {
- "ephemeral_id": "d288c261-b8db-45af-99c0-a673c3c6d8e1",
- "hostname": "docker-fleet-agent",
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "ephemeral_id": "29f002d2-defe-484e-81f8-ec2dace901c3",
+ "id": "638019f9-173e-4c24-9e28-64b128c92162",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.16.2"
+ "version": "8.1.2"
 },
 "client": {
 "geo": {
@@ -38,18 +37,18 @@
 }
 },
 "ecs": {
- "version": "8.0.0"
+ "version": "8.2.0"
 },
 "elastic_agent": {
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "id": "638019f9-173e-4c24-9e28-64b128c92162",
 "snapshot": false,
- "version": "7.16.2"
+ "version": "8.1.2"
 },
 "event": {
 "agent_id_status": "verified",
 "category": "network",
 "dataset": "zscaler_zia.dns",
- "ingested": "2022-02-04T06:32:56Z",
+ "ingested": "2022-04-13T17:25:57Z",
 "kind": "event",
 "type": [
 "info"
@@ -60,7 +59,7 @@
 },
 "log": {
 "source": {
- "address": "172.21.0.7:54202"
+ "address": "1.128.3.4:59018"
 }
 },
 "related": {
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log
new file mode 100644
index 00000000000..3c472cc3b4b
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log
@@ -0,0 +1 @@
+{"sourcetype":"zscalernss-fw", "event":{"durationms":"0","avgduration":"0","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"0","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"0","tunsport":"0","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"0","cdip":"0.0.0.0"}}
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json
new file mode 100644
index 00000000000..07799cc1032
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json
@@ -0,0 +1,100 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-31T02:22:22.000Z",
+ "client": {
+ "bytes": 0
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "outofrange",
+ "category": "network",
+ "kind": "event",
+ "original": "{\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"0\",\"avgduration\":\"0\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"0\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"0\",\"tunsport\":\"0\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"0\",\"cdip\":\"0.0.0.0\"}}",
+ "type": "info"
+ },
+ "host": {
+ "hostname": "NA"
+ },
+ "network": {
+ "application": "NotAvailable",
+ "protocol": "none",
+ "transport": "ip"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0"
+ ]
+ },
+ "rule": {
+ "name": [
+ "None"
+ ]
+ },
+ "server": {
+ "bytes": 0,
+ "geo": {
+ "country_name": "NA"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "email": "Unknown",
+ "name": "NA"
+ },
+ "zscaler_zia": {
+ "firewall": {
+ "aggregate": "No",
+ "client": {
+ "destination": {
+ "ip": "0.0.0.0",
+ "port": 120
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "port": 0
+ }
+ },
+ "department": "Unknown",
+ "duration": {
+ "avg": 0.0,
+ "milliseconds": 0.0,
+ "seconds": 0.0
+ },
+ "ip_category": "Other",
+ "location": {
+ "name": "Unknown"
+ },
+ "nat": "No",
+ "server": {
+ "destination": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "port": 0
+ }
+ },
"session": {
+ "count": 1.0
+ },
+ "stateful": "Yes",
+ "threat": {
+ "category": "None",
+ "name": "None"
+ },
+ "tunnel": {
+ "ip": "0.0.0.0",
+ "port": 0,
+ "type": "OutOfRange"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log
index b044d16f17e..73fa8b6ef30 100644
--- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log
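Review bot: `event.type` is expected as the scalar `"info"` here, whereas the dns and tunnel expectations in this same patch carry `["info"]`; ECS defines `event.type` as an array, and having one data stream of the package emit a scalar and the others an array makes cross-stream queries and dashboards inconsistent. That difference points at the firewall pipeline (its `event.type` processor is not in these hunks) using `set` where the dns pipeline uses `append`; switching it to `append` and regenerating this fixture would align the three streams.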
@@ -1 +1 @@
-{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":0,"durationms":486,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}}
+{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 31 07:07:07 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":0,"durationms":486,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}}
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
index 89906aa930a..c0d68f85e7a 100644
--- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json
@@ -1,18 +1,18 @@
 {
 "expected": [
 {
- "@timestamp": "2021-12-17T07:27:54.000Z",
+ "@timestamp": "2021-12-31T07:07:07.000Z",
 "client": {
 "bytes": 1734
 },
 "ecs": {
- "version": "8.0.0"
+ "version": "8.2.0"
 },
 "event": {
 "action": "drop",
 "category": "network",
 "kind": "event",
- "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}",
+ "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 31 07:07:07 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}",
 "type": "info"
 },
 "host": {
@@ -62,9 +62,9 @@
 },
 "department": "Unknown",
 "duration": {
- "avg": 486,
- "milliseconds": 486,
- "seconds": 0
+ "avg": 486.0,
+ "milliseconds": 486.0,
+ "seconds": 0.0
 },
 "ip_category": "Test Name",
 "location": {
@@ -82,7 +82,7 @@
 }
 },
 "session": {
- "count": 1
+ "count": 1.0
 },
 "stateful": "Yes",
 "threat": {
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml
new file mode 100644
index 00000000000..f51683b6d4f
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml
@@ -0,0 +1,8 @@
+service: zscaler-zia-firewall-http-endpoint
+service_notify_signal: SIGHUP
+input: http_endpoint
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9557
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml
similarity index 100%
rename from packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-default-config.yml
rename to packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml
diff --git a/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..483a999bf10
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,22 @@
+http_endpoint:
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+content_type: ""
+preserve_original_event: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index f27a8cfea02..7e06bdce65f 100644
--- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Zscaler firewall logs
 processors:
 - set:
 field: ecs.version
- value: '8.0.0'
+ value: '8.2.0'
 - rename:
 field: message
 target_field: event.original
@@ -11,10 +11,16 @@ processors:
 - json:
 field: event.original
 target_field: resp
+ ignore_failure: true
+ - remove:
+ field: json
+ if: ctx?.input?.type == 'http_endpoint'
+ ignore_missing: true
 - rename:
 field: resp.event
 target_field: json
- - remove:
+ ignore_missing: true
+ - remove:
 field: resp
 ignore_missing: true
 - set:
@@ -34,41 +40,57 @@ processors:
 - E MMM dd HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
- - remove:
- field: json.datetime
+ - yyyy-mm-dd HH:mm:ss
+ - date:
+ field: json.time
+ target_field: "@timestamp"
 ignore_failure: true
- - rename:
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - yyyy-MM-dd HH:mm:ss
+ - remove:
+ field:
+ - json.time
+ - json.datetime
+ ignore_missing: true
+ - convert:
 field: json.outbytes
 target_field: client.bytes
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.outbytes
 ignore_missing: true
- - rename:
+ - rename:
 field: json.devicehostname
 target_field: host.hostname
 ignore_missing: true
- - rename:
+ - rename:
 field: json.nwapp
 target_field: network.application
 ignore_missing: true
- - rename:
+ - rename:
 field: json.nwsvc
 target_field: network.protocol
 ignore_missing: true
 - lowercase:
 field: network.protocol
 ignore_missing: true
- - rename:
+ - rename:
 field: json.proto
 target_field: network.transport
 ignore_missing: true
 - lowercase:
 field: network.transport
 ignore_missing: true
- - append:
+ - append:
 field: rule.name
 value: "{{{json.rulelabel}}}"
 if: ctx?.json?.rulelabel != null
 allow_duplicates: false
- - append:
+ - append:
 field: rule.name
 value: "{{{json.ipsrulelabel}}}"
 if: ctx?.json?.ipsrulelabel != null
@@ -82,54 +104,74 @@ processors:
 - remove:
 field: json.ipsrulelabel
 ignore_missing: true
- - rename:
+ - convert:
 field: json.inbytes
 target_field: server.bytes
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.inbytes
 ignore_missing: true
- - rename:
+ - rename:
 field: json.destcountry
 target_field: server.geo.country_name
 ignore_missing: true
- - urldecode:
+ - urldecode:
 field: json.user
 target_field: user.email
 ignore_missing: true
 - remove:
 field: json.user
 ignore_missing: true
- - rename:
+ - rename:
 field: json.deviceowner
 target_field: user.name
 ignore_missing: true
- - urldecode:
+ - urldecode:
 field: json.department
 target_field: zscaler_zia.firewall.department
 ignore_missing: true
 - remove:
 field: json.department
 ignore_missing: true
- - urldecode:
+ - urldecode:
 field: json.locationname
 target_field: zscaler_zia.firewall.location.name
 ignore_missing: true
 - remove:
 field: json.locationname
 ignore_missing: true
- - rename:
+ - convert:
 field: json.cdport
 target_field: zscaler_zia.firewall.client.destination.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.cdport
 ignore_missing: true
- - rename:
+ - convert:
 field: json.csport
 target_field: zscaler_zia.firewall.client.source.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.csport
 ignore_missing: true
- - rename:
+ - convert:
 field: json.sdport
 target_field: zscaler_zia.firewall.server.destination.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.sdport
 ignore_missing: true
- - rename:
+ - convert:
 field: json.ssport
 target_field: zscaler_zia.firewall.server.source.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.ssport
 ignore_missing: true
 - append:
 field: related.ip
@@ -137,7 +179,7 @@ processors:
 if: ctx?.json?.csip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.csip
 target_field: zscaler_zia.firewall.client.source.ip
 ignore_missing: true
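Review bot: Each new `convert` with `ignore_failure: true` immediately followed by a `remove` of the same source field discards the value silently when the conversion fails: a non-numeric `inbytes`, `cdport`, `csport`, `sdport` or `ssport` is neither mapped to its target nor left under `json` for the catch-all script, and `on_failure` (which sets `error.message`) is never reached. If best-effort is the intent, `ignore_missing: true` on the `convert` instead of `ignore_failure: true` lets a present-but-malformed value surface through `on_failure` while an absent one is still skipped; alternatively guard the `remove` with `if: ctx.<target> != null` so the raw value survives. The same pattern is used for `outbytes` in the preceding hunk and for `tunsport` and the duration/session counters in the `@@ -177,62 +219,82 @@` hunk below.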
@@ -147,7 +189,7 @@ processors:
 if: ctx?.json?.cdip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.cdip
 target_field: zscaler_zia.firewall.client.destination.ip
 ignore_missing: true
@@ -157,7 +199,7 @@ processors:
 if: ctx?.json?.ssip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.ssip
 target_field: zscaler_zia.firewall.server.source.ip
 ignore_missing: true
@@ -167,7 +209,7 @@ processors:
 if: ctx?.json?.sdip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.sdip
 target_field: zscaler_zia.firewall.server.destination.ip
 ignore_missing: true
@@ -177,62 +219,82 @@ processors:
 if: ctx?.json?.tsip != null
 allow_duplicates: false
 ignore_failure: true
- - rename:
+ - rename:
 field: json.tsip
 target_field: zscaler_zia.firewall.tunnel.ip
 ignore_missing: true
- - rename:
+ - convert:
 field: json.tunsport
 target_field: zscaler_zia.firewall.tunnel.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.tunsport
 ignore_missing: true
- - rename:
+ - rename:
 field: json.tuntype
 target_field: zscaler_zia.firewall.tunnel.type
 ignore_missing: true
- - rename:
+ - rename:
 field: json.action
 target_field: event.action
 ignore_missing: true
- - lowercase:
+ - lowercase:
 field: event.action
 ignore_missing: true
- - rename:
+ - rename:
 field: json.dnat
 target_field: zscaler_zia.firewall.nat
 ignore_missing: true
- - rename:
+ - rename:
 field: json.stateful
 target_field: zscaler_zia.firewall.stateful
 ignore_missing: true
- - rename:
+ - rename:
 field: json.aggregate
 target_field: zscaler_zia.firewall.aggregate
 ignore_missing: true
- - rename:
+ - rename:
 field: json.ipcat
 target_field: zscaler_zia.firewall.ip_category
 ignore_missing: true
- - rename:
+ - convert:
 field: json.avgduration
+ type: double
 target_field: zscaler_zia.firewall.duration.avg
+ ignore_failure: true
+ - remove:
+ field: json.avgduration
 ignore_missing: true
- - rename:
+ - convert:
 field: json.duration
 target_field: zscaler_zia.firewall.duration.seconds
+ type: double
+ ignore_failure: true
+ - remove:
+ field: json.duration
 ignore_missing: true
- - rename:
+ - convert:
 field: json.durationms
 target_field: zscaler_zia.firewall.duration.milliseconds
+ type: double
+ ignore_failure: true
+ - remove:
+ field: json.durationms
 ignore_missing: true
- - rename:
+ - convert:
 field: json.numsessions
 target_field: zscaler_zia.firewall.session.count
+ type: double
+ ignore_failure: true
+ - remove:
+ field: json.numsessions
 ignore_missing: true
- - rename:
+ - rename:
 field: json.threatcat
 target_field: zscaler_zia.firewall.threat.category
 ignore_missing: true
- - rename:
+ - rename:
 field: json.threatname
 target_field: zscaler_zia.firewall.threat.name
 ignore_missing: true
@@ -261,9 +323,14 @@ processors:
 for (Map.Entry m : ctx.json.entrySet()) {
 ctx.zscaler_zia.firewall[m.getKey()] = m.getValue();
 }
- - remove:
+ - remove:
 field: json
 ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
 on_failure:
 - set:
 field: error.message
diff --git a/packages/zscaler_zia/data_stream/firewall/fields/fields.yml b/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
index c8b4137da0e..268745da78e 100644
--- a/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
+++ b/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
@@ -19,7 +19,7 @@
 type: group
 fields:
 - name: port
- type: double
+ type: long
 description: |
 Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate.
 - name: ip
@@ -30,7 +30,7 @@
 type: group
 fields:
 - name: port
- type: double
+ type: long
 description: |
 Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate.
 - name: ip
@@ -44,7 +44,7 @@
 type: group
 fields:
 - name: port
- type: double
+ type: long
 description: |
 Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate.
 - name: ip
@@ -55,7 +55,7 @@
 type: group
 fields:
 - name: port
- type: double
+ type: long
 description: |
 Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate.
 - name: ip
@@ -70,7 +70,7 @@
 description: |
 Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate.
 - name: port
- type: double
+ type: long
 description: |
 Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate.
 - name: type
diff --git a/packages/zscaler_zia/data_stream/firewall/manifest.yml b/packages/zscaler_zia/data_stream/firewall/manifest.yml
index 6da5481a668..eee2e7be93f 100644
--- a/packages/zscaler_zia/data_stream/firewall/manifest.yml
+++ b/packages/zscaler_zia/data_stream/firewall/manifest.yml
@@ -4,7 +4,7 @@ streams:
 - input: tcp
 template_path: tcp.yml.hbs
 title: Zscaler Internet Access Firewall Logs
- description: Collect Zscaler Internet Access Firewall Logs using tcp input
+ description: Collect Zscaler Internet Access Firewall Logs using TCP Input.
 vars:
 - name: listen_port
 type: integer
@@ -27,7 +27,45 @@ streams:
 required: true
 show_user: true
 title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Zscaler Internet Access Firewall Logs
+ description: Collect Zscaler Internet Access Firewall logs via HTTP Endpoint Input.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9557
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-firewall
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
 type: bool
 multi: false
 default: false
diff --git a/packages/zscaler_zia/data_stream/firewall/sample_event.json b/packages/zscaler_zia/data_stream/firewall/sample_event.json
index d5914ddf13b..fdbd7e989e8 100644
--- a/packages/zscaler_zia/data_stream/firewall/sample_event.json
+++ b/packages/zscaler_zia/data_stream/firewall/sample_event.json
@@ -1,12 +1,11 @@
 {
 "@timestamp": "2021-12-17T07:27:54.000Z",
 "agent": {
- "ephemeral_id": "41987f90-74dc-4b4b-9936-4347028cf558",
- "hostname": "docker-fleet-agent",
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "ephemeral_id": "144c5748-0f0e-4cf6-845b-0b43cac1ca3c",
+ "id": "638019f9-173e-4c24-9e28-64b128c92162",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.16.2"
+ "version": "8.1.2"
 },
 "client": {
 "bytes": 1734
@@ -17,19 +16,19 @@
 "type": "logs"
 },
 "ecs": {
- "version": "8.0.0"
+ "version": "8.2.0"
 },
 "elastic_agent": {
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "id": "638019f9-173e-4c24-9e28-64b128c92162",
 "snapshot": false,
- "version": "7.16.2"
+ "version": "8.1.2"
 },
 "event": {
 "action": "drop",
 "agent_id_status": "verified",
 "category": "network",
 "dataset": "zscaler_zia.firewall",
- "ingested": "2022-02-04T06:34:17Z",
+ "ingested": "2022-04-13T17:29:32Z",
 "kind": "event",
 "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}",
 "type": "info"
@@ -42,7 +41,7 @@
 },
 "log": {
 "source": {
- "address": "172.21.0.7:58194"
+ "address": "1.128.3.4:43634"
 }
 },
 "network": {
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log
new file mode 100644
index 00000000000..51866c5af57
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log
@@ -0,0 +1 @@
+{"sourcetype":"zscalernss-tunnel", "event":{"location":"Unknown","sourceport":"0","rxbytes":"0","tunneltype":"GRE","dpdrec":"0","destinationip":"0.0.0.0","recordid":"7083029673927507968","datetime":"Tue Dec 31 08:08:08 2021","sourceip":"0.0.0.0","txbytes":"0","Recordtype":"Tunnel Samples","user":"Unknown"}}
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json
new file mode 100644
index 00000000000..f489dad3937
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json
@@ -0,0 +1,54 @@ +{ + "expected": [ + { + "@timestamp": "2021-12-31T08:08:08.000Z", + "destination": { + "bytes": 0, + "ip": "0.0.0.0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": "network", + "id": "7083029673927507968", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-tunnel\", \"event\":{\"location\":\"Unknown\",\"sourceport\":\"0\",\"rxbytes\":\"0\",\"tunneltype\":\"GRE\",\"dpdrec\":\"0\",\"destinationip\":\"0.0.0.0\",\"recordid\":\"7083029673927507968\",\"datetime\":\"Tue Dec 31 08:08:08 2021\",\"sourceip\":\"0.0.0.0\",\"txbytes\":\"0\",\"Recordtype\":\"Tunnel Samples\",\"user\":\"Unknown\"}}", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ], + "user": [ + "Unknown" + ] + }, + "source": { + "bytes": 0, + "ip": "0.0.0.0", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown" + }, + "zscaler_zia": { + "tunnel": { + "action": { + "type": "Tunnel Samples" + }, + "dpd_packets": "0", + "location": { + "name": "Unknown" + }, + "type": "GRE" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log index fc0a18ba331..2d626b1882d 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log 
@@ -1,3 +1,3 @@ -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 30 11:20:12 2021","Recordtype":"IPSec Phase2","tunneltype":"IPSEC IKEV 1","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"0","sourceportstart":"0","destinationportstart":"0","srcipstart":"81.2.69.145","srcipend":"81.2.69.145","destinationipstart":"81.2.69.143","destinationipend":"81.2.69.143","lifetime":"3600","ikeversion":"1","lifebytes":"0","spi":"123456789","algo":"AES","authentication":"HMAC-SHA-1","authtype":"None","protocol":"Any","tunnelprotocol":"ESP","policydirection":"Inbound SA Policy","recordid":"1111111111111111111"}} -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 30 11:40:27 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111"}} -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 30 11:40:27 2021","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","event":"IPsec tunnel is up","eventreason":"None","recordid":"1111111111111111111"}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase2","tunneltype":"IPSEC IKEV 
1","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"0","sourceportstart":"0","destinationportstart":"0","srcipstart":"81.2.69.145","srcipend":"81.2.69.145","destinationipstart":"81.2.69.143","destinationipend":"81.2.69.143","lifetime":"3600","ikeversion":"1","lifebytes":"0","spi":"123456789","algo":"AES","authentication":"HMAC-SHA-1","authtype":"None","protocol":"Any","tunnelprotocol":"ESP","policydirection":"Inbound SA Policy","recordid":"1111111111111111111"}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111"}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","event":"IPsec tunnel is up","eventreason":"None","recordid":"1111111111111111111"}} diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json index 54bb7c4ed21..d40c3bff5f0 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json 
@@ -1,18 +1,18 @@ { "expected": [ { - "@timestamp": "2021-12-30T11:20:12.000Z", + "@timestamp": "2021-12-31T11:11:11.000Z", "destination": { "ip": "81.2.69.143" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "category": "network", "id": "1111111111111111111", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 30 11:20:12 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"sourceportstart\":\"0\",\"destinationportstart\":\"0\",\"srcipstart\":\"81.2.69.145\",\"srcipend\":\"81.2.69.145\",\"destinationipstart\":\"81.2.69.143\",\"destinationipend\":\"81.2.69.143\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"lifebytes\":\"0\",\"spi\":\"123456789\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"protocol\":\"Any\",\"tunnelprotocol\":\"ESP\",\"policydirection\":\"Inbound SA Policy\",\"recordid\":\"1111111111111111111\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"sourceportstart\":\"0\",\"destinationportstart\":\"0\",\"srcipstart\":\"81.2.69.145\",\"srcipend\":\"81.2.69.145\",\"destinationipstart\":\"81.2.69.143\",\"destinationipend\":\"81.2.69.143\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"lifebytes\":\"0\",\"spi\":\"123456789\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"protocol\":\"Any\",\"tunnelprotocol\":\"ESP\",\"policydirection\":\"Inbound SA Policy\",\"recordid\":\"1111111111111111111\"}}", "type": [ "info" ] 
@@ -87,19 +87,19 @@ } }, { - "@timestamp": "2021-12-30T11:40:27.000Z", + "@timestamp": "2021-12-31T11:11:11.000Z", "destination": { "ip": "81.2.69.143", "port": 500 }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "category": "network", "id": "1111111111111111111", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 30 11:40:27 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\"}}", "type": [ "info" ] 
@@ -151,19 +151,19 @@
}
},
{
- "@timestamp": "2021-12-30T11:40:27.000Z",
+ "@timestamp": "2021-12-31T11:11:11.000Z",
"destination": {
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.0.0"
+ "version": "8.2.0"
},
"event": {
"action": "IPsec tunnel is up",
"category": "network",
"id": "1111111111111111111",
"kind": "event",
- "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 30 11:40:27 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\"}}",
+ "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\"}}",
"reason": "None",
"type": [
"info"
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml
new file mode 100644
index 00000000000..8e51858e804
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml
@@ -0,0 +1,8 @@
+service: zscaler-zia-tunnel-http-endpoint
+service_notify_signal: SIGHUP
+input: http_endpoint
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9558
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml
similarity index 100%
rename from packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-default-config.yml
rename to packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml
diff --git a/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..483a999bf10
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,22 @@
+http_endpoint:
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+content_type: ""
+preserve_original_event: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index a62b7ab78ee..1a16c0caf03 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Zscaler tunnel logs
processors:
- set:
field: ecs.version
- value: '8.0.0'
+ value: '8.2.0'
- rename:
field: message
target_field: event.original
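Review bot: The http_endpoint listener rendered by this template has no way to authenticate the sender: `content_type: ""` disables body-type checking and only `ssl` is exposed, so any host that can reach `listen_port` can post fabricated tunnel records into the data stream (the system test binds `0.0.0.0`). Filebeat's http_endpoint input supports `secret.header`/`secret.value` (and `basic_auth`/`username`/`password`); exposing an optional shared-secret pair as manifest vars (proposed names `secret_header`/`secret_value`) and rendering it conditionally, as sketched below, lets a deployment reject unauthenticated posts, and the README should tell operators to set the matching header on the Zscaler NSS feed. Separately, `preserve_original_event: true` is hard-coded even though the manifest offers a user toggle of the same name; if that is deliberate because the pipeline re-parses `event.original` for this input (the pipeline hunk removes `json` and parses `event.original` when `input.type == 'http_endpoint'`), a comment such as `# input option, always on: the pipeline re-parses event.original for http_endpoint` above the line would prevent a later "fix".
```yaml
http_endpoint:
listen_address: {{listen_address}}
listen_port: {{listen_port}}
content_type: ""
{{#if secret_header}}
secret.header: {{secret_header}}
secret.value: {{secret_value}}
{{/if}}
# … unchanged: preserve_original_event, tags, publisher_pipeline, ssl, processors …
```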
@@ -11,9 +11,15 @@ processors:
- json:
field: event.original
target_field: resp
+ ignore_failure: true
+ - remove:
+ field: json
+ if: ctx?.input?.type == 'http_endpoint'
+ ignore_missing: true
- rename:
field: resp.event
target_field: json
+ ignore_missing: true
- remove:
field: resp
ignore_missing: true
@@ -25,8 +31,20 @@ processors:
- E MMM dd HH:mm:ss yyyy
- E MMM d HH:mm:ss yyyy
- E MMM d HH:mm:ss yyyy
+ - yyyy-mm-dd HH:mm:ss
+ - date:
+ field: json.time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - yyyy-MM-dd HH:mm:ss
- remove:
- field: json.datetime
+ field:
+ - json.time
+ - json.datetime
ignore_missing: true
- set:
field: event.category
@@ -53,7 +71,7 @@ processors:
field: json.destinationip
target_field: destination.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{destination.ip}}}"
if: ctx?.destination?.ip != null
@@ -71,7 +89,7 @@ processors:
field: json.sourceip
target_field: source.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{source.ip}}}"
if: ctx?.source?.ip != null
@@ -89,26 +107,34 @@ processors:
field: json.user
target_field: user.name
ignore_missing: true
- - remove:
+ - remove:
field: json.user
ignore_missing: true
- - append:
+ - append:
field: related.user
value: "{{{user.name}}}"
if: ctx?.user?.name != null
allow_duplicates: false
ignore_failure: true
- - rename:
+ - convert:
field: json.rxbytes
target_field: destination.bytes
+ type: long
+ ignore_missing: true
+ - remove:
+ field: json.rxbytes
ignore_missing: true
- rename:
field: json.rxpackets
target_field: destination.packets
ignore_missing: true
- - rename:
+ - convert:
field: json.txbytes
target_field: source.bytes
+ type: long
+ ignore_missing: true
+ - remove:
+ field: json.txbytes
ignore_missing: true
- rename:
field: json.txpackets
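Review bot: `ignore_failure: true` on the `json` processor, together with the `ignore_missing: true` added to the `resp.event` rename right after it, lets a body that is not JSON or lacks the `event` wrapper pass through silently: `json.*` stays empty, no `error.message` is set, and the event is indexed as a near-empty document that no detection will match, so malformed or tampered payloads go unnoticed. Unless the intent is to fall through to a pipeline-level `on_failure` (not visible here, and `ignore_failure` actually suppresses it), record the problem instead, e.g. replace `ignore_failure: true` with `on_failure: - append: {field: error.message, value: '{{{ _ingest.on_failure_message }}}'}`, or at least tag the event so bad payloads are countable. The `processors:` list begins and continues outside the hunk.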
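Review bot: The format appended to the `json.datetime` date processor, `- yyyy-mm-dd HH:mm:ss`, has lowercase `mm` (minute-of-hour) in the month position, so it can never resolve a `2021-12-31 08:08:08` value; the parallel `json.time` processor added just below spells it correctly as `yyyy-MM-dd HH:mm:ss`. The `json.time` processor runs with `ignore_failure: true` and the `json.datetime` one starts above the hunk (its setting is not visible), so if it ignores failures too a `datetime` in that layout would silently leave `@timestamp` at whatever the input set rather than the event time. Change the line to `- yyyy-MM-dd HH:mm:ss`; note that the new tunnel fixture only exercises the `E MMM dd` layout, so the pipeline test would not catch this.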
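Review bot: `json.rxbytes`/`json.txbytes` now go through `convert` to `long`, which the Cloud NSS feed needs because it sends every numeric field as a quoted string, but the same feed's `dpdrec` apparently still lands as a string: the new `test-tunnel-http_endpoint.log-expected.json` records `zscaler_zia.tunnel.dpd_packets` as `"0"`. If that field is a plain `rename` elsewhere in the pipeline (outside this hunk), giving it the same `convert` + `remove` treatment (`- convert: field: json.dpdrec, target_field: zscaler_zia.tunnel.dpd_packets, type: long`) keeps the indexed type identical for the TCP and HTTP paths; a keyword-vs-long mix breaks range queries and aggregations on it. Whether `dpd_packets` is mapped as `long` in the tunnel `fields.yml` is not visible here.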
@@ -122,7 +148,7 @@ processors:
field: json.location
target_field: zscaler_zia.tunnel.location.name
ignore_missing: true
- - remove:
+ - remove:
field: json.location
ignore_missing: true
- convert:
@@ -130,7 +156,7 @@ processors:
target_field: zscaler_zia.tunnel.life.time
type: long
ignore_missing: true
- - remove:
+ - remove:
field: json.lifetime
ignore_missing: true
- convert:
@@ -138,7 +164,7 @@ processors:
target_field: zscaler_zia.tunnel.ike.version
type: integer
ignore_missing: true
- - remove:
+ - remove:
field: json.ikeversion
ignore_missing: true
- rename:
@@ -174,7 +200,7 @@ processors:
target_field: zscaler_zia.tunnel.source.start.port
type: long
ignore_missing: true
- - remove:
+ - remove:
field: json.sourceportstart
ignore_missing: true
- convert:
@@ -182,14 +208,14 @@ processors:
target_field: zscaler_zia.tunnel.destination.start.port
type: long
ignore_missing: true
- - remove:
+ - remove:
field: json.destinationportstart
ignore_missing: true
- rename:
field: json.srcipstart
target_field: zscaler_zia.tunnel.source.start.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{zscaler_zia.tunnel.source.start.ip}}}"
if: ctx?.zscaler_zia?.tunnel?.source?.start?.ip != null
@@ -199,7 +225,7 @@ processors:
field: json.srcipend
target_field: zscaler_zia.tunnel.source.end.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{zscaler_zia.tunnel.source.end.ip}}}"
if: ctx?.zscaler_zia?.tunnel?.source?.end?.ip != null
@@ -209,7 +235,7 @@ processors:
field: json.destinationipstart
target_field: zscaler_zia.tunnel.destination.start.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{zscaler_zia.tunnel.destination.start.ip}}}"
if: ctx?.zscaler_zia?.tunnel?.destination?.start?.ip != null
@@ -219,7 +245,7 @@ processors:
field: json.destinationipend
target_field: zscaler_zia.tunnel.destination.end.ip
ignore_missing: true
- - append:
+ - append:
field: related.ip
value: "{{{zscaler_zia.tunnel.destination.end.ip}}}"
if: ctx?.zscaler_zia?.tunnel?.destination?.end?.ip != null
@@ -278,7 +304,7 @@ processors:
for (Map.Entry m : ctx.json.entrySet()) {
ctx.zscaler_zia.tunnel[m.getKey()] = m.getValue();
}
- - remove:
+ - remove:
field: json
ignore_missing: true
- remove:
diff --git a/packages/zscaler_zia/data_stream/tunnel/manifest.yml b/packages/zscaler_zia/data_stream/tunnel/manifest.yml
index 477b606f29d..d987ddda474 100644
--- a/packages/zscaler_zia/data_stream/tunnel/manifest.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/manifest.yml
@@ -4,7 +4,7 @@ streams:
- input: tcp
template_path: tcp.yml.hbs
title: Zscaler Internet Access Tunnel Logs
- description: Collect Zscaler Internet Access Tunnel Logs using tcp input
+ description: Collect Zscaler Internet Access Tunnel Logs using TCP Input.
vars:
- name: listen_port
type: integer
@@ -27,7 +27,45 @@ streams:
required: true
show_user: true
title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Zscaler Internet Access Tunnel Logs
+ description: Collect Zscaler Internet Access Tunnel logs via HTTP Endpoint Input.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9558
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-tunnel
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
type: bool
multi: false
default: false
diff --git a/packages/zscaler_zia/data_stream/tunnel/sample_event.json b/packages/zscaler_zia/data_stream/tunnel/sample_event.json
index eebfed78d8f..c8d8bfe06c1 100644
--- a/packages/zscaler_zia/data_stream/tunnel/sample_event.json
+++ b/packages/zscaler_zia/data_stream/tunnel/sample_event.json
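Review bot: The new `http_endpoint` stream defines `listen_port`, `tags` and `preserve_original_event` but no `processors` var, although the `tcp` stream gains one in the same hunk and `http_endpoint.yml.hbs` renders `{{#if processors}}`; the template's `{{#if ssl}}` branch likewise has no matching var here. Unless both are package-level vars (the system test config sets `listen_address` at that level, so that may be the convention) or are declared after the hunk, users cannot set them and those template branches are dead. Copying the `processors` definition added for `tcp` into this stream, and adding optional `secret_header`/`secret_value` vars so the listener can require a shared secret from the NSS feed, would make the new input both configurable and defensible. The trailing context `default: false` is the last line of the file visible here, so anything below it is not reviewed.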
@@ -1,12 +1,11 @@ { "@timestamp": "2021-12-30T11:20:12.000Z", "agent": { - "ephemeral_id": "63ac98b6-0ff6-4943-820e-8505eff15937", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "74169044-8331-421b-8ea9-9e6bcc7c28f8", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "data_stream": { "dataset": "zscaler_zia.tunnel", @@ -17,19 +16,19 @@ "ip": "81.2.69.143" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "agent_id_status": "verified", "category": "network", "dataset": "zscaler_zia.tunnel", "id": "1111111111111111111", - "ingested": "2022-02-04T06:36:16Z", + "ingested": "2022-04-13T17:33:10Z", "kind": "event", "type": [ "info" @@ -40,7 +39,7 @@ }, "log": { "source": { - "address": "172.21.0.7:44374" + "address": "1.128.3.4:58370" } }, "related": { diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log new file mode 100644 index 00000000000..c57f9e3211a --- /dev/null +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log 
@@ -0,0 +1 @@
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"2021-12-31 08:08:08","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json
new file mode 100644
index 00000000000..32954dfc459
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json
@@ -0,0 +1,115 @@ +{ + "expected": [ + { + "@timestamp": "2021-12-31T08:08:08.000Z", + "client": { + "ip": "81.2.69.193", + "nat": { + "ip": "81.2.69.145" + }, + "user": { + "name": "administrator1" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "blocked", + "category": "web", + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"2021-12-31 08:08:08\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.145\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "risk_score": 0, + "type": [ + "info" + ] + }, + "http": { + "request": { + "bytes": 600, + "method": "CONNECT", + "mime_type": "Other", + "referrer": "None" + }, + "response": { + "bytes": 65, + "status_code": 200 + } + }, + "network": { + "protocol": "http_proxy" + }, + "related": { + "hosts": [ + "TestMachine35" + ], + "ip": [ + "81.2.69.193", + "81.2.69.145" + ] + }, + "rule": { + "name": "Zscaler Proxy Traffic", + "ruleset": "FwFilter" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "com", + "original": "www.example.com", + "path": "www.example.com" + }, + "user": { + "email": "test@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": 
"Other", + "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + } + }, + "zscaler_zia": { + "web": { + "app": { + "class": "General Browsing", + "name": "General Browsing" + }, + "ctime": 0, + "department": "Unknown", + "device": { + "hostname": "TestMachine35" + }, + "dpl": { + "dictionaries": "None", + "engine": "None" + }, + "location": "Test DB", + "malware": { + "category": "None" + }, + "stime": 0, + "threat": { + "name": "None" + }, + "unscannable": { + "type": "None" + }, + "url": { + "category": { + "sub": "Web Search", + "super": "Information Technology" + }, + "class": "Business Use" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log index c2a207b118a..58446934f84 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log 
@@ -1,5 +1,5 @@ -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:06:18 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/join/","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"218","respsize":"14230","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.156","reqmethod":"POST","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"SSLPol","rulelabel":"SSL_1","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information 
Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.112","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"555","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.144","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:37:28 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test 
DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/join/","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"218","respsize":"14230","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.156","reqmethod":"POST","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"SSLPol","rulelabel":"SSL_1","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" 
:{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.112","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"555","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.144","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and 
Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 843447fd7e5..08decef0540 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2021-12-17T07:04:57.000Z", + "@timestamp": "2021-12-31T07:07:07.000Z", "client": { "ip": "81.2.69.193", "nat": { 
@@ -12,13 +12,13 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "blocked", "category": "web", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 17 07:04:57 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.145\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.145\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy 
Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, "type": [ "info" @@ -112,7 +112,7 @@ } }, { - "@timestamp": "2021-12-17T07:06:18.000Z", + "@timestamp": "2021-12-31T07:07:07.000Z", "client": { "ip": "81.2.69.193", "nat": { 
@@ -123,13 +123,13 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "blocked", "category": "web", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 17 07:06:18 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/join/\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"218\",\"respsize\":\"14230\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.156\",\"reqmethod\":\"POST\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"SSLPol\",\"rulelabel\":\"SSL_1\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/join/\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"218\",\"respsize\":\"14230\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test 
DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.156\",\"reqmethod\":\"POST\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"SSLPol\",\"rulelabel\":\"SSL_1\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, "type": [ "info" @@ -218,7 +218,7 @@ } }, { - "@timestamp": "2021-12-17T07:05:35.000Z", + "@timestamp": "2021-12-31T07:07:07.000Z", "client": { "ip": "81.2.69.193", "nat": { 
@@ -229,13 +229,13 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "blocked", "category": "web", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 17 07:05:35 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.112\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.112\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy 
Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, "type": [ "info" @@ -329,7 +329,7 @@ } }, { - "@timestamp": "2021-12-17T07:05:35.000Z", + "@timestamp": "2021-12-31T07:07:07.000Z", "client": { "ip": "81.2.69.193", "nat": { 
@@ -340,13 +340,13 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "blocked", "category": "web", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 17 07:05:35 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"555\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.144\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"555\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.144\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy 
Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, "type": [ "info" @@ -440,7 +440,7 @@ } }, { - "@timestamp": "2021-12-17T07:37:28.000Z", + "@timestamp": "2021-12-31T07:07:07.000Z", "client": { "ip": "81.2.69.193", "nat": { 
@@ -451,13 +451,13 @@ } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "event": { "action": "blocked", "category": "web", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 17 07:37:28 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266\u0026user=65792\u0026Id=1\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"14135\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"GET\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Access Blocked\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266\u0026user=65792\u0026Id=1\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"14135\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test 
DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"GET\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Access Blocked\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}",
 "risk_score": 0,
 "type": [
 "info"
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml
new file mode 100644
index 00000000000..d281dfc2f41
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml
@@ -0,0 +1,8 @@
+service: zscaler-zia-web-http-endpoint
+service_notify_signal: SIGHUP
+input: http_endpoint
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9559
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml
similarity index 100%
rename from packages/zscaler_zia/data_stream/web/_dev/test/system/test-default-config.yml
rename to packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml
diff --git a/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..483a999bf10
--- /dev/null
+++ b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,22 @@
+http_endpoint:
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+content_type: ""
+preserve_original_event: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index 035e7682c12..170360be235 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Zscaler web logs
 processors:
 - set:
 field: ecs.version
- value: '8.0.0'
+ value: '8.2.0'
 - rename:
 field: message
 target_field: event.original
@@ -11,10 +11,16 @@ processors:
 - json:
 field: event.original
 target_field: resp
+ ignore_failure: true
+ - remove:
+ field: json
+ if: ctx?.input?.type == 'http_endpoint'
+ ignore_missing: true
 - rename:
 field: resp.event
 target_field: json
- - remove:
+ ignore_missing: true
+ - remove:
 field: resp
 ignore_missing: true
 - date:
@@ -25,8 +31,20 @@ processors:
 - E MMM dd HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
 - E MMM d HH:mm:ss yyyy
- - remove:
- field: json.time
+ - yyyy-MM-dd HH:mm:ss
+ - date:
+ field: json.datetime
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - yyyy-MM-dd HH:mm:ss
+ - remove:
+ field:
+ - json.time
+ - json.datetime
 ignore_missing: true
 - set:
 field: event.category
@@ -94,7 +112,7 @@ processors:
 target_field: http.response.status_code
 type: long
 ignore_failure: true
- - remove:
+ - remove:
 field: json.respcode
 ignore_missing: true
 - rename:
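Review bot: The listener rendered by this template accepts unauthenticated requests: nothing emits the http_endpoint input's `secret.header`/`secret.value` (or basic-auth) options, so any host that can reach the port can post arbitrary bodies that the web pipeline will index as Zscaler events, and `content_type: ""` appears to switch off the input's content-type check as well. Since the README change in this patch tells users to add HTTP headers to the Cloud NSS feed, the template should render a configurable header name and value into `secret.header:` and `secret.value:` (driven by two new manifest vars, the value marked secret) so that header is actually verified at the edge. TLS is opt-in only through `{{#if ssl}}`, which is fine, but a Handlebars comment such as `{{! without ssl the feed is received over plaintext HTTP }}` above that block would make the default explicit. The hard-coded `preserve_original_event: true` line sits next to the var-driven tag of the same name; if it is not an input option it looks like a leftover worth confirming.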
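Review bot: `ignore_failure: true` on the `json` processor, together with the new `ignore_missing: true` on the `resp.event` rename, means a body that is not valid JSON (or JSON without an `event` key) now passes through with only `event.original` set and no `error.message`, so malformed or foreign posts to the endpoint are indexed silently rather than flagged; on the TCP path this was a hard pipeline failure before. Prefer failing visibly: replace `ignore_failure: true` with `on_failure: [{ append: { field: error.message, value: '{{{ _ingest.on_failure_message }}}' } }]` while keeping the rename's `ignore_missing` so both input shapes still parse. The `remove` of `json` guarded by `ctx?.input?.type == 'http_endpoint'` is presumably there because that input already decodes the body into `json`; a one-line comment saying so would spare the next reader from wondering why a field is dropped just before a rename creates it. The same swallow-everything pattern recurs in the two `date` processors of the `@@ -25,8 +31,20 @@` hunk below.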
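Review bot: The new `json.datetime` `date` processor copies the pre-existing duplicate entry `E MMM d HH:mm:ss yyyy` (listed twice in both format lists); drop the repeat in the new block and, while here, in the existing one. With two `date` processors both writing `@timestamp` and both set to `ignore_failure: true`, an event is timestamped by whichever field happens to parse, a missing field is indistinguishable from an unparseable one, and an event carrying neither presumably keeps the agent-assigned `@timestamp` with nothing recorded in `error.message`; guard each with `if: ctx.json?.datetime != null` (and `if: ctx.json?.time != null` for the first) instead of relying on `ignore_failure`. The first `date` processor begins above this hunk, so its `field:` line is not visible here.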
@@ -103,7 +121,7 @@ processors:
 ignore_missing: true
 - lowercase:
 field: network.protocol
- ignore_missing: true
+ ignore_missing: true
 - rename:
 field: json.rulelabel
 target_field: rule.name
@@ -116,7 +134,7 @@ processors:
 field: json.eurl
 remove_if_successful: true
 on_failure:
- - set:
+ - set:
 field: url.original
 value: "{{{json.eurl}}}"
 if: ctx?.json?.eurl != null
@@ -220,7 +238,7 @@ processors:
 field: json.devicehostname
 target_field: zscaler_zia.web.device.hostname
 ignore_missing: true
- - append:
+ - append:
 field: related.hosts
 value: "{{{zscaler_zia.web.device.hostname}}}"
 if: ctx?.zscaler_zia?.web?.device?.hostname != null
diff --git a/packages/zscaler_zia/data_stream/web/manifest.yml b/packages/zscaler_zia/data_stream/web/manifest.yml
index c7ec897dbb8..c9137ffacee 100644
--- a/packages/zscaler_zia/data_stream/web/manifest.yml
+++ b/packages/zscaler_zia/data_stream/web/manifest.yml
@@ -4,7 +4,7 @@ streams:
 - input: tcp
 template_path: tcp.yml.hbs
 title: Zscaler Internet Access Web Logs
- description: Collect Zscaler Internet Access Web Logs using tcp input
+ description: Collect Zscaler Internet Access Web Logs using TCP input.
 vars:
 - name: listen_port
 type: integer
@@ -27,7 +27,45 @@ streams:
 required: true
 show_user: true
 title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Zscaler Internet Access Web Logs
+ description: Collect Zscaler Internet Access Web logs via HTTP Endpoint Input.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9559
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-web
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
 type: bool
 multi: false
 default: false
diff --git a/packages/zscaler_zia/data_stream/web/sample_event.json b/packages/zscaler_zia/data_stream/web/sample_event.json
index 7d38b9cbfee..2f8048dfe11 100644
--- a/packages/zscaler_zia/data_stream/web/sample_event.json
+++ b/packages/zscaler_zia/data_stream/web/sample_event.json
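Review bot: The http_endpoint stream's vars end at `preserve_original_event` within this hunk, while `http_endpoint.yml.hbs` (added in this patch) also reads `ssl` and `processors`; `listen_address` looks like a package-level var (the system test config sets it at top level), but unless `ssl` and `processors` are declared after the hunk, the TLS and processors blocks of the template can never render and the endpoint is plaintext-only. Add an `ssl` var (`type: yaml`) and a `processors` var mirroring the one added to the TCP stream above, plus a header name/value pair feeding the input's `secret.header`/`secret.value` so the listener can require the header the README asks users to configure. Both streams carry the identical `title: Zscaler Internet Access Web Logs`; `title: Zscaler Internet Access Web Logs (HTTP Endpoint)` would disambiguate them in the Fleet UI. The streams list continues past the end of the hunk.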
@@ -1,12 +1,11 @@ { "@timestamp": "2021-12-17T07:04:57.000Z", "agent": { - "ephemeral_id": "ced1fd2e-2f17-4f67-b8b1-d38a1920abbb", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "72bf9779-2cf7-4d9f-ad44-f36c04cf1cb1", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "client": { "ip": "81.2.69.193", @@ -23,19 +22,19 @@ "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "action": "blocked", "agent_id_status": "verified", "category": "web", "dataset": "zscaler_zia.web", - "ingested": "2022-02-04T08:48:57Z", + "ingested": "2022-04-13T17:36:45Z", "kind": "event", "risk_score": 0, "type": [ @@ -59,7 +58,7 @@ }, "log": { "source": { - "address": "172.21.0.7:48722" + "address": "1.128.3.4:37608" } }, "network": { diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md index c0373934ff3..12cc8dae92c 100644 --- a/packages/zscaler_zia/docs/README.md +++ b/packages/zscaler_zia/docs/README.md 
@@ -1,36 +1,55 @@ # Zscaler ZIA -This integration is for Zscaler Internet Access logs. It can be used -to receive logs sent by NSS log server on respective TCP ports. +This integration is for Zscaler Internet Access logs. It can be used to receive logs sent by NSS feeds on TCP port or Cloud NSS on HTTP Endpoint input methods. -The log message is expected to be in JSON format. The data is mapped to -ECS fields where applicable and the remaining fields are written under -`zscaler_zia..*`. +The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under `zscaler_zia..*`. -## Setup steps +## Steps for setting up NSS Feeds 1. Enable the integration with the TCP input. -2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscalar NSS Server and NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add an NSS Server. - - Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support. - - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. +2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). 
Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps. + - In the ZIA Admin Portal, add a NSS Server. + - Log in to the ZIA Admin Portal using your admin account. + - Add a NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. - Verify that the state of the NSS Server is healthy. - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. - In the State column, confirm that the state of the NSS server is healthy. ![NSS server setup image](../img/nss_server.png?raw=true) - - In the ZIA Admin Portal, add an NSS Feed. + - In the ZIA Admin Portal, add a NSS Feed. - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. - - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. + - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create a NSS Feed for each log type. 
- **Alerts**: 9010 - **DNS**: 9011 - **Firewall**: 9012 - **Tunnel**: 9013 - **Web**: 9014 - - **Feed Output Type**: Select Custom paste the appropriate response format as follows: - ![NSS feeds setup image](../img/nss_feeds.png?raw=true) + - **Feed Output Type**: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows: + ![NSS Feeds setup image](../img/nss_feeds.png?raw=true) -3. *Please make sure to use the given response formats.* + +## Steps for setting up Cloud NSS Feeds + +1. Enable the integration with the HTTP Endpoint input. +2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps. + - In the ZIA Admin Portal, add a Cloud NSS Feed. + - Log in to the ZIA Admin Portal using your admin account. + - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). + - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. + - Give Feed Name, change status to Enabled. + - Select NSS Type. + - Change SIEM Type to other. + - Add an API URL. + - Default ports: + - **DNS**: 9556 + - **Firewall**: 9557 + - **Tunnel**: 9558 + - **Web**: 9559 + - Select JSON as feed output type. + - Add appropriate HTTP headers. + ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) + +**Please make sure to use the given response formats for NSS and Cloud NSS Feeds.** ## Compatibility @@ -40,7 +59,7 @@ This package has been tested against `Zscaler Internet Access version 6.1` ### Alerts -Default port: _9010_ +- Default port (NSS Feed): _9010_ Vendor documentation: https://help.zscaler.com/zia/about-alerts 
@@ -56,7 +75,8 @@ Sample Response: ### DNS Log -Default port: _9011_ +- Default port (NSS Feed): _9011_ +- Default port (Cloud NSS Feed): _9556_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs @@ -72,7 +92,8 @@ Sample Response: ### Firewall Log -Default port: _9012_ +- Default port (NSS Feed): _9012_ +- Default port (Cloud NSS Feed): _9557_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs @@ -88,7 +109,8 @@ Sample Response: ### Tunnel Log -Default port: _9013_ +- Default port (NSS Feed): _9013_ +- Default port (Cloud NSS Feed): _9558_ Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-tunnel-logs @@ -117,8 +139,9 @@ Sample Response: ### Web Log -Default port: _9014_ -Add characters **"** and **\\** in **feed escape character** while configuring Web Log. +- Default port (NSS Feed): _9014_ +- Default port (Cloud NSS Feed): _9559_ +- Add characters **"** and **\\** in **feed escape character** while configuring Web Log. ![Escape feed setup image](../img/escape_feed.png?raw=true) Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -198,12 +221,11 @@ An example event for `alerts` looks as following: { "@timestamp": "2022-12-10T13:40:32.000Z", "agent": { - "ephemeral_id": "8c093fcf-fb2f-4baa-b794-40edb011194d", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "b7f77db9-92fe-4935-8387-b2cb545bcfc6", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "data_stream": { "dataset": "zscaler_zia.alerts", 
@@ -216,24 +238,24 @@ An example event for `alerts` looks as following: "port": 9012 }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "agent_id_status": "verified", "dataset": "zscaler_zia.alerts", - "ingested": "2022-02-04T06:31:25Z" + "ingested": "2022-04-13T17:21:34Z" }, "input": { "type": "tcp" }, "log": { "source": { - "address": "172.21.0.7:32902" + "address": "1.128.3.4:32902" }, "syslog": { "priority": 114 @@ -351,12 +373,11 @@ An example event for `dns` looks as following: { "@timestamp": "2021-12-17T07:27:54.000Z", "agent": { - "ephemeral_id": "d288c261-b8db-45af-99c0-a673c3c6d8e1", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "29f002d2-defe-484e-81f8-ec2dace901c3", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "client": { "geo": { @@ -388,18 +409,18 @@ An example event for `dns` looks as following: } }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "agent_id_status": "verified", "category": "network", "dataset": "zscaler_zia.dns", - "ingested": "2022-02-04T06:32:56Z", + "ingested": "2022-04-13T17:25:57Z", "kind": "event", "type": [ "info" @@ -410,7 +431,7 @@ An example event for `dns` looks as following: }, "log": { "source": { - "address": "172.21.0.7:54202" + "address": "1.128.3.4:59018" } }, "related": { 
@@ -535,9 +556,9 @@ An example event for `dns` looks as following: | user.name.text | Multi-field of `user.name`. | match_only_text | | zscaler_zia.firewall.aggregate | | keyword | | zscaler_zia.firewall.client.destination.ip | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | double | +| zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | long | | zscaler_zia.firewall.client.source.ip | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.client.source.port | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. | double | +| zscaler_zia.firewall.client.source.port | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. | long | | zscaler_zia.firewall.department | Department of the user. | keyword | | zscaler_zia.firewall.duration.avg | Average session duration, in milliseconds, if the sessions were aggregated. | double | | zscaler_zia.firewall.duration.milliseconds | Session or request duration in milliseconds. | double | 
@@ -546,15 +567,15 @@ An example event for `dns` looks as following: | zscaler_zia.firewall.location.name | Name of the location from which the session was initiated. | keyword | | zscaler_zia.firewall.nat | Indicates if the destination NAT policy was applied. | keyword | | zscaler_zia.firewall.server.destination.ip | Server Destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.server.destination.port | Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. | double | +| zscaler_zia.firewall.server.destination.port | Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. | long | | zscaler_zia.firewall.server.source.ip | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.server.source.port | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | double | +| zscaler_zia.firewall.server.source.port | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | long | | zscaler_zia.firewall.session.count | Number of sessions that were aggregated. | double | | zscaler_zia.firewall.stateful | | keyword | | zscaler_zia.firewall.threat.category | Category of the threat in the Firewall session by the IPS engine. | keyword | | zscaler_zia.firewall.threat.name | Name of the threat detected in the Firewall session by the IPS engine. | keyword | | zscaler_zia.firewall.tunnel.ip | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. 
| keyword | -| zscaler_zia.firewall.tunnel.port | Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. | double | +| zscaler_zia.firewall.tunnel.port | Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. | long | | zscaler_zia.firewall.tunnel.type | Traffic forwarding method used to send the traffic to the firewall. | keyword | @@ -564,12 +585,11 @@ An example event for `firewall` looks as following: { "@timestamp": "2021-12-17T07:27:54.000Z", "agent": { - "ephemeral_id": "41987f90-74dc-4b4b-9936-4347028cf558", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "144c5748-0f0e-4cf6-845b-0b43cac1ca3c", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "client": { "bytes": 1734 
@@ -580,19 +600,19 @@ An example event for `firewall` looks as following: "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "action": "drop", "agent_id_status": "verified", "category": "network", "dataset": "zscaler_zia.firewall", - "ingested": "2022-02-04T06:34:17Z", + "ingested": "2022-04-13T17:29:32Z", "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", "type": "info" @@ -605,7 +625,7 @@ An example event for `firewall` looks as following: }, "log": { "source": { - "address": "172.21.0.7:58194" + "address": "1.128.3.4:43634" } }, "network": { 
@@ -783,12 +803,11 @@ An example event for `tunnel` looks as following: { "@timestamp": "2021-12-30T11:20:12.000Z", "agent": { - "ephemeral_id": "63ac98b6-0ff6-4943-820e-8505eff15937", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "74169044-8331-421b-8ea9-9e6bcc7c28f8", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "data_stream": { "dataset": "zscaler_zia.tunnel", @@ -799,19 +818,19 @@ An example event for `tunnel` looks as following: "ip": "81.2.69.143" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "agent_id_status": "verified", "category": "network", "dataset": "zscaler_zia.tunnel", "id": "1111111111111111111", - "ingested": "2022-02-04T06:36:16Z", + "ingested": "2022-04-13T17:33:10Z", "kind": "event", "type": [ "info" @@ -822,7 +841,7 @@ An example event for `tunnel` looks as following: }, "log": { "source": { - "address": "172.21.0.7:44374" + "address": "1.128.3.4:58370" } }, "related": { @@ -1014,12 +1033,11 @@ An example event for `web` looks as following: { "@timestamp": "2021-12-17T07:04:57.000Z", "agent": { - "ephemeral_id": "ced1fd2e-2f17-4f67-b8b1-d38a1920abbb", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "ephemeral_id": "72bf9779-2cf7-4d9f-ad44-f36c04cf1cb1", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.2" + "version": "8.1.2" }, "client": { "ip": "81.2.69.193", 
@@ -1036,19 +1054,19 @@ An example event for `web` looks as following: "type": "logs" }, "ecs": { - "version": "8.0.0" + "version": "8.2.0" }, "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "id": "638019f9-173e-4c24-9e28-64b128c92162", "snapshot": false, - "version": "7.16.2" + "version": "8.1.2" }, "event": { "action": "blocked", "agent_id_status": "verified", "category": "web", "dataset": "zscaler_zia.web", - "ingested": "2022-02-04T08:48:57Z", + "ingested": "2022-04-13T17:36:45Z", "kind": "event", "risk_score": 0, "type": [ @@ -1072,7 +1090,7 @@ An example event for `web` looks as following: }, "log": { "source": { - "address": "172.21.0.7:48722" + "address": "1.128.3.4:37608" } }, "network": { 
diff --git a/packages/zscaler_zia/img/cloud_nss_feeds.png b/packages/zscaler_zia/img/cloud_nss_feeds.png new file mode 100644 index 0000000000000000000000000000000000000000..ef223bbf2f2121e615828859ac98d2963ba39b8d GIT binary patch literal 31859 zcmeFZWl$Vj+cr8evUd_-2NDP#!8O61I1Dlbx8OdwyCftb3GVJp2KT`=1b3Igf(4 zb_nF^*T1fUBe&=kh`{EGgQDb1NI@_4D%iPh`a|iET|K zGbJw!iyTa?i?#{ftw`Sx>rDRqGVODDKiSGm4F%pO0%QJ{cA&q)RMDk6P4yc;)NYztqM^?Mu2%Jw4C91X0;L*n4_<8h=#q zBcKejhC5nhJqrfWhpja?R{PM0~f7z0!OdGLU_MQMYv*(mFMyXmz>D*~*db+}DHaRX#0h7{dQ2Z-TOHEsw zp>KWJ+4IWfvN*wL`}Ch8INi)3Ku^=_jd5XtF(sOjnJa@P8LEWOfZXCD$ctv zGj%kh=2@I03^ocDT2A3`IK5*1UN4%ZqeHvK`S$Jg5*PWY+`@WRQUwn|q3F1<(AbCH zU>sxi-h=#B=*{t}Crka05FPrn^~af+^t!qd6spnA_$3XioM1Gm8fI3i#Ja+IdVb#7 zX1qveSvB9uPAD?G1ith=weh*)6wL17@6Mg%+Y-|j34$e?CGBs{#Ym<~DRw!pkHV|OhlpptLCKL#!0 zwLd6h(}2GqX#aG2L?>jg3^j+!c2CaKx#Lbx-QC;{*2m;2ipw%HOVa1dC8os9`X91< z`SgjI)XrOxi>uEM3N=PBa7Wj|5q|6`#$7QkYvT$!h03fl=;r2E8p&z;`kng>6RoYS zuw-87iGcmtx|FJm(@4Hn1uTvsJ3A-mbhV9cQP+8Qk;SR}?`wbNBqH%)9Bacv-I5?9 zDa2a>6CEEs_QJ(~50;F4L!zc?V&Z;!7iAe^zY=<#16l;HdIZ*sxp_8EVFCpSb)ITf z<)_bIz*FIW_Dta_@*WQl&(X#NkJV|^F1z&2yAK|?j;N@0Ro*0G%vNy@hlNl>L%wMs zqp9q^Pg6em?KwRe3p%guzWQ2HG@?atwFH`+oQyl#QiH<+23AHZ_m?mO)?Q1;JV!Y`0iw_@UVmO~A^e9fDJY1Y%!He>34dS3n5J3@y-s;j4gFY9h zwTq5UvgXqK{O0E7`npGJLQ%Ej>R^Evjz*+h#JQ?WogH0a74`MOy?dF%yeo4b{7CFX z{3nT)9r>-Njx|b?4|jILe(&!));0Cls8tRw{zFMNTCZIbnMwN5SY17)i?fCuScKor z{v$bG5)CR^r4GBgJE?h@b6}!-dwV$aY%-;Qcde$l9I!8{xeP3;shZAq6QxWAatYsgEXDOhP9mBz_$wx7x*=_ zO#{lV`OEyg0V>}vT-LzQMcA5xf&%WBlrUf=<>+W&kp3jk#MngIgo@iS)^K)!;QoDb zl=)CAm>?V?1FMeG{T!_9mQ?@Dt*#=5MWl>&iT?^^$y(BUA{o3kids*9b2}+yFmEe! 
znx2Y@kzTN2?dQ*zi0s!+^)^?Cj#=Izp66CL422ncLgRPB4r^ zwfp{tknLP!6q{Oif<#|)v%~(%Gt*i;Dd@`c0GAvz)wQdWXG=}~n>AbKbD^OOGBLIL zg8?aChY}dEr|ak{hqjkYy;>vp>f8^aizw+D)L2?KzaJbCugv5pD2k@sA!v@`DG2|k z(po!k4{EU{Xf9AXQENB!_TUEE*d+NMWS=lJQ$fKG_?FwZERny3ocGPZ3L8#kMjQk} z0}}=944j+}&b@G)4fDIFOk0;OAL2hW9yT&Ef|3lOt(bO4-{z`4ZhsOYReySj7E)1B zfjfwSseaPU(f!u8;-tnHvmBB#j)6~dF{g!@NF@-Ucc z7s`^!PP^O^(@O(C*@ue9G&ZpDm#04T@%ee){`D`6g%dn&EU6>qCTN`R=yGKED^1PG zy*>$YU5^pzH^6G>6drB&JF@H69AaynvDIKE1KV`CIW1BY_UfOc11x&1dD^RGcd1iI z=05n`Cg*JL=sDOgqw$~^WsptZ3TFsNBK{J2&K>=tkeIm8Ly_)tlV0W7_pW@^_1&ee ze^;S!ZEfwBI~0$(N_(q(4qMyWe&rqP=XeONn1^|CesDvVV|OWO&{9`GBj?Tp5qcA8 zuW%qf!JMB47|BF*D66QTjQ5s-gUEL&)B)qFATpw)qocE!nVI?eXY8b^O!{hQT61_f z5v`Cty|82GXOmgv=mU$7ljtC}G zQ&X9`GHJS17Q9Ovw*KrpTYN0W*O#BCpgO0dM3F-vz1W(Mk1xCe%caKfrfneh)t5Wi z{^A8pijPUdqR9&#@ALGQ0PnNkZS7y%x04A?r+k$CGLMKrc80OZN zmX=?6PE*cXGh)E=5EBzGh2uYbcp>J#AKF_lF8=M?&8vPNTSMrW)^Ty*e-INi&q~Y{)NHOzRh3RQN8_&oPZye)$i7$WjE(2eDzB{ZnDX4? z082s1V>rR;%{#qNdQ*m#QyfmFhsC+8w=-PmTTqab_ei!sF)=l-RMoGq?71JV-BbpC zb0_}Qc<4!X zR+gE&$p*5UyOQD?m6o4y;ZP3$xrCls{4@kwu0>Px4uyGvqz z7BB14B<1CA8{bI&9TY5@Jv>ejS@Q1tq4nWSs^x`#{I2u6fKuvn6yWPur}h) zDD_(ky?O1VzPTPMt)@0MsgIac#@K9Ks{~dK)jt6_q|7xO zM~{aRMAB!ye#t;JNfqMXF-aL!jm&#TN$))Qwv3Q1q&z74P)rXRb$NsSUFd1V9W%7s zNN*TnR8StHg(gMjy8F`5xM*2b?4Nd+tne(p7%5?IMFN-YAB-FK}@*UnYUVfi?BjOG-w8+_XeBtln zVl#CYHFc*f=Q7f@%P%4Meqw*KR`rwJv0$U>^)CqGlR|mjYGeBM-h7d-nTPFZdI{Ia zWF%ddc8*hvG_l(Mp7$BsC?&%1a?+;FFMY5rt+&HtZLVMX@;kF07|VTr8g?q8jLTi$ zXl&WfREHuX9R1~PsyQKj8$r3cuwu5CZ`mI^kRP%6%XK{Ki_2#*JL-}@IeHm?TZGISvk3&2}{-65Z{34f}$*S+C{@@Z(ft25jaXckFQ)Z zx5KFXuTr5*?XPuvacu1Dn&qA+ld(=F5$5ClX-Y`#fiy1$ z#BI($hKG}&Hhw)bM%{rlY9R8)rltai3KKUMu=%5t9qumJ_*lOVXo)7ZpslZFt{i^E z%+>Yy>+fb!QPJUDjr2S%;~-J*DRop1RL+y|*reA**GCLj=Q6uCgbY!<1~FqSDJ?l5 z@Y5+2pd>6PC=gD{)!_;$2!HG(jJxOzO*+rkD2;sdSxjI0SJ|{oxiW377fhWzxj@Wg zfzEBQ7`PC3cUNinbeY>8$faf~Y*K(bkY4}!CP2V?O3-fpwFY)+aj|x96W0OlsB&|Y z45n7Gj*5zUB6-Kf#YG+}v|s2`7akh=)c)7kaw{||sT#Go4oQOTU*ai z+0@s0o_xP@?dJaGh)n*-k6yUrRVGozK3$x>?pB9mFHz^_xy*5+ 
zU*D>`dTL4(wK1=#u3Tof@HSh*FG&;Ai^u==r<0M9SL*_x#*W8UozK|jG&g3e{^-M$ zqSBBK{%GB0)}e5UPQ+OjYZ?=ggr5x&kN(j{=VRaUJ<6$`7Xo=`M2K?hirz0i}57#qAbxvX?Fz0D`s{EGYX2t56I>HSHqas|j+wyJ1CBZ6Dik5*e z*0q!v#R7uOlTUXP=@oY)8iLXkzudj}CCU^SB%8M(im5z=$Mtc57;_U-=C zE$hej!fw0qh4B}OlYO6)lM{G;M1(hCXgj_=L!KI>{}jCVk4~HrUQ>*ydUZ|B zjT<)$wJN-A&cxeHT6>d3-Vg@w9*Rf!Q57b*S?TC(7HGGP{rL9xH-Due>$-zzp7FEs zT(#qw{qsdD1hz`ru;o^v0G`4qq+~;iJjrsS$uj&9u$_Nn;3%8eAWxwX* zwjCBk#ZO2pDkw;QoO0oQ;&XuuJfMc82D8M-6WzIEKQp~7bviJvT`Vx;>ZKlAjey0I zap>&M`Gwpgj|qJ6Y^n>ro~_|?;k0R^xV5?Y%&l{gkV-&0IWpPJ?L@-!;#Ekp814X@ z8;Jh&>({4O{zMfvV=xvlbYcE<5oe4R1>$ucJ{S0-i!)3Y!q^zNIGfq}rluDqj5L%q zG?Z|(g_`0LM%R<2G;OF#>f*R=$7RZ`uXkL#GxOJ`c8!kDUVdt0Bmb2vrKWvuSd@T~ zB3vsU3@$Spm%N-@zRx*rX-jxwVq!u}uD}YSU6>paU*+H(h!`;27%px;C8TONKTTNb zQoBb^?&0oUW`!R0?nm|jdk__|>FVlwkBp2%yE+d<{G-oATv}Nx!ovqaUMAHS*xmgm zfNa)&FX#tc>F0-Q8InPf-@2rYdlR=N32wk@9Y5x=v;|RVVIIhscHa9Tm$0_7u(05@ z-Pp9Tk*JXIr3=o-CgO28HY*EKUxkdf?YEq!s|h`hS}(9R@>7lrgdh=rAZ~Cx&mglj z;eY2_w8|V)%2}Vmvxd_(wuQDJ8Xglz*FqgSpEGmE{W<6OKBwytGm6NA$?@WtPuFkC zuv3e{h%s{IWVMyy4JaOz?a4c48!nG=)4vmX>|Y~cG#*DpAtAF|x#vvDuJ28t!fkC^ z9t%Ac;CV}k?QXwn{z4da8R++P^-(?ZjO{Q2F0Cq8=c3T3-fXxwG2 z_~=p7p_@X|zJ+gX>-e~KjC>sRKmYWD#4*?8Jxc{}cQJQeu-_97h9gRBjkNo~qwZ~3 zb_ztSpewdaFK~-=7p|(izc*~^tJXI?E_P%5Nl8dYmfc4SXSYux~@;1YrJu7c)T1*s_3vS=OEmyLeS5EWEtz~$%6Z<2LM#NzlMucZFg5!ol&=0Qo!kxA1_rOm!6+@AOB6tq{F`yEV4OspDLGs{BxOw z%TSPj<#;7@e&W-PA&rFZC`Qn&Pfgd8ACoWIbwQ8(}R0WP-C` z2|A+$AP^J?^_gI?MZme?aippRI-t^G`z;=xkd&DhqwAIbv|$_EUaQ`6XOQ7`VePIo zs;8hV&k`Gt+T5hw*};9%^x#escB(b%j{WuNS6-fFK+EokS}CR{!DlSVg){a77eB(5 z?6XOM(iH=N8bO9aRT)at=`HNY!uR@IpTxyWg3ao6n1-1&!}@!O*?F&9k!Ym-O0?F+ z_Oy$HG_w-i=wU-@^58JY_H zh1Qaik{3)m2=}AS>1^}tPFrv94|!e9FJINwilWP{hO!-y!^6tDx^&QZ`-mvxx2?}O z9Iislng|FfA3S)l-z&0(ohsfNlwqm_(Ji5KTwI(#5n{>>gMIboHSYLWSxwE@)Hv7b zPz95tV&UAn>ArBF)~3U4a+tUUkk{dIMrdqzN6*f-t&4+8gwuNigP)nuh=O|ew|aV7 zbvi!#S?)ha2oBbVBiQJg7dV=;TZypTVXIW?(Stb=uHJT~XL@ z{^NXxJ54|B$rs|;Qd1i|omb!U2Jdpxb+7Fve+9pEVSi^u*89Tb(;izsm2P`v&}48< 
zYjWMrLaX*;jp4pNo3;BfT)0RqVL2c*uMLBPsNnue*3_U+hjuN znl!z+0}Xhq(XEC)I&n+&n$Umb<@N%xAd1D|cbZ?5V4lRlq1&x@4v zS^@F%Y-BREfOXy=ukmgsQ;MhOPPj2oVZ%;2dP@+@X#{ynNY;@y$S2b_tVyY-uafbUCr;b_}R%U94hsx2kbOPSm)K z4kO&b`Vj!lFOG-$7$dUf68QT>@yc5|zb}nmkig9DdSSz~&jp?FG&0y0emRQZsrH!c z<*4M+c^?=1(|RjcK@q&gy*GSKU~1|{HIpTIjT;Rflbp}esoy=4Wh{LY+w;hD;r$FZ z0|TAAhX-5Rya3(qyu|5oL~N{+P5p^`8xc*Uv_@FN*{%im_WqE3b@dt>t0m@XmIS6G zRa!Sra|Qq6ZK&3O6wF(pQbjN-K3H2^5^yta$=pLmvZ(1aheRe+FJRhuo<*#L31zphmgKKG~?NzW@?hXG+7Gj## z_*0D6%rU9{uR|q)@iYG(e5mR1U+Men|4ifm_q6{1#lF4%N8_Ngo2mEbdWd*m&yd&h z`I3dW2y4dNCS`ZprSnzw6%es~e4zCM)<*m4`EATTKa)5456M+2gB?btdUhGf{Z;m| z9F_7(R`sLVYOh+6k@l_U+X}v_P)uivI7Iwb|4+L>03&0RgQ943uT)l!OWZou4c>3^%o1)x2N8 zezoxf@%1vjGrMaL+f7^JyO1`af)`iIM6drrM0^?lyKVK)bOX1n;$kt)eAR#!O+$~e zcv+KxrwOknKaY!~yfQyAp0$Q)B*mKZR>J7|Pfk|~K8SC^wZukD*5ySMYi^zdZrsgN zy#lcv5O$qw1m0>9gK_Dj+j4SIQ}al?)ExKQu8?CQ zHZkMS)(+aiQn%MdXkU1bgKu;M#}jTZ9r+jlccA#n`Yp1wAr8B`l&?C0Kq9@4@Gc4p z3Vot`-Cjo*EYF_p9L+9kvXh}GK+3=T^JW(|+sy}O+$N(Y$>DiiVu~b=M5p_6)mX?L z8%kJ;MdmU>BU<9)wOEg&?>2sR5-fD=m@!;-x9NzdjG30)6`(hEaJw;g4@8|Rs;c6r zD;an3r`alp(_alnTVKC^EgR1(^e|PfqCmT_X0tkPV`F~)G3utTs$N_0I3X2(ye#8o zF8=;~t>Z*Vk5+kn&+^BgKU-v?ds7 zgS}ZIZ9rsHAm2+nmRt9tP^%VWHuf;(XGu=OdD%h+>YL=P&L<)_T&pP}S-yViPLCn` zRabAc6@N_wix&mQ*{IBY0_1S+O7@|JxIA5#^LjSzAIs*$=r)M0v@-%TdurZIP8D7| zML3{+Ra<)mPq!FhIFS6L0&g>&$ib3?c7Nk+sZ?Wn-S_Ru=_%2Jr~N}iYz#s|TwFG` zj%7`H%q%P#r6vcTc1R})2vn7or7A*0otyoMFG~ZhSNka~C(1cM<(vEQ%fbpTjr_cv zcpQ35LqmhKH3UF$tnFOtb?!k;JuCXN(0X7C(T6mE_2F@_$w2qy@NbAF0H-DnJ)Kb4 zE4ihmSYiv@7t@+jV%`L8eFqsfmmf>IcPBbhCG=ruqJc3-TeUnKg?W?I_sNcte|rg| zb|P^eT%g?jW4RIG5z;+jzmi=1+b6!?V`nC#uX|cUpPNn2f|SR!wt@B6*h1CnHGe0< z>b(HMT{*RhPl}4hI>i^`U_McyOQ(}E+}$5=o$+hU&6gZLS5vp2sCywi$y*S?onIM8* z7Lp&4*?D7+JTfwJ%5zBW%9V3?en3}$lV4%2ef$(C6HSV2oi%*?`0>}TYj7%CZ|ymC z6-9IBp_=leBgHOQ^^H@b`)bN@?AllB7^qJ@syp!Qv`w1?eCpK{`!=(Jj?%B&)-!7A z-J0M1oh5nOl5P6q?%I(mqo~VLBN9pUU>1o_X+84B{LoJ+l!(>HD+uq(W#5_=J?niY z)^-TTm@ksk%O6EkKKKuQs54N?{R1ay4E77!&mX^WvrMN7q 
zs5Kl;t`m#xzkB<(^~|loA&{Y8xWmKeq~tz@#)O)#ShJAI=`JMN5%qOt$CR zztHPnoC$ZG)eQB0kqI#gO$I2dNZCF%jzWIzNo3su)7*K|Rik6G7gdVXlVVvGp@rOc z<{Ue4nPS01TKU;-qMiWQnd) z5_0RCn#JIc7q|u#6nagsUh75Pre;UuJe-LSr=y|^qb=e%M)Upm2%N3gwQA&choR~; zgM3d{mn;Hi8d^>mb=^j2A-oQ~(YL_O%dcO*?&^WdL?W||$zwJ)Ho&6#I}uLtd_6QQ ztcr(!)Qq>?%UC5!bDds*31h1nKNU67o)zq2UO zp6#VXqIJ*Dm`XcpEl)0+a>MR-NO9tD;lkI=rV7t$=kv`cBp2KPtm0ZO+abC(r_Jq~ z86G(n?}#(%YbR@2CY-O3tan^BP}kbB$oOf3FEK>_7F~V+-rU_-VX98ohBdDUn{#uH zJ>2qSvU?@voOd%oq%D;7L#f$H=%W}N_f?nKUN->r)*sDyB#F4x+qbH8GTele(b9-G zJ`m=uwo2e%XbTCNMp;~(B0|J=?zw<~ z_%mCw#8D@9r_XQ7l}ON6Gp$~wa>#13hchh=z`5f%ep(WlyNDmwg;6jU@OFsecy|d^ zOmZhJ#SSbU#Bz*=vzB_UTUmYtMV{w-yhlfF3@t4J)2@CA2?_Vua&x@TPsk}^h4zGr zU5*Ufxa)D}{@-F?D+3ud%Bm_Vbh6Tum3B%EU+ZJ!lQ)hFh|R+OuZU#8Oe8;NQ5qVX zUUlj#qioC9wM#+X|hJetNZ1cT#Tgeq}FYk;inmppy`{PH(`QLY* zMhRT$pKPD(Q$dy@q-QQF$KTJbtMh+9BI)nkdE`4PYlB()PCNV9c0sum&r^Fnn!9g$}DIc19$4X!JXE%vym2Y!$T3wrbZ{M*J>WqyvfWbEBTVx1`s2>U-T3@^cb<0G%B}XnU zE>w=rg)r&S&JL}Bv!y=~jiYeVy@Xi7%c5zS=7h$CyWfk#F{&T}H8r)QUX{WaNi}F# zI3iLMF%_^^(Na>BwSopv=-D2Z&)F&lKzpcBPI2$qM4{P&*&@5WWezsA0{4ad3Y*H+ z=r;i|%=#4o_X3Ck5`kn(O6vH^rka;mz@KegBaBaCqAhiv_NVjqT#&2ad|!5)NeWg5 zn6lsZ$k|CrNsgH4i5~R(=z5+NXS5AZYKnOrdLCgb#BsAsvpxc*zdz1O22!7l#OTtA zM5pmvEW{pfOz3iI)NYr2Bb5ML-N?mzAl3(;)F!uE(PRO}>!Vnb?algiqPm$PFANNo z_6Xnsb@r!aW&8Wh+1c=si3Kc{&ua3%kWiJmxh3MVlI&YLCwil+_UsHR;_{l1@*V|+ zP^!-bsO>~WN9R}(?(FYJ;^qy|J1Lhp@?G8lKRy=Q@mC}QG5)WvE{pEi0gr_RVjAJR z@)5&g^>WLJK~S`yovzMSF_riBKCeC5^YilqB)}2YKUW~YJW*FwQ?r?@t+Gj(sl)9@ z8#H)(`CYx{vN4{WC@vY6l!OOW0&)DTDV@*ms_yyjHi!frdic~1RwiCqjWU9VabF1; zLhbZz>W5qd9B_w@W^iqrV%51lmp6bA_DU9sIg7JbyKY3HvvV~ z1!u+h-Tk=Qrzg3i&MnGUK?;Au#JSMlV1XY z`PPNo#WXa6)4{<(2_3Jjs;a7^P(Zc;O2hUJ4kI76rKH-eDyC1{JT}jVQZ_>r1rKb!G_k5KIF?Ro5c#uU~Z#@}aC6W{q2QEGx0d-QDQxBvOB zzr@t&_)eVo%#2!ZB{zeR@oLHaU~J<0n9VU*pEMQuTICw~@%)I(&OKjGV`DGTW>b6| zEoL;L&Y+<2zwsU%_83Yv00HY7@NNYKn1x1#%NCk7{Rf$Vq{LBJtxkuQ!D@n^l9h^x zCV^N>iXcL5-BdE?&sy0FeDE*V=hMH;t^WV7w~H@tbW!36pLey2(13NVB6!iHh>y-5 
zDlWcf_B(NA`4{lqzR??^KWhF1wIP>F{ao76V`bxptI?IL1}!zq2B=J#PhF%qMAEmP&^9U0b|6(29=SPRVnCK3p)A_wVkP`yf z()-e^mnVza*){Yf9L@O=1F~PP3JR>F8BhYw1&FMKp0B3UZ+iNTi}?Vqf*R{(5ZMj0 zlE;*lmC1{rR03+`7eWHR+D~DiI!Y@xY33LaZ&M$~aa1vVcvDM_iLl-%ZWx#uCmi;I z9Mqp^>Q7JE5IT(a?~Oa3A!6PVez$i*;cffJjgmU<0kC~$ugzn6dir0Jmap!tT0W!K zzkcvG<3;%Ae?gzucamVH7rGQB7H_rK9ZE_=jH$bNdtov%D!H7RBtwAX{^VMXfg!_F zwy0Y!#32Ad!A+Q^;MOC25}y7Z1U&ve{DE4>7JM%*y!!<3iQA2qylwYGXP0}m>)cV3 ze`X;@k>^(Q&dv^Y5)}~mHB#z_rG!(cfw{RkK!uV*e`Mw4g#Wm7VDCeCN6hn;o-{lC z&_ii1QS_LUDk_^icXO_a(O(UXh={P;h#gELiqo{W-~IJ1W{G@JMo-lOOFsaL9#TYi zEYZ%tzTO>s@1Z^a;Tj2YWSIvsRCRiK+F@i&0gHXAKRIkJ;%pgnqMRTfSHf%*mb0W; z!u%ae-St{ZV3mungnD;(FRGKk<8qanHSNpy#3P6%p&v;)GmMy)n$T@pR^q1gDeO8W z^sMlA6`NxGHZ#KwK0bgxih$bp0_G~e&-ochHS%;DdWV{M*w`$Nw|@`5NC(ATnTF%} zJsJ_`Je|7g^b*CNIw><=^zT^~SPcvfeU5+Qu3RHv#<@vPo%Z>N_piRMcE+;y;jk4B z-X}}saX$g!7g+Pj8W)?40p_ZeA$f74+w18YUYgq4_!dlxn}wu4Zi^!RMVPXk**#iTwGJh0z2uH90UNE(o{cD}c<(`BX4z1<2 zoUPIPgc5TP8_zR;x^vT^A97Uuc`-g8iD-nc-?#zAuc_pYw*ImN#pZ$ZH#5mPyWCXk zmkhGGc|}!K6ZD?S#}6|q_8*D>6mic(`)5Z>a~CV+;{g<9DIS8 zF(_u&tb9k1?6K)qHGP4+Ie*l`CTFmfET&aqSp}k?6rXdt^y-qFtfF^T4uf?bE^)Ba zuqVRRiSfv;hCTa2Z05>Pd>(s>FTa(J>+cpo zJo(%a!DusC_Kb^5ehp|ha8{dzYT8aw!!qk2QCsd!(t7tUH83hXoc+V$!Psmpubcgl z*d=4HOu2_aeRHbnRk~&ZzZH;p(T8Kd1t<}TM5@~#Z>Oe3BVW&`WhIi|E=@>l5txwtxEhSqfteib=`bp z(>0PhcgHPSlJtXpsgV&CkE6}78zoNbqg?gJo;&j`fYx9!Pc3!Oah2kkL1ry;5=?-Z zwX?^Jor^2x6pOC#|MG>1@*cy%ps-0d1E|7ES{z;3oXN)lT~ZVsYy9TrG)P6j$(l+k zD+Pswgz{w680>%|iAKnsmyJg$o*w-mu(dJuIRa^h{*lkE$De>u2@h1fHzO`?ZB3Xs zJRBWKKpc$>{T34$NiFQi%nC2kDU2Ba#!lF2BlR%Caus7ytZwW*Z2zRTt~P%Bf$QA! 
z^n`?gp)Q$ZSTe%uU4QR*QgD8%N>mh>JQFfpb<7o9;uq zU=dd(gDb1S@}E@6wsD^~O$B%lnB@RrwW;5!u8sD=uczE3rj~+2!=C3lZf|e9uB7?T zx-Q67)$Mk&jcI#K$7%m=F2}0Sl!1UHrbB$MyHs9uXUx|ZqLB%2p6Ji;I5J25kWX-4 z2oiXExK&u5v@-m!!F$H(S)_buMgvOupvac?i=#>|PLzS)S?$f6&oMDE69ygj!sc*I z_jqo-rw=?my_A%QMMzYET)@pOj{CiTi9Z&QxPYpWF?+DDPo8yYMpJ1)bf>#pRzScI zU0xoP9;Gt!86|1inaE6jCYqfg8A5iCOzd#QFnH{-zP!%Dhil*9Aww9tfAqLj=!EQs zW`WpfYI-VC!)bYaUBr3H)h#Iw=zpU4fl#4XJr9o~{`#Ggy#f?kftsT5mH$G58x5@P z-!WeVMTL(aul{X_fBZOVVgDY8-dR{!dfVIox^o8@#Up@dnqn5EyriW&L8GIR-Rr!^ zw|@iuT687zL`iL}=V}R}Gc1nq``18O7);!Cdv302Ksu^D_(6nBMuvZTUQSZtot4?ySqZ(Kc)nm$-Z&+TkmZ{B2?AE`2P0~OgTt;{8~^qApqyt*Z-Loz-xx3cM#?0-b$4xPDb97y z*XRv2YP#AEzwhGSJzUkA+g zZCye%$e(;Dx6(_Mb?!?Rd-lwNMj%c($uxT}oxVo;eaP3Zkth2H2iX34KlZbeJq(v_ zy(k}t({lHEb93`jwo-URS7#@61Uwx%cxi|mTjt9+1=5ucx65uwq0ckRpPCm-B}e|> zbmXK_hiEvH0YN(3lr8`7EL~<1VbijCx^mzSO2!ng?LiU2gSynK zN3DKMq<&idu~KD@sxB@9kMUR*^R2UA{j)^Ne^v{sgy`Vd71 zIu5brf6rU<^H0{*n=mwa|FD)o#-V}P>94G|A}&>$%P(xx_}UEF85F}=2Y8o4J~dok zbS~Y2_M_Ptgq8KDTB%U%?_)h>n4@##F4NX9{F}|_^ zxIBTk zNDht_Y85Kq@*DVvf?^_9%|>nPOGN4ZY^`w@s73-=;RtID0DB_Ulmn>*dd+xQTgu9K z5gkoCnM7~iyvbF~ze7k!!)=tMsgm1!&lB&7ke8DB3PUR8uJzPDW)@VB3lipz*Bfyo7F)G&&PO%F92t`zBmoXc_ZvU3n5!+)&JCTXO@$oi53Ni;_f z^S9P8i(V{Q7oc!y7Z=|+xdE?IZ5_z4^Ed>wtK22cHf|mg5>oo^oF#Y4^@s9zYuHqi zVJs%5ramW2F%sw7en9;IUkg3wHVi%|0vdM`(nFan=X(jsbZ-m{=D!e90k-Bl1%))# z5&Ptiiw6K|t36q!n(d8KQc*!T{^Mj)Pvk^FmeW;KS-A+f-|m$;5(;#2dB-aa zbe)#+$)X5T*TVa3s(^w@Cq1PieA%T&A%qWnl-;Snw|=$cty^Sjx~MD8HMa)|E$IQ- z#lK>6Bq-R^Gtr5;JA%}OmX;Q{cc5Pj*qGI|Mldh{8es+g_aR_9LZ8w9Do5;R(!6$7 z9XAljgFXsM*ORJpsVPk_~8%&zcbWj2S8N%*g8yXrkjmgQ$)l@Wu z1cfK{o-)7bSPVugSqC$z#LE6)2q5=x^B})}9|+rpn3>hBiX4((g3=5~TAp}~7HBKI ze?MGdqsuTm7U#A!3PSuk9j^RN?nL*N;cqe8j0d0$5d8i7WVKW7gwfhaZj56)Kw1U1 zj)1D)eQnqr(EoreqYs3i0yZ=B7hizZuc!wYD1dVQC@JAa6G*F}zeqzlf0j=SlIdHz z9DdkCwd`J91GF)mGnR->JTJO0E^%WcFL9$oiP6PuRv);XL-iSEjZKnpq+EldyYxe4 z3wb3yJw0`Gb>Q+!Is_V0pZ~P7-QKALq&~Dit-EVCLrfOX8~}D&jOKBNhb$pYoSQQc z)Z- 
z*StJELCq@a@t-~@0fYI2TKFDS&Cp47SX^3p5>Fctl9!hJ^!S{+qva%)E@Wa8@~A@6b@L)$`{H`e~Zh zW+u0iG}i?kSKa~qa7(-{is#Oa8#lBadQf&XE)qvmd%9i+i0+UM$KC}XLjc`N3^8Oc zE#U?!JF##_Z!iCYJDty>;c7LJK(A6O+V&{;fN%7X2%E)Nfi}qq5j`WguL~|1%NEVG zHD0{1*r61;uj0QSGJQWGDv9B5xg@5Vv$Lxb61o^e_MySS!J(m%Wxty|+`(_&9s(Ds z_9G%Xz8WywS(G@Bj*enFhliU%N`c26RivOI|3}uRAri4q0Vk*a10p<2{(Lr1tfSz1fxJIs!{ru)%aHM#AV-n zhwL@m)RWO&K~k)^#fT7_+TX3`*9gE{CID#|4KgG@VsUlMl#rs&-1B)cpW3mosWr2_ z=H$xCLQ@~?!a_#k_79L(fi-8Z+r1#}sJ_m%?a^+6PdB6muP;}n>? zY{4Sb*H0tMRk6>=+yT7Jwx0aoF(&*8E*n!-dgrw}3rw}py*Sjq zX0Nv<*=<>)N^H9^#h;MIy?|>`T~QIFK92)-x6@uhJD~PmTn zsYJD{469w%$?o&HO6`Ys6;?hL6Z6vbtet!pVx_cQqz_(eAS)}I<@194a_|J#$5nQ_ zX~aD%)6?hcJ+_nv^RS0Urs)|ON1GE1o^hSR^oj-Q#pz1O-n6u&k({BsGd#6wuE%S9 z7Sv;P@9Qlmz`Ft9Kf*9F7$PG3cK%TX)f`8Hk1sJe(1TLUqOFe$79;5mrB_J4hP)6s8zPitc|4i z{!MxhM65lnt$RUw5EN zR5%uMelmED$C>sfvfNc${Ub%i3|EP{5%(eime!H(UN?hAqwW6TxE%My5326Fw65;% z0FVS=St#pe(3>d#e?pnd!TIl*dH>VnbBZ+SQM`$TZ-C5WBd=!$O3)5ZW)g@hze8BSkl))t&}o1BAxg%BVwN)}fjJzBso_ce5LurqHA zq5?o1WTE{&CpVXzL+3HwhIaL*j?S0)VhTXP#MRK-)6=yMkXcQqXh0n7OK8yBnmGmr z8Sq{}ir^c4Daspx6}m(n6xyOBsw>AgH?FPKnQ>~d@9pjak(^AG+V^l)iHrFz@ZuM~ zhYwTbQ)Z+QZ+8jjbT8b&J1}U&n52QM?Xp$Lg(NRt+N7wIJ+ zT{?<_^cs+kKG+e04no~rlxRKGq3aJ{~8kC7>OSZVq7P5_iP>vswTYNQush$27<($Nij zog@LVf#skVR}M3Z>)g*bOY7^RUK2k6bh)x(4$4p~`^}2*aMRA9RG4sAfkC7F@%}Jz z`6NlOto4Me<}yfgC=sRT2Youwja-a-VB`+`C?c)gK(he&qN8CdDW3&AmCtUM&M^Q9 zQ!FgdfafBGl>i-dfooA|DFGn3KC8&JE0?dp7%uAJ+fKI($WP=N#jr0gkkxZsjSK}P zMdwrrikCJFaxdcyRfqkB%JXnMjpY6GNp@l2SY_%u@cC`~OP`255I0y~Ee2sWbB9vV zDOWj!ft4Yr&CEOZl}~3-M3gikM^mv5q&aaOxE&oI`x1~uz~m8rf;k4LK}Q;en_hF; z9g;}N-}&lMlDPc5ygZ1Wy87;kon!Oq)~V4q;4-;YZoRvd2dFGT!EqF-2qXMOT5AeKE3j#u%5!sI4mqIJNqKWRZQ=?e7etCS{;k;Z&N+xf#d^CMQ25y zGe7tmXY9x0an&}7-S5l9qn@h6xl_3$eIQIH5sNjF?&rZMB2@PJ7?40#7Hh!r=n9|| zY6e(eVd2JL$`h(ch8qks4dvzX4lg|p3HWfT2hcTqb5v1`MT3ddbJ-44ySh zT*`u@E&4v^S&y#{V#TYsS?TpOHF+=$RlO3{Bkdo_FJ2A{onQf-@by7%-JnlFe!oXA zj_0YK{vIE82ZXk!en~=QXlTtNOlhm-D&VdAp&Jw2z{-gLjQfUdTwdPV$gf}jTEm>3 
zU6$Q@6h;BeM^6VBw7+Vh;^uFEm)46MpGmv_o^CxlQqPv-k`vX|*77BGMge1G{}-ih z)druLQ{wUVx`So4e#uSrO#oyzudf=w+#+V@eYXQ+mtyxSoofKPU@fzMIRWHVk^6cb zww{)XcY5QF09^(f?`vw@m<7o9gYZ+|t>G{_-nX;!Ui)s+(x~_GqoaXn0*L7Ojt>D! zV6&G|mC9GhMk;?DoPdX&Nl}!I^{5FP^I?XZ8v+m5U#sgrko@x5(>cu`Aip~r%s zAP0xMjhO7e2B4{DV8SoiZ(J?nm%efhTMVu+S%kH52jqAWbSFE&gCp`Ko@ap?sGWf| z5TIgSY}n627ydfxA4DJ?aEn(J7V0-JS%J`zAj**WdO$7nrku*kxNc62KIR42cD&4F z;e8+lpI)V=)P6RFtQ#ek4OS^8FE4*f)OKa?$-;E0k$Cp#7ZbJUl$4@yhzTI?otz4; zPE1TN$-mO%k}ccW0b1tDF^GlHy}IVJ=CMkF9(cw%vZrRrI_0jPBU#RRq~}{)k$Y%v zZ3W=(+XW{0vKGQ>x}aXw> zxaaJObV`oF0H&|m#C09yx@^s7pOP%&p8E-)fdX0-iL;$-;ARDpR<@vS8To9V$(L{c=>SPwGij5ad-R*}GE;(xGEHun}k(Cz*yP3&MV z#i7xue+oK`U%n8BbY5WHR%bLcoT;|i9~f8tRDI@f6|CB_QnGZ%XZtgF`w22 zvUY`a@D!oHc6Z~fYxH?(?IN(Fwy|2J4^u37?Y4auVTp+;gO-kt+hRI2oE$u7s5n(O z%qTvjhea6V@bQvm3ad|D|HJA(I7UvG3-tP$VSt6MFEo_P(UD)9157?Ve{cu+JpqPm zl@62Zh6i4r@vvejc}8W-a795`l0$`kI6&hwGBR8Wi;D~U`uj~P-k{$H_R@4mECbHH zTE9%LW;hov|I6hd3P2BmFBR8IAS$RHBMBB{@$tN%$Ta-FI159#Zv4MyKsUnIMc~ zB&(+ISxP%c%MdUXs45}kF({~8=*XBBd99F4|3Y4rcV%A=(0WkwCKC-`9Twx%L%x{ux6;pC8_{zB`GrK z0*gJ+1w@(&pUa#y6Mk=5M1MgkjoaiV+0!n$H@-YHWN&}oyFRGAeTiDp) zxh#M%cy0RZ{SBjolb=6-e*O$BsJG!Slw$uw;RqDXlj|$!KH#~qx|W9bxA+lB5^7ZM z`R^Ds@Ou$y;eV6yLY_VAX#7$GNHN=ngpWmF+^1rF^vznRP>c7Q%>|{$nWSKub_MxD z!v<$r00DzkL(s1w%EBsid2F>XFa7|T0l8pmfzFnHZ7zOAk`@F92Sdt0`cI2*e2F{Y z|B%2xI#KtWROu!|G?pO{8v%o2TRq04$XCjz?4mA8MeeM<(#v+<+9@S)ElV&NizKbA z%@5w zKveKBi8ZzAAaYc)=VS2qT(l8BW0IIo?>jz1+DG)?I@(a&p-|(D|FEA2n!rEBdUmWz z;}vwo#XL0Nk6=sCNn*{Q{+giLaT16e9uC9rw(k0+cemjy?-8sQ4-X^kmI2A6X2oQ7 z352i6SHC%~EH37ucNotd%<0ttX&(SP2WpJF9gs3afBTHE-GC*E%6$}&95OO9Jx#xA zrps} zjhL<4yzNYO89tOsaVU3TcVi(QC1y zHaqm-xsLq~)6v&bGsaHKX;OsdOuZ?2YyejXV)l;e3%CI{*0;E^R*|Z36?1)a4V$ae zkBf+QOP5tABH_6?is>ycxnM@BzLMc{f%xAl-u3b=;pk?wLbGlL@2t(G!f(zRhp$=b z0cGq24|I(i5(piW`}(TT&)0zUknfpPO`8C#zpNYX$Ss_2I7=HTt^}7b!`~;fj#;s5 z@LAIVs?OtM&r6q1VWu`SEq00b+(Rp;7Y2m zhx^PDBKpSdjc$)XH5$_n*ktq?WPWmQY780wir!zE{ zbTUyUj+cy}E@HwndgB(}j1y`e^6|D6>v$6}6ds-{m8}>mOaF#D>v)4;Pljt2T9!6= 
z2h3L$Xfq``{%j#X-9O`TJ8CXd!rK+mE@}WNo=RRxjb#jS^*v~`wt*OL&U_y*anEga z!mB+A#B2_7qNvss>jpVR1(d*%wl>?n%D@rEzz1%uo0!pUOH$8F)xQ5dwK(TL?{w62 z+I{h)zF$`X*~LF_E2lZDjYx~??jJO-0B)YMZRkC*x{8Bg&H|sMJZws=%LkuXjeW(8 z^v6G2D_YFy`;?BXp>GgRGcGu-??rqaGspkN#Ry92vS*ib^90Z;RJK=IC|%jxx6o~^ zJG@H8`q;jn?E<_8gdiLg!Yrz;`Q2Q= z$hmhq2{8zWMt`6xfIa2t-LGqCGj^NQ8r%OwXUrsQJ2Bhf!tBq!d%Cnu948mRKS)2a z^D~~0WJbX&2{I}%1I=s$AOS_x(ivn$ntuI?ovG6a1>7vqXi|8JC9Rc@l#`Nt3AyZ3 zeEQXDdn;ALQiroH!_tKBCgV{#0MsZ7KTlQy0u^U3G>z*>J+hdKOWgLs^}YWJwQ^Lc zBwB7jbk&8uHTwAd8QKVrI-9P-ngRdZ}Y8Ay5@NS3oKu57eLZN(+1iv7E!Ye zcH_;02By>LN@LHC6$Z{(q<{Ke%euwPEm*scT)$WusT!QyG(y%r#tjd+W2nRBVf!cg-Q{cox=_p7971N^s=Y@o%^oK-&uh zE~LK80Z}@)vv_YMnBPUq_OLc7Z1kdVa009+_rR zhILh%oz{Y$+Z|&mUiE>5aJmRdP^uj#PkB z6XHdWZ*@+cAH88S)cmi7Z|n3mdJJd>S`P3HcW^r?1+8U3ctlC0`#O(gAXX1Zi2 z-2db{%Bv9wd)V1!vvQY(U&_e1ZqFN0n5Topm_!rZcWjc902~DX0)UK2>Jp*eGefWS z?|}*z)9TuQDM9GIg!%5hIIo(jlA~*0h*swFWBYyFSUDm2SB);NQ7X8Sx2-JQP5hTk z(xPLGAU2GHUFgORqq|~A+$X0ezZ{w8B{}m}Ugtth(ofh5@zvO!!Oq45Og_%vS#d=P zarN&M+BytwIqn z^+IZbY7N#}^@eyrG!ox{$wm?Dm7#B)cHN&S@wY!gXtKVZ-VpV!L80Du3CVa*@aOjW)SONC`Ib4D88ht7S^$m8 zj#=T{cdzQqS%?{y+SP|H-JQU~(!DI*tf&@0nfhvBd~oDWJB~XiD=i~WY=y13DjRFM^xUj(2cbMdPDPnP=A*UchT^Wle;*(^lu{A z+@k#vz#Llb>eg=x@*Ca`=|*kM2VHg2HU5_D|d&2>KAH({|~ z`Xv|A0k{iQ=~!b;&3b;nvX8Imji7Of8op=$m>x&IF7$O1=-6HEDXJ2I&P*;P+ch^c z95sTNz@D?Yb&Ulhn+n~G=DW^>K$?YS)BKs&3uC%a(R80z2@E}cb@dn(pg#sz%RWntqPT+wc9z;KDVY811uPzU6Jwd=kPLLobV_F*Xsi zQVNabEizvT^80upKwG{H5yd1d_ON_(&JZ2u3vxre4%f323^Ky*>*9WmYJ8iV;x$OE z6H=T=-N&YW`*8lrlR6LwTTl?pTmp1KpvU=YS_>2}jX>V@1MvY2M>4Y45>OxxeP#QF zsKt;dHSJW_+#DFeuppM3T7cQWQ1<1^pk*|Gtbsx1^x|LdJUx3e+(6iFylA|EjEp(( zY}6PIfW9+;*~XK~cxG*v^ZJV>3W}4|oiJk%h{Bz@NI?-49L#T6{}A|bPkv+_9W6)so$U5> zyHisHXnz}?yOok)0Wz>V7`Y`Hipyz`5(P<&4@$O`V6*KPE8HhaBA1@XP= z)bkeCtArN~@FBVz*9FK0DL%D|_$Lm;-iUKioHu0f?;PPHq${)6eY+gDGAzX$$@&`k z1?QK(Ctz^`?9=0k4JWoPl{}Z>lcqXe^KeI=5bus-`YV zhZY;tbywMd3hmdxxgK<9j>+ok`2g)7)FwSJ zM6MDbWqGpT<3iK)m8;PeJ5y%T2JE&zID|>ct6WNE@%eY15h+g`y*3KkdR-HEjGX7( 
z1kwC2v2&lrXw>ag^@xO88r*LzYIuDAqe%f^CPG1Y7~!BywfSi2ikJ?9(V@NrSPK4@ z^gV$ID1l+-gho|@u-DHI1PF$12a^$LQ-71`hoIyR@&ydUhzEHA!L7clb<^B;#S5>2 z46F1lU=}BW${e_+-G52bf#3;eV!d(X$Ahs+b?I$+SjD#t!el-|@`-Pzb7L~awRP&F zt-;RpGf(f7;8x7e5f#1c%_zeuM5YIH33=*vwf=EofAyiZ1RfJS}|L9umfQlm0s zAa-CHT$2`OwOwIFFrlhbfkv{5B5x%TTFkt!ZO*#?ys~d`BA~-Rc#AFU zIkZ%mLujX$GX_EQC>iiP?eUjL)xmvVkynV?%OXfYpBgv>*#*IgfR@{>J zE|7@;5-T)3oJo3d>{6mid@8cW;7My}SlFsq!VqY50cY0I(gM>E6pcgjadQKMl(+Mv7l|YP@W~lTx+!FF+x+}; z1PI1lgM3toz7ZEZc! zfJZCZh?Qt^vR#|H^pScRNYPa!wL-x+;=B|L24}meQtZgrz~w#IkU53<4aJl=IWWl-$T={KVHn{Q$l3z|2YD+`J9kF(ZkE~L@c>H^rqMc;sj|7kfJq*eli zGFYSk1_s_eAUr2>>vAsx-D2Rq;ppBgDGq7RH{!ZSW9mYL%vv7pH3Gso7sb z%}ps3bU@i|dwxxSf9_2$I3SfYJmxuu9ax7$?sNFxIg7~@wnGTmdh@b=wghNGwH<^NbX)BK$?Wy_ z!zmd`x?2a1SUn-@F z5%fnG!2j+e!Xqn+xe>*k5DyAnYchQ*sojxT;kAEl zWc7dl^Dp+B{9pCA(86myXzeOYyH}ZFf{TRNKHbme=HW^RW?)2R|L;?%?? z`?XE2uK#rU$+u=By{? z*Q}bp>5lK%G$7Jx=o*(KV5REazO%k`O?;0`(I5y|RY3~=-f>QG8J>Q$_#lZJ{dVwk zBmp!u`P#xcGxm5JIoreA88MO{CJSkxibD#$ye(3VVJV9rnM%Wdt(i7Elk#Nwvh$ak zc!NusCPXE^tJ0SWrA$74K;z{RJ)2GPSSerXI6Q@=G= z6rlC{KBF{TCY?)`E|0GP9O$MN@Nzk=U)Xntr!XL=l6AD%tGEtrkt&{{ z!k3a1EBfs5)`RbR9r;li>Nyi4;&aEN`4wFxZF6Q#!%l~QXwy3v#YlY-3xUw^d|Czw zw3aViDdQ1`5PMxt$1Qh1*PTNjd*?O~v=WV~e*ZOw871NAnFC=$-kTo$>4n*GP~4qY z^73$4W2CG&^l^$}BW(Wt zIOpnei7olX7c{3}zO29hXuLIh+XW|wc4IFXz3!F+~$_E6Jn`R zO1=ZH{r#(6h!9^fmLFVwyppD0-nu$a7=dI?q=DlEIRj~oFihZhPls~f6 z7*%R@2WT;|Ej>93-M*%TQnL#i5MGY51S>uNho@C;7cFK1(iZPUI#S;5PgDs*DKu+% z^jOxRqq;-ixddP_hK)TdxS{MAY?u*0*ASu8MoAc__{bL_z0n+25dIGDkEq{p1<>1T zwY6IRQ%||9@$O-8c|q=uLAf}7nC4_ws<4MR#hThAs0FoqTsSz@?Oq_s+51s&-sI*I zW_R}Y`_4v+x#O-NfZ4^{b1JPiQt2p}<54&9+bubWGI0%))HWqiRmgal>`8O2>vpk8 zoyilnR|&SJ4eN!(VhG_qK>Dhi#}etfu=0bx_RcaHl!QJG(l^o%zrxCswhop1@ED!L zd?WTl!j`01tB$v$M`yqglxHg0Xx&p$1BSdCV|CI#R5l!*K3&(DX67}NJSE-5smq7- z{;lTFyXFy@^oZkk-}|(MCeL@{*ZCyd?3JJA?n5z)vwbe^&u)ag<)(?0b+;YwAbyNP ziwQ|eUqDZ8m%Mtn)%RXimHA<->Zx?ZHhxICQ_95u;kX}+&LfbJWJA8tW-%TAIdX50 z=%h7K+u4A`VSAPN6Q+NEkoAuAJMD3Lat(W5NlUL56wFSk%^vR#Z_~@(N99TWS&PBi 
z2GG9Mx~i2ox4?JnMRsvEuqXbuebCtLves-j%t%hJC3l!o^8=qD z^|Pqe#G5)_6uAZ;81VqCHFAT6nq{fzh6PgP*Z3WRwW%I9y_$ND`3e)bQcthAEVf|| z-DaLRcV8^}6VWp`pPHrF7my7R;cvW=svW4c0WO%o}vBf1(C$r2bjkOa8mU-wTjYg`Y$*gEDJ_Ip8 z@$0QIGSrve8TBPqFw6V1#HV|g5QyJrH*}IM?)qln2P@<)-kmN=fcjBi9ZGns{4HOH zuEz6Mlhp8luLs)CqBxE(VPGjV%8Z(v^?3dfl2J-u1EPhUe&ZRMl1v(s4a51)5O_Z< zKG0Wk;u~k2y17iv+pKS)8#NaNjNBT(kn1V3DD`pna+S{dO}jHwwiFGSmlOyvOT%rI zBZii;(pz7yWeNT=QsP!tR5z_jf47>kKNNG5PC{h2q8I;d#;fRBo~kh+y7avQzX?Xf zUaKME5>?DoLdIl>w4Sk_xCk#>Fkr}`ZT0vjq$4E-@4!Gw z1ERGl@PTb!UwV?|UH<->_&|_Se41^A(P_EHVqwse#{TuhZm34Id3YtzQ z*;wy}$2KB`jfTO<2zBgTs`BGU?b<*fva5_IQbSH0`Gy|V)Y36|&~@Bo;mNf;k85)q z(+m1@!0!f^e$-u`3*2HvDDh5s*$}pr7Ie9u(5n^Mk|sIcRF0zh=UJoG=e{}w(HQH4 zK?*NMVXs&VHE)t?#F)k1CF~#@A5-~0*{Wd&l}6O2lTVyYnY$nBg4AB!bTuxDcDdriG0hEo^HG44$lrFv1k!l(poD4w691> znqw~`NOFf7eKv#tWPw+MA@@$kjsUK%)gN(+LC5%~Q7<}-6rsToUz?zr>?0ZOb~pby z?KAaHz4;yoHY+PdbmCQA`Vfm!;(7FNX8jl&|H8ufFMWQxbk_>aF9T?;gzf}VaTX9J z`yZC|j!CU=?@22t>`9tDc-Dby6EH^@et<{k?|0%R=vJ|Pl_nY$t?qv5!^5{+m!tU% z>q+-B*-$~4urAl0Vo@tHcJH7&CuftormqWb^?4hc?KS_nS=@^Lj}UtQ=MrTCWnXEb zK)WA|wBg(IH0^Tx*7wTa%rm2!X6669IFcIkM+HvyU$z4NuTr@SF#%CfnwYspw$z{N zs2{ehu=D-nbO6N%xEa$a8OhcK=JdQ|nq|}M)IfInKYx!@Q^YPSL{`LW&bU7OqhYC* z$h%1~`Py^oZ$+}2NlqdvjI>>Vc4q=NG(;_E6P-)hAko?dVSWLhK&GmZ-XyC&Kct{W zffZFB3|E8;A}H)Wjeoi3@$XxPig$0=Hc+kw(L`3b+LlK-sKO$Y|9sL21R0kZdj;B2 zUR$~7^X_?hae;b|OZfH%*AoPT&A(ey#-3xpq{yNvLjA^Uw0uanqc{ti|`zo2_V9o`LmMH$e03!>q-YrTo$jzl+Iys`8Dh{49M#OPzB84 z&mL%Bjb)fW?TIXpw9ntX$W4wjeo%g)pN7%i7i(5v1~haBUI?&M&i}V^i~WCI2WR`D zfk8HDtyYc~ee_;ThuY%w)%ugB|I;EpLz;iS4IMveksf4g!I-%!>~gPfZJI9h1@7uE zpY7ts*PLt$Gt2NB&_G-YycV(rORxQ~uUqpujkM)RaccC8{h}J7PFChLa7b1m3U`CE z7ebMvP*A1C!dirzNAAAnjQ8O<>|sr-w1AFY7lB=_DT4a!v5__x@~Azs><{bF$l`r@ zSy*m{B4k;0mQ};l2}{;Lxgr!BYX5{)yd72lkabU&OStwNoF_i3B?aGM(~i6Z7Wy$A zeRTU!Aer}h`qNwsyK0YeH|=SLKf50M;v(RhBg>9fh!YHX=j^zxjT*Kwv~mlCzg>B; zmYILGzs0QGn3udSyHEX(Qs3G^=ZmGVCt+k=%Buz7!7s`VbJd2yojelL&3y=~i^4sVs^LSz4+i5XA5bM^g+#>J*OAbVfG|y((cK9RI9M32;PwmB 
zGX|C})Q^EI7D}a`Px4~6{d2edT*}E6e_-3WE)oH<&`3WM9-w*qv-A9@|4X`zOwZ(> z!z9x$@A~t2{vT6T{!i&E|NZ)ZpEq#N{r7$I|7gLz_hJ1+@*S&DkL4H(ZPL@OAgdx% J`uz2W{{gY5K5GB~ literal 0 HcmV?d00001 diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml index 333a0385796..513de6f32b1 100644 --- a/packages/zscaler_zia/manifest.yml +++ b/packages/zscaler_zia/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: zscaler_zia -title: "Zscaler Internet Access" -version: 0.1.3 +title: Zscaler Internet Access +version: 2.0.0 license: basic description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. type: integration @@ -9,7 +9,7 @@ categories: - security release: beta conditions: - kibana.version: ^7.16.2 || ^8.0.0 + kibana.version: ^8.3.0 screenshots: - src: /img/zscaler-zia-screenshot.png title: Zscaler ZIA web log dashboard screenshot 
@@ -66,5 +66,46 @@ policy_templates:
 # -----END CERTIFICATE-----
 title: Collect Zscaler Internet Access logs via TCP input
 description: Collecting Zscaler Internet Access logs via TCP input
+ - type: http_endpoint
+ title: Collect Zscaler Internet Access logs via HTTP Endpoint
+ description: Collecting Zscaler Internet Access logs via HTTP Endpoint
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
 owner:
 github: elastic/security-external-integrations
From df4250ab5a95211474b1d1ad8388c111b1dbb1c9 Mon Sep 17 00:00:00 2001
From: vinit-elastic
Date: Fri, 15 Apr 2022 16:31:13 +0530
Subject: [PATCH 2/4] Updated changelog entry.
---
 packages/zscaler_zia/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml
index 81bb5d33c3d..fe848828d4c 100644
--- a/packages/zscaler_zia/changelog.yml
+++ b/packages/zscaler_zia/changelog.yml
@@ -3,7 +3,7 @@ changes:
 - description: Added input for Cloud NSS using HTTP Endpoint input type.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/xxxx
+ link: https://github.com/elastic/integrations/pull/3111
 - version: "0.1.3"
 changes:
 - description: Updated the image file reference in README file.
From 6b4e6f8bbb93b528fe03f73b73f5e33a03c0a33b Mon Sep 17 00:00:00 2001
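Review bot: The new `http_endpoint` policy template carries only `listen_address` and `ssl`, so nothing in this hunk lets an operator require a shared secret on the listener; once `listen_address` is set to `0.0.0.0` as its description suggests, any host that can reach the port can post events into the `zscaler_zia.*` data streams. The http_endpoint input supports `secret.header`/`secret.value` (and `basic_auth`), so vars for them should be added here — or in the per-data-stream manifests, which are outside this hunk and may already carry them — and wired into each `http_endpoint.yml.hbs`. The `ssl` default is entirely commented out, so the endpoint is plain HTTP until the user fills it in; its description should say so and read `e.g.` rather than `i.e.`, for example `description: TLS settings for the listener, e.g. certificate_authorities, supported_protocols, verification_mode; the endpoint accepts plain HTTP until this is configured.`. The `policy_templates` list itself begins above the hunk.
```yaml
  - type: http_endpoint
    title: Collect Zscaler Internet Access logs via HTTP Endpoint
    description: Collecting Zscaler Internet Access logs via HTTP Endpoint
    vars:
      # … unchanged: listen_address and ssl vars …
      - name: secret_header
        type: text
        title: Secret Header
        description: Name of the HTTP header the Cloud NSS feed sends for authentication; passed to the input as `secret.header`.
        required: false
        show_user: true
      - name: secret_value
        type: password
        title: Secret Value
        description: Value the header above must carry; requests without it are rejected. Passed to the input as `secret.value`.
        required: false
        show_user: true
```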
From: vinit-elastic Date: Thu, 21 Apr 2022 17:07:18 +0530 Subject: [PATCH 3/4] Updated as per comments from Andrew. --- .../zscaler_zia/_dev/build/docs/README.md | 38 +-- .../_dev/deploy/docker/docker-compose.yml | 18 +- .../_dev/deploy/docker/sample_logs/dns.log | 2 +- .../alerts/agent/stream/tcp.yml.hbs | 1 - .../test-dns-http_endpoint.log-expected.json | 18 +- .../dns/_dev/test/pipeline/test-dns.log | 2 +- .../test/pipeline/test-dns.log-expected.json | 64 ++-- .../dns/agent/stream/http_endpoint.yml.hbs | 1 - .../data_stream/dns/agent/stream/tcp.yml.hbs | 1 - .../elasticsearch/ingest_pipeline/default.yml | 54 +++- .../data_stream/dns/fields/ecs.yml | 56 ++-- .../data_stream/dns/sample_event.json | 82 +++-- .../pipeline/test-firewall-http_endpoint.log | 2 +- ...t-firewall-http_endpoint.log-expected.json | 40 +-- .../_dev/test/pipeline/test-firewall.log | 2 +- .../pipeline/test-firewall.log-expected.json | 43 +-- .../agent/stream/http_endpoint.yml.hbs | 1 - .../firewall/agent/stream/tcp.yml.hbs | 1 - .../elasticsearch/ingest_pipeline/default.yml | 47 +-- .../data_stream/firewall/fields/ecs.yml | 18 +- .../data_stream/firewall/fields/fields.yml | 30 +- .../data_stream/firewall/sample_event.json | 52 +-- ...est-tunnel-http_endpoint.log-expected.json | 9 +- .../pipeline/test-tunnel.log-expected.json | 21 +- .../tunnel/agent/stream/http_endpoint.yml.hbs | 1 - .../tunnel/agent/stream/tcp.yml.hbs | 1 - .../elasticsearch/ingest_pipeline/default.yml | 23 +- .../data_stream/tunnel/fields/ecs.yml | 6 + .../data_stream/tunnel/sample_event.json | 17 +- .../test-web-http_endpoint.log-expected.json | 22 +- .../test/pipeline/test-web.log-expected.json | 110 ++++--- .../web/agent/stream/http_endpoint.yml.hbs | 1 - .../data_stream/web/agent/stream/tcp.yml.hbs | 1 - .../elasticsearch/ingest_pipeline/default.yml | 23 +- .../data_stream/web/fields/ecs.yml | 16 +- .../data_stream/web/fields/fields.yml | 4 - .../data_stream/web/sample_event.json | 32 +- 
packages/zscaler_zia/docs/README.md | 297 ++++++++++-------- packages/zscaler_zia/img/cloud_nss_feeds.png | Bin 31859 -> 30654 bytes ...-66597790-4ded-11ec-ad09-d9f49962d407.json | 4 +- ...-85380a00-4de3-11ec-ad09-d9f49962d407.json | 4 +- ...-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json | 4 +- ...-d4977590-4de8-11ec-ad09-d9f49962d407.json | 4 +- ...-48a188a0-4de8-11ec-ad09-d9f49962d407.json | 9 +- ...-0334d8c0-4de4-11ec-ad09-d9f49962d407.json | 4 +- ...-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json | 4 +- ...-2958ae90-4de5-11ec-ad09-d9f49962d407.json | 4 +- ...-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json | 4 +- ...-35612ae0-4de6-11ec-ad09-d9f49962d407.json | 23 +- ...-3faec910-4ded-11ec-ad09-d9f49962d407.json | 4 +- ...-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json | 4 +- ...-4e583660-4deb-11ec-ad09-d9f49962d407.json | 4 +- ...-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json | 4 +- ...-5ebff250-4de5-11ec-ad09-d9f49962d407.json | 4 +- ...-63155460-4e82-11ec-ad09-d9f49962d407.json | 4 +- ...-652829d0-4eb9-11ec-9527-b704eaaa5c53.json | 4 +- ...-68d16b80-4de4-11ec-ad09-d9f49962d407.json | 4 +- ...-6d29cc50-4de8-11ec-ad09-d9f49962d407.json | 4 +- ...-72169a60-4deb-11ec-ad09-d9f49962d407.json | 4 +- ...-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json | 4 +- ...-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json | 4 +- ...-91813c00-4de8-11ec-ad09-d9f49962d407.json | 4 +- ...-9e6d2890-4deb-11ec-ad09-d9f49962d407.json | 6 +- ...-a536b890-4e80-11ec-ad09-d9f49962d407.json | 4 +- ...-a9ac0260-4de3-11ec-ad09-d9f49962d407.json | 4 +- ...-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json | 4 +- ...-bd00f230-4de8-11ec-ad09-d9f49962d407.json | 4 +- ...-c8b23580-4de3-11ec-ad09-d9f49962d407.json | 4 +- ...-da1734d0-4deb-11ec-ad09-d9f49962d407.json | 6 +- ...-db1241f0-4e80-11ec-ad09-d9f49962d407.json | 8 +- ...-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json | 4 +- ...-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json | 4 +- ...-e54e9f20-4de4-11ec-ad09-d9f49962d407.json | 4 +- ...-f5a2e730-4deb-11ec-ad09-d9f49962d407.json | 4 +- 74 files 
changed, 748 insertions(+), 581 deletions(-) diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md index 757d1aab565..43d3ca89c65 100644 --- a/packages/zscaler_zia/_dev/build/docs/README.md +++ b/packages/zscaler_zia/_dev/build/docs/README.md 
@@ -8,17 +8,17 @@ The log message is expected to be in JSON format. The data is mapped to ECS fiel 1. Enable the integration with the TCP input. 2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add a NSS Server. + - In the ZIA Admin Portal, add an NSS Server. - Log in to the ZIA Admin Portal using your admin account. - - Add a NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. + - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. - Verify that the state of the NSS Server is healthy. - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. - In the State column, confirm that the state of the NSS server is healthy. ![NSS server setup image](../img/nss_server.png?raw=true) - - In the ZIA Admin Portal, add a NSS Feed. + - In the ZIA Admin Portal, add an NSS Feed. - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. - - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. 
You will need to create a NSS Feed for each log type. + - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. - **Alerts**: 9010 - **DNS**: 9011 - **Firewall**: 9012 
@@ -27,27 +27,27 @@ The log message is expected to be in JSON format. The data is mapped to ECS fiel - **Feed Output Type**: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows: ![NSS Feeds setup image](../img/nss_feeds.png?raw=true) - ## Steps for setting up Cloud NSS Feeds 1. Enable the integration with the HTTP Endpoint input. 2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps. - In the ZIA Admin Portal, add a Cloud NSS Feed. - Log in to the ZIA Admin Portal using your admin account. - - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). - - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. - - Give Feed Name, change status to Enabled. - - Select NSS Type. - - Change SIEM Type to other. - - Add an API URL. - - Default ports: - - **DNS**: 9556 - - **Firewall**: 9557 - - **Tunnel**: 9558 - - **Web**: 9559 - - Select JSON as feed output type. - - Add appropriate HTTP headers. - ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) + - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). + - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. + - Give Feed Name, change status to Enabled. + - Select NSS Type. + - Change SIEM Type to other. + - Add an API URL. + - Default ports: + - **DNS**: 9556 + - **Firewall**: 9557 + - **Tunnel**: 9558 + - **Web**: 9559 + - Select JSON as feed output type. + - Add appropriate HTTP headers. + ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) +3. Repeat step 2 for each log type. **Please make sure to use the given response formats for NSS and Cloud NSS Feeds.** 
diff --git a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml index 52fca6aaf8c..307924c28e7 100644 --- a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml +++ b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml 
@@ -1,37 +1,37 @@ version: '2.3' services: zscaler-zia-alerts-tcp: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9010 -p=tcp /sample_logs/alerts.log" zscaler-zia-dns-tcp: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9011 -p=tcp /sample_logs/dns.log" zscaler-zia-firewall-tcp: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9012 -p=tcp /sample_logs/firewall.log" zscaler-zia-tunnel-tcp: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9013 -p=tcp /sample_logs/tunnel.log" zscaler-zia-web-tcp: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro entrypoint: /bin/bash command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9014 -p=tcp /sample_logs/web.log" zscaler-zia-dns-http-endpoint: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro environment: 
@@ -40,7 +40,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/dns-http_endpoint.log zscaler-zia-firewall-http-endpoint: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -49,7 +49,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/firewall-http_endpoint.log zscaler-zia-tunnel-http-endpoint: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -58,7 +58,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/tunnel-http_endpoint.log zscaler-zia-web-http-endpoint: - image: docker.elastic.co/observability/stream:v0.6.2 + image: docker.elastic.co/observability/stream:v0.7.0 volumes: - ./sample_logs:/sample_logs:ro environment: diff --git a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns.log b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns.log index 747c8eb690b..3064437fdc3 100644 --- a/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns.log +++ b/packages/zscaler_zia/_dev/deploy/docker/sample_logs/dns.log 
@@ -1 +1 @@
-{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}}
+{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"89.160.20.112","srv_dip":"89.160.20.156","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}}
diff --git a/packages/zscaler_zia/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/alerts/agent/stream/tcp.yml.hbs
index 49e3770cb1d..6910573304d 100644
--- a/packages/zscaler_zia/data_stream/alerts/agent/stream/tcp.yml.hbs
+++ b/packages/zscaler_zia/data_stream/alerts/agent/stream/tcp.yml.hbs
@@ -1,4 +1,3 @@
-tcp:
host: "{{listen_address}}:{{listen_port}}"
tags:
{{#if preserve_original_event}}
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json
index 0448e767cf1..a893ab0c5b6 100644
--- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http_endpoint.log-expected.json
@@ -2,8 +2,9 @@ "expected": [ { "@timestamp": "2021-12-31T02:22:22.000Z", - "client": { - "ip": "0.0.0.0" + "destination": { + "ip": "0.0.0.0", + "port": 0 }, "dns": { "answers": { @@ -18,13 +19,19 @@ "version": "8.2.0" }, "event": { - "category": "network", + "category": [ + "network" + ], + "duration": 34000000000, "kind": "event", "original": "{\"sourcetype\":\"zscalernss-dns\",\"input\": {\"type\": \"http_endpoint\"}, \"event\":{\"location\":\"Unknown\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"dns_req\":\"Unknown\",\"resaction\":\"None\",\"durationms\":\"34000\",\"category\":\"Other\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"NotFound\",\"dns_resp\":\"NotFound\",\"department\":\"Unknown\",\"user\":\"Unknown\",\"reqaction\":\"None\",\"datetime\":\"Tue Dec 31 02:22:22 2021\",\"srv_dip\":\"0.0.0.0\",\"clt_sip\":\"0.0.0.0\",\"reqrulelabel\":\"None\",\"srv_dport\":\"0\"}}", "type": [ "info" ] }, + "network": { + "protocol": "dns" + }, "related": { "hosts": [ "NA" @@ -33,9 +40,8 @@ "0.0.0.0" ] }, - "server": { - "ip": "0.0.0.0", - "port": 0 + "source": { + "ip": "0.0.0.0" }, "tags": [ "preserve_original_event" diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log index f6590856485..1d49ab95b7e 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log 
@@ -1 +1 @@
-{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 31 01:11:11 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}}
+{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 31 01:11:11 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"89.160.20.112","srv_dip":"89.160.20.156","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}}
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
index 3b0ef70c21f..21b35962c29 100644
--- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
@@ -2,20 +2,27 @@ "expected": [ { "@timestamp": "2021-12-31T01:11:11.000Z", - "client": { + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.193" + "ip": "89.160.20.156", + "port": 8080 }, "dns": { "answers": { 
@@ -30,37 +37,48 @@ "version": "8.2.0" }, "event": { - "category": "network", + "category": [ + "network" + ], + "duration": 123456000000, "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-dns\", \"event\" :{\"datetime\":\"Fri Dec 31 01:11:11 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"location\":\"TestLoc%20DB\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"Some Response Action\",\"reqrulelabel\":\"Access%20Blocked\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"Some type\",\"dns_req\":\"example.com\",\"dns_resp\":\"Some response string\",\"srv_dport\":\"8080\",\"durationms\":\"123456\",\"clt_sip\":\"81.2.69.193\",\"srv_dip\":\"81.2.69.144\",\"category\":\"Professional Services\",\"deviceowner\":\"Owner77\",\"devicehostname\":\"Machine9000\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-dns\", \"event\" :{\"datetime\":\"Fri Dec 31 01:11:11 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"location\":\"TestLoc%20DB\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"Some Response Action\",\"reqrulelabel\":\"Access%20Blocked\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"Some type\",\"dns_req\":\"example.com\",\"dns_resp\":\"Some response string\",\"srv_dport\":\"8080\",\"durationms\":\"123456\",\"clt_sip\":\"89.160.20.112\",\"srv_dip\":\"89.160.20.156\",\"category\":\"Professional Services\",\"deviceowner\":\"Owner77\",\"devicehostname\":\"Machine9000\"}}", "type": [ "info" ] }, + "network": { + "protocol": "dns" + }, "related": { "hosts": [ "Machine9000" ], "ip": [ - "81.2.69.193", - "81.2.69.144" + "89.160.20.112", + "89.160.20.156" ] }, - "server": { + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + 
"lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.144", - "port": 8080 + "ip": "89.160.20.112" }, "tags": [ "preserve_original_event" diff --git a/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs index 483a999bf10..443fe325f7c 100644 --- a/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs @@ -1,4 +1,3 @@ -http_endpoint: listen_address: {{listen_address}} listen_port: {{listen_port}} content_type: "" diff --git a/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs index 030459f2582..bc587e50a3a 100644 --- a/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs @@ -1,4 +1,3 @@ -tcp: host: "{{listen_address}}:{{listen_port}}" tags: {{#if preserve_original_event}} diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml index b8701354a45..db3c13014f7 100644 --- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml @@ -47,6 +47,9 @@ processors: - json.datetime ignore_missing: true - set: + field: network.protocol + value: dns + - append: field: event.category value: network - set: 
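Review bot: The new `append` of `network` to `event.category` in the dns pipeline hunk `@@ -47,6 +47,9 @@` carries no `allow_duplicates: false`, so if a document already holds `event.category: network` when it enters the pipeline (a re-run over stored events with `_reindex` or `_update_by_query`, for instance) the array collects a second `network` entry. The `related.ip` appends later in this same file already set `allow_duplicates: false`, so adding that key here, `- append: field: event.category value: network allow_duplicates: false`, keeps the file consistent. The `set` of `network.protocol: dns` is unconditional, which is right for a stream that only carries DNS records. The `processors` list continues outside the hunk on both sides.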
@@ -57,24 +60,32 @@ processors: value: info - rename: field: json.clt_sip - target_field: client.ip + target_field: source.ip ignore_missing: true - geoip: - field: client.ip - target_field: client.geo + field: source.ip + target_field: source.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as + field: source.ip + target_field: source.as properties: - asn - organization_name ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true - rename: @@ -91,29 +102,37 @@ processors: ignore_missing: true - rename: field: json.srv_dip - target_field: server.ip + target_field: destination.ip ignore_missing: true - geoip: - field: server.ip - target_field: server.geo + field: destination.ip + target_field: destination.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb - field: server.ip - target_field: server.as + field: destination.ip + target_field: destination.as properties: - asn - organization_name ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true - append: field: related.ip - value: "{{{server.ip}}}" - if: ctx?.server?.ip != null + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true - convert: field: json.srv_dport - target_field: server.port + target_field: destination.port type: long ignore_failure: true - remove: 
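Review bot: The `geoip` processors now pointed at `source.ip` (this hunk) and `destination.ip` (the `@@ -91,29 +102,37 @@` hunk that follows) carry only `ignore_missing: true`, which skips an absent field but not a present value that is not an IP literal; in that case the processor throws and the whole document fails the pipeline instead of merely losing its geo enrichment, unless a top-level `on_failure` outside the hunk catches it. The fixtures in this diff only exercise `0.0.0.0` and routable addresses, and whether Zscaler can emit a placeholder in `clt_sip` or `srv_dip` is not visible here, so this is a hedge rather than a reproduced failure. A defensive form that keeps the event flowing is a `convert` with `type: ip` and `ignore_failure: true` on the renamed field before each `geoip`, or `ignore_failure: true` on the two `geoip` processors themselves. The renames of `as.asn` to `as.number` and `as.organization_name` to `as.organization.name` are the correct ECS shape. The enclosing `processors` list starts and ends outside these hunks.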
@@ -213,6 +232,11 @@ processors: for (Map.Entry m : ctx.json.entrySet()) { ctx.zscaler_zia.dns[m.getKey()] = m.getValue(); } + - script: + lang: painless + if: ctx?.zscaler_zia?.dns?.duration?.milliseconds != null + source: | + ctx.event.duration = ctx?.zscaler_zia?.dns?.duration?.milliseconds * 1000000; - remove: field: json ignore_failure: true diff --git a/packages/zscaler_zia/data_stream/dns/fields/ecs.yml b/packages/zscaler_zia/data_stream/dns/fields/ecs.yml index f1d44f3f15e..3a983be9735 100644 --- a/packages/zscaler_zia/data_stream/dns/fields/ecs.yml +++ b/packages/zscaler_zia/data_stream/dns/fields/ecs.yml @@ -1,21 +1,25 @@ - external: ecs - name: client.geo.city_name + name: destination.as.number - external: ecs - name: client.geo.continent_name + name: destination.as.organization.name - external: ecs - name: client.geo.country_iso_code + name: destination.geo.city_name - external: ecs - name: client.geo.country_name -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point + name: destination.geo.continent_name - external: ecs - name: client.geo.region_iso_code + name: destination.geo.country_iso_code - external: ecs - name: client.geo.region_name + name: destination.geo.country_name - external: ecs - name: client.ip + name: destination.geo.location +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name +- external: ecs + name: destination.ip +- external: ecs + name: destination.port - external: ecs name: dns.answers.name - external: ecs 
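Review bot: The added Painless script multiplies `zscaler_zia.dns.duration.milliseconds` by `1000000` with nothing but a null check in `if:`, so the field's runtime type decides the outcome: the raw `durationms` arrives as a JSON string (`"durationms":"123456"` in the dns fixtures) and the expected `event.duration` of `123456000000` only fits if a `convert` earlier in the file, outside this hunk, has already made it a `long`; a `long` works, an `integer` overflows silently, and a string raises a script error that fails the document. Worth pinning that intent in the script itself, `ctx.event.duration = (long) ctx.zscaler_zia.dns.duration.milliseconds * 1000000L;`, and giving the processor `ignore_failure: true` (or an `on_failure` that records `error.message`) so an unexpected value degrades to a missing `event.duration` rather than a dropped event. The `?.` operators repeated inside `source` are redundant once the `if:` guard has passed. The surrounding `processors` list continues outside the hunk.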
@@ -25,31 +29,33 @@ - external: ecs name: ecs.version - external: ecs - name: related.ip + name: event.duration +- external: ecs + name: network.protocol - external: ecs name: related.hosts - external: ecs - name: server.geo.city_name + name: related.ip - external: ecs - name: server.geo.continent_name + name: source.as.number - external: ecs - name: server.geo.country_iso_code + name: source.as.organization.name - external: ecs - name: server.geo.country_name -- description: Longitude and latitude. - level: core - name: server.geo.location - type: geo_point + name: source.bytes - external: ecs - name: server.geo.region_iso_code + name: source.geo.city_name - external: ecs - name: server.geo.region_name + name: source.geo.continent_name - external: ecs - name: server.ip + name: source.geo.country_iso_code - external: ecs - name: server.port + name: source.geo.country_name - external: ecs - name: source.bytes + name: source.geo.location +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name - external: ecs name: source.ip - external: ecs diff --git a/packages/zscaler_zia/data_stream/dns/sample_event.json b/packages/zscaler_zia/data_stream/dns/sample_event.json index 81ea6eb73ce..ae3effed418 100644 --- a/packages/zscaler_zia/data_stream/dns/sample_event.json +++ b/packages/zscaler_zia/data_stream/dns/sample_event.json 
@@ -1,31 +1,38 @@ { "@timestamp": "2021-12-17T07:27:54.000Z", "agent": { - "ephemeral_id": "29f002d2-defe-484e-81f8-ec2dace901c3", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "88d27df6-beee-4299-bf35-56742db35e98", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { + "data_stream": { + "dataset": "zscaler_zia.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.193" - }, - "data_stream": { - "dataset": "zscaler_zia.dns", - "namespace": "ep", - "type": "logs" + "ip": "89.160.20.156", + "port": 8080 }, "dns": { "answers": { @@ -40,15 +47,18 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.dns", - "ingested": "2022-04-13T17:25:57Z", + "duration": 123456000000, + "ingested": "2022-04-20T06:45:24Z", "kind": "event", "type": [ "info" 
@@ -59,33 +69,41 @@ }, "log": { "source": { - "address": "1.128.3.4:59018" + "address": "1.128.3.4:32902" } }, + "network": { + "protocol": "dns" + }, "related": { "hosts": [ "Machine9000" ], "ip": [ - "81.2.69.193", - "81.2.69.144" + "89.160.20.112", + "89.160.20.156" ] }, - "server": { + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.144", - "port": 8080 + "ip": "89.160.20.112" }, "tags": [ "forwarded", diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log index 3c472cc3b4b..c5948c64707 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log 
@@ -1 +1 @@ -{"sourcetype":"zscalernss-fw", "event":{"durationms":"0","avgduration":"0","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"0","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"0","tunsport":"0","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"0","cdip":"0.0.0.0"}} +{"sourcetype":"zscalernss-fw", "event":{"durationms":"1234","avgduration":"1234","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"1","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"123","tunsport":"0","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"456","cdip":"0.0.0.0"}} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json index 07799cc1032..85fa703c017 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http_endpoint.log-expected.json 
@@ -2,18 +2,28 @@ "expected": [ { "@timestamp": "2022-12-31T02:22:22.000Z", - "client": { - "bytes": 0 + "destination": { + "bytes": 0, + "geo": { + "country_name": "NA" + }, + "ip": "0.0.0.0", + "port": 456 }, "ecs": { "version": "8.2.0" }, "event": { "action": "outofrange", - "category": "network", + "category": [ + "network" + ], + "duration": 1234000000, "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"0\",\"avgduration\":\"0\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"0\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"0\",\"tunsport\":\"0\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"0\",\"cdip\":\"0.0.0.0\"}}", - "type": "info" + "original": "{\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"1234\",\"avgduration\":\"1234\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 
2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"1\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"123\",\"tunsport\":\"0\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"456\",\"cdip\":\"0.0.0.0\"}}", + "type": [ + "info" + ] }, "host": { "hostname": "NA" @@ -33,11 +43,10 @@ "None" ] }, - "server": { + "source": { "bytes": 0, - "geo": { - "country_name": "NA" - } + "ip": "0.0.0.0", + "port": 123 }, "tags": [ "preserve_original_event" @@ -53,17 +62,12 @@ "destination": { "ip": "0.0.0.0", "port": 120 - }, - "source": { - "ip": "0.0.0.0", - "port": 0 } }, "department": "Unknown", "duration": { - "avg": 0.0, - "milliseconds": 0.0, - "seconds": 0.0 + "avg": 1234, + "milliseconds": 1234 }, "ip_category": "Other", "location": { @@ -71,10 +75,6 @@ }, "nat": "No", "server": { - "destination": { - "ip": "0.0.0.0", - "port": 0 - }, "source": { "ip": "0.0.0.0", "port": 0 diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log index 73fa8b6ef30..c6ab96b1171 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log 
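Review bot: The new expectation pins `destination.geo.country_name: "NA"`, i.e. Zscaler's not-available placeholder from the input line (`"destcountry":"NA"`, alongside `"devicehostname":"NA"` which already surfaces as `host.hostname: "NA"` in the context lines) is copied into ECS fields verbatim; `NA` is also the ISO 3166 code for Namibia, so geo visualisations and `related.hosts` pick up a bogus value. The firewall ingest pipeline that produces this output is not in this diff, but the fixture is where that contract gets locked in, so it is worth deciding now: either drop the field when the raw value is the placeholder (a `remove` processor guarded by an `if` comparing the raw `destcountry` value to `'NA'` before the rename) and update this expectation, or document in the pipeline that placeholders are intentionally retained. The same consideration applies to the `test-firewall.log-expected.json` hunks that follow, which share the fixture shape.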
@@ -1 +1 @@ -{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 31 07:07:07 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":0,"durationms":486,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}} +{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 31 07:07:07 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":4,"durationms":4861,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json index c0d68f85e7a..c6aca3f6086 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json 
@@ -2,24 +2,35 @@ "expected": [ { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "bytes": 1734 + "destination": { + "bytes": 19052, + "geo": { + "country_name": "Ireland" + }, + "ip": "0.0.0.0", + "port": 443 }, "ecs": { "version": "8.2.0" }, "event": { "action": "drop", - "category": "network", + "category": [ + "network" + ], + "duration": 4861000000, "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 31 07:07:07 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", - "type": "info" + "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 31 07:07:07 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test 
Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":4,\"durationms\":4861,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", + "type": [ + "info" + ] }, "host": { "hostname": "Machine9000" }, "network": { "application": "http", + "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=", "protocol": "https", "transport": "tcp" }, @@ -34,11 +45,10 @@ "None" ] }, - "server": { - "bytes": 19052, - "geo": { - "country_name": "Ireland" - } + "source": { + "bytes": 1734, + "ip": "0.0.0.0", + "port": 55018 }, "tags": [ "preserve_original_event" @@ -54,17 +64,12 @@ "destination": { "ip": "0.0.0.0", "port": 443 - }, - "source": { - "ip": "0.0.0.0", - "port": 55018 } }, "department": "Unknown", "duration": { - "avg": 486.0, - "milliseconds": 486.0, - "seconds": 0.0 + "avg": 486, + "milliseconds": 4861 }, "ip_category": "Test Name", "location": { @@ -72,10 +77,6 @@ }, "nat": "No", "server": { - "destination": { - "ip": "0.0.0.0", - "port": 443 - }, "source": { "ip": "0.0.0.0", "port": 0 diff --git a/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs index 483a999bf10..443fe325f7c 100644 --- a/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs @@ -1,4 +1,3 @@ -http_endpoint: listen_address: {{listen_address}} listen_port: {{listen_port}} content_type: "" diff --git a/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs index 030459f2582..bc587e50a3a 100644 --- a/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs 
@@ -1,4 +1,3 @@
-tcp:
 host: "{{listen_address}}:{{listen_port}}"
 tags:
 {{#if preserve_original_event}}
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 7e06bdce65f..1648f4b32f0 100644
--- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -23,13 +23,13 @@ processors:
 - remove:
 field: resp
 ignore_missing: true
- - set:
+ - append:
 field: event.category
 value: network
 - set:
 field: event.kind
 value: event
- - set:
+ - append:
 field: event.type
 value: info
 - date:
@@ -57,7 +57,7 @@ processors:
 ignore_missing: true
 - convert:
 field: json.outbytes
- target_field: client.bytes
+ target_field: source.bytes
 type: long
 ignore_failure: true
 - remove:
@@ -106,7 +106,7 @@ processors:
 ignore_missing: true
 - convert:
 field: json.inbytes
- target_field: server.bytes
+ target_field: destination.bytes
 type: long
 ignore_failure: true
 - remove:
@@ -114,7 +114,7 @@ processors:
 ignore_missing: true
 - rename:
 field: json.destcountry
- target_field: server.geo.country_name
+ target_field: destination.geo.country_name
 ignore_missing: true
 - urldecode:
 field: json.user
@@ -151,7 +151,7 @@ processors:
 ignore_missing: true
 - convert:
 field: json.csport
- target_field: zscaler_zia.firewall.client.source.port
+ target_field: source.port
 type: long
 ignore_failure: true
 - remove:
@@ -159,7 +159,7 @@ processors:
 ignore_missing: true
 - convert:
 field: json.sdport
- target_field: zscaler_zia.firewall.server.destination.port
+ target_field: destination.port
 type: long
 ignore_failure: true
 - remove:
@@ -181,7 +181,7 @@ processors:
 ignore_failure: true
 - rename:
 field: json.csip
- target_field: zscaler_zia.firewall.client.source.ip
+ target_field: source.ip
 ignore_missing: true
 - append:
 field: related.ip
@@ -211,7 +211,7 @@ processors:
 ignore_failure: true
 - rename:
 field: json.sdip
- target_field: zscaler_zia.firewall.server.destination.ip
+ target_field: destination.ip
 ignore_missing: true
 - append:
 field: related.ip
@@ -260,24 +260,18 @@ processors:
 ignore_missing: true
 - convert:
 field: json.avgduration
- type: double
+ type: long
 target_field: zscaler_zia.firewall.duration.avg
 ignore_failure: true
 - remove:
- field: json.avgduration
- ignore_missing: true
- - convert:
- field: json.duration
- target_field: zscaler_zia.firewall.duration.seconds
- type: double
- ignore_failure: true
- - remove:
- field: json.duration
+ field:
+ - json.avgduration
+ - json.duration
 ignore_missing: true
 - convert:
 field: json.durationms
 target_field: zscaler_zia.firewall.duration.milliseconds
- type: double
+ type: long
 ignore_failure: true
 - remove:
 field: json.durationms
@@ -298,6 +292,14 @@ processors:
 field: json.threatname
 target_field: zscaler_zia.firewall.threat.name
 ignore_missing: true
+ - community_id:
+ source_ip: source.ip
+ source_port: source.port
+ destination_ip: destination.ip
+ destination_port: destination.port
+ transport: network.transport
+ target_field: network.community_id
+ ignore_failure: true
 - script:
 description: Drops null/empty values recursively
 lang: painless
@@ -323,6 +325,11 @@ processors:
 for (Map.Entry m : ctx.json.entrySet()) {
 ctx.zscaler_zia.firewall[m.getKey()] = m.getValue();
 }
+ - script:
+ lang: painless
+ if: ctx?.zscaler_zia?.firewall?.duration?.milliseconds != null
+ source: |
+ ctx.event.duration = ctx?.zscaler_zia?.firewall?.duration?.milliseconds * 1000000;
 - remove:
 field: json
 ignore_missing: true
diff --git a/packages/zscaler_zia/data_stream/firewall/fields/ecs.yml b/packages/zscaler_zia/data_stream/firewall/fields/ecs.yml
index de7ee2cff2c..711d967f427 100644
--- a/packages/zscaler_zia/data_stream/firewall/fields/ecs.yml
+++ b/packages/zscaler_zia/data_stream/firewall/fields/ecs.yml
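Review bot: The community_id processor added in the `@@ -298,6 +292,14 @@` hunk hashes `source.ip`/`source.port` together with `destination.ip`/`destination.port`, but the earlier hunks in this file fill those from `json.csip`/`json.csport` (client source) and `json.sdip`/`json.sdport` (server destination), which the removed field descriptions in this patch describe as the client-side and server-side legs of the session. If that reading is right, the id is computed over a tuple that never appears on either wire, so it will not correlate with a community id produced by any other sensor, which is the field's main use; at minimum a comment should state the derivation, e.g. `# community id over the client-side source and server-side destination; will not match on-wire flow ids`. In the `@@ -323,6 +325,11 @@` hunk the `if` already guarantees the value is non-null, so the null-safe chain in `source` can be the plain `ctx.event.duration = ctx.zscaler_zia.firewall.duration.milliseconds * 1000000;`, and a `description:` line would match the adjacent script, which carries one.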
@@ -1,13 +1,23 @@
 - external: ecs
- name: client.bytes
+ name: destination.bytes
+- external: ecs
+ name: destination.geo.country_name
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.port
 - external: ecs
 name: ecs.version
 - external: ecs
 name: event.action
+- external: ecs
+ name: event.duration
 - external: ecs
 name: host.hostname
 - external: ecs
 name: network.application
+- external: ecs
+ name: network.community_id
 - external: ecs
 name: network.protocol
 - external: ecs
@@ -17,9 +27,11 @@
 - external: ecs
 name: rule.name
 - external: ecs
- name: server.bytes
+ name: source.bytes
+- external: ecs
+ name: source.ip
 - external: ecs
- name: server.geo.country_name
+ name: source.port
 - external: ecs
 name: tags
 - external: ecs
diff --git a/packages/zscaler_zia/data_stream/firewall/fields/fields.yml b/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
index 268745da78e..49a98954aa8 100644
--- a/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
+++ b/packages/zscaler_zia/data_stream/firewall/fields/fields.yml
@@ -26,31 +26,9 @@
 type: keyword
 description: |
 Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate.
- - name: source
- type: group
- fields:
- - name: port
- type: long
- description: |
- Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate.
- - name: ip
- type: keyword
- description: |
- Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate.
 - name: server
 type: group
 fields:
- - name: destination
- type: group
- fields:
- - name: port
- type: long
- description: |
- Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate.
- - name: ip
- type: keyword
- description: |
- Server Destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate.
 - name: source
 type: group
 fields:
@@ -93,15 +71,15 @@
 type: group
 fields:
 - name: avg
- type: double
+ type: long
 description: |
 Average session duration, in milliseconds, if the sessions were aggregated.
 - name: seconds
- type: double
+ type: long
 description: |
- Session or request duration in seconds.
+ Average session duration, in milliseconds, if the sessions were aggregated.
 - name: milliseconds
- type: double
+ type: long
 description: |
 Session or request duration in milliseconds.
 - name: session
diff --git a/packages/zscaler_zia/data_stream/firewall/sample_event.json b/packages/zscaler_zia/data_stream/firewall/sample_event.json
index fdbd7e989e8..1d138bf5253 100644
--- a/packages/zscaler_zia/data_stream/firewall/sample_event.json
+++ b/packages/zscaler_zia/data_stream/firewall/sample_event.json
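Review bot: In the `@@ -93,15 +71,15 @@` hunk the description of the `seconds` field is replaced with the text of `avg` ("Average session duration, in milliseconds, if the sessions were aggregated."), which cannot be right for a field named seconds and reads like a copy-paste slip. The firewall pipeline change in this same patch also stops populating it: the convert of `json.duration` into `zscaler_zia.firewall.duration.seconds` is deleted and `json.duration` is now only removed, so after this commit the field is declared but never set. Either drop the `seconds` entry here, or keep its original `Session or request duration in seconds.` description and restore the conversion; if it is being removed, that is a field removal users may query on and is worth calling out in the changelog.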
@@ -1,37 +1,46 @@ { - "@timestamp": "2021-12-17T07:27:54.000Z", + "@timestamp": "2021-12-31T07:08:09.000Z", "agent": { - "ephemeral_id": "144c5748-0f0e-4cf6-845b-0b43cac1ca3c", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "2c292e52-b6ea-4ca0-bfc7-692dadde1a7d", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { - "bytes": 1734 - }, "data_stream": { "dataset": "zscaler_zia.firewall", "namespace": "ep", "type": "logs" }, + "destination": { + "bytes": 19052, + "geo": { + "country_name": "Ireland" + }, + "ip": "0.0.0.0", + "port": 443 + }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "action": "drop", "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.firewall", - "ingested": "2022-04-13T17:29:32Z", + "duration": 486000000, + "ingested": "2021-12-31T05:06:07Z", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", - 
"type": "info" + "type": [ + "info" + ] }, "host": { "hostname": "Machine9000" @@ -46,6 +55,7 @@ }, "network": { "application": "http", + "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=", "protocol": "https", "transport": "tcp" }, @@ -60,11 +70,10 @@ "None" ] }, - "server": { - "bytes": 19052, - "geo": { - "country_name": "Ireland" - } + "source": { + "bytes": 1734, + "ip": "0.0.0.0", + "port": 55018 }, "tags": [ "forwarded", @@ -81,17 +90,12 @@ "destination": { "ip": "0.0.0.0", "port": 443 - }, - "source": { - "ip": "0.0.0.0", - "port": 55018 } }, "department": "Unknown", "duration": { "avg": 486, - "milliseconds": 486, - "seconds": 0 + "milliseconds": 486 }, "ip_category": "Test Name", "location": { @@ -99,10 +103,6 @@ }, "nat": "No", "server": { - "destination": { - "ip": "0.0.0.0", - "port": 443 - }, "source": { "ip": "0.0.0.0", "port": 0 diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json index f489dad3937..0dbb202cad3 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http_endpoint.log-expected.json @@ -10,7 +10,9 @@ "version": "8.2.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "id": "7083029673927507968", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-tunnel\", \"event\":{\"location\":\"Unknown\",\"sourceport\":\"0\",\"rxbytes\":\"0\",\"tunneltype\":\"GRE\",\"dpdrec\":\"0\",\"destinationip\":\"0.0.0.0\",\"recordid\":\"7083029673927507968\",\"datetime\":\"Tue Dec 31 08:08:08 2021\",\"sourceip\":\"0.0.0.0\",\"txbytes\":\"0\",\"Recordtype\":\"Tunnel Samples\",\"user\":\"Unknown\"}}", 
@@ -18,6 +20,11 @@ "info" ] }, + "network": { + "community_id": "1:y8Yi03w0LBfVdMLE1UG7vvaUt5w=", + "iana_number": "47", + "transport": "gre" + }, "related": { "ip": [ "0.0.0.0" diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json index d40c3bff5f0..e32d8473920 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json @@ -9,7 +9,9 @@ "version": "8.2.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "id": "1111111111111111111", "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"sourceportstart\":\"0\",\"destinationportstart\":\"0\",\"srcipstart\":\"81.2.69.145\",\"srcipend\":\"81.2.69.145\",\"destinationipstart\":\"81.2.69.143\",\"destinationipend\":\"81.2.69.143\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"lifebytes\":\"0\",\"spi\":\"123456789\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"protocol\":\"Any\",\"tunnelprotocol\":\"ESP\",\"policydirection\":\"Inbound SA Policy\",\"recordid\":\"1111111111111111111\"}}", @@ -17,6 +19,9 @@ "info" ] }, + "network": { + "transport": "ipsec ikev 1" + }, "related": { "ip": [ "81.2.69.143", 
@@ -96,7 +101,9 @@ "version": "8.2.0" }, "event": { - "category": "network", + "category": [ + "network" + ], "id": "1111111111111111111", "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\"}}", @@ -104,6 +111,9 @@ "info" ] }, + "network": { + "transport": "ipsec ikev 2" + }, "related": { "ip": [ "81.2.69.143", @@ -160,7 +170,9 @@ }, "event": { "action": "IPsec tunnel is up", - "category": "network", + "category": [ + "network" + ], "id": "1111111111111111111", "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"location\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\"}}", @@ -169,6 +181,9 @@ "info" ] }, + "network": { + "transport": "ipsec ikev2" + }, "related": { "ip": [ "81.2.69.143", diff --git a/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs index 483a999bf10..443fe325f7c 100644 --- a/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs 
@@ -1,4 +1,3 @@
-http_endpoint:
 listen_address: {{listen_address}}
 listen_port: {{listen_port}}
 content_type: ""
diff --git a/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
index 030459f2582..bc587e50a3a 100644
--- a/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
+++ b/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
@@ -1,4 +1,3 @@
-tcp:
 host: "{{listen_address}}:{{listen_port}}"
 tags:
 {{#if preserve_original_event}}
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index 1a16c0caf03..24d8942b2f5 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -46,7 +46,7 @@ processors:
 - json.time
 - json.datetime
 ignore_missing: true
- - set:
+ - append:
 field: event.category
 value: network
 - set:
@@ -191,6 +191,18 @@ processors:
 field: json.tunneltype
 target_field: zscaler_zia.tunnel.type
 ignore_missing: true
+ - set:
+ field: network.transport
+ copy_from: zscaler_zia.tunnel.type
+ ignore_failure: true
+ - lowercase:
+ field: network.transport
+ ignore_missing: true
+ - set:
+ field: network.iana_number
+ value: "47"
+ if: ctx?.network?.transport == "gre"
+ ignore_failure: true
 - rename:
 field: json.vendorname
 target_field: zscaler_zia.tunnel.vendor.name
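Review bot: The `set` of `network.transport` with `copy_from: zscaler_zia.tunnel.type` in the `@@ -191,6 +191,18 @@` hunk writes raw tunnel-type strings such as `ipsec ikev 1` (visible in the expected fixtures of this patch) into an ECS field that is defined as the IANA transport protocol name, so the value is only ECS-conformant in the GRE case that the following `set` of `network.iana_number` handles. Consider guarding the copy with the same kind of condition, e.g. `if: ctx?.zscaler_zia?.tunnel?.type == 'GRE'` on the first `set` (the `lowercase` step already tolerates a missing field via `ignore_missing`), and leaving the raw type under `zscaler_zia.tunnel.type` only. The `community_id` processor added in the `@@ -279,6 +291,15 @@` hunk further down inherits this: with a non-IANA transport and no `iana_number` it will most likely fail, and its `ignore_failure: true` hides that, which appears to be why the IPsec fixtures carry a `network.transport` but no `network.community_id`.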
@@ -279,6 +291,15 @@ processors:
 field: json.dpdrec
 target_field: zscaler_zia.tunnel.dpd_packets
 ignore_missing: true
+ - community_id:
+ source_ip: source.ip
+ source_port: source.port
+ destination_ip: destination.ip
+ destination_port: destination.port
+ transport: network.transport
+ iana_number: network.iana_number
+ target_field: network.community_id
+ ignore_failure: true
 - script:
 description: Drops null/empty values recursively
 lang: painless
diff --git a/packages/zscaler_zia/data_stream/tunnel/fields/ecs.yml b/packages/zscaler_zia/data_stream/tunnel/fields/ecs.yml
index eb68acfb87f..3e24464163c 100644
--- a/packages/zscaler_zia/data_stream/tunnel/fields/ecs.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/fields/ecs.yml
@@ -14,6 +14,12 @@
 name: event.id
 - external: ecs
 name: event.reason
+- external: ecs
+ name: network.community_id
+- external: ecs
+ name: network.iana_number
+- external: ecs
+ name: network.transport
 - external: ecs
 name: related.ip
 - external: ecs
diff --git a/packages/zscaler_zia/data_stream/tunnel/sample_event.json b/packages/zscaler_zia/data_stream/tunnel/sample_event.json
index c8d8bfe06c1..83379d7618b 100644
--- a/packages/zscaler_zia/data_stream/tunnel/sample_event.json
+++ b/packages/zscaler_zia/data_stream/tunnel/sample_event.json
@@ -1,8 +1,8 @@
 {
- "@timestamp": "2021-12-30T11:20:12.000Z",
+ "@timestamp": "2021-12-31T11:12:13.000Z",
 "agent": {
- "ephemeral_id": "74169044-8331-421b-8ea9-9e6bcc7c28f8",
- "id": "638019f9-173e-4c24-9e28-64b128c92162",
+ "ephemeral_id": "b187ac54-dab8-4e34-b72d-36772d818767",
+ "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.1.2"
@@ -19,16 +19,18 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.tunnel", "id": "1111111111111111111", - "ingested": "2022-04-13T17:33:10Z", + "ingested": "2021-12-31T05:06:07Z", "kind": "event", "type": [ "info" @@ -42,6 +44,9 @@ "address": "1.128.3.4:58370" } }, + "network": { + "transport": "ipsec ikev 1" + }, "related": { "ip": [ "81.2.69.143", diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json index 32954dfc459..de31572f0e5 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http_endpoint.log-expected.json 
@@ -2,21 +2,17 @@ "expected": [ { "@timestamp": "2021-12-31T08:08:08.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.145" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "81.2.69.145" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"2021-12-31 08:08:08\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.145\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -52,6 +48,14 @@ "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 08decef0540..0526a059941 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json 
@@ -2,21 +2,17 @@ "expected": [ { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.145" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "81.2.69.145" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.145\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -52,6 +48,14 @@ "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], 
@@ -113,21 +117,17 @@ }, { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "89.160.20.156" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "89.160.20.156" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/join/\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"218\",\"respsize\":\"14230\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.156\",\"reqmethod\":\"POST\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"SSLPol\",\"rulelabel\":\"SSL_1\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -163,6 +163,14 @@ "name": "SSL_1", "ruleset": "SSLPol" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], 
@@ -219,21 +227,17 @@ }, { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "89.160.20.112" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "89.160.20.112" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"600\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"89.160.20.112\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -269,6 +273,14 @@ "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], 
@@ -330,21 +342,17 @@ }, { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.144" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "81.2.69.144" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTP_PROXY\",\"eurl\":\"www.example.com\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"555\",\"respsize\":\"65\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Information Technology\",\"urlcat\":\"Web Search\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.144\",\"reqmethod\":\"CONNECT\",\"respcode\":\"200\",\"ua\":\"Windows Microsoft Windows 10 Pro ZTunnel/1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Zscaler Proxy Traffic\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -380,6 +388,14 @@ "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], 
@@ -441,21 +457,17 @@ }, { "@timestamp": "2021-12-31T07:07:07.000Z", - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.143" - }, - "user": { - "name": "administrator1" - } + "destination": { + "ip": "81.2.69.143" }, "ecs": { "version": "8.2.0" }, "event": { "action": "blocked", - "category": "web", + "category": [ + "web" + ], "kind": "event", "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266\u0026user=65792\u0026Id=1\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"14135\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"GET\",\"respcode\":\"403\",\"ua\":\"Microsoft-Delivery-Optimization/10.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Access Blocked\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", "risk_score": 0, @@ -491,6 +503,14 @@ "name": "Access Blocked", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "preserve_original_event" ], diff --git a/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs index 483a999bf10..443fe325f7c 100644 --- a/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs 
@@ -1,4 +1,3 @@ -http_endpoint: listen_address: {{listen_address}} listen_port: {{listen_port}} content_type: "" diff --git a/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs index 030459f2582..bc587e50a3a 100644 --- a/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs @@ -1,4 +1,3 @@ -tcp: host: "{{listen_address}}:{{listen_port}}" tags: {{#if preserve_original_event}} diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml index 170360be235..aa47aedd596 100644 --- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml @@ -46,7 +46,7 @@ processors: - json.time - json.datetime ignore_missing: true - - set: + - append: field: event.category value: web - set: @@ -57,27 +57,28 @@ processors: value: info - rename: field: json.cip - target_field: client.ip + target_field: source.nat.ip + if: ctx?.json?.cip != ctx?.json?.cintip ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null + value: "{{{source.nat.ip}}}" + if: ctx?.source?.nat?.ip != null allow_duplicates: false ignore_failure: true - rename: field: json.sip - target_field: client.nat.ip + target_field: destination.ip ignore_missing: true - append: field: related.ip - value: "{{{client.nat.ip}}}" - if: ctx?.client?.nat?.ip != null + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true - rename: field: json.deviceowner - target_field: client.user.name + target_field: source.user.name ignore_missing: true - convert: field: json.reqsize 
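Review bot: The new `rename` of `json.cip` to `target_field: source.nat.ip` appears to invert ECS NAT semantics relative to this package's own documentation of the two fields: the removed `client.internet.ip` description calls `cintip` "the client Internet (NATted Public) IP address", different from `cip` only when the internal address is visible, and ECS defines `source.nat.ip` as the translated address of a source-NAT session, so by that reading `cip` belongs in `source.ip` and `cintip` in `source.nat.ip`. If the opposite is intended (the address Zscaler observed is treated as the canonical source), a comment above the processor should say so, e.g. `# cip: address Zscaler saw for the client; cintip: its public (NATted) address — see Zscaler NSS web feed docs`, because the pairing is not obvious from the code. Separately, the guard `if: ctx?.json?.cip != ctx?.json?.cintip` leaves `json.cip` unrenamed when the two values are equal; unless a later `remove` of `json` (outside this hunk) drops it, the raw value survives in the indexed document, so consider an explicit `- remove: field: json.cip, ignore_missing: true` for that branch. The processors list starts and ends outside this hunk.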
@@ -250,12 +251,12 @@ processors: ignore_missing: true - rename: field: json.cintip - target_field: zscaler_zia.web.client.internet.ip + target_field: source.ip ignore_missing: true - append: field: related.ip - value: "{{{zscaler_zia.web.client.internet.ip}}}" - if: ctx?.zscaler_zia?.web?.client?.internet?.ip != null + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true - rename: diff --git a/packages/zscaler_zia/data_stream/web/fields/ecs.yml b/packages/zscaler_zia/data_stream/web/fields/ecs.yml index 8e88de3f3f6..f25be184205 100644 --- a/packages/zscaler_zia/data_stream/web/fields/ecs.yml +++ b/packages/zscaler_zia/data_stream/web/fields/ecs.yml @@ -1,9 +1,5 @@ - external: ecs - name: client.ip -- external: ecs - name: client.nat.ip -- external: ecs - name: client.user.name + name: destination.ip - external: ecs name: ecs.version - external: ecs @@ -32,6 +28,12 @@ name: rule.name - external: ecs name: rule.ruleset +- external: ecs + name: source.ip +- external: ecs + name: source.nat.ip +- external: ecs + name: source.user.name - external: ecs name: tags - external: ecs @@ -54,8 +56,6 @@ name: url.scheme - external: ecs name: url.username -- external: ecs - name: user.email - external: ecs name: user_agent.device.name - external: ecs @@ -70,3 +70,5 @@ name: user_agent.os.version - external: ecs name: user_agent.version +- external: ecs + name: user.email diff --git a/packages/zscaler_zia/data_stream/web/fields/fields.yml b/packages/zscaler_zia/data_stream/web/fields/fields.yml index fcfdd76d8db..d85e5a570e6 100644 --- a/packages/zscaler_zia/data_stream/web/fields/fields.yml +++ b/packages/zscaler_zia/data_stream/web/fields/fields.yml 
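Review bot: `source.ip` is now populated only from `json.cintip`, while the earlier conditional rename of `json.cip` in the same pipeline fires whenever `cintip` is absent (a non-null `cip` compares unequal to null), so an event from a feed whose output format omits `cintip` ends up with `source.nat.ip` set, no `source.ip`, and the `related.ip` append in this hunk skipped. Since the NSS feed output format is operator-configured (the README insists on the given response formats but cannot enforce them), that case is plausible and would silently break any detection keyed on `source.ip`. Suggest tightening the earlier guard to `if: ctx?.json?.cintip != null && ctx?.json?.cip != ctx?.json?.cintip` and adding a fallback `- rename: field: json.cip / target_field: source.ip / if: ctx?.json?.cintip == null` (with `ignore_missing: true`) before this processor, so the client address always lands in `source.ip`. This hunk sits mid-way through the processors list, whose start and end are outside the visible diff.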
@@ -16,10 +16,6 @@ type: keyword description: | Indicates whether the transaction was throttled due to a configured bandwidth policy. - - name: client.internet.ip - type: keyword - description: | - The client Internet (NATted Public) IP address. This is different from the cip value if the internal IP address is visible. Otherwise, same as cip. - name: ctime type: long description: | diff --git a/packages/zscaler_zia/data_stream/web/sample_event.json b/packages/zscaler_zia/data_stream/web/sample_event.json index 2f8048dfe11..6c8fd65b273 100644 --- a/packages/zscaler_zia/data_stream/web/sample_event.json +++ b/packages/zscaler_zia/data_stream/web/sample_event.json @@ -1,40 +1,36 @@ { "@timestamp": "2021-12-17T07:04:57.000Z", "agent": { - "ephemeral_id": "72bf9779-2cf7-4d9f-ad44-f36c04cf1cb1", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "6f164483-9eb8-4219-bb09-cd2ff3532390", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.145" - }, - "user": { - "name": "administrator1" - } - }, "data_stream": { "dataset": "zscaler_zia.web", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.145" + }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "action": "blocked", "agent_id_status": "verified", - "category": "web", + "category": [ + "web" + ], "dataset": "zscaler_zia.web", - "ingested": "2022-04-13T17:36:45Z", + "ingested": "2021-12-31T05:06:07Z", "kind": "event", "risk_score": 0, "type": [ @@ -77,6 +73,14 @@ "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "forwarded", "zscaler_zia-web" 
diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md index 12cc8dae92c..acb933e22c8 100644 --- a/packages/zscaler_zia/docs/README.md +++ b/packages/zscaler_zia/docs/README.md 
@@ -8,17 +8,17 @@ The log message is expected to be in JSON format. The data is mapped to ECS fiel 1. Enable the integration with the TCP input. 2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add a NSS Server. + - In the ZIA Admin Portal, add an NSS Server. - Log in to the ZIA Admin Portal using your admin account. - - Add a NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. + - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. - Verify that the state of the NSS Server is healthy. - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. - In the State column, confirm that the state of the NSS server is healthy. ![NSS server setup image](../img/nss_server.png?raw=true) - - In the ZIA Admin Portal, add a NSS Feed. + - In the ZIA Admin Portal, add an NSS Feed. - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. - - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. 
You will need to create a NSS Feed for each log type. + - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. - **Alerts**: 9010 - **DNS**: 9011 - **Firewall**: 9012 
@@ -27,27 +27,27 @@ The log message is expected to be in JSON format. The data is mapped to ECS fiel - **Feed Output Type**: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows: ![NSS Feeds setup image](../img/nss_feeds.png?raw=true) - ## Steps for setting up Cloud NSS Feeds 1. Enable the integration with the HTTP Endpoint input. 2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps. - In the ZIA Admin Portal, add a Cloud NSS Feed. - Log in to the ZIA Admin Portal using your admin account. - - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). - - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. - - Give Feed Name, change status to Enabled. - - Select NSS Type. - - Change SIEM Type to other. - - Add an API URL. - - Default ports: - - **DNS**: 9556 - - **Firewall**: 9557 - - **Tunnel**: 9558 - - **Web**: 9559 - - Select JSON as feed output type. - - Add appropriate HTTP headers. - ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) + - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). + - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. + - Give Feed Name, change status to Enabled. + - Select NSS Type. + - Change SIEM Type to other. + - Add an API URL. + - Default ports: + - **DNS**: 9556 + - **Firewall**: 9557 + - **Tunnel**: 9558 + - **Web**: 9559 + - Select JSON as feed output type. + - Add appropriate HTTP headers. + ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) +3. Repeat step 2 for each log type. **Please make sure to use the given response formats for NSS and Cloud NSS Feeds.** 
@@ -287,14 +287,6 @@ An example event for `alerts` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -311,11 +303,24 @@ An example event for `alerts` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.type | The type of record being queried. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | 
@@ -337,18 +342,20 @@ An example event for `alerts` looks as following: | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | | related.ip | All of the IPs seen on your event. | ip | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. 
| keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.packets | Packets sent from the source to the destination. | long | | source.port | Port of the source. | long | @@ -373,31 +380,38 @@ An example event for `dns` looks as following: { "@timestamp": "2021-12-17T07:27:54.000Z", "agent": { - "ephemeral_id": "29f002d2-defe-484e-81f8-ec2dace901c3", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "88d27df6-beee-4299-bf35-56742db35e98", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { + "data_stream": { + "dataset": "zscaler_zia.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.193" - }, - "data_stream": { - "dataset": "zscaler_zia.dns", - "namespace": "ep", - "type": "logs" + "ip": "89.160.20.156", + "port": 8080 }, "dns": { "answers": { @@ -412,15 +426,18 @@ An example event for `dns` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.dns", - "ingested": "2022-04-13T17:25:57Z", + "duration": 123456000000, + "ingested": "2022-04-20T06:45:24Z", "kind": "event", "type": [ "info" 
@@ -431,33 +448,41 @@ An example event for `dns` looks as following: }, "log": { "source": { - "address": "1.128.3.4:59018" + "address": "1.128.3.4:32902" } }, + "network": { + "protocol": "dns" + }, "related": { "hosts": [ "Machine9000" ], "ip": [ - "81.2.69.193", - "81.2.69.144" + "89.160.20.112", + "89.160.20.156" ] }, - "server": { + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, "geo": { - "city_name": "London", + "city_name": "Linköping", "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", + "country_iso_code": "SE", + "country_name": "Sweden", "location": { - "lat": 51.5142, - "lon": -0.0931 + "lat": 58.4167, + "lon": 15.6167 }, - "region_iso_code": "GB-ENG", - "region_name": "England" + "region_iso_code": "SE-E", + "region_name": "Östergötland County" }, - "ip": "81.2.69.144", - "port": 8080 + "ip": "89.160.20.112" }, "tags": [ "forwarded", @@ -502,7 +527,6 @@ An example event for `dns` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -519,9 +543,14 @@ An example event for `dns` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.country_name | Country name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | 
@@ -544,12 +573,14 @@ An example event for `dns` looks as following: | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | related.ip | All of the IPs seen on your event. | ip | | rule.name | The name of the rule or signature generating the event. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.geo.country_name | Country name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | | tags | List of keywords used to tag each event. | keyword | | user.email | User email address. | keyword | | user.name | Short name or login of the user. | keyword | 
@@ -557,17 +588,13 @@ An example event for `dns` looks as following: | zscaler_zia.firewall.aggregate | | keyword | | zscaler_zia.firewall.client.destination.ip | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | keyword | | zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | long | -| zscaler_zia.firewall.client.source.ip | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.client.source.port | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. | long | | zscaler_zia.firewall.department | Department of the user. | keyword | -| zscaler_zia.firewall.duration.avg | Average session duration, in milliseconds, if the sessions were aggregated. | double | -| zscaler_zia.firewall.duration.milliseconds | Session or request duration in milliseconds. | double | -| zscaler_zia.firewall.duration.seconds | Session or request duration in seconds. | double | +| zscaler_zia.firewall.duration.avg | Average session duration, in milliseconds, if the sessions were aggregated. | long | +| zscaler_zia.firewall.duration.milliseconds | Session or request duration in milliseconds. | long | +| zscaler_zia.firewall.duration.seconds | Average session duration, in milliseconds, if the sessions were aggregated. | long | | zscaler_zia.firewall.ip_category | URL category that corresponds to the server IP address. | keyword | | zscaler_zia.firewall.location.name | Name of the location from which the session was initiated. | keyword | | zscaler_zia.firewall.nat | Indicates if the destination NAT policy was applied. | keyword | -| zscaler_zia.firewall.server.destination.ip | Server Destination IP address. 
For aggregated sessions, this is the server destination IP address of the last session in the aggregate. | keyword | -| zscaler_zia.firewall.server.destination.port | Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. | long | | zscaler_zia.firewall.server.source.ip | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. | keyword | | zscaler_zia.firewall.server.source.port | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | long | | zscaler_zia.firewall.session.count | Number of sessions that were aggregated. | double | 
@@ -583,39 +610,48 @@ An example event for `firewall` looks as following: ```json { - "@timestamp": "2021-12-17T07:27:54.000Z", + "@timestamp": "2021-12-31T07:08:09.000Z", "agent": { - "ephemeral_id": "144c5748-0f0e-4cf6-845b-0b43cac1ca3c", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "2c292e52-b6ea-4ca0-bfc7-692dadde1a7d", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { - "bytes": 1734 - }, "data_stream": { "dataset": "zscaler_zia.firewall", "namespace": "ep", "type": "logs" }, + "destination": { + "bytes": 19052, + "geo": { + "country_name": "Ireland" + }, + "ip": "0.0.0.0", + "port": 443 + }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "action": "drop", "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.firewall", - "ingested": "2022-04-13T17:29:32Z", + "duration": 486000000, + "ingested": "2021-12-31T05:06:07Z", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test 
Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", - "type": "info" + "type": [ + "info" + ] }, "host": { "hostname": "Machine9000" @@ -630,6 +666,7 @@ An example event for `firewall` looks as following: }, "network": { "application": "http", + "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=", "protocol": "https", "transport": "tcp" }, @@ -644,11 +681,10 @@ An example event for `firewall` looks as following: "None" ] }, - "server": { - "bytes": 19052, - "geo": { - "country_name": "Ireland" - } + "source": { + "bytes": 1734, + "ip": "0.0.0.0", + "port": 55018 }, "tags": [ "forwarded", @@ -665,17 +701,12 @@ An example event for `firewall` looks as following: "destination": { "ip": "0.0.0.0", "port": 443 - }, - "source": { - "ip": "0.0.0.0", - "port": 55018 } }, "department": "Unknown", "duration": { "avg": 486, - "milliseconds": 486, - "seconds": 0 + "milliseconds": 486 }, "ip_category": "Test Name", "location": { @@ -683,10 +714,6 @@ An example event for `firewall` looks as following: }, "nat": "No", "server": { - "destination": { - "ip": "0.0.0.0", - "port": 443 - }, "source": { "ip": "0.0.0.0", "port": 0 
@@ -763,6 +790,9 @@ An example event for `firewall` looks as following: | input.type | Input type | keyword | | log.offset | Log offset | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | @@ -801,10 +831,10 @@ An example event for `tunnel` looks as following: ```json { - "@timestamp": "2021-12-30T11:20:12.000Z", + "@timestamp": "2021-12-31T11:12:13.000Z", "agent": { - "ephemeral_id": "74169044-8331-421b-8ea9-9e6bcc7c28f8", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "b187ac54-dab8-4e34-b72d-36772d818767", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" 
@@ -821,16 +851,18 @@ An example event for `tunnel` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "agent_id_status": "verified", - "category": "network", + "category": [ + "network" + ], "dataset": "zscaler_zia.tunnel", "id": "1111111111111111111", - "ingested": "2022-04-13T17:33:10Z", + "ingested": "2021-12-31T05:06:07Z", "kind": "event", "type": [ "info" @@ -844,6 +876,9 @@ An example event for `tunnel` looks as following: "address": "1.128.3.4:58370" } }, + "network": { + "transport": "ipsec ikev 1" + }, "related": { "ip": [ "81.2.69.143", @@ -923,10 +958,6 @@ An example event for `tunnel` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -943,6 +974,7 @@ An example event for `tunnel` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.dataset | Event dataset | constant_keyword | 
@@ -979,6 +1011,10 @@ An example event for `tunnel` looks as following: | related.ip | All of the IPs seen on your event. | ip | | rule.name | The name of the rule or signature generating the event. | keyword | | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | tags | List of keywords used to tag each event. | keyword | | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | 
@@ -1005,7 +1041,6 @@ An example event for `tunnel` looks as following: | zscaler_zia.web.app.class | The web application class of the application that was accessed. Equivalent to module. | keyword | | zscaler_zia.web.app.name | Cloud application name. | keyword | | zscaler_zia.web.bandwidth_throttle | Indicates whether the transaction was throttled due to a configured bandwidth policy. | keyword | -| zscaler_zia.web.client.internet.ip | The client Internet (NATted Public) IP address. This is different from the cip value if the internal IP address is visible. Otherwise, same as cip. | keyword | | zscaler_zia.web.ctime | The time from when the first byte of the request hits the ZEN to the time in which the last byte of the response is sent from the ZEN back to the browser. | long | | zscaler_zia.web.department | Department of the user. | keyword | | zscaler_zia.web.device.hostname | The obfuscated version of the device owner. This field must be changed manually. | keyword | 
@@ -1033,40 +1068,36 @@ An example event for `web` looks as following: { "@timestamp": "2021-12-17T07:04:57.000Z", "agent": { - "ephemeral_id": "72bf9779-2cf7-4d9f-ad44-f36c04cf1cb1", - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "ephemeral_id": "6f164483-9eb8-4219-bb09-cd2ff3532390", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.1.2" }, - "client": { - "ip": "81.2.69.193", - "nat": { - "ip": "81.2.69.145" - }, - "user": { - "name": "administrator1" - } - }, "data_stream": { "dataset": "zscaler_zia.web", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.145" + }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", + "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", "snapshot": false, "version": "8.1.2" }, "event": { "action": "blocked", "agent_id_status": "verified", - "category": "web", + "category": [ + "web" + ], "dataset": "zscaler_zia.web", - "ingested": "2022-04-13T17:36:45Z", + "ingested": "2021-12-31T05:06:07Z", "kind": "event", "risk_score": 0, "type": [ @@ -1109,6 +1140,14 @@ An example event for `web` looks as following: "name": "Zscaler Proxy Traffic", "ruleset": "FwFilter" }, + "source": { + "nat": { + "ip": "81.2.69.193" + }, + "user": { + "name": "administrator1" + } + }, "tags": [ "forwarded", "zscaler_zia-web" 
diff --git a/packages/zscaler_zia/img/cloud_nss_feeds.png b/packages/zscaler_zia/img/cloud_nss_feeds.png index ef223bbf2f2121e615828859ac98d2963ba39b8d..14a098f2c9251462881c434c32a64e38d6d57d0d 100644 GIT binary patch literal 30654 zcmd432T)X7+a}tG;z808l^jHJR&vG&G*Pl-k=*2*gQ6mmq?-oGNKQ@8QA9<$$vNj7 zCC7$Y?fJjDQ&WG<-1`1|XU3{ieR}m~hqd1IhUaw#8K2j-7{S zAv?38W3^*oa4_!)xIsvej$%e{?vtFQLYWl2cq9C^zi^{pv!E)T9s@T!U0x=#;07Sy zUfaX}{Lf$TKLcMMut0I&gUl5E8E^Zu;VOUuyt$DNdvl(iKfbVahH2aU94xc=bn;4dN`+fBR= z9xN_e;JtorCKp9WMC9rr!%2m4VPj$WZWr3#joI7Xjir{8BOY2e8t6Uf7QQdl;5Z!s zLk^ajQIA(Sriz)SH#axm?kl2LfNEn@IQjTaf47nao_N2`OrC1=u}!YrTMpb?wMx~|*3RQiN-{q# zC~is;-L^%v+_m@f_oukn4O3?A&*xo>+iPPC?C8X378EYLQ)mp={%AF#{IS$m?KW*e zK>>pJWUGEVGdt65dy1JQbNu4CX4u$Q#WKCB#8pa?`vIr=y(Il2tIN#IvFhnYE6=rP zW;914{&jLV0@2v$Z~j7WJYv`i^+kkFrl_Sk`t3M)-tRv)!$L=SlnRC<#Oa|bM%5lF zLCvxcaJCoJ(-prLF5v|u2%cTOMkL|B=C;jvIg%mY?J!vvMfKnwyCnP0%3}mMJ-yN3zza+bh7Tbw|Lobp>bRqlva++Y z^W_Crm?k1K?O9j=7-%?}l2uLi$*Ksg_&8b4&dTcEllB^o;KJw`870RhS{2-`6&EKY zBve;_f<(Q;P3HAmWK(Yaon}8HD;w8Rq&>V?%MUq($E`saBx7M5|a|DFY&93h=_Qg7uwOy(VHgn-)hUtE&H=o z(D$G!Dk`07vKMzR%QUl zY^j}{oqj7r-tKgvzb`H>h7Da&%DyX3W%?GZ&if;!;VUaDu#?+eC8K!?G}9Fi>Ks#L z;!I@PW82JyRhwRw)z_c31YbwegsdF!Vb2c0N|%@$RifKDxw$3RkDWvFs_a&CXItg3 z9-kE()_$`VQgq&K@~`#wCKt26JOz&g8LJUggoDY1Z_Uje-no4{R~yV*Q4yG7tH$Vj zgK7tQ36F_J-#B}IMMQgr?J{ZmTRc2GMHK`oqXbWUm2Jslkh1T5o7!i=WomwYe(J7Y zzk1f({LkKUW!SxW@>s%Sr&%1M6*%+t zb$WWbyX|l|wV<5%6$;#we5YP~h|=-x6dqnVI1Ri!tMr`m_5}uMW0NPbHNf)m`_HY? z$+EJtftxyfK5<{v)uB*mm0JQLnU~3arDV2h@=>CehJIg>k))`oXr-NeMlVNuRc1|1 zV`^%BeTar5Gj;oLx7t!#?0N)^aGm_o7ABUrQns(Gv|j{qKPl$3^<{ooSQt_riA0v! 
zZK9T!Yzj}}CW!U!FflO!dq>|ymc0xiV-IHB-8#df$zufi)jG4bs4 z1G8=)B6jd3K|{;R)f}fMm1meIWYd9{_^%&5;?^nhI$4a9xjYX%l++ffvg+Q-^4O?O z?$Q#Uf94Ra8HBUcZfw)H9;t^s_Jm&HNLK~yT!cb z1}-F8W9UXi2S-P1b&HKXCj#2S_?z}uGNKgIP7lXVgoTCIR^%)v@2`(qrIt_f)!QXW zq^Cqhsd;&M*==MmGk>)t`CR7BIn>wwwa zJU%-!5w;&&>P*yBojR&~y_8s6SJ#!|UyUu;8ZK@YK#%G%iKxS}{W&2S5KX ztkS`udEKjllwQ(fd&*x)xg(NZ^7L@Cz;LeF8%(69tGiLTPo;~c`ZI0q!M-e|-QB&( zN!~WK_ijYdh4rs~xSZkBWHl;h^~0V#p-l;u|I)u&)Uc*lKHA`O0ISUBv>GYI1L?(= zCn0Ezozu4zEFocUFYTl>4MX4R--HYBPo7&7ti`=mcW&eEu?qnlMY4qZ#+b0zEWfPM zXCW$Lu;$~{_GbsfCTEAM{b1)*sxyOGV)a0y(JcOX^J`EFdI>u(m)%*jw#aACNTd<{ zbzZ){YE7?P4E-i1YF(q~F`vZQ8D-9Q+8C{@tkhDZ^hW8}kATZ<@9aeSP;=X7W>rj6 zR&S#VieQ%U*z>W@hNXnHHCUzJjU1Sct}Z*?_^FGwMg_gPIPiU{$&!IPKbD7-OepT$ zrr8q}Ak+2ACPBj{ktA~)%+x@7isaaWxs2XqbKf8DD z-o(U2jP2st+4cRkK_wbrUvE}c`dzZWKHoQOkcuAo_12}>5ZVl-mvmq2&*`3OJTo^H zahRy_?RGFRX|CUHss}y*Mx->dM=R#^9GDKz-p>fyD#z)qwKWfr>X1;~e`w!pU3v%a z0*@StGzWW}Ti9xZN0ePYmPJHl=t4V(URpxz-s9Tckir5G4h9E?&^HX51F%afiII%5 zGB$m8Kupu58BtP!a&mA`k>44786&0i`0<-f=pBLOvcA5Bm<8Zh?VN;FE$lHc#}XNf zS>_#tf$CugN0`jS|$>xHIXUaz&3l$8GCx=)LF`T4K_)57K2 zJU35I-N%kf&vkWm)zz6wPdtqa@NtvOccbl}oEegobPG4|@8{6}b`mb9siB`uDgk1f zD*d1Q-tdhOO@ze4U)QUkiVk)U>Hj4EH9~o-U6B&$dR7%GW%1t0v;DZ+h3F?(iYSOQ zqjvY9eKOo4T@fC_R^`w?`@*RuPrS(4u%g(8&nkrrD)LuERl56Ef!3dSf2swi_UIt1 z2v7H_m65woL?UBU*r8`Jxx|=8_br(J{GV%n&B}6i({f4GsL;M~X4?A{ZYRLX)#~C% zTcU#r+RZH+{4c|} zSG;7;d3vA@^%g*GBo*f;+h2x&R&YUNE%F# z28CkpSjXve*`BBH!e(6p-VV#X&^PpX6_FatxuC+s%>+-q@(V^H+Gs^9tL0PEthuLV z7=HwGcY%uY8ew=_d*euJ;dOe|c zorbj?A^0VM-u^+KkKmv#y0NcMqa-yy#bOBeXF(M6nFHB!PlQ?Z8IUs^M_pa|)D>ii zU8h%E7H`-PndFr3i1h_C-?f_$tsn65`6R36D3krU-Zd6{nuwoc`oTSlpS1K`vL&=q znUKE1(6K9-_7BrDTuhpU%ep2fJAeFm_VbS&=x2?MjR6y07lB$}GV8wVK7C(7`l3pm zYqc~bYlxg2D7LlMz17pZ8LcLMrfVq!uqWMD+NV;)PG~@pCvJ4M+COPNekw)RF;h?I* zRjm;}xYm5O{+~lDNIF9vow2l2{CVDodpzx>q4w~q2^;#m#<=NyIG!mk&XCfxKZRl! 
zy{G(V$iVd;p~#2mIia?HD(xP~e^yyL^@19oIzp}z0;zGc{-~t5_(-M=74m#2zS9!X zZfNB#L`y7(xK9%-aaE5twQ+6^u3ez(7(Qh#MD?DGR>b~PJ6Xa*OU{0TDmgh>dT)&y zWVznnCz!b6+&q-J9A`sgBeK+Hb+teTwFPRO0ZxRGq2WNUPGw~!w=OF7L^)od)GysS*1(ymR!s*)J;RXl6o7Sxo~y4}Bb_qA+MnbVUsOs7tYWo}`?*U2<& z15SI=;l2t{)bOcTCo8m7ghfTVDFB_}R4%TzP*3$nl zkz|Nc%^8Fp_#~H?m&?r;4x%&4GZi9!LeKV-#9>dkZ8Kw(ZEEB0=Sg|_BoCa3a|Hx` z%ZQQzF^JSt)H5{C;7=%?K0VqVu64Ddu6G;V_ z%2A^M>#xqs!}_$euZ~SAl1E|P3x}KM-d`Gh{Z9@W`ZO?0JwLY+uz{(U+nVE>i*XmT z^Ya;z2qTlwZMV423esmj?%agK7IwY+AXD)33Cv z^xSUx{{3mClj>+)?=_+Tud_{2as(;Ls9KeNn9kMok*SVO?C8XAsqN-An`Q##c&QUa zlB;5L?QF*Y{#Vyt<( zW_jvt;o^8_9wu4PFfnl%a2^`&GZ&gORH!#TV*obaW1n36@oKBg)D>G8EML?ya&@FM zqq@3UpB36=7dy3FyL|b@jr+j^17$YEfYN;RbimOM%1fKGYePfYoIf;st%X3Dx!s#l z@1GNoOh)Y+9?AZm5#4L%=I4)7jNen@Z!U8muUc4GkZ17qn-ZPoim<>le_(E!uyOUr z?2{1WwTu1o%R3Yl`IR23XTlE!4l|;py*FND3-FYeHIK>>o*F`|)w_J*Ztm`ce-Teq z*z8@r#jhd>HLCXrr6XTm^%l9#F?E0a^v#>|Mqf3zRA?wvzQ5108Cz98@^vIfZRO(a zTmQ4UnDmyHBW3OdE!Jy&wPCyK8!00rf#>tA)OQ#ts=W7>+8BHVgbzOSy&$;Q?a45B zRYgiIz;d7Ccj~3jA}Ae`B1s@UUkA8zj?b=-Y(ID9VHWgo+~^dYrXo*w2t%l2VvD_2 zzQ`*nVdNs|W@lG-_LG_~%YN(TdAhqN3b-qF#PX8g&9Zp(XqIgHvIkTXc-S-Uei3F) z&YfS;8T68F&p-CLN}v9kCm+dNUK_67J_1!$UZ}tCQPa-QINrs@=J`1&m@ZG(9npmY&Ie#_ z)6&ZXczIDfP|t8SO+`h;fJaR_Immnde2@yEWvm#q(Rez`HK+4|LDR));$XpWOl)jj zeSM|l^psC#_K&XQ`WV5*n%deslyQZIwfTjG$`VLv-&aTjJw5NEt;tLa9go8@3yfp^ zf#nkv(@xKq2O0A19a)s|vX}LTcozu1R1TwgV2Cty>^5rgt)S+zvu|jSB4d z+5c-*-qpo**&o}PiQ#9I_Q~8&OBDIBF`fFmx>?#A(MJoINQZy? 
zI4EsnOcpb3*teaMkpaln`ieSpz1!+UwWIapZ;w__Q~h=c^;m3@J~`q1;>lj><^BpY z85yIDGA@g+N-KG}@L`r9*mQ7huuFfl`Ql`EF;1;v?juyyT@@FP^sZgIrXTmreXJO7 zm&VNO$XML{V`{2N6oYh8ym#eK=3 zwqT!NmHo7g&D{5L$!i75!hXlUYmSc#3+Xu7=#}AGoYDyQYkF@(^f+24>)q?^Ha^!J zixF0jii`WcGRrbRo^wi9PtQo*>nxWnZzq(vIut?t9e%;dLtV4>odAPXX#eeM@3g?WJRlARigua6Z zAY~rhzdr-qal&48j=4IL0Kc^r|H`?=!zS~mq@hxSg>+b&yP($IyEtPs_M8-sj=rgp z*?ldDV&yRlbarV;#2p<2yu;vNflkBGmO++9*5$=fVvdA-mteP4qdSIee6yQOCM_~| zm|aMSh2?1-HK?^gaA^*F`1Jcr_oVrI1Y`p7;X7wXO4W7t%cP-^(mrmwZQ|l5Cnu{1 zYdcAO(e-t;0EDBUq@>NPF07Pu^T7VW@CjR$Y~3 zQKPuMU?SoX{u7EF)L=^fmDDUNX*!n))m3g>FY-P7`7@un@Qs99&Eitxt13IBl!)^; zv2p&Ch|#W^y}^m@&XH%D6xza32aV3Z7+p|H3hhhfdMV< zXN|_Pz-SU38y<*@*Y3PNv*Nh>H4v=2h@7LMva&|NkaoZ=X-T8t`loVFK~|tNe5aZp z)W#T)uM9Z%A&27ab3(Nb50G}N>+5EXWgoWyP+-(#7mBq%H1f}fQ!oI;gWn;x{#XR&fPj3{i{Z~kDgAhy`Bbbqa&Sf@=7sjFo-QPMj&$jdYv z^xRf0M=7o=E`mNW=5q`JVJi^dbPAhFe-^e4u;})=X^}#cy>ENn`I|J(9v(xh2WZyp z!Tj>Mm0<|9!Nl)@F2PolZ&jgC7W`jNAC<{ayLl+b3cfk?Dm`;ZYn9MX}%{S3d`Ih zB_uuk?c_M!WE59q1W+`Pxw7b^ReahC3+J1y0E>ls0qiUAGRSk%L=;4pdnB(9*^k_+Kk5`Uru7^h@dgo`i%X+TSgFs< zI3Oi4u^_A5bHi%~vqyv)`;!CCSjM2n}fW+uszVeXBZ3Oe!UuUHHz-RJ(+;Oc`!@gg79Mdr~Qv-<)d## z17qPp-iSafVaa61s_g5Zc8X4U34&bscqa~eyuY&(?=gr397Y^#M~74jJZX1(c-m{B zmtAA6d*cQqNZKMK;d^GLjQ<%2Hd6W$a;cgu!K+ud;iaP!5YSRReNiILCP%-#5R;Pf z;4<+9?HpV^<)O4x+QF(6J6fiPe>k}^eIc@3JxvisCDZWa`KS7N-{DU)yblZxfBc}N zjKlfU&W4jUAyrjAz9Innd}7xxb+J%{V&fv4cFQ91eRz_eop?AFQcqgKZ3jq2qCyTc%NFxG=q=^8CNcG@V4RJWV zWOj=NNhFoqW=Fy0NwF@&aewL&JBt){Uvs`KN>ffHS>PluC*?)ctHDBA$ENwN`p8TM z?~^RbZ#4empq}H99JoqApiC#*v|~{K;6ShL$?~I((8k&KiAD7Rv6g6m@iz8DubZw?uZRXbkJ z1P9i_#==u6&RveAJ@fisP^wuK#Kz+9M_kf!vfIM>aUG$IwXbdKdj|B2tlGA_jBrN)|5BF+$ z!fF*un|?EE(p}8nS^c)_u5b{}F+~!^u^40n6h5%wcV95sMV48PYW1WCW_yF}53Ipk zER=u1ciUc=~XM4kz^FwG(16@BsgYH@FJRR6V&cCTA__H>L_tTAf~ zwpnsph1XP!=(n$@ArI}pe;8VR%nCg~T}>lFkl~%GSEvlBK5x?LyLH9> zQ`Qke3(EdM2X};o8stsXl?o`0)x|#EZ}p&|_wz!4@h@KM*udQQ+TMPu{xt_rpA7e` z%gFbge?#6LWCV5NS1^D&&V>XhEq<24Y01<2Pu=zXf&fWi&zCgtpnkO}&_ky9*vb^2As9Y+6gdhV-74eAv 
zO<_cL#{RdDj@4O3YUrW$BrD=IA2Th_Kz?0!L*`1kJ+=CN9|Et4wL7^wco3&{3BQ$| zH`ioOj*lnK+RhA(2Dj9>0`-oSjEz%Nb7)2EM#8Ce$K}A0cneDlFn0-*PC?wKrH#T~ zG26=B6+3aV((G$?h?uKqds`Kli$=fsFB_#_9x?k|J+D|_IUd%vgSKlLh>2${A-gXG zgMbvotT9%cS z6??e;7}1^?NdTF7Reub1(baF64w%C3Rz@o^*3Q*Z2QOA_M00O3(4HQXNk%Rd^!C0K z$XSfTG-_ORa;E3yFe$yPDeW~VE9$bDF8%g-!LY~&lJq4hDQRtO4ODqNc3&Zt=(>#O z`#)DoN=n)hImaiJ>%EOa^m5txa+_p?sbQvUHTpuN0CJ2b+uwd0Ecu4 zEMiGicZ-p3;vyP~t&H8wq>!*$F5wF>fV+lq*~%Z>IJI{?)g4ROat#>W8=oSMPpmh#O}_G#dNfhp>&&Xx)eJ6e=&n9_o}4_m{;Hk5 zt?by$^W3rjd^68z-1n`gLr%jgM5uLq+_xvKWowHekCPLW8BfyFfqnq+{qITE*;PM} zOiefE=PM>$yXFo;$lLn*dVxDZRWHxFk^z4WxGa6tA_nHJ()rCK5YyfsFJ}5CBt%}_ zwD<&70CPk>-w@IcTpiq+M-nHv&)YkKf>XpdGkSg8~2uT%U~H{L$w*jA^KJQt<&5& z75P73t}ShI+Vl)hKHCB&<2INF?R%Evzr19s*(xzjHHbwezK7oH`io zSZnE4rWN{P(k832a<;|W+C1VXRb+zn!^fx+boh>&4AGKs#e)VZm#>PYV!R zdql&LZm~WBiSPyW@1~hK{*gR&2S=70R!y4bL2296{7{g|DC1)_c{gC|hDI z+rr=MqV-!Bu@Yke3-lvD)ZPn*aUthQQt&468<3`uNchpDt?1LykoNi|hpMRP)C*Is zIFDu9IIpyb`!o@NJ|rOnawdz5*U3!wV&iliI_M>&etip?RwpJc% zBT$sRVkigi!Onp?=Bu|yG$M0IPgBp9r@&!uX6DT<3{z{lPSyhJz^D|HCKpzW)v&S_ zU%ED*%Iu?D5VJ<|MEN9ZYPI^9fW{=Ut75(+-xm66%)Tqk(Dkh!Y;A3|v@pR&U6RZ{ z6%>SFLq#DK*WBIRAAtIEyvhvdNQ~;;)NMC6Cd%c-=exd5Q(%whyVawk4|BG!bQOdp zu}GfQ9TD$OB^u|(u2ZWl(aRGNc-n6pH4pA|KqctMCS^~M>q;^;ofmA=&Vv+?0MWDi zd3WWmEQ3-%H77?`POc7sf9TFmR9+tPEgeJU% zSw%$-1HYm@r%pop;C&z$&dQC<^&A|?Bg3Akp*Q&hFA%*i4J&u8S;sK6 zqLO3n2^#>?ICX{xcwYQ2C+)b6oG(Oh!tYBC?52N-~7Pg*|d+ zcXoHfX#~u_e=wDxr)6<=_?MEiRt(xFc2@)Nz3l9huV1+1q@i(dmJkcIvg_gI3a?m# z2x8O-Waz-Keu!%l%SpmtY2JQ{X%Ttz4U`bOLdL&hv5?m~GZT)8t3gYHy`ky6c?E(6 zPatDbGJp3ZBw<+Evk4$pkC`v=0A-eLuyz;nJ3dHf!H^Bwm5T>?$ULMuhG)H3$au|< zA?@JhwhkZ@xFZBZ6t8?Lo{WvUB16*SlQhrLZV82S&TC$=f1VtV`Wtf0@zB<_sfc~_ zYP@XoH;6s;pInzGku585Q3X;V+;=8!D-=uBe#RJ=K;$pot~u90B@a&pQErvB7 zo+!)mQFDP|J%&z#;9i#SpJ}9zhJH4ONwxeW=?&3@XQZdUe=3(-sY5Fw$0+0Xf>%tu z^2pY6)WQs4aL+&f!#+|;d3~CQp`nexFDdD}G$;sU6a)Eko3tGh7>w(AjWgKLebz!6 zc9u)HDy+v6)QJCN=ELhr$;rYrRwx~YWY%Yjv2{-4EMZEDP1vn^{-)zyP#kLkHEX2~ zA>s9KpSCa+m6K(lFiUT_5 
z*YM1C^RZI1IF>r!ttO>{!OgL9dHUX%!_9FMX)_-Hjr3LsRjy6!?C*b;!R9wKobS6; zJ;9O3Uq@>mLd()hoQ6{-qi^1vot+IPAe|sDuWV>Aq#wTR>FHU^&s#~?`bV;Dtq7m)H>Qyc zdxkM#H~}O~QTWk`F!FoR9hVObg{;NMIFSfg6tt<82 z_qT6RQ8}I2S5NsL8TIEFvHr+O@zEfNDG0)y8A9jI1YZF6Syo<7Mkglbxupxgv)q}O zni3ri3M4o@y~@eu1`%zE-zXeqAi}G6J{~CJ<+!`RZ3u{P=gxdUvlixS5$S+34ItF8 z7A_8sl}Jg4%lXEm^Hnvnr*g!`wJ>)*y?6;y+~sC)&~HJ0zQ@)Sy|55$@naVGZRB{j z?Bz(MZ5%+X5|r60C-qiu(fI6Jj};lQd&D5Ai%gmyX;^n>N0#m%Im+4&k(?cFjZ-y3 z|6}%78ra*z_rq)aou7md?;IZL00phY)oUcQ5^g{{E?!#;8`PtI@M`4uZ0oewd}knb zeeg4{fv8>h#rX8n`R{qP>IoN3+4TqU5hRQc{5n?Di2^QIfp7{1*o}W7j`B zoNAG|-{eW{dI^=RUM0UbC-;AeGO1e13+a0F3hSs*VGY|kY>&aXgzkN0RxMxCVv#l8? z?phVEa1mFSmQ_jv&}etpukb@O?(9xY(e=2`{~y~KI({g^-G^v{h9W#A05G`j zHjBtSt<=acb>-+mk2ZF;Bf#ZR=xgDw?z@#5%$`GUvWp@eV;^!``6n7o?GAZ1zZV1B zv;oHkK97lJKJB7!(-)tzJ9QW8~(-*B4Na30I09m zjuqRk$wHD|)(hbV_>AoSc)I^dt4G2dT*EuJyhJMDKNFvr0N!qk(nL#3X9B2oft!KZ zGw(P%H}mT6_dFpxIX%tSJ^%oDN)Tq#NCGt&3CtS66ka(WSF1VS{q;e?$_m4OEhhmb9sk5_|EKSzS1RaL(8o3Tq>*4c+XvU& z^iev+!_cxG>!eD3@0br?dad>QMB0I5U|z4y)z!7XzkeWKDRyD^_}GhjgqD_@P%lrb zrml9<|46!9`smyw^>qAuXq@9zgZC_dv%*VV`BYxQ_$Zmv+zy?skf$VA_t|d;>%#@} z;F6G;B-kUU0231snv%|%&ca(_cr!&bcz{}*lhfuC`ZhoZ1OPCp$SZm;gC^YmIddz? 
z(o2!VMWFr3(9oiI=iO;|38D&4$xSK&(|N)Vkv{NcExSH72IUX_jB$1e^|~ z<^so_%>xCqWyj}ecmhm_%J*Om*op0Ewd3?m%T4w}O;kZx*f=Ex1)DHv2tfW{eeQo2uu zIgz%Y3E-Et5Y$5(v;1qPaGpGoJ^@w8*zB=s?6;EzWF2Vyk^QgI#UJ+lj-mx4 zfWFj)eFdZmts!KNOW&VGwBMi>cZq4>h>*K=lX^9MSXW0!5ephN-UJ7O#txM1W3ecD z-}r(8152z!qqOfnosf0OL0o8m1umBLz$!kl=;`Yxz~SV5sCx2J;LRc}ESJo!FdT$} z5{*-`UrlT{L4{sSOcfzV&E5Nq^M)EfKV=-7sx&NA?#cUKn!h?gT?=~5$f?Dj77U^n z0QF)d;i)kW{k*>;65mlK1-fUXq@@x@Cp=f4!^6U+CR?ARsHSB3Km3|9B3-qaBs@51 z;&rjytSWB-Fe+M?#!4Za4`(Ykz6 z{o~_fv|XzIVJ&;=c>zF=3N_rn*Y*@xb*~;+DyISki)aWLU2df0XnZwpEu2>Cj-eW( zQ1|2CvyKfr+3?~8Aa@uT8EFKL65S(pW1KF$8tLPxroW0#cRV7JSm=-{bk;pq} zCw#POInMJn+U9&$U}R*>i}7_eO2&2oUd+gFe{) zj84ky?%n%$?{hroHAu}eP^fjF*@OZ&H&GJPA##JIp0SwMX}MR0GBEMo9Nc#k z?jD!iiv_C(;j^K<=kpGhEh&@Ft?9$c~yWCZ|KBS24`J!HSf3n_S zDJcc|RBGDWH3D6{-t_~AqN3i!bk>%tqocUdpKWdO z@{Sdg<~k%PSuJ7k60Q>|9v;Kk{_*j8%{JAtT}pmq(DAZX0ow4&9f(OtkU6RCBIhRs2(t#(i8WzLKu)F;>AMhv7?)-M1Ei2F1vix4aZ0%y^L7x-DJ4vduo44Ql27 zeof<0eQh=IgGc}s?ol@0r-I2|&V^lIPoWUaf;DPl0t>aVpR>;A_|V>$o3M4tNTo6M(*wshrwosKuHCd6<3(}Ndbmig&;d49fM zIXouD5Wwv09**jd9=-UyI7dhFt3n{;=K~GUi&Bv!mf4`e&tDu?rT`!8{{62@DD|=; zSOTL!zwyzOuVb%cvudJ<^xeA;QMgnPl7v*U#6eP^sJ_;JK82zbg3?@nn*Zb>a~*!^ z8cw|*6oz_6$IeL&rwU!-3}iV^#vRN%eN6%GZjLYZR`&ByrwluSj`F;u=`0ji3ZdHG$*O8#`Pz}d8+UKntA4

@QGdW2v7$ zB_v6Cqj3;TRz&GgT4ebx8SCd>FGg%=e|-gnLZYa>4%a)?Vj?oK?f#tNa@T%!y)j47 zVm0?R6l6J|OFj1UXLNr4&V1YYflt=wl$4_IvQp_h70~Eh=WZJu91L2svULV+?_YOh zbhNp3`*vopH9*#givRkHSc@W~1>-p+5%T^$x}bmED29gV(hDeu(?uPA{rctP=}If& zcbu!9u|bP7@t`Lzt}c}l$vOpt>+a-*LVqwfR#Uycj+03?J$3ccKW*m$P>sZ<5^g zk{3oHSy>jc7svgeam?WPi`)T)aKn1b&bCXe0);O+Ca>|yS)pF}lI-P)!Y-;0_b`wy z-pzj3rQBehp$LRKI)mlbKef!}T|&Wn&uvmNqV1k9!TJ_RkcP#_i@*B*7bs{zUmzYn z!CNvqj_TdAvbFqt$qOf|r%&JB4t~Qk{#b4NAo( zf<5;GVJN+#lzsCSIXM7CPjTh14k$1{s`ZCiPS%JSu=kZ%wDi?@*Yfg3sb6hKjujN@ zJX~aif91;HO`StmDlw-S&<~r{3F0bXT7e?E*e>3#7P0pMt$wEfbhGZ60YwYC*|gZWk%tH; zd4Z4ufUCsrja!x7$C!nCJhW`QH-EYe!=exy6Cm7>(t}JnKejs&6vdz!lv6XuZEXZ} zBTpr?szG&XGv`(Xi(+HpkU{^? zRM)9*kY-5Q-NrCXWU?eNfxDw=-Vtb91xkJ&9gV6_;c%KCYyA6gj109c8iLD0l z6eKbkachiSi&ylOKs=oM7A?;Ub@kRK5*Re*XlvZcwnUbxg<|9>$m+hm#{crAk+tez zV^s5=vCFQh`$S%Cy>G?Q9yceS4n~DnxpZ=b03_G&q@;;z6O+Y?hoJR)*vQj=qRAh? zdf#+S{5dgZ_mhs!iNWop@z(#{23=Y(&&kZBt3m(`VgG8(Jj-CV&OfSxs@B`IlG?!& zNlA^qM~WhnF)I@jec(DbQ2r-R=oJa%;fHz=xDucHTfLBpyWoOZMVlbeIGVLH-j)H`= zK}*2_S6wv+2D#9gA&7A1NavDQ*!unZ_s^d@dwYA=hl{7nShLkqWp*>G;wWz47V_Dr z0(G4^p2#zK$B~jpTo$BNKX7vm2@wiRS~zLE@!@+3(4j9ZB|0$RU>u7|pTYc1Ne?Li z^pL1}F&~7GvQ7f2jh#B`wWjcgsIW7isbPRlp!Hxt+$QTb^843^mYh2B_Z643ZH(aE z5donFz_W=?cOb-IiGjhd@XOE?JjcM!n$)J7B&;xdK;XN)xQy!p2gHEJn2>k~c(DdR zTDn&N`xjYBhxW>Ur_QnNG*U9l#MHu8uJC69K<+Kgn1vAm@c2a`DkHbk(ZZOMiIpT79P%1{cUaz zG~Bk=!NN4f0;I~z%F5ai=oCeu=)1=pLL5Qkv#70WVQx;RpzvH?=+)?mq~GyOOE3aX zPHSTIC(j6wJq(cYm5*XT<>%L3Hk~1lVYOK7C_tC7J3EJQVRjD%77~PQ>)cjp=q9vL zE>Equdt|SbNM3L_3SwC0x!HDy?XU( zpvUx|_r@&aLwAJ)1o})ak8FYd5WY##=$tV?dHXhqx z;(nRosYD8HeVv?~93CD9IzcKNBQn!)?|&se`>*Qy{?D;={}<*+|8HM0B!_G9TT9bU zMgq95A4vn=zu_{twi1zOXk--p<_Z!$4K?ls^bQ~} ziu%_iJT}sXu0ZswfP=jz%g@8dwKde32yzbFTEE8AT* zp;)544PIQMf|8KGK}1B!Yg`r>__#Yodf%r}p9u7&g68*GyR1P8rAzK4RFtY}Y<+B* zN?BUkZ}8%W7~d?82fJalCQZ9&+kk)o0N81B1+uU1ULF+dGWr~=d#CS*6IW6|dgi>( zj_H&Yfu>&cq+ijk*j+ZScaSS&w`wzNV3^LNTH(I{&RGE+YdW05a!F$Okk4nH_mtb z($=;V(o5VAAnucaZh9qfw~OSou)_`PWiC7ULj`| 
zw(cuiz@(;Z@2{@fsi{SP^yL%B@uZlT%!)34j?r7?tQ-REZ8)QR4Fz-nHb(0_7b^&v zK~dklDd4%02D~yLmJrQwI3E!b0is(Ksc1)Fou4M2t%4jIf2}j{qky_SV9OCCyoO4? zhS!#+sXGX!MI&vIK!@bm7c9D^zqt<{JHBGR2c@7b;WMW4Ls@)~u(QVThlv@Y;@5Ni;V-9Kooa?smw?9DD(?rJDEY4Q^d5 z78}MOo{^Ko=1=s`Mhtw-nwV$^rfD;qkp{KvQcOq)CNJ_H!Q-D8wKHJz1j#XmFgb|} z2%tj_oB)53dGPY_MJ7&R-DbXQfMhVh zOMNjc`3or(`?p!@N)8!CUL zvNKC)8*2i0D+ID@s0#o*lxGKXR90P|&cFkIeX3DDUpP_ahK>#ho0|Ac78T}nf5cVT z=n)%c;$DCI2J-V@2!Y1+@4Q!1!^sKIU^PLwLL=uAq=Mm$fTLoft`y}{g%KmHm}NeG z6!7liSWsyBm5{I=aIm?U=*Z|Z_9kCXl{h0qbaQ>2F=kg%Pz3DA8@$z1B|8tCeL!jz zqln?+=EBN>wWBFU5e48Ivq6r8;{$Wy9CddzwEfjhtOZ<8*5VYAiQxE^-SQN5d$$saqBkFdC69K&` zZ3GVrh^_7I7&wDcZ#xGsZ`>=eOnD54D`o@hRswJ=YnYyYecT*89OyjtBOsDKLnBz> ziQrZSN`y2>3Ys=rCSM0~m%5SB@e!kAOWS&HN5|o8Tk2Xf@!=s`y0E*G6Fsnge~94* zQ@(`d4hN3jj092~T3x;0cjqyP3fCj>!vM8bQ&$JiE-X|6b(zQdc)2}(@8?hI6;9aM z0Zq2w#Q}f7^`e#}p01CKpm7`1ME{1OChluM<69XkTuO9oEVsw)f!Yay(UaP0H{V|D z7G(%KCmyJy-?G8OeH0PM;iI(`*kqOB(7jG$LxTb;1(-i{_sfuxv*ljt-bH2j;=14JwRbX zN_WV?#dn6&Qrlm~Zg;e?4B~ffc|k#>ar8Hsm#vltPgHFMZqA=+pFUMlansQW%grTY zx(p8ZBgUc{cD$2!iW$Pnb-5!3It;6pEBowGxj%uqWp2)#1@;!ky%&LZ@#F3lmdQ`N2Cvx@&%*EX+AOI7KIYf#os4bBV=)MFb@2 z!50tQERKAi8;uyX_8tzbRDhgIlId?|Mo+MAr3ccy6Q%$vl|SH$8Uen;KiI>XFNV&j zqVg$lwlg&AJf#DW3MSv5=`A+#a818dYhgRVOMPskeiNHdXO;U@Al639Y<(9hOJOxV z&Ko(PA;+-5BMSgW1~O|rEPlgk53f$ss0KS+kWG9d`ieG>l@*R>d@{wJBu*xq$jb6E z7JVg_tdf-d{GGPJJ2_XRLGzs!>p{@(K*285?E=VDK!0W+#o=W=U8;%@_1>e%_S_8V zI&z5ED~AhoCKx!%n35WzTIvtos)Z?VrEuBfOa=?!FopBZ;KC6JY`UcGw$d=|_m zih+Qg_3!qKB`~q{w_{@DtuX618O|5h2a~=mN4jgk;j6-VLAFp^Tf2hO+uX_NvtbE) zZGn75%00R8A#n5P6!!U|EE2`e|6S6%AML=nDjXh}0o1Jr4-nfq)?gW-TS@X~b!n{% zM56Q7*oVvX!z-=;Zl~BNmkFFxWp?Q<&R|(MIyI`F-NbtyJLyZRlgKTz4eYnj#WY8B z$uI65^M}QonU=5X&l;GSmk(R>q3;)5f_z!Y%7Ox6xc#Lmn&pA_PH3T36>{42g2i;x zX-Vzg_*8njpfR8?bw|&!<6bMRiggstwb7k4+`f13F>UYn@8%OVpiLJ68f`=U;X*el zz;hYgZo{X3y_(xX2935@Ah2LxC%=FHUUKaq5RgPFpgN>;kGDN09^~wg_N9&Pyhaks z&!)>W9O#E1GZFsou)9$yXXepZzDtMSA7)OfKiqf?9RE!7#lm8e#7RJUG5398`^gY? 
zF_CJisgz@{?U?+lMnSMicqN8{(uEWQU1kN3_ZU|Y-O zy)d7JA@0mf(X)mbtA**+RVcI6!IaNB$d2bPln9s6*#l;3;kp=S8? zeab7_v4`Hp+cZ&R4Ss_HGW#xoMU&NCgUv3L z{{AWjO;ghniVE*IWmI%hm3Q|q&;pon$Jw7#u(pw+-d&%-^vb@X4qzUSZSUb1zXBE3 z#!e)4^lE-i4oHeA0vtxGBBPNXXb6}j55*~7%+_q5ewZIapaM6d>KU8Gx7KYLtg;;_ zM;6wVJ$;T9!uK~e)IVtQZ-3?uRgYD-wNuOGfd|HAeq2Ja+HBE-Sqt@EN8MCQ+W?6p zXpt&r4O^5vNI*nW;N1U?A>mYP42^-W=9aP77V4!%UnC+*WYtGI+R2CqGd zeC<89UH3s?q3<6je80OZ7<1Z`Q*}uaOS2F=d|i*ho7B6bRO+oV_tmU;;aGUI$Yq3X z7#`waaU%z?GCR9Yi2+0#A>Q=X?Y+^WghJL-8IQlYq2Y2373c!@pt+qc(0egt-w zhK^Tzpn0u6d=QC(^2awC&Helt%VTf?vWa`!+W-a1n2;%IzqPx`EC^LJ{gR{7&#hbZ z@eN?A%*_#YgCy4hBuzh|*tGIjdw=Glgv;>eTxBJxo?hHo`TE*$abks8xnUQJaO$r z#=~Qu&1wKj?$6@8@%4d_73D2qg%4#LW&yj|an<`p2BKVKE1hQZpntK^=0jX&`PXeV z(c3(}ZQ%qg?E`=RCScSL0PQ4{<(4t15gxyIks(#j(~SL(mN+p9f2xh)mVDvg>#^vIt`0Cb~9WG{q~{oTYZzWpM{T_Ua%}x z_w;?%hV6!8&HRt`s~%og09)rk*A&dE8KKzaG#?%>83UB4vnh4 zT<<+I^Fd;zFkfS7hMN2|<2zTMoeyVVEc??(oqQ#HpWLncz>pbw>d+R+N017ik2#%Q zo(f2XwGZm#O8IDe5D#%$-HUb64P}Y%+ye;jIOww*MnMKhW*zRc-TEB(_q}kM9!%YF zmN?CAi^y@GI$y8-QGX`CY=h@dyM>y6@J$Es)HEV!mI?Q~`9}SA&gT!G+D`3`+HC%w zP<7M(>3}f%rP&t(@gTxM+z*d5!5NG%#puW!4we*idXbox*j!rZRc3J|*1*ar7g&88 z?&sGxkDzKO4qMgj1p?fc^5R)aqTr+TH)IQ;2G6hsF;CyV737)5`2@YAWPv?Gy%wx$ zXz)F)t9-f}B)_*V^9;BeJ2$dRVpb=;rSP7);Y_T>`3P<=9U6A!k2g8L11BO#@YMj^ zYSYFy8B_nmg;#;30sE64h+Ur~FoG!_IwIF z?-kRiojsV-m)mI#>x2SRv%ONcSsA}MAxcYB+HE0asf78~g#T2P1wJB6wMFN_c2&;V zNiKOJ(H(n6hmPFX?tcfxwN`uRv3L@W@_1cxTAIaNp7ef+qgzK>-ouqtysjR(rGGH< zBe}OneZ2Ye-KJJ+32eC;BmGuS_jeGZJ3X3t5*+!^}($8>Ct>V$tvE0nwlqK}k@wYBtV3ep|m6^zE>dHQQIZ%eJw?J9=o2E>)w9uY13dAeddk|Kqn*$=4 zV+ZdnyVg0)wZfNCNjbuQlaqsH=tm2y#woHv0dW@hI7dj%WL05bD7 z)5TxEV!ezB4M9|l%-5~OIamQq*YZ>3)RQ>7lIb8_4e&UzBiL)MPo)pQ=00Vc^YQWm zN^XpujZfI~=g)zWBAUct5j^(kXz5rm?Hn8&Vy?@5F?yy8v$JF@B9(D(LE9OYR22yk0~)o~GOxQ@|S~ zE&2wiLtEQ?*(=_{pL?)t$M~%`<`|8M~*Zay8(v?v8h{i%_pW zR~e*`(xUTQ`(60w#$5d4s3WwvXG7Yf$ydLqGKUbc$B~T}<{}F91h~=nncKPO?My6N zbY@N3b|?p|c|u&D5_{ld*}Bh)lT?B_sY| zH8}ry516{&Tr|iodt{L!SRns$Pt^VO^aPP3~a}m!p6X*tv$@x*;u4nw?a%<9mLMWuK*`SLsq`8p7g% 
zXQZfzf?zLxTB11z@LLNDF;U6I*Zq8bjg3{4^uF+zaVK2%WX(SJETNl@I)M;aHZkRW zT%44&TGXYCuuFR&H~y(hg(vh!J1_;T18q{%!OTy*IzDs>kH>+KQKQdZ`!|J@Xl>3h zO(rXN^W@MSc6K0&G)PG=JhIC@-0(NwJk_|Cr!M^c|SGh7CJX%Xs-V97%=dn*k#lJxj_}TMF$dg z_kooe{9=yGrcxpF@yepb*&1J+s()-M(+wuy3G5xoI|S+VMxLE`^xH4q^`cHf%(euYn)fzikk0Rfq1pUL{3NrB}log4`hc>wD0c$Mms=( z>Nd^OU7zPaBIp4lYH$Kr5~3dR&{UAbsiJoFdojJ}Qd5c{xwAW3T3UlbL-v7{?pA1V zB(TpVnL4)atN=oR%fXjdz&mz(b^|nD{IFMIGiB zexs8SUIBqn!0*9PBURWl!oO-;;VN~sM^f6uQ17F&hC+WushMP2FODTX7akegnvGZL z;-cJgu9msjm!H&e!g^y`qG9PQuEfvT)>9Y0@IzF$XF8?eO$S4KO}?247_S4im6>u8 zoBJ{gDTP}tO#ws_zvEpkjQtm2FafqwUK`uCJ;EN2n$@U>=pDN^1Np$pecubXj z!Ch`{%pS-mTtOm{ey1lOCNsZY1KJCn)SbLMJPl^kP0dRg36Q?atE&8-%Uk|x%2yeO zC#R?JS*aVgp*a<=X{-h?9AH^yfpih8?i&7V5vLuaJ3{JRpT7_VqI_S^m^a%#*b%ld z$f}(Aj*~>MJ*`MfwsP^zJWXCnagZ(FcE)<_*ssMs?D%rO!^_;8>{mtZ%2&UMUFu7O zrPNP48I)s@Bbo-tEfdFQ3ozGHxJfT=>k5ht+gke?3sjaxL%yDAt@~tMO9(A6{)1*A>n*X3 zL#tHMgX4W*{yh_y550Mfg{2ue!bhG2YAQgWj)8mcl-{x$r69Lti@MK^uPO6b{^J(w zy!6}xhO2V$1HdfcER1Q*9eBn@8EJF8LvB*|`ozP{ZB%CA z1Rgs8RJ#mHCI$u|$qh_Q7~9+{{0VxXXDe+iYL(Ockcw-tlB3a`Z)LWar!eUDiR1Qj zw>PeC4BhoeD#dJyTsqx`I;pkJ4ZgD!+o@wqqt3b?Jn;p2WqZXsNC zIdkS?8Y=~7bDmH7P9}!fw&;+OC!IjpPE^%EQE zFU2+2-sLM-k8LOzu9;IXMN^utdE299(d{4i(0n0r*t?nTw>pT<$Ssw}KBKDJ7a{f^ zLD}mwh7j$lb5a=U`}pzW%*-?L*tyoQ=FObM1@5}>yzZLlqrmrHuX#-F1^|Hl8QzTO zy;f@lfMzaY+6|aCI#5(&a?##0KaQMwYbHeQ3ZQTDx`tz9sTkuwtN-19luPTW=*G~ z8@37n)#YRtt=6z+Y{tN=Ey7FS;hqd)EQS+I>=G8sFW!!V3v0#B-A9#w5-o;`@ z&GiMt1_c~SnFcB`HmZ>tlP;@sK8 z{iSZi6aD6nDAvaPH$p-XXJy*_y`dj<(!)#WuB{S>hBg?9^%}7ab2Ku{ym_9^iZwr; zdTD@4Ag?huq==T@ZDisTJ6llL%A~F;0Je5-Y;62ZMU^VBxfL9zhI%&EC?8REsB?m< zP04BmA)oQ_bIEk!FU38J&wzjgf={Z6cL?;wxg!9+igyhzDB$v1*}5JkYMQDz7oU_4 zRAjT>u7a8GjWHB1F)yU!a{qhW#C87=qL(+*6R(IgQRiANm-R_I}PGs z4fcA06oeTQO~gNglJ$5jl`Zb+J=WVXx{MV)4CtdPA|h&a@c0;0{6w1HoK^MxPhFZL z^L+W#{M@!-QzdnSYo%O^V8zUv@BOF8u_ah|)e>|=PD$aoU1&@OkB33n=S^;E71gOv zZ**#xyit(8gbEZMJ{}dlOdw2($z9Hm)}U-rxU-3Vcp>@?ST(pU-q#dP>9Bz_@bK|X zl{x_&OtM{EWCi<`+adkncrQNS;(Y;yj7Hst#^-iWIj%r(UNxgHvZQVJwUVEQUhgbo 
zsCHZ&W6etD;^1O`DIIl_^FH=5u-xPo8p4FOP%$)JTrG7HnAv2>i21{sl;wx>V~M^` zGrrCPh8f?u2z>6Pg4^G5Jb!YzhFmz2jwU8-h$3#Z3Lbvd{;{Mz7rHJjW3kyI)b4B* zM)@4<<5B_Zc8qHH8;+tFJNg$VNm|%F_yt+~U>OQ}zpU~PT(%g_Ev5R0ynM|BbW!a- z+O>?bktex;RxK=SL4&s%?s`k?#u3v?hYL$aSH{^of?$v&ar}N@m69OzK6SVH*`tGd z4~>Rf>&cB>fjJSv8=KR8HlQr^C4LTl$zC5vVC$ncUIwAv4&C4Y-I=8FTmPg@kU;wW zp8SiiF2r5BqqV5sd)prZ38^}XY-eK=`@kaHPrBJn56}oMYr_&kj-(Lv%7ut0nk0}U z+UX>x{>rR5=!314(zB+FSkNPhq>{y;eb3vV5C~%(dBrW>)lkW;ro6)PCh;f93w{?M z_AhtmdbawlPOlfu9g`%oIxQX`9~#M?H&ib%v5&n+v3q4gtgjsWki1eP46!Fm^{n}u zFMbZn7+HOJofZUvQ$4L-#gL{EW@xB*Rh3l#M15o5|4(gn^M9wr=Pa;w7-rU{HOK+M z5g>5Dk0Ip0wrNJUdy|HCkiNn=;`OOA*~ETX5_ zzvpAY|0g;yGu(8Xy~SUbL(y>6s+ zh0E4LW5JZyh*RzJo%=?d!#BHG9L0nel6A<+6{8t^!ufjFUH|P2umC6|$Xe}cWSe3r zW-b`4oJX6Wi4^7!!+fH@mXu&NY_V1+AaPhH14Dcf8YJzoKbo1@=pm%k2^w>T|GKf9 z;nL*y1Z<`;jqt0l+WrU}54%cwS8bo5q@SZO1ugm8}{>16EjplYu}gT3vkJv$feURsNCg3 zst^rQ#dediqGuj+txz|gXIIh(CDeY69IC6r{SVhehrm4L=@<2VAt5f4aoJ`r^J$jZDj-4w+3>_o39Q>;xun2O%7 z^C4ke$LEi#n0{8X%pVu$`%j{?7A5Ms;IqPLQpId*f2Fy_`H2#O6shZ0GK|9$@hIoi zG*fUERCY5({U?4$Y41x2#Hwc=sL93d4-9j2GONaA{BylD$CKi9BSaAv(;9XarjZvz z4BffoN_!R1zj{udnS89qZ3~f7tuqVwICKH}km9H42QJ^`@vNC=go0Q5Cc{f{;K9N> zRhTr9cZj`fZ)#Q>(8FKvaFgLKva)92pYDKRPNJ-(i;4HcLvGAZ_uK^;7;BLkyBXs5 zTpw2wk_si*@CG@GELB{+PVJ++)|=Fqo0(hapg!Wx<}x`IdI6yw)(@q(YMm)@?D~)} z)I7NQxp7IE<&$k3RByFc3T3v}vie!*-fJ}T#O|q)ym0E6;AL(Rs3mUN{Z=;`<~YI` z*;OU7>FF8gp6sh8kzK5^jRBqPCt?-vZAJYNQOr<$V(fcDeRx3LU&E-Td`MYGm}3JI+j4Zfn06;V9cOrGk9~ zts2YCqQL^RbW!>AK@(HVtYM}XAa-$Hl)yO~N>atyTvU^|Vf$Mlsjx^rB{bt{m?U2H z+1RV}_#q6Eoa+hY%U(uWL{EdfHx_O?9SLSB|Bmgk6;^yZ_=V43Fv(_;zS1gf#O?7T zs9FO47u3a)RySIgzOx`K*Mzq|d@*8;{yM{a@pZ(c>govRo${It|0R9+Zq<$Rkob(I z$7b`yel>2=X)y?YE{4^1<6;Z6J6{%SGH}Fv^MB;y=B5goHrSiW(*%VWu$52esW_`n zA(e$Ct&vE*4x_TSRakYRsSOWw#&a2~ZCN0sH~i_f>eR#%Vx;D?k^GMS{=D`v4rnNn zDZW>`rdO;Vwj^9MaK@ofqGeVerQY%$i431?0hS4Z?KJfmTcwEb9O=Jcz$;i)FnrMe z?nghG7rDRTahhUsFf|_7sSQ5WShh~;6ZS)yqelBGQNM=tqMYF>l`RTUw)5~v4b=E# zegC4w(RpS0R_OP@pS5Vwsbr)=NFs&%gPfxwu}ONdT854IyoIfshE`!;jrGjMoPG}0 
zNrZL4rI!G`HFHoRPLDA<4!bax#`n7hKI5c}MEi23;C2`K)0sOpyAy@l?^UsK=kVGN*3n#JSQ=`X18Mpz=q% zZRY*^g%*3GeVcxgbw;8Cihk+4%1^=fcv140(9ID|fsQR69A`NH@~jcyq;_1f(gIEB z)SwWc-wo)q*=)%^%xR){_|E}xMYriM+($j%?p zHay?K`9cg+X`Ob)+fzvPBi1u%e>FCEPJ>b=I*}qzXE*D!at5s`xX`Qy)<B zK>CExXy#CBrEKk^=C(hys28Gq*3WcLslb-3X(Lfta<6jXyU$+}q9qZ82H5Y9LZjjo zyl~;B8!hlPjMUK10ZH z{3w2-?6P73g?DlJ2&ZbKcfL?U7a**)@~fXwfG)_^mfz%VPuS}j8$G3%ulfe&64>7{ z^ndc(|09MjE~zB;&pE}QX$cACsECGgLUAXh+=P~=J}yNgB6k0=o(jW*h!BV?dAW5! z;ZGlWb&KM(nx}w0-6%&_Tzr>utI5T6T~cmm-Z<_2xPM5DU%&_C#*Vc~M|FNbC-_Pi zqbx8g)+pxFM&kv!P>=)yTaCQ^_?yJ>-{0Wz|8Cv;Kek8Z|Nci1PKE-RQ^Gh%#D`kCRBy9K3ny%4{qNr9|qp((M;R5XW zo4g!W6--MY<<0u}L|dDgVQtbjGdlWThDJzrqw_yQ3?(~WR!Mm}YgYVF?BAFuRw2y% zvIDU~Br?YG{O>Pyl?PHSWN}T!Rd#u+<6IY=9pR`>b!m(OQm7K3XLSqRN(u_t{%o#- zXRB2^KN|j85vpC5?v`cGqQ|ZRw}}_bO44m}cdSA^EH_{RZYJ->sg|ec!IfWD=c52X zGvK6PLnN?C4Jk5ITVF(>;PEhpb-kkm{Bm&kuoUN0Oxmtx0UG#zv$LPc=tw)WoxiGr zgFRbBiLCpX%7Rgu)jxyN>SQpb-94vc>p(0~4K*YT@ey!zI!h;Tq(xZ4G^ql+-ShwOGPafWQt?n4hh1>L$g|?A(yOW3 zV`A{j$FkNT;ezodFYSK2cOW$t!m7cFYg!+w6rani&d=`aj% J9zA>g{{V1E!xR7j literal 31859 zcmeFZWl$Vj+cr8evUd_-2NDP#!8O61I1Dlbx8OdwyCftb3GVJp2KT`=1b3Igf(4 zb_nF^*T1fUBe&=kh`{EGgQDb1NI@_4D%iPh`a|iET|K zGbJw!iyTa?i?#{ftw`Sx>rDRqGVODDKiSGm4F%pO0%QJ{cA&q)RMDk6P4yc;)NYztqM^?Mu2%Jw4C91X0;L*n4_<8h=#q zBcKejhC5nhJqrfWhpja?R{PM0~f7z0!OdGLU_MQMYv*(mFMyXmz>D*~*db+}DHaRX#0h7{dQ2Z-TOHEsw zp>KWJ+4IWfvN*wL`}Ch8INi)3Ku^=_jd5XtF(sOjnJa@P8LEWOfZXCD$ctv zGj%kh=2@I03^ocDT2A3`IK5*1UN4%ZqeHvK`S$Jg5*PWY+`@WRQUwn|q3F1<(AbCH zU>sxi-h=#B=*{t}Crka05FPrn^~af+^t!qd6spnA_$3XioM1Gm8fI3i#Ja+IdVb#7 zX1qveSvB9uPAD?G1ith=weh*)6wL17@6Mg%+Y-|j34$e?CGBs{#Ym<~DRw!pkHV|OhlpptLCKL#!0 zwLd6h(}2GqX#aG2L?>jg3^j+!c2CaKx#Lbx-QC;{*2m;2ipw%HOVa1dC8os9`X91< z`SgjI)XrOxi>uEM3N=PBa7Wj|5q|6`#$7QkYvT$!h03fl=;r2E8p&z;`kng>6RoYS zuw-87iGcmtx|FJm(@4Hn1uTvsJ3A-mbhV9cQP+8Qk;SR}?`wbNBqH%)9Bacv-I5?9 zDa2a>6CEEs_QJ(~50;F4L!zc?V&Z;!7iAe^zY=<#16l;HdIZ*sxp_8EVFCpSb)ITf z<)_bIz*FIW_Dta_@*WQl&(X#NkJV|^F1z&2yAK|?j;N@0Ro*0G%vNy@hlNl>L%wMs 
zqp9q^Pg6em?KwRe3p%guzWQ2HG@?atwFH`+oQyl#QiH<+23AHZ_m?mO)?Q1;JV!Y`0iw_@UVmO~A^e9fDJY1Y%!He>34dS3n5J3@y-s;j4gFY9h zwTq5UvgXqK{O0E7`npGJLQ%Ej>R^Evjz*+h#JQ?WogH0a74`MOy?dF%yeo4b{7CFX z{3nT)9r>-Njx|b?4|jILe(&!));0Cls8tRw{zFMNTCZIbnMwN5SY17)i?fCuScKor z{v$bG5)CR^r4GBgJE?h@b6}!-dwV$aY%-;Qcde$l9I!8{xeP3;shZAq6QxWAatYsgEXDOhP9mBz_$wx7x*=_ zO#{lV`OEyg0V>}vT-LzQMcA5xf&%WBlrUf=<>+W&kp3jk#MngIgo@iS)^K)!;QoDb zl=)CAm>?V?1FMeG{T!_9mQ?@Dt*#=5MWl>&iT?^^$y(BUA{o3kids*9b2}+yFmEe! znx2Y@kzTN2?dQ*zi0s!+^)^?Cj#=Izp66CL422ncLgRPB4r^ zwfp{tknLP!6q{Oif<#|)v%~(%Gt*i;Dd@`c0GAvz)wQdWXG=}~n>AbKbD^OOGBLIL zg8?aChY}dEr|ak{hqjkYy;>vp>f8^aizw+D)L2?KzaJbCugv5pD2k@sA!v@`DG2|k z(po!k4{EU{Xf9AXQENB!_TUEE*d+NMWS=lJQ$fKG_?FwZERny3ocGPZ3L8#kMjQk} z0}}=944j+}&b@G)4fDIFOk0;OAL2hW9yT&Ef|3lOt(bO4-{z`4ZhsOYReySj7E)1B zfjfwSseaPU(f!u8;-tnHvmBB#j)6~dF{g!@NF@-Ucc z7s`^!PP^O^(@O(C*@ue9G&ZpDm#04T@%ee){`D`6g%dn&EU6>qCTN`R=yGKED^1PG zy*>$YU5^pzH^6G>6drB&JF@H69AaynvDIKE1KV`CIW1BY_UfOc11x&1dD^RGcd1iI z=05n`Cg*JL=sDOgqw$~^WsptZ3TFsNBK{J2&K>=tkeIm8Ly_)tlV0W7_pW@^_1&ee ze^;S!ZEfwBI~0$(N_(q(4qMyWe&rqP=XeONn1^|CesDvVV|OWO&{9`GBj?Tp5qcA8 zuW%qf!JMB47|BF*D66QTjQ5s-gUEL&)B)qFATpw)qocE!nVI?eXY8b^O!{hQT61_f z5v`Cty|82GXOmgv=mU$7ljtC}G zQ&X9`GHJS17Q9Ovw*KrpTYN0W*O#BCpgO0dM3F-vz1W(Mk1xCe%caKfrfneh)t5Wi z{^A8pijPUdqR9&#@ALGQ0PnNkZS7y%x04A?r+k$CGLMKrc80OZN zmX=?6PE*cXGh)E=5EBzGh2uYbcp>J#AKF_lF8=M?&8vPNTSMrW)^Ty*e-INi&q~Y{)NHOzRh3RQN8_&oPZye)$i7$WjE(2eDzB{ZnDX4? 
z082s1V>rR;%{#qNdQ*m#QyfmFhsC+8w=-PmTTqab_ei!sF)=l-RMoGq?71JV-BbpC zb0_}Qc<4!X zR+gE&$p*5UyOQD?m6o4y;ZP3$xrCls{4@kwu0>Px4uyGvqz z7BB14B<1CA8{bI&9TY5@Jv>ejS@Q1tq4nWSs^x`#{I2u6fKuvn6yWPur}h) zDD_(ky?O1VzPTPMt)@0MsgIac#@K9Ks{~dK)jt6_q|7xO zM~{aRMAB!ye#t;JNfqMXF-aL!jm&#TN$))Qwv3Q1q&z74P)rXRb$NsSUFd1V9W%7s zNN*TnR8StHg(gMjy8F`5xM*2b?4Nd+tne(p7%5?IMFN-YAB-FK}@*UnYUVfi?BjOG-w8+_XeBtln zVl#CYHFc*f=Q7f@%P%4Meqw*KR`rwJv0$U>^)CqGlR|mjYGeBM-h7d-nTPFZdI{Ia zWF%ddc8*hvG_l(Mp7$BsC?&%1a?+;FFMY5rt+&HtZLVMX@;kF07|VTr8g?q8jLTi$ zXl&WfREHuX9R1~PsyQKj8$r3cuwu5CZ`mI^kRP%6%XK{Ki_2#*JL-}@IeHm?TZGISvk3&2}{-65Z{34f}$*S+C{@@Z(ft25jaXckFQ)Z zx5KFXuTr5*?XPuvacu1Dn&qA+ld(=F5$5ClX-Y`#fiy1$ z#BI($hKG}&Hhw)bM%{rlY9R8)rltai3KKUMu=%5t9qumJ_*lOVXo)7ZpslZFt{i^E z%+>Yy>+fb!QPJUDjr2S%;~-J*DRop1RL+y|*reA**GCLj=Q6uCgbY!<1~FqSDJ?l5 z@Y5+2pd>6PC=gD{)!_;$2!HG(jJxOzO*+rkD2;sdSxjI0SJ|{oxiW377fhWzxj@Wg zfzEBQ7`PC3cUNinbeY>8$faf~Y*K(bkY4}!CP2V?O3-fpwFY)+aj|x96W0OlsB&|Y z45n7Gj*5zUB6-Kf#YG+}v|s2`7akh=)c)7kaw{||sT#Go4oQOTU*ai z+0@s0o_xP@?dJaGh)n*-k6yUrRVGozK3$x>?pB9mFHz^_xy*5+ zU*D>`dTL4(wK1=#u3Tof@HSh*FG&;Ai^u==r<0M9SL*_x#*W8UozK|jG&g3e{^-M$ zqSBBK{%GB0)}e5UPQ+OjYZ?=ggr5x&kN(j{=VRaUJ<6$`7Xo=`M2K?hirz0i}57#qAbxvX?Fz0D`s{EGYX2t56I>HSHqas|j+wyJ1CBZ6Dik5*e z*0q!v#R7uOlTUXP=@oY)8iLXkzudj}CCU^SB%8M(im5z=$Mtc57;_U-=C zE$hej!fw0qh4B}OlYO6)lM{G;M1(hCXgj_=L!KI>{}jCVk4~HrUQ>*ydUZ|B zjT<)$wJN-A&cxeHT6>d3-Vg@w9*Rf!Q57b*S?TC(7HGGP{rL9xH-Due>$-zzp7FEs zT(#qw{qsdD1hz`ru;o^v0G`4qq+~;iJjrsS$uj&9u$_Nn;3%8eAWxwX* zwjCBk#ZO2pDkw;QoO0oQ;&XuuJfMc82D8M-6WzIEKQp~7bviJvT`Vx;>ZKlAjey0I zap>&M`Gwpgj|qJ6Y^n>ro~_|?;k0R^xV5?Y%&l{gkV-&0IWpPJ?L@-!;#Ekp814X@ z8;Jh&>({4O{zMfvV=xvlbYcE<5oe4R1>$ucJ{S0-i!)3Y!q^zNIGfq}rluDqj5L%q zG?Z|(g_`0LM%R<2G;OF#>f*R=$7RZ`uXkL#GxOJ`c8!kDUVdt0Bmb2vrKWvuSd@T~ zB3vsU3@$Spm%N-@zRx*rX-jxwVq!u}uD}YSU6>paU*+H(h!`;27%px;C8TONKTTNb zQoBb^?&0oUW`!R0?nm|jdk__|>FVlwkBp2%yE+d<{G-oATv}Nx!ovqaUMAHS*xmgm zfNa)&FX#tc>F0-Q8InPf-@2rYdlR=N32wk@9Y5x=v;|RVVIIhscHa9Tm$0_7u(05@ 
z-Pp9Tk*JXIr3=o-CgO28HY*EKUxkdf?YEq!s|h`hS}(9R@>7lrgdh=rAZ~Cx&mglj z;eY2_w8|V)%2}Vmvxd_(wuQDJ8Xglz*FqgSpEGmE{W<6OKBwytGm6NA$?@WtPuFkC zuv3e{h%s{IWVMyy4JaOz?a4c48!nG=)4vmX>|Y~cG#*DpAtAF|x#vvDuJ28t!fkC^ z9t%Ac;CV}k?QXwn{z4da8R++P^-(?ZjO{Q2F0Cq8=c3T3-fXxwG2 z_~=p7p_@X|zJ+gX>-e~KjC>sRKmYWD#4*?8Jxc{}cQJQeu-_97h9gRBjkNo~qwZ~3 zb_ztSpewdaFK~-=7p|(izc*~^tJXI?E_P%5Nl8dYmfc4SXSYux~@;1YrJu7c)T1*s_3vS=OEmyLeS5EWEtz~$%6Z<2LM#NzlMucZFg5!ol&=0Qo!kxA1_rOm!6+@AOB6tq{F`yEV4OspDLGs{BxOw z%TSPj<#;7@e&W-PA&rFZC`Qn&Pfgd8ACoWIbwQ8(}R0WP-C` z2|A+$AP^J?^_gI?MZme?aippRI-t^G`z;=xkd&DhqwAIbv|$_EUaQ`6XOQ7`VePIo zs;8hV&k`Gt+T5hw*};9%^x#escB(b%j{WuNS6-fFK+EokS}CR{!DlSVg){a77eB(5 z?6XOM(iH=N8bO9aRT)at=`HNY!uR@IpTxyWg3ao6n1-1&!}@!O*?F&9k!Ym-O0?F+ z_Oy$HG_w-i=wU-@^58JY_H zh1Qaik{3)m2=}AS>1^}tPFrv94|!e9FJINwilWP{hO!-y!^6tDx^&QZ`-mvxx2?}O z9Iislng|FfA3S)l-z&0(ohsfNlwqm_(Ji5KTwI(#5n{>>gMIboHSYLWSxwE@)Hv7b zPz95tV&UAn>ArBF)~3U4a+tUUkk{dIMrdqzN6*f-t&4+8gwuNigP)nuh=O|ew|aV7 zbvi!#S?)ha2oBbVBiQJg7dV=;TZypTVXIW?(Stb=uHJT~XL@ z{^NXxJ54|B$rs|;Qd1i|omb!U2Jdpxb+7Fve+9pEVSi^u*89Tb(;izsm2P`v&}48< zYjWMrLaX*;jp4pNo3;BfT)0RqVL2c*uMLBPsNnue*3_U+hjuN znl!z+0}Xhq(XEC)I&n+&n$Umb<@N%xAd1D|cbZ?5V4lRlq1&x@4v zS^@F%Y-BREfOXy=ukmgsQ;MhOPPj2oVZ%;2dP@+@X#{ynNY;@y$S2b_tVyY-uafbUCr;b_}R%U94hsx2kbOPSm)K z4kO&b`Vj!lFOG-$7$dUf68QT>@yc5|zb}nmkig9DdSSz~&jp?FG&0y0emRQZsrH!c z<*4M+c^?=1(|RjcK@q&gy*GSKU~1|{HIpTIjT;Rflbp}esoy=4Wh{LY+w;hD;r$FZ z0|TAAhX-5Rya3(qyu|5oL~N{+P5p^`8xc*Uv_@FN*{%im_WqE3b@dt>t0m@XmIS6G zRa!Sra|Qq6ZK&3O6wF(pQbjN-K3H2^5^yta$=pLmvZ(1aheRe+FJRhuo<*#L31zphmgKKG~?NzW@?hXG+7Gj## z_*0D6%rU9{uR|q)@iYG(e5mR1U+Men|4ifm_q6{1#lF4%N8_Ngo2mEbdWd*m&yd&h z`I3dW2y4dNCS`ZprSnzw6%es~e4zCM)<*m4`EATTKa)5456M+2gB?btdUhGf{Z;m| z9F_7(R`sLVYOh+6k@l_U+X}v_P)uivI7Iwb|4+L>03&0RgQ943uT)l!OWZou4c>3^%o1)x2N8 zezoxf@%1vjGrMaL+f7^JyO1`af)`iIM6drrM0^?lyKVK)bOX1n;$kt)eAR#!O+$~e zcv+KxrwOknKaY!~yfQyAp0$Q)B*mKZR>J7|Pfk|~K8SC^wZukD*5ySMYi^zdZrsgN zy#lcv5O$qw1m0>9gK_Dj+j4SIQ}al?)ExKQu8?CQ 
zHZkMS)(+aiQn%MdXkU1bgKu;M#}jTZ9r+jlccA#n`Yp1wAr8B`l&?C0Kq9@4@Gc4p z3Vot`-Cjo*EYF_p9L+9kvXh}GK+3=T^JW(|+sy}O+$N(Y$>DiiVu~b=M5p_6)mX?L z8%kJ;MdmU>BU<9)wOEg&?>2sR5-fD=m@!;-x9NzdjG30)6`(hEaJw;g4@8|Rs;c6r zD;an3r`alp(_alnTVKC^EgR1(^e|PfqCmT_X0tkPV`F~)G3utTs$N_0I3X2(ye#8o zF8=;~t>Z*Vk5+kn&+^BgKU-v?ds7 zgS}ZIZ9rsHAm2+nmRt9tP^%VWHuf;(XGu=OdD%h+>YL=P&L<)_T&pP}S-yViPLCn` zRabAc6@N_wix&mQ*{IBY0_1S+O7@|JxIA5#^LjSzAIs*$=r)M0v@-%TdurZIP8D7| zML3{+Ra<)mPq!FhIFS6L0&g>&$ib3?c7Nk+sZ?Wn-S_Ru=_%2Jr~N}iYz#s|TwFG` zj%7`H%q%P#r6vcTc1R})2vn7or7A*0otyoMFG~ZhSNka~C(1cM<(vEQ%fbpTjr_cv zcpQ35LqmhKH3UF$tnFOtb?!k;JuCXN(0X7C(T6mE_2F@_$w2qy@NbAF0H-DnJ)Kb4 zE4ihmSYiv@7t@+jV%`L8eFqsfmmf>IcPBbhCG=ruqJc3-TeUnKg?W?I_sNcte|rg| zb|P^eT%g?jW4RIG5z;+jzmi=1+b6!?V`nC#uX|cUpPNn2f|SR!wt@B6*h1CnHGe0< z>b(HMT{*RhPl}4hI>i^`U_McyOQ(}E+}$5=o$+hU&6gZLS5vp2sCywi$y*S?onIM8* z7Lp&4*?D7+JTfwJ%5zBW%9V3?en3}$lV4%2ef$(C6HSV2oi%*?`0>}TYj7%CZ|ymC z6-9IBp_=leBgHOQ^^H@b`)bN@?AllB7^qJ@syp!Qv`w1?eCpK{`!=(Jj?%B&)-!7A z-J0M1oh5nOl5P6q?%I(mqo~VLBN9pUU>1o_X+84B{LoJ+l!(>HD+uq(W#5_=J?niY z)^-TTm@ksk%O6EkKKKuQs54N?{R1ay4E77!&mX^WvrMN7q zs5Kl;t`m#xzkB<(^~|loA&{Y8xWmKeq~tz@#)O)#ShJAI=`JMN5%qOt$CR zztHPnoC$ZG)eQB0kqI#gO$I2dNZCF%jzWIzNo3su)7*K|Rik6G7gdVXlVVvGp@rOc z<{Ue4nPS01TKU;-qMiWQnd) z5_0RCn#JIc7q|u#6nagsUh75Pre;UuJe-LSr=y|^qb=e%M)Upm2%N3gwQA&choR~; zgM3d{mn;Hi8d^>mb=^j2A-oQ~(YL_O%dcO*?&^WdL?W||$zwJ)Ho&6#I}uLtd_6QQ ztcr(!)Qq>?%UC5!bDds*31h1nKNU67o)zq2UO zp6#VXqIJ*Dm`XcpEl)0+a>MR-NO9tD;lkI=rV7t$=kv`cBp2KPtm0ZO+abC(r_Jq~ z86G(n?}#(%YbR@2CY-O3tan^BP}kbB$oOf3FEK>_7F~V+-rU_-VX98ohBdDUn{#uH zJ>2qSvU?@voOd%oq%D;7L#f$H=%W}N_f?nKUN->r)*sDyB#F4x+qbH8GTele(b9-G zJ`m=uwo2e%XbTCNMp;~(B0|J=?zw<~ z_%mCw#8D@9r_XQ7l}ON6Gp$~wa>#13hchh=z`5f%ep(WlyNDmwg;6jU@OFsecy|d^ zOmZhJ#SSbU#Bz*=vzB_UTUmYtMV{w-yhlfF3@t4J)2@CA2?_Vua&x@TPsk}^h4zGr zU5*Ufxa)D}{@-F?D+3ud%Bm_Vbh6Tum3B%EU+ZJ!lQ)hFh|R+OuZU#8Oe8;NQ5qVX zUUlj#qioC9wM#+X|hJetNZ1cT#Tgeq}FYk;inmppy`{PH(`QLY* 
zMhRT$pKPD(Q$dy@q-QQF$KTJbtMh+9BI)nkdE`4PYlB()PCNV9c0sum&r^Fnn!9g$}DIc19$4X!JXE%vym2Y!$T3wrbZ{M*J>WqyvfWbEBTVx1`s2>U-T3@^cb<0G%B}XnU zE>w=rg)r&S&JL}Bv!y=~jiYeVy@Xi7%c5zS=7h$CyWfk#F{&T}H8r)QUX{WaNi}F# zI3iLMF%_^^(Na>BwSopv=-D2Z&)F&lKzpcBPI2$qM4{P&*&@5WWezsA0{4ad3Y*H+ z=r;i|%=#4o_X3Ck5`kn(O6vH^rka;mz@KegBaBaCqAhiv_NVjqT#&2ad|!5)NeWg5 zn6lsZ$k|CrNsgH4i5~R(=z5+NXS5AZYKnOrdLCgb#BsAsvpxc*zdz1O22!7l#OTtA zM5pmvEW{pfOz3iI)NYr2Bb5ML-N?mzAl3(;)F!uE(PRO}>!Vnb?algiqPm$PFANNo z_6Xnsb@r!aW&8Wh+1c=si3Kc{&ua3%kWiJmxh3MVlI&YLCwil+_UsHR;_{l1@*V|+ zP^!-bsO>~WN9R}(?(FYJ;^qy|J1Lhp@?G8lKRy=Q@mC}QG5)WvE{pEi0gr_RVjAJR z@)5&g^>WLJK~S`yovzMSF_riBKCeC5^YilqB)}2YKUW~YJW*FwQ?r?@t+Gj(sl)9@ z8#H)(`CYx{vN4{WC@vY6l!OOW0&)DTDV@*ms_yyjHi!frdic~1RwiCqjWU9VabF1; zLhbZz>W5qd9B_w@W^iqrV%51lmp6bA_DU9sIg7JbyKY3HvvV~ z1!u+h-Tk=Qrzg3i&MnGUK?;Au#JSMlV1XY z`PPNo#WXa6)4{<(2_3Jjs;a7^P(Zc;O2hUJ4kI76rKH-eDyC1{JT}jVQZ_>r1rKb!G_k5KIF?Ro5c#uU~Z#@}aC6W{q2QEGx0d-QDQxBvOB zzr@t&_)eVo%#2!ZB{zeR@oLHaU~J<0n9VU*pEMQuTICw~@%)I(&OKjGV`DGTW>b6| zEoL;L&Y+<2zwsU%_83Yv00HY7@NNYKn1x1#%NCk7{Rf$Vq{LBJtxkuQ!D@n^l9h^x zCV^N>iXcL5-BdE?&sy0FeDE*V=hMH;t^WV7w~H@tbW!36pLey2(13NVB6!iHh>y-5 zDlWcf_B(NA`4{lqzR??^KWhF1wIP>F{ao76V`bxptI?IL1}!zq2B=J#PhF%qMAEmP&^9U0b|6(29=SPRVnCK3p)A_wVkP`yf z()-e^mnVza*){Yf9L@O=1F~PP3JR>F8BhYw1&FMKp0B3UZ+iNTi}?Vqf*R{(5ZMj0 zlE;*lmC1{rR03+`7eWHR+D~DiI!Y@xY33LaZ&M$~aa1vVcvDM_iLl-%ZWx#uCmi;I z9Mqp^>Q7JE5IT(a?~Oa3A!6PVez$i*;cffJjgmU<0kC~$ugzn6dir0Jmap!tT0W!K zzkcvG<3;%Ae?gzucamVH7rGQB7H_rK9ZE_=jH$bNdtov%D!H7RBtwAX{^VMXfg!_F zwy0Y!#32Ad!A+Q^;MOC25}y7Z1U&ve{DE4>7JM%*y!!<3iQA2qylwYGXP0}m>)cV3 ze`X;@k>^(Q&dv^Y5)}~mHB#z_rG!(cfw{RkK!uV*e`Mw4g#Wm7VDCeCN6hn;o-{lC z&_ii1QS_LUDk_^icXO_a(O(UXh={P;h#gELiqo{W-~IJ1W{G@JMo-lOOFsaL9#TYi zEYZ%tzTO>s@1Z^a;Tj2YWSIvsRCRiK+F@i&0gHXAKRIkJ;%pgnqMRTfSHf%*mb0W; z!u%ae-St{ZV3mungnD;(FRGKk<8qanHSNpy#3P6%p&v;)GmMy)n$T@pR^q1gDeO8W z^sMlA6`NxGHZ#KwK0bgxih$bp0_G~e&-ochHS%;DdWV{M*w`$Nw|@`5NC(ATnTF%} zJsJ_`Je|7g^b*CNIw><=^zT^~SPcvfeU5+Qu3RHv#<@vPo%Z>N_piRMcE+;y;jk4B 
z-X}}saX$g!7g+Pj8W)?40p_ZeA$f74+w18YUYgq4_!dlxn}wu4Zi^!RMVPXk**#iTwGJh0z2uH90UNE(o{cD}c<(`BX4z1<2 zoUPIPgc5TP8_zR;x^vT^A97Uuc`-g8iD-nc-?#zAuc_pYw*ImN#pZ$ZH#5mPyWCXk zmkhGGc|}!K6ZD?S#}6|q_8*D>6mic(`)5Z>a~CV+;{g<9DIS8 zF(_u&tb9k1?6K)qHGP4+Ie*l`CTFmfET&aqSp}k?6rXdt^y-qFtfF^T4uf?bE^)Ba zuqVRRiSfv;hCTa2Z05>Pd>(s>FTa(J>+cpo zJo(%a!DusC_Kb^5ehp|ha8{dzYT8aw!!qk2QCsd!(t7tUH83hXoc+V$!Psmpubcgl z*d=4HOu2_aeRHbnRk~&ZzZH;p(T8Kd1t<}TM5@~#Z>Oe3BVW&`WhIi|E=@>l5txwtxEhSqfteib=`bp z(>0PhcgHPSlJtXpsgV&CkE6}78zoNbqg?gJo;&j`fYx9!Pc3!Oah2kkL1ry;5=?-Z zwX?^Jor^2x6pOC#|MG>1@*cy%ps-0d1E|7ES{z;3oXN)lT~ZVsYy9TrG)P6j$(l+k zD+Pswgz{w680>%|iAKnsmyJg$o*w-mu(dJuIRa^h{*lkE$De>u2@h1fHzO`?ZB3Xs zJRBWKKpc$>{T34$NiFQi%nC2kDU2Ba#!lF2BlR%Caus7ytZwW*Z2zRTt~P%Bf$QA! z^n`?gp)Q$ZSTe%uU4QR*QgD8%N>mh>JQFfpb<7o9;uq zU=dd(gDb1S@}E@6wsD^~O$B%lnB@RrwW;5!u8sD=uczE3rj~+2!=C3lZf|e9uB7?T zx-Q67)$Mk&jcI#K$7%m=F2}0Sl!1UHrbB$MyHs9uXUx|ZqLB%2p6Ji;I5J25kWX-4 z2oiXExK&u5v@-m!!F$H(S)_buMgvOupvac?i=#>|PLzS)S?$f6&oMDE69ygj!sc*I z_jqo-rw=?my_A%QMMzYET)@pOj{CiTi9Z&QxPYpWF?+DDPo8yYMpJ1)bf>#pRzScI zU0xoP9;Gt!86|1inaE6jCYqfg8A5iCOzd#QFnH{-zP!%Dhil*9Aww9tfAqLj=!EQs zW`WpfYI-VC!)bYaUBr3H)h#Iw=zpU4fl#4XJr9o~{`#Ggy#f?kftsT5mH$G58x5@P z-!WeVMTL(aul{X_fBZOVVgDY8-dR{!dfVIox^o8@#Up@dnqn5EyriW&L8GIR-Rr!^ zw|@iuT687zL`iL}=V}R}Gc1nq``18O7);!Cdv302Ksu^D_(6nBMuvZTUQSZtot4?ySqZ(Kc)nm$-Z&+TkmZ{B2?AE`2P0~OgTt;{8~^qApqyt*Z-Loz-xx3cM#?0-b$4xPDb97y z*XRv2YP#AEzwhGSJzUkA+g zZCye%$e(;Dx6(_Mb?!?Rd-lwNMj%c($uxT}oxVo;eaP3Zkth2H2iX34KlZbeJq(v_ zy(k}t({lHEb93`jwo-URS7#@61Uwx%cxi|mTjt9+1=5ucx65uwq0ckRpPCm-B}e|> zbmXK_hiEvH0YN(3lr8`7EL~<1VbijCx^mzSO2!ng?LiU2gSynK zN3DKMq<&idu~KD@sxB@9kMUR*^R2UA{j)^Ne^v{sgy`Vd71 zIu5brf6rU<^H0{*n=mwa|FD)o#-V}P>94G|A}&>$%P(xx_}UEF85F}=2Y8o4J~dok zbS~Y2_M_Ptgq8KDTB%U%?_)h>n4@##F4NX9{F}|_^ zxIBTk zNDht_Y85Kq@*DVvf?^_9%|>nPOGN4ZY^`w@s73-=;RtID0DB_Ulmn>*dd+xQTgu9K z5gkoCnM7~iyvbF~ze7k!!)=tMsgm1!&lB&7ke8DB3PUR8uJzPDW)@VB3lipz*Bfyo7F)G&&PO%F92t`zBmoXc_ZvU3n5!+)&JCTXO@$oi53Ni;_f 
z^S9P8i(V{Q7oc!y7Z=|+xdE?IZ5_z4^Ed>wtK22cHf|mg5>oo^oF#Y4^@s9zYuHqi zVJs%5ramW2F%sw7en9;IUkg3wHVi%|0vdM`(nFan=X(jsbZ-m{=D!e90k-Bl1%))# z5&Ptiiw6K|t36q!n(d8KQc*!T{^Mj)Pvk^FmeW;KS-A+f-|m$;5(;#2dB-aa zbe)#+$)X5T*TVa3s(^w@Cq1PieA%T&A%qWnl-;Snw|=$cty^Sjx~MD8HMa)|E$IQ- z#lK>6Bq-R^Gtr5;JA%}OmX;Q{cc5Pj*qGI|Mldh{8es+g_aR_9LZ8w9Do5;R(!6$7 z9XAljgFXsM*ORJpsVPk_~8%&zcbWj2S8N%*g8yXrkjmgQ$)l@Wu z1cfK{o-)7bSPVugSqC$z#LE6)2q5=x^B})}9|+rpn3>hBiX4((g3=5~TAp}~7HBKI ze?MGdqsuTm7U#A!3PSuk9j^RN?nL*N;cqe8j0d0$5d8i7WVKW7gwfhaZj56)Kw1U1 zj)1D)eQnqr(EoreqYs3i0yZ=B7hizZuc!wYD1dVQC@JAa6G*F}zeqzlf0j=SlIdHz z9DdkCwd`J91GF)mGnR->JTJO0E^%WcFL9$oiP6PuRv);XL-iSEjZKnpq+EldyYxe4 z3wb3yJw0`Gb>Q+!Is_V0pZ~P7-QKALq&~Dit-EVCLrfOX8~}D&jOKBNhb$pYoSQQc z)Z- z*StJELCq@a@t-~@0fYI2TKFDS&Cp47SX^3p5>Fctl9!hJ^!S{+qva%)E@Wa8@~A@6b@L)$`{H`e~Zh zW+u0iG}i?kSKa~qa7(-{is#Oa8#lBadQf&XE)qvmd%9i+i0+UM$KC}XLjc`N3^8Oc zE#U?!JF##_Z!iCYJDty>;c7LJK(A6O+V&{;fN%7X2%E)Nfi}qq5j`WguL~|1%NEVG zHD0{1*r61;uj0QSGJQWGDv9B5xg@5Vv$Lxb61o^e_MySS!J(m%Wxty|+`(_&9s(Ds z_9G%Xz8WywS(G@Bj*enFhliU%N`c26RivOI|3}uRAri4q0Vk*a10p<2{(Lr1tfSz1fxJIs!{ru)%aHM#AV-n zhwL@m)RWO&K~k)^#fT7_+TX3`*9gE{CID#|4KgG@VsUlMl#rs&-1B)cpW3mosWr2_ z=H$xCLQ@~?!a_#k_79L(fi-8Z+r1#}sJ_m%?a^+6PdB6muP;}n>? 
zY{4Sb*H0tMRk6>=+yT7Jwx0aoF(&*8E*n!-dgrw}3rw}py*Sjq zX0Nv<*=<>)N^H9^#h;MIy?|>`T~QIFK92)-x6@uhJD~PmTn zsYJD{469w%$?o&HO6`Ys6;?hL6Z6vbtet!pVx_cQqz_(eAS)}I<@194a_|J#$5nQ_ zX~aD%)6?hcJ+_nv^RS0Urs)|ON1GE1o^hSR^oj-Q#pz1O-n6u&k({BsGd#6wuE%S9 z7Sv;P@9Qlmz`Ft9Kf*9F7$PG3cK%TX)f`8Hk1sJe(1TLUqOFe$79;5mrB_J4hP)6s8zPitc|4i z{!MxhM65lnt$RUw5EN zR5%uMelmED$C>sfvfNc${Ub%i3|EP{5%(eime!H(UN?hAqwW6TxE%My5326Fw65;% z0FVS=St#pe(3>d#e?pnd!TIl*dH>VnbBZ+SQM`$TZ-C5WBd=!$O3)5ZW)g@hze8BSkl))t&}o1BAxg%BVwN)}fjJzBso_ce5LurqHA zq5?o1WTE{&CpVXzL+3HwhIaL*j?S0)VhTXP#MRK-)6=yMkXcQqXh0n7OK8yBnmGmr z8Sq{}ir^c4Daspx6}m(n6xyOBsw>AgH?FPKnQ>~d@9pjak(^AG+V^l)iHrFz@ZuM~ zhYwTbQ)Z+QZ+8jjbT8b&J1}U&n52QM?Xp$Lg(NRt+N7wIJ+ zT{?<_^cs+kKG+e04no~rlxRKGq3aJ{~8kC7>OSZVq7P5_iP>vswTYNQush$27<($Nij zog@LVf#skVR}M3Z>)g*bOY7^RUK2k6bh)x(4$4p~`^}2*aMRA9RG4sAfkC7F@%}Jz z`6NlOto4Me<}yfgC=sRT2Youwja-a-VB`+`C?c)gK(he&qN8CdDW3&AmCtUM&M^Q9 zQ!FgdfafBGl>i-dfooA|DFGn3KC8&JE0?dp7%uAJ+fKI($WP=N#jr0gkkxZsjSK}P zMdwrrikCJFaxdcyRfqkB%JXnMjpY6GNp@l2SY_%u@cC`~OP`255I0y~Ee2sWbB9vV zDOWj!ft4Yr&CEOZl}~3-M3gikM^mv5q&aaOxE&oI`x1~uz~m8rf;k4LK}Q;en_hF; z9g;}N-}&lMlDPc5ygZ1Wy87;kon!Oq)~V4q;4-;YZoRvd2dFGT!EqF-2qXMOT5AeKE3j#u%5!sI4mqIJNqKWRZQ=?e7etCS{;k;Z&N+xf#d^CMQ25y zGe7tmXY9x0an&}7-S5l9qn@h6xl_3$eIQIH5sNjF?&rZMB2@PJ7?40#7Hh!r=n9|| zY6e(eVd2JL$`h(ch8qks4dvzX4lg|p3HWfT2hcTqb5v1`MT3ddbJ-44ySh zT*`u@E&4v^S&y#{V#TYsS?TpOHF+=$RlO3{Bkdo_FJ2A{onQf-@by7%-JnlFe!oXA zj_0YK{vIE82ZXk!en~=QXlTtNOlhm-D&VdAp&Jw2z{-gLjQfUdTwdPV$gf}jTEm>3 zU6$Q@6h;BeM^6VBw7+Vh;^uFEm)46MpGmv_o^CxlQqPv-k`vX|*77BGMge1G{}-ih z)druLQ{wUVx`So4e#uSrO#oyzudf=w+#+V@eYXQ+mtyxSoofKPU@fzMIRWHVk^6cb zww{)XcY5QF09^(f?`vw@m<7o9gYZ+|t>G{_-nX;!Ui)s+(x~_GqoaXn0*L7Ojt>D! 
zV6&G|mC9GhMk;?DoPdX&Nl}!I^{5FP^I?XZ8v+m5U#sgrko@x5(>cu`Aip~r%s zAP0xMjhO7e2B4{DV8SoiZ(J?nm%efhTMVu+S%kH52jqAWbSFE&gCp`Ko@ap?sGWf| z5TIgSY}n627ydfxA4DJ?aEn(J7V0-JS%J`zAj**WdO$7nrku*kxNc62KIR42cD&4F z;e8+lpI)V=)P6RFtQ#ek4OS^8FE4*f)OKa?$-;E0k$Cp#7ZbJUl$4@yhzTI?otz4; zPE1TN$-mO%k}ccW0b1tDF^GlHy}IVJ=CMkF9(cw%vZrRrI_0jPBU#RRq~}{)k$Y%v zZ3W=(+XW{0vKGQ>x}aXw> zxaaJObV`oF0H&|m#C09yx@^s7pOP%&p8E-)fdX0-iL;$-;ARDpR<@vS8To9V$(L{c=>SPwGij5ad-R*}GE;(xGEHun}k(Cz*yP3&MV z#i7xue+oK`U%n8BbY5WHR%bLcoT;|i9~f8tRDI@f6|CB_QnGZ%XZtgF`w22 zvUY`a@D!oHc6Z~fYxH?(?IN(Fwy|2J4^u37?Y4auVTp+;gO-kt+hRI2oE$u7s5n(O z%qTvjhea6V@bQvm3ad|D|HJA(I7UvG3-tP$VSt6MFEo_P(UD)9157?Ve{cu+JpqPm zl@62Zh6i4r@vvejc}8W-a795`l0$`kI6&hwGBR8Wi;D~U`uj~P-k{$H_R@4mECbHH zTE9%LW;hov|I6hd3P2BmFBR8IAS$RHBMBB{@$tN%$Ta-FI159#Zv4MyKsUnIMc~ zB&(+ISxP%c%MdUXs45}kF({~8=*XBBd99F4|3Y4rcV%A=(0WkwCKC-`9Twx%L%x{ux6;pC8_{zB`GrK z0*gJ+1w@(&pUa#y6Mk=5M1MgkjoaiV+0!n$H@-YHWN&}oyFRGAeTiDp) zxh#M%cy0RZ{SBjolb=6-e*O$BsJG!Slw$uw;RqDXlj|$!KH#~qx|W9bxA+lB5^7ZM z`R^Ds@Ou$y;eV6yLY_VAX#7$GNHN=ngpWmF+^1rF^vznRP>c7Q%>|{$nWSKub_MxD z!v<$r00DzkL(s1w%EBsid2F>XFa7|T0l8pmfzFnHZ7zOAk`@F92Sdt0`cI2*e2F{Y z|B%2xI#KtWROu!|G?pO{8v%o2TRq04$XCjz?4mA8MeeM<(#v+<+9@S)ElV&NizKbA z%@5w zKveKBi8ZzAAaYc)=VS2qT(l8BW0IIo?>jz1+DG)?I@(a&p-|(D|FEA2n!rEBdUmWz z;}vwo#XL0Nk6=sCNn*{Q{+giLaT16e9uC9rw(k0+cemjy?-8sQ4-X^kmI2A6X2oQ7 z352i6SHC%~EH37ucNotd%<0ttX&(SP2WpJF9gs3afBTHE-GC*E%6$}&95OO9Jx#xA zrps} zjhL<4yzNYO89tOsaVU3TcVi(QC1y zHaqm-xsLq~)6v&bGsaHKX;OsdOuZ?2YyejXV)l;e3%CI{*0;E^R*|Z36?1)a4V$ae zkBf+QOP5tABH_6?is>ycxnM@BzLMc{f%xAl-u3b=;pk?wLbGlL@2t(G!f(zRhp$=b z0cGq24|I(i5(piW`}(TT&)0zUknfpPO`8C#zpNYX$Ss_2I7=HTt^}7b!`~;fj#;s5 z@LAIVs?OtM&r6q1VWu`SEq00b+(Rp;7Y2m zhx^PDBKpSdjc$)XH5$_n*ktq?WPWmQY780wir!zE{ zbTUyUj+cy}E@HwndgB(}j1y`e^6|D6>v$6}6ds-{m8}>mOaF#D>v)4;Pljt2T9!6= z2h3L$Xfq``{%j#X-9O`TJ8CXd!rK+mE@}WNo=RRxjb#jS^*v~`wt*OL&U_y*anEga z!mB+A#B2_7qNvss>jpVR1(d*%wl>?n%D@rEzz1%uo0!pUOH$8F)xQ5dwK(TL?{w62 z+I{h)zF$`X*~LF_E2lZDjYx~??jJO-0B)YMZRkC*x{8Bg&H|sMJZws=%LkuXjeW(8 
z^v6G2D_YFy`;?BXp>GgRGcGu-??rqaGspkN#Ry92vS*ib^90Z;RJK=IC|%jxx6o~^ zJG@H8`q;jn?E<_8gdiLg!Yrz;`Q2Q= z$hmhq2{8zWMt`6xfIa2t-LGqCGj^NQ8r%OwXUrsQJ2Bhf!tBq!d%Cnu948mRKS)2a z^D~~0WJbX&2{I}%1I=s$AOS_x(ivn$ntuI?ovG6a1>7vqXi|8JC9Rc@l#`Nt3AyZ3 zeEQXDdn;ALQiroH!_tKBCgV{#0MsZ7KTlQy0u^U3G>z*>J+hdKOWgLs^}YWJwQ^Lc zBwB7jbk&8uHTwAd8QKVrI-9P-ngRdZ}Y8Ay5@NS3oKu57eLZN(+1iv7E!Ye zcH_;02By>LN@LHC6$Z{(q<{Ke%euwPEm*scT)$WusT!QyG(y%r#tjd+W2nRBVf!cg-Q{cox=_p7971N^s=Y@o%^oK-&uh zE~LK80Z}@)vv_YMnBPUq_OLc7Z1kdVa009+_rR zhILh%oz{Y$+Z|&mUiE>5aJmRdP^uj#PkB z6XHdWZ*@+cAH88S)cmi7Z|n3mdJJd>S`P3HcW^r?1+8U3ctlC0`#O(gAXX1Zi2 z-2db{%Bv9wd)V1!vvQY(U&_e1ZqFN0n5Topm_!rZcWjc902~DX0)UK2>Jp*eGefWS z?|}*z)9TuQDM9GIg!%5hIIo(jlA~*0h*swFWBYyFSUDm2SB);NQ7X8Sx2-JQP5hTk z(xPLGAU2GHUFgORqq|~A+$X0ezZ{w8B{}m}Ugtth(ofh5@zvO!!Oq45Og_%vS#d=P zarN&M+BytwIqn z^+IZbY7N#}^@eyrG!ox{$wm?Dm7#B)cHN&S@wY!gXtKVZ-VpV!L80Du3CVa*@aOjW)SONC`Ib4D88ht7S^$m8 zj#=T{cdzQqS%?{y+SP|H-JQU~(!DI*tf&@0nfhvBd~oDWJB~XiD=i~WY=y13DjRFM^xUj(2cbMdPDPnP=A*UchT^Wle;*(^lu{A z+@k#vz#Llb>eg=x@*Ca`=|*kM2VHg2HU5_D|d&2>KAH({|~ z`Xv|A0k{iQ=~!b;&3b;nvX8Imji7Of8op=$m>x&IF7$O1=-6HEDXJ2I&P*;P+ch^c z95sTNz@D?Yb&Ulhn+n~G=DW^>K$?YS)BKs&3uC%a(R80z2@E}cb@dn(pg#sz%RWntqPT+wc9z;KDVY811uPzU6Jwd=kPLLobV_F*Xsi zQVNabEizvT^80upKwG{H5yd1d_ON_(&JZ2u3vxre4%f323^Ky*>*9WmYJ8iV;x$OE z6H=T=-N&YW`*8lrlR6LwTTl?pTmp1KpvU=YS_>2}jX>V@1MvY2M>4Y45>OxxeP#QF zsKt;dHSJW_+#DFeuppM3T7cQWQ1<1^pk*|Gtbsx1^x|LdJUx3e+(6iFylA|EjEp(( zY}6PIfW9+;*~XK~cxG*v^ZJV>3W}4|oiJk%h{Bz@NI?-49L#T6{}A|bPkv+_9W6)so$U5> zyHisHXnz}?yOok)0Wz>V7`Y`Hipyz`5(P<&4@$O`V6*KPE8HhaBA1@XP= z)bkeCtArN~@FBVz*9FK0DL%D|_$Lm;-iUKioHu0f?;PPHq${)6eY+gDGAzX$$@&`k z1?QK(Ctz^`?9=0k4JWoPl{}Z>lcqXe^KeI=5bus-`YV zhZY;tbywMd3hmdxxgK<9j>+ok`2g)7)FwSJ zM6MDbWqGpT<3iK)m8;PeJ5y%T2JE&zID|>ct6WNE@%eY15h+g`y*3KkdR-HEjGX7( z1kwC2v2&lrXw>ag^@xO88r*LzYIuDAqe%f^CPG1Y7~!BywfSi2ikJ?9(V@NrSPK4@ z^gV$ID1l+-gho|@u-DHI1PF$12a^$LQ-71`hoIyR@&ydUhzEHA!L7clb<^B;#S5>2 z46F1lU=}BW${e_+-G52bf#3;eV!d(X$Ahs+b?I$+SjD#t!el-|@`-Pzb7L~awRP&F 
zt-;RpGf(f7;8x7e5f#1c%_zeuM5YIH33=*vwf=EofAyiZ1RfJS}|L9umfQlm0s zAa-CHT$2`OwOwIFFrlhbfkv{5B5x%TTFkt!ZO*#?ys~d`BA~-Rc#AFU zIkZ%mLujX$GX_EQC>iiP?eUjL)xmvVkynV?%OXfYpBgv>*#*IgfR@{>J zE|7@;5-T)3oJo3d>{6mid@8cW;7My}SlFsq!VqY50cY0I(gM>E6pcgjadQKMl(+Mv7l|YP@W~lTx+!FF+x+}; z1PI1lgM3toz7ZEZc! zfJZCZh?Qt^vR#|H^pScRNYPa!wL-x+;=B|L24}meQtZgrz~w#IkU53<4aJl=IWWl-$T={KVHn{Q$l3z|2YD+`J9kF(ZkE~L@c>H^rqMc;sj|7kfJq*eli zGFYSk1_s_eAUr2>>vAsx-D2Rq;ppBgDGq7RH{!ZSW9mYL%vv7pH3Gso7sb z%}ps3bU@i|dwxxSf9_2$I3SfYJmxuu9ax7$?sNFxIg7~@wnGTmdh@b=wghNGwH<^NbX)BK$?Wy_ z!zmd`x?2a1SUn-@F z5%fnG!2j+e!Xqn+xe>*k5DyAnYchQ*sojxT;kAEl zWc7dl^Dp+B{9pCA(86myXzeOYyH}ZFf{TRNKHbme=HW^RW?)2R|L;?%?? z`?XE2uK#rU$+u=By{? z*Q}bp>5lK%G$7Jx=o*(KV5REazO%k`O?;0`(I5y|RY3~=-f>QG8J>Q$_#lZJ{dVwk zBmp!u`P#xcGxm5JIoreA88MO{CJSkxibD#$ye(3VVJV9rnM%Wdt(i7Elk#Nwvh$ak zc!NusCPXE^tJ0SWrA$74K;z{RJ)2GPSSerXI6Q@=G= z6rlC{KBF{TCY?)`E|0GP9O$MN@Nzk=U)Xntr!XL=l6AD%tGEtrkt&{{ z!k3a1EBfs5)`RbR9r;li>Nyi4;&aEN`4wFxZF6Q#!%l~QXwy3v#YlY-3xUw^d|Czw zw3aViDdQ1`5PMxt$1Qh1*PTNjd*?O~v=WV~e*ZOw871NAnFC=$-kTo$>4n*GP~4qY z^73$4W2CG&^l^$}BW(Wt zIOpnei7olX7c{3}zO29hXuLIh+XW|wc4IFXz3!F+~$_E6Jn`R zO1=ZH{r#(6h!9^fmLFVwyppD0-nu$a7=dI?q=DlEIRj~oFihZhPls~f6 z7*%R@2WT;|Ej>93-M*%TQnL#i5MGY51S>uNho@C;7cFK1(iZPUI#S;5PgDs*DKu+% z^jOxRqq;-ixddP_hK)TdxS{MAY?u*0*ASu8MoAc__{bL_z0n+25dIGDkEq{p1<>1T zwY6IRQ%||9@$O-8c|q=uLAf}7nC4_ws<4MR#hThAs0FoqTsSz@?Oq_s+51s&-sI*I zW_R}Y`_4v+x#O-NfZ4^{b1JPiQt2p}<54&9+bubWGI0%))HWqiRmgal>`8O2>vpk8 zoyilnR|&SJ4eN!(VhG_qK>Dhi#}etfu=0bx_RcaHl!QJG(l^o%zrxCswhop1@ED!L zd?WTl!j`01tB$v$M`yqglxHg0Xx&p$1BSdCV|CI#R5l!*K3&(DX67}NJSE-5smq7- z{;lTFyXFy@^oZkk-}|(MCeL@{*ZCyd?3JJA?n5z)vwbe^&u)ag<)(?0b+;YwAbyNP ziwQ|eUqDZ8m%Mtn)%RXimHA<->Zx?ZHhxICQ_95u;kX}+&LfbJWJA8tW-%TAIdX50 z=%h7K+u4A`VSAPN6Q+NEkoAuAJMD3Lat(W5NlUL56wFSk%^vR#Z_~@(N99TWS&PBi z2GG9Mx~i2ox4?JnMRsvEuqXbuebCtLves-j%t%hJC3l!o^8=qD z^|Pqe#G5)_6uAZ;81VqCHFAT6nq{fzh6PgP*Z3WRwW%I9y_$ND`3e)bQcthAEVf|| z-DaLRcV8^}6VWp`pPHrF7my7R;cvW=svW4c0WO%o}vBf1(C$r2bjkOa8mU-wTjYg`Y$*gEDJ_Ip8 
z@$0QIGSrve8TBPqFw6V1#HV|g5QyJrH*}IM?)qln2P@<)-kmN=fcjBi9ZGns{4HOH zuEz6Mlhp8luLs)CqBxE(VPGjV%8Z(v^?3dfl2J-u1EPhUe&ZRMl1v(s4a51)5O_Z< zKG0Wk;u~k2y17iv+pKS)8#NaNjNBT(kn1V3DD`pna+S{dO}jHwwiFGSmlOyvOT%rI zBZii;(pz7yWeNT=QsP!tR5z_jf47>kKNNG5PC{h2q8I;d#;fRBo~kh+y7avQzX?Xf zUaKME5>?DoLdIl>w4Sk_xCk#>Fkr}`ZT0vjq$4E-@4!Gw z1ERGl@PTb!UwV?|UH<->_&|_Se41^A(P_EHVqwse#{TuhZm34Id3YtzQ z*;wy}$2KB`jfTO<2zBgTs`BGU?b<*fva5_IQbSH0`Gy|V)Y36|&~@Bo;mNf;k85)q z(+m1@!0!f^e$-u`3*2HvDDh5s*$}pr7Ie9u(5n^Mk|sIcRF0zh=UJoG=e{}w(HQH4 zK?*NMVXs&VHE)t?#F)k1CF~#@A5-~0*{Wd&l}6O2lTVyYnY$nBg4AB!bTuxDcDdriG0hEo^HG44$lrFv1k!l(poD4w691> znqw~`NOFf7eKv#tWPw+MA@@$kjsUK%)gN(+LC5%~Q7<}-6rsToUz?zr>?0ZOb~pby z?KAaHz4;yoHY+PdbmCQA`Vfm!;(7FNX8jl&|H8ufFMWQxbk_>aF9T?;gzf}VaTX9J z`yZC|j!CU=?@22t>`9tDc-Dby6EH^@et<{k?|0%R=vJ|Pl_nY$t?qv5!^5{+m!tU% z>q+-B*-$~4urAl0Vo@tHcJH7&CuftormqWb^?4hc?KS_nS=@^Lj}UtQ=MrTCWnXEb zK)WA|wBg(IH0^Tx*7wTa%rm2!X6669IFcIkM+HvyU$z4NuTr@SF#%CfnwYspw$z{N zs2{ehu=D-nbO6N%xEa$a8OhcK=JdQ|nq|}M)IfInKYx!@Q^YPSL{`LW&bU7OqhYC* z$h%1~`Py^oZ$+}2NlqdvjI>>Vc4q=NG(;_E6P-)hAko?dVSWLhK&GmZ-XyC&Kct{W zffZFB3|E8;A}H)Wjeoi3@$XxPig$0=Hc+kw(L`3b+LlK-sKO$Y|9sL21R0kZdj;B2 zUR$~7^X_?hae;b|OZfH%*AoPT&A(ey#-3xpq{yNvLjA^Uw0uanqc{ti|`zo2_V9o`LmMH$e03!>q-YrTo$jzl+Iys`8Dh{49M#OPzB84 z&mL%Bjb)fW?TIXpw9ntX$W4wjeo%g)pN7%i7i(5v1~haBUI?&M&i}V^i~WCI2WR`D zfk8HDtyYc~ee_;ThuY%w)%ugB|I;EpLz;iS4IMveksf4g!I-%!>~gPfZJI9h1@7uE zpY7ts*PLt$Gt2NB&_G-YycV(rORxQ~uUqpujkM)RaccC8{h}J7PFChLa7b1m3U`CE z7ebMvP*A1C!dirzNAAAnjQ8O<>|sr-w1AFY7lB=_DT4a!v5__x@~Azs><{bF$l`r@ zSy*m{B4k;0mQ};l2}{;Lxgr!BYX5{)yd72lkabU&OStwNoF_i3B?aGM(~i6Z7Wy$A zeRTU!Aer}h`qNwsyK0YeH|=SLKf50M;v(RhBg>9fh!YHX=j^zxjT*Kwv~mlCzg>B; zmYILGzs0QGn3udSyHEX(Qs3G^=ZmGVCt+k=%Buz7!7s`VbJd2yojelL&3y=~i^4sVs^LSz4+i5XA5bM^g+#>J*OAbVfG|y((cK9RI9M32;PwmB zGX|C})Q^EI7D}a`Px4~6{d2edT*}E6e_-3WE)oH<&`3WM9-w*qv-A9@|4X`zOwZ(> z!z9x$@A~t2{vT6T{!i&E|NZ)ZpEq#N{r7$I|7gLz_hJ1+@*S&DkL4H(ZPL@OAgdx% J`uz2W{{gY5K5GB~ 
diff --git a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
index 7148c61b14a..6bec1ec3877 100644
--- a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
@@ -227,10 +227,10 @@
 "title": "[Zscaler] [ZIA] Firewall Logs",
 "version": 1
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "dashboard": "7.16.0"
+ "dashboard": "8.1.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json
index 60e83c67697..081b00ab99f 100644
--- a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json
@@ -182,10 +182,10 @@
 "title": "[Zscaler] [ZIA] Web Logs",
 "version": 1
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "dashboard": "7.16.0"
+ "dashboard": "8.1.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json
index 0210e194eee..35b0cd5de83 100644
--- a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json
@@ -134,10 +134,10 @@
 "title": "[Zscaler] [ZIA] Tunnel Logs",
 "version": 1
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53",
 "migrationVersion": {
- "dashboard": "7.16.0"
+ "dashboard": "8.1.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json
index 333284bf917..cc87d6b271c 100644
--- a/packages/zscaler_zia/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json
@@ -100,10 +100,10 @@
 "title": "[Zscaler] [ZIA] DNS Logs",
 "version": 1
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "dashboard": "7.16.0"
+ "dashboard": "8.1.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json
index f40e79e9ebf..3a0528acbbe 100644
--- a/packages/zscaler_zia/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json
@@ -11,12 +11,13 @@
 "minZoom": 0,
 "sourceDescriptor": {
 "isAutoSelect": true,
+ "lightModeDefault": "road_map",
 "type": "EMS_TMS"
 },
 "style": {
 "type": "TILE"
 },
- "type": "VECTOR_TILE",
+ "type": "EMS_VECTOR_TILE",
 "visible": true
 },
 {
@@ -34,7 +35,7 @@
 "applyForceRefresh": true,
 "applyGlobalQuery": true,
 "applyGlobalTime": true,
- "geoField": "client.geo.location",
+ "geoField": "source.geo.location",
 "id": "636e2366-af59-41da-a0af-83b10b7a1b47",
 "indexPatternRefName": "layer_1_source_index_pattern",
 "metrics": [
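Review bot: Renaming the map layer's `geoField` from `client.geo.location` to `source.geo.location` is a breaking change for anything that already queries this data stream, and the same applies to the `client.user.name` → `source.user.name` switch in the zscaler_zia-35612ae0 table visualization further down. Saved searches, alerting rules or detection rules written against the old `client.*` names will silently return no results after the upgrade rather than fail loudly, so the changelog entry for this version should flag the rename as breaking; I cannot see the changelog hunk from here, so this may already be covered. It is also worth grepping the rest of `packages/zscaler_zia/kibana/` for `client.geo.location` and `client.user.name`, since only these two occurrences are touched in this part of the diff and any leftover reference would leave that panel empty.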
@@ -106,10 +107,10 @@
 "openTOCDetails": []
 }
 },
- "coreMigrationVersion": "7.16.2",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "map": "7.14.0"
+ "map": "8.1.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json
index e5b35d65cc1..5ad790e4f13 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json
@@ -153,10 +153,10 @@
 "type": "horizontal_bar"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json
index 906f9839d74..e863df872a5 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json
@@ -55,10 +55,10 @@
 "type": "table"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json
index 6d78fd2c782..7ff761b44fc 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json
@@ -130,10 +130,10 @@
 "type": "horizontal_bar"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json
index a66f7bb47b5..26a843495a8 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json
@@ -73,10 +73,10 @@
 "type": "pie"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json
index 3a0c98abeed..3f69687d7e6 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json
@@ -12,22 +12,7 @@
 }
 },
 "title": "[Zscaler] [ZIA] Distribution of Web Events by Action, Malware Category, App Class, Response Code, Department, Username, URL",
- "uiStateJSON": {
- "vis": {
- "params": {
- "colWidth": [
- {
- "colIndex": 5,
- "width": 137.71428571428572
- },
- {
- "colIndex": 6,
- "width": 194.0408163265306
- }
- ]
- }
- }
- },
+ "uiStateJSON": {},
 "version": 1,
 "visState": {
 "aggs": [
@@ -43,7 +28,7 @@
 "id": "7",
 "params": {
 "customLabel": "Username",
- "field": "client.user.name",
+ "field": "source.user.name",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -172,10 +157,10 @@
 "type": "table"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json
index f179b75d26b..b48ec098080 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json
@@ -191,10 +191,10 @@
 "type": "table"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json
index ff3e5c593e6..7f5b0ebfc06 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json
@@ -73,10 +73,10 @@
 "type": "pie"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json
index 007cd4468ff..7049307a2c9 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json
@@ -55,10 +55,10 @@
 "type": "table"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json
index 5a2d639ce6f..16121ffdc94 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json
@@ -157,10 +157,10 @@
 "type": "table"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json
index 08b89ee2974..892d02814ae 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json
@@ -151,10 +151,10 @@
 "type": "line"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json
index cb1618b5e46..5433d10be85 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json
@@ -134,10 +134,10 @@
 "type": "histogram"
 }
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.1.2",
 "id": "zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407",
 "migrationVersion": {
- "visualization": "7.14.0"
+ "visualization": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json
index 91f7e48e029..14200e1db93 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json
@@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json index 24060d75d86..546771149eb 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json @@ -153,10 +153,10 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json index 3d02ae30426..66719ab2f17 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json @@ -73,10 +73,10 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json index c0d4bf656b6..9bd5c1fa51f 100644 
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json index bd2e6dab644..08b9cd4fba0 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json @@ -81,10 +81,10 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json index 313c4077ad7..b988b8b2883 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json @@ -73,10 +73,10 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { 
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json index 563accac21d..92ded91328f 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json @@ -73,10 +73,10 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json index 78319bdfc54..2bde940e35e 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json @@ -28,7 +28,7 @@ "id": "2", "params": { "customLabel": "Server Destination IP", - "field": "zscaler_zia.firewall.server.destination.ip", + "field": "destination.ip", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json index e6d2153278a..d9f80f29584 100644 
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json @@ -153,10 +153,10 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json index 4ccd7d951af..d6c82373827 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json @@ -77,10 +77,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json index b226e833e29..df07c7ab593 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { 
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json index a8dfa30d257..77b55dc97ec 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json @@ -131,10 +131,10 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json index 8b2e5a40ae1..6119cb80edf 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json index 97d6454cb18..7dee1854458 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json 
@@ -28,7 +28,7 @@ "id": "2", "params": { "customLabel": "Client Source IP", - "field": "zscaler_zia.firewall.client.source.ip", + "field": "source.ip", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json index 18ee199633f..1aadd82cd7e 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json @@ -28,7 +28,7 @@ "id": "2", "params": { "customLabel": "Destination Country", - "field": "server.geo.country_name", + "field": "destination.geo.country_name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -102,7 +102,7 @@ }, "times": [], "truncateLegend": true, - "type": "histogram", + "type": "horizontal_bar", "valueAxes": [ { "id": "ValueAxis-1", @@ -131,10 +131,10 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json index d2526e4cd62..1b3b9419c4f 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json 
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json @@ -81,10 +81,10 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json index bcc6c6fb628..628743893bc 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json @@ -55,10 +55,10 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json index c2d451fd945..1ff2792c917 100644 --- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json +++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json @@ -130,10 +130,10 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.1.2", "id": "zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407", "migrationVersion": { - "visualization": "7.14.0" + "visualization": "8.0.0" }, "references": [ { 
diff --git a/packages/zscaler_zia/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json
index 75be53e9698..9055494a87e 100644
--- a/packages/zscaler_zia/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json
+++ b/packages/zscaler_zia/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json
@@ -55,10 +55,10 @@
       "type": "table"
     }
   },
-  "coreMigrationVersion": "7.16.0",
+  "coreMigrationVersion": "8.1.2",
   "id": "zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407",
   "migrationVersion": {
-    "visualization": "7.14.0"
+    "visualization": "8.0.0"
   },
   "references": [
     {

From 9fe5bf928363b6f8fa1ae71a4702d8caeb2065ba Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 26 Apr 2022 09:00:17 -0400
Subject: [PATCH 4/4] Remove community_id defaults

---
 .../tunnel/elasticsearch/ingest_pipeline/default.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index 24d8942b2f5..3391e5bf916 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -292,13 +292,6 @@ processors:
       target_field: zscaler_zia.tunnel.dpd_packets
       ignore_missing: true
   - community_id:
-      source_ip: source.ip
-      source_port: source.port
-      destination_ip: destination.ip
-      destination_port: destination.port
-      transport: network.transport
-      iana_number: network.iana_number
-      target_field: network.community_id
       ignore_failure: true
   - script:
       description: Drops null/empty values recursively