From 6cdb4a288d5118648bead2fb6a715927837cf5a1 Mon Sep 17 00:00:00 2001 
From: v-rusraut Date: Mon, 30 Oct 2023 13:59:55 +0530 Subject: [PATCH 01/17] Repackage - Microsoft Entra ID (Rebranding changes Azure Active Directory to Microsoft Entra ID ) --- .../Data/Solution_AAD.json | 93 ---------------- .../Analytic Rules/ADFSDomainTrustMods.yaml | 0 .../ADFSSignInLogsPasswordSpray.yaml | 0 ...ccountCreatedDeletedByNonApprovedUser.yaml | 0 ...ountCreatedandDeletedinShortTimeframe.yaml | 0 ...nPromoAfterRoleMgmtAppPermissionGrant.yaml | 2 +- ...erAppSigninLocationIncrease-detection.yaml | 2 +- ...ionMethodsChangedforPrivilegedAccount.yaml | 0 .../AzureAADPowerShellAnomaly.yaml | 8 +- .../AzureADRoleManagementPermissionGrant.yaml | 4 +- ...urePortalSigninfromanotherAzureTenant.yaml | 0 ...e Force Attack against GitHub Account.yaml | 2 +- .../Analytic Rules/BruteForceCloudPC.yaml | 0 ...ChangestoPrivilegedAccountPermissions.yaml | 0 .../Analytic Rules/BypassCondAccessRule.yaml | 2 +- .../CredentialAddedAfterAdminConsent.yaml | 0 ...tenantAccessSettingsOrganizationAdded.yaml | 2 +- ...nantAccessSettingsOrganizationDeleted.yaml | 2 +- ...onInboundCollaborationSettingsChanged.yaml | 0 ...anizationInboundDirectSettingsChanged.yaml | 0 ...nOutboundCollaborationSettingsChanged.yaml | 0 ...nizationOutboundDirectSettingsChanged.yaml | 0 ...dAccountSigninsAcrossManyApplications.yaml | 0 .../DistribPassCrackAttempt.yaml | 4 +- .../ExchangeFullAccessGrantedToApp.yaml | 0 .../Analytic Rules/ExplicitMFADeny.yaml | 0 .../FailedLogonToAzurePortal.yaml | 2 +- .../FirstAppOrServicePrincipalCredential.yaml | 0 ...dinAADGroupsOtherThanTheOnesSpecified.yaml | 2 +- .../Analytic Rules/MFARejectedbyUser.yaml | 0 .../MFASpammingfollowedbySuccessfullogin.yaml | 0 .../MailPermissionsAddedToApplication.yaml | 0 .../MaliciousOAuthApp_O365AttackToolkit.yaml | 0 .../MaliciousOAuthApp_PwnAuth.yaml | 0 ...min_membership_removals_from_NewAdmin.yaml | 0 .../NRT_ADFSDomainTrustMods.yaml | 0 ...thenticationMethodsChangedforVIPUsers.yaml | 0 
...RT_NewAppOrServicePrincipalCredential.yaml | 0 .../NRT_PIMElevationRequestRejected.yaml | 0 .../NRT_PrivlegedRoleAssignedOutsidePIM.yaml | 0 .../NRT_UseraddedtoPrivilgedGroups.yaml | 4 +- .../NewAppOrServicePrincipalCredential.yaml | 0 .../NewOnmicrosoftDomainAdded.yaml | 0 .../PIMElevationRequestRejected.yaml | 0 ...PrivilegedAccountsSigninFailureSpikes.yaml | 0 .../PrivlegedRoleAssignedOutsidePIM.yaml | 0 .../RareApplicationConsent.yaml | 0 .../SeamlessSSOPasswordSpray.yaml | 6 +- ...Sign-in Burst from Multiple Locations.yaml | 0 ...SigninAttemptsByIPviaDisabledAccounts.yaml | 0 .../SigninBruteForce-AzurePortal.yaml | 0 .../Analytic Rules/SigninPasswordSpray.yaml | 4 +- ...SuccessThenFail_DiffIP_SameUserandApp.yaml | 0 .../SuspiciousAADJoinedDeviceUpdate.yaml | 2 +- .../SuspiciousOAuthApp_OfflineAccess.yaml | 0 ...ciousServicePrincipalcreationactivity.yaml | 0 ...iciousSignInFollowedByMFAModification.yaml | 0 .../Analytic Rules/UnusualGuestActivity.yaml | 4 +- .../UserAccounts-CABlockedSigninSpikes.yaml | 0 .../UserAssignedPrivilegedRole.yaml | 0 .../UseraddedtoPrivilgedGroups.yaml | 4 +- ..._FirstAppOrServicePrincipalCredential.yaml | 0 .../template_AzureActiveDirectory.JSON | 8 +- .../Microsoft Entra ID/Data/Solution_AAD.json | 103 ++++++++++++++++++ .../Data/system_generated_metadata.json | 4 +- .../Package/2.0.0.zip | Bin .../Package/2.0.1.zip | Bin .../Package/2.0.10.zip | Bin .../Package/2.0.11.zip | Bin .../Package/2.0.12.zip | Bin .../Package/2.0.13.zip | Bin .../Package/2.0.3.zip | Bin .../Package/2.0.4.zip | Bin .../Package/2.0.5.zip | Bin .../Package/2.0.6.zip | Bin .../Package/2.0.7.zip | Bin .../Package/2.0.8.zip | Bin .../Package/2.0.9.zip | Bin .../Package/3.0.0.zip | Bin .../Package/3.0.1.zip | Bin .../Package/3.0.2.zip | Bin .../Package/3.0.3.zip | Bin .../Package/3.0.4.zip | Bin .../Package/3.0.5.zip | Bin .../Package/createUiDefinition.json | 6 +- .../Package/mainTemplate.json | 0 .../alert-trigger/azuredeploy.json | 4 +- 
.../alert-trigger/images/AlertTriggerDark.png | Bin .../images/AlertTriggerLight.png | Bin .../images/Block-AADUser_alert.png | Bin .../alert-trigger/releaseNotes.md | 0 .../entity-trigger/azuredeploy.json | 4 +- .../images/designerScreenshotDark1.png | Bin .../images/designerScreenshotLight1.png | Bin .../images/entityTriggerDark.png | Bin .../images/entityTriggerLight.png | Bin .../entity-trigger/releaseNotes.md | 0 .../images/managerNotificationDark.png | Bin .../images/managerNotificationLight.png | Bin .../incident-trigger/azuredeploy.json | 0 .../images/Block-AADUser_incident.png | Bin .../images/IncidentTriggerDark.png | Bin .../images/IncidentTriggerLight.png | Bin .../images/designerScreenshotDark1.png | Bin .../images/designerScreenshotLight1.png | Bin .../incident-trigger/releaseNotes.md | 0 .../Playbooks/Block-AADUser/readme.md | 0 .../alert-trigger/azuredeploy.json | 0 .../images/Prompt-User_alert.png | Bin .../Prompt-User/alert-trigger/releaseNotes.md | 0 .../incident-trigger/azuredeploy.json | 0 .../incident-trigger/images/designerDark.png | Bin .../incident-trigger/images/designerLight.png | Bin .../incident-trigger/releaseNotes.md | 0 .../Playbooks/Prompt-User/readme.md | 0 .../alert-trigger/azuredeploy.json | 2 +- .../images/alertTrigger_dark.png | Bin .../images/alertTrigger_light.png | Bin .../alert-trigger/releaseNotes.md | 0 .../entity-trigger/azuredeploy.json | 2 +- .../images/entityTrigger_dark.png | Bin .../images/entityTrigger_light.png | Bin .../entity-trigger/releaseNotes.md | 0 .../incident-trigger/azuredeploy.json | 2 +- .../images/incidentTrigger_dark.png | Bin .../images/incidentTrigger_light.png | Bin .../incident-trigger/releaseNotes.md | 0 .../Playbooks/Reset-AADUserPassword/readme.md | 0 .../alert-trigger/azuredeploy.json | 0 .../images/Revoke-AADSignInSessions_alert.png | Bin .../entity-trigger/azuredeploy.json | 0 .../entity-trigger/images/playbookDark.jpg | Bin .../entity-trigger/images/playbookLight.jpg | Bin 
.../incident-trigger/azuredeploy.json | 0 .../Revoke-AADSignInSessions_incident.png | Bin .../incident-trigger/images/designerDark.png | Bin .../incident-trigger/images/designerLight.png | Bin .../Revoke-AADSignInSessions/readme.md | 0 .../ReleaseNotes.md | 0 .../SolutionMetadata.json | 0 .../AzureActiveDirectoryAuditLogs.json | 0 .../AzureActiveDirectorySignins.json | 0 142 files changed, 147 insertions(+), 137 deletions(-) delete mode 100644 Solutions/Azure Active Directory/Data/Solution_AAD.json rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/ADFSDomainTrustMods.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml (97%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml (96%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AzureAADPowerShellAnomaly.yaml (73%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml (93%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Brute Force Attack against GitHub Account.yaml (93%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic 
Rules/BruteForceCloudPC.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/BypassCondAccessRule.yaml (99%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/CredentialAddedAfterAdminConsent.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml (95%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml (96%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/DistribPassCrackAttempt.yaml (95%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/ExplicitMFADeny.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/FailedLogonToAzurePortal.yaml (97%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic 
Rules/FirstAppOrServicePrincipalCredential.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml (94%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MFARejectedbyUser.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MailPermissionsAddedToApplication.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_ADFSDomainTrustMods.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_PIMElevationRequestRejected.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml (93%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NewAppOrServicePrincipalCredential.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/NewOnmicrosoftDomainAdded.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra 
ID}/Analytic Rules/PIMElevationRequestRejected.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/RareApplicationConsent.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SeamlessSSOPasswordSpray.yaml (80%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/Sign-in Burst from Multiple Locations.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SigninBruteForce-AzurePortal.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SigninPasswordSpray.yaml (96%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml (96%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/UnusualGuestActivity.yaml (96%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic 
Rules/UserAssignedPrivilegedRole.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/UseraddedtoPrivilgedGroups.yaml (93%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Data Connectors/template_AzureActiveDirectory.JSON (93%) create mode 100644 Solutions/Microsoft Entra ID/Data/Solution_AAD.json rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Data/system_generated_metadata.json (85%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.0.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.1.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.10.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.11.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.12.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.13.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.3.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.4.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.5.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.6.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.7.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.8.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/2.0.9.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/3.0.0.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/3.0.1.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra 
ID}/Package/3.0.2.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/3.0.3.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/3.0.4.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/3.0.5.zip (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/createUiDefinition.json (99%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Package/mainTemplate.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json (98%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json (98%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotDark1.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotLight1.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerDark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md (100%) rename 
Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/images/managerNotificationDark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/images/managerNotificationLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/images/Block-AADUser_incident.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerDark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Block-AADUser/readme.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/alert-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/alert-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/incident-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/incident-trigger/images/designerDark.png (100%) rename 
Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/incident-trigger/images/designerLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/incident-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Prompt-User/readme.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json (99%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_dark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_light.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/alert-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json (99%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_dark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_light.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/entity-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json (99%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_dark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_light.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra 
ID}/Playbooks/Reset-AADUserPassword/incident-trigger/releaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Reset-AADUserPassword/readme.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/alert-trigger/images/Revoke-AADSignInSessions_alert.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookDark.jpg (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookLight.jpg (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/Revoke-AADSignInSessions_incident.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerDark.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerLight.png (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Playbooks/Revoke-AADSignInSessions/readme.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/ReleaseNotes.md (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/SolutionMetadata.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra ID}/Workbooks/AzureActiveDirectoryAuditLogs.json (100%) rename Solutions/{Azure Active Directory => Microsoft Entra 
ID}/Workbooks/AzureActiveDirectorySignins.json (100%)
diff --git a/Solutions/Azure Active Directory/Data/Solution_AAD.json b/Solutions/Azure Active Directory/Data/Solution_AAD.json
deleted file mode 100644
index 0f0717984af..00000000000
--- a/Solutions/Azure Active Directory/Data/Solution_AAD.json
+++ /dev/null
@@ -1,93 +0,0 @@
-{
- "Name": "Azure Active Directory",
- "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
- "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
- "Data Connectors": [
- "Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.json"
- ],
- "Workbooks": [
- "Solutions/Azure Active Directory/Workbooks/AzureActiveDirectoryAuditLogs.json",
- "Solutions/Azure Active Directory/Workbooks/AzureActiveDirectorySignins.json"
- ],
- "Analytic Rules": [
- "Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml",
- "Solutions/Azure Active Directory/Analytic
Rules/AzureADRoleManagementPermissionGrant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
- "Solutions/Azure Active Directory/Analytic
Rules/MailPermissionsAddedToApplication.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic
Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml"
- ],
- "Playbooks": [
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
- ],
- "BasePath":
"C:\\GitHub\\Azure-Sentinel", - "Version": "3.0.4", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1PConnector": true -} \ No newline at end of file diff --git a/Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml diff --git a/Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml diff --git a/Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml diff --git a/Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
similarity index 97%
rename from Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
index 6086a7d37ca..b44060c9f32 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
@@ -1,7 +1,7 @@
 id: f80d951a-eddc-4171-b9d0-d616bb83efdc
 name: Admin promotion after Role Management Application Permission Grant
 description: |
- 'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).
+ 'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).
 This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.
 A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.
 Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
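Review bot: The rewritten description line now reads "add an Microsoft Entra ID object", which the search-and-replace from "an Azure AD" left grammatically wrong; it should be `add a Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).` The `id:` and `name:` fields are untouched, so this hunk is wording only and carries no behavioral risk. Every "an Azure AD" that became "an Microsoft Entra ID" across the solution deserves the same article fix.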
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
similarity index 96%
rename from Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
index 2c91cefa196..d1a84cc55c0 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
@@ -1,7 +1,7 @@
 id: 7cb8f77d-c52f-4e46-b82f-3cf2e106224a
 name: Anomalous sign-in location by user account and authenticating application
 description: |
- 'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active
+ 'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active
 Directory application and picks out the most anomalous change in location profile for a user within an individual application.
 severity: Medium
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
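Review bot: The rebrand is incomplete inside the very sentence it rewrites: the new line ends with "for each Azure Active" and the unchanged context line continues "Directory application", so the description now reads "Microsoft Entra ID sign-in ... for each Azure Active Directory application". Because the product name is wrapped across two YAML lines, both lines need editing, e.g. `'This query over Microsoft Entra ID sign-ins considers all user sign-ins for each Microsoft Entra ID` followed by `application and picks out the most anomalous change in location profile for a user within an individual application.` A grep for "Azure Active" without a following "Directory" on the same line would catch any other wrapped occurrences in the solution.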
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
similarity index 73%
rename from Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
index ddf46a4fd7f..17454ed649a 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
@@ -1,9 +1,9 @@
 id: 50574fac-f8d1-4395-81c7-78a463ff0c52
-name: Azure Active Directory PowerShell accessing non-AAD resources
+name: Microsoft Entra ID PowerShell accessing non-AAD resources
 description: |
- 'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
- For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
- For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.'
+ 'This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
+ For capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
+ For further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.'
 severity: Low
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
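Review bot: The new description refers to "the Microsoft Entra ID PowerShell module", but the page it links to (`docs.microsoft.com/powershell/module/azuread/`) documents the module that is still published as `AzureAD`, and the first-party application this rule presumably matches in SigninLogs keeps the logged display name "Azure Active Directory PowerShell" (the query is outside this hunk, so I cannot confirm the match expression). A product rebrand is fine in prose, but a module or application identifier should stay literal so an analyst can correlate the alert with what the log actually shows; e.g. `For capabilities and expected behavior of the Azure AD PowerShell (AzureAD) module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.` Separately, changing `name:` from "Azure Active Directory PowerShell accessing non-AAD resources" alters the rule's display name while `id:` stays the same, so automation rules or analytics filters keyed on the old title would silently stop matching; that deserves a line in the solution's release notes. The new title also mixes "Microsoft Entra ID" and "non-AAD" in one phrase.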
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
similarity index 93%
rename from Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
index 07dbe1e781c..57820d9ba3f 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
@@ -1,9 +1,9 @@
 id: 1ff56009-db01-4615-8211-d4fda21da02d
-name: Azure AD Role Management Permission Grant
+name: Microsoft Entra ID Role Management Permission Grant
 description: |
 'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.
 This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.
- An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.
+ An adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.
 Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions
 Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
 severity: High
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml
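Review bot: The rewritten description line reads "add an Microsoft Entra ID object"; the article was right for "Azure AD" but not for the new noun, so it should be `An adversary could use this permission to add a Microsoft Entra ID object to an Admin directory role and escalate privileges.` The `name:` change from "Azure AD Role Management Permission Grant" also alters the rule's display name while `id:` is unchanged; if customers have automation rules or workbook filters keyed on the title, they will stop matching, so the rename should be called out in the release notes. The two `Ref :` lines and the severity are untouched, which is correct.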
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
similarity index 93%
rename from Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
index 3eb26654b0e..14065db0d54 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
@@ -1,7 +1,7 @@
 id: 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06
 name: Brute Force Attack against GitHub Account
 description: |
- 'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.'
+ 'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.'
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml
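Review bot: The rewritten description line is still a sentence fragment: "Attackers who are trying to guess your users' passwords or use brute-force methods to get in." has no main verb, and since the line is being replaced anyway this is the moment to fix it, e.g. `'Identifies attackers who are trying to guess your users' passwords or are using brute-force methods to get in.` "failed logon attempt of users" at the end of the same line should read "failed logon attempts by users". The `- connectorId: AzureActiveDirectory` context line is correctly left alone, since the connector id is an identifier rather than a product name.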
diff --git a/Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
similarity index 99%
rename from Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
index 821980265aa..0f61cf28beb 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
@@ -1,7 +1,7 @@
 id: 3af9285d-bb98-4a35-ad29-5ea39ba0c628
 name: Attempt to bypass conditional access rule in Azure AD
 description: |
- 'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.
+ 'Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.
 The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access
 or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).
 References:
diff --git a/Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml
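Review bot: The `name:` context line still says "in Azure AD" while the rewritten description line directly below it says "in Microsoft Entra ID", so the rule's title and body now disagree on the product name. If titles were deliberately left alone to avoid breaking references to rule display names, that is a defensible choice but it should be stated in the PR description; otherwise update it to `name: Attempt to bypass conditional access rule in Microsoft Entra ID`. Whichever way it goes, the treatment should be uniform across the solution, since other rules in this same patch do rename their `name:` field.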
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
similarity index 95%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
index d1bcee23ca3..8969ddde21c 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
@@ -1,7 +1,7 @@
 id: 757e6a79-6d23-4ae6-9845-4dac170656b5
 name: Cross-tenant Access Settings Organization Added
 description: |
- 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.'
+ 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.'
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
similarity index 96%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
index dc99ed2bd13..4c36295a3bb 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
@@ -1,7 +1,7 @@
 id: eb8a9c1c-f532-4630-817c-1ecd8a60ed80
 name: Cross-tenant Access Settings Organization Deleted
 description: |
- 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.'
+ 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.'
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
similarity index 95%
rename from Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
index 4c0c66de22f..491fc18dad3 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
@@ -1,7 +1,7 @@
 id: bfb1c90f-8006-4325-98be-c7fffbc254d6
-name: Distributed Password cracking attempts in AzureAD
+name: Distributed Password cracking attempts in Microsoft Entra ID
 description: |
- 'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.
+ 'Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.
 The query looks for unusually high number of failed password attempts coming from multiple locations for a user account.
 References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
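Review bot: Changing `name:` from "Distributed Password cracking attempts in AzureAD" to "... in Microsoft Entra ID" alters the rule's display name while `id:` stays the same, so any automation rule, workbook filter or saved query keyed on the old title will silently stop matching; this needs a line in the release notes. While the title is being touched, the stray capital in "Distributed Password cracking" can go too: `name: Distributed password cracking attempts in Microsoft Entra ID`. "Microsoft Entra ID SigninLogs" in the description is fine, since `SigninLogs` is the table name and is unchanged by the rebrand.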
diff --git a/Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
similarity index 97%
rename from Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
index 3efbca1eddc..ad517f5dd65 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
@@ -1,7 +1,7 @@
 id: 223db5c1-1bf8-47d8-8806-bed401b356a4
 name: Failed login attempts to Azure Portal
 description: |
- 'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon
+ 'Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon
 attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.
 The following are excluded due to success and non-failure results:
 References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
diff --git a/Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
similarity index 94%
rename from Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
index dc5f52cdb46..1b4642ddee6 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -1,7 +1,7 @@
 id: 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
 name: Guest accounts added in AAD Groups other than the ones specified
 description: |
- 'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
+ 'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
 severity: High
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml
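Review bot: The `name:` context line still says "in AAD Groups" while the rewritten description says "Microsoft Entra ID Groups", so the title and body now use different names for the same product. Either rename consistently, `name: Guest accounts added in Microsoft Entra ID Groups other than the ones specified`, or, if display names are deliberately frozen to protect existing automation-rule and workbook references, say so in the PR description so the inconsistency is understood as intentional. The rewritten line also keeps "i.e projects execution, support etc.." with a missing period after "i.e" and a doubled one after "etc", which is worth cleaning up while the line is being replaced.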
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
similarity index 93%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
index 1e6952e7d4c..c483e85f4b3 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
@@ -1,9 +1,9 @@
 id: 70fc7201-f28e-4ba7-b9ea-c04b96701f13
-name: NRT User added to Azure Active Directory Privileged Groups
+name: NRT User added to Microsoft Entra ID Privileged Groups
 description: |
 'This will alert when a user is added to any of the Privileged Groups.
 For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
- For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
+ For Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
 severity: Medium
 status: Available
 requiredDataConnectors:
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
similarity index 80%
rename from Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
index 01ade7dacd1..1eadf42a853 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
@@ -1,8 +1,8 @@
 id: fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba
-name: Password spray attack against Azure AD Seamless SSO
+name: Password spray attack against Microsoft Entra ID Seamless SSO
 description: |
- 'This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.
- Azure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.'
+ 'This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.
+ Microsoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.'
 severity: Medium
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
similarity index 96%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
index c073071483a..404ee30a90c 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
@@ -1,7 +1,7 @@
 id: 48607a29-a26a-4abf-8078-a06dbdd174a4
-name: Password spray attack against Azure AD application
+name: Password spray attack against Microsoft Entra ID application
 description: |
- 'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same
+ 'Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same
 IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included. This can be an indicator that an attack was successful.
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
similarity index 96%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index 0258af0edda..33f05d869a2 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
@@ -1,7 +1,7 @@
 id: 3a3c6835-0086-40ca-b033-a93bf26d878f
 name: Suspicious AAD Joined Device Update
 description: |
- 'This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
+ 'This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.
 This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.
 Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf'
 severity: Medium
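Review bot: The rebranded description line in the SuspiciousAADJoinedDeviceUpdate hunk now reads `an Microsoft Entra ID joined device`; the article was left over from the `an Azure AD` wording that the search-and-replace swapped out, and should be `a`. Suggested line: `'This query looks for suspicious updates to a Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.`. The rule `name` still says `Suspicious AAD Joined Device Update` while the description was rebranded; that may be intentional to keep the rule title stable for existing deployments, but it is worth confirming it matches how the other rules in this patch were treated.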
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
similarity index 96%
rename from Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
index f209c3e72f0..5cdc6f7a6c2 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
@@ -1,7 +1,7 @@
 id: acc4c247-aaf7-494b-b5da-17f18863878a
-name: External guest invitation followed by Azure AD PowerShell signin
+name: External guest invitation followed by Microsoft Entra ID PowerShell signin
 description: |
- 'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
+ 'By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests
 users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
 Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
 severity: Medium
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
similarity index 93%
rename from Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
index 199d3dd23ca..41365b14026 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
@@ -1,9 +1,9 @@
 id: 4d94d4a9-dc96-410a-8dea-4d4d4584188b
-name: User added to Azure Active Directory Privileged Groups
+name: User added to Microsoft Entra ID Privileged Groups
 description: |
 'This will alert when a user is added to any of the Privileged Groups.
 For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
- For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
+ For Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
 severity: Medium
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
diff --git a/Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.JSON b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
similarity index 93%
rename from Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.JSON
rename to Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
index 2121bd3568d..0cb9fe2fcbb 100644
--- a/Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.JSON
+++ b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
@@ -1,12 +1,12 @@
 {
 "id": "AzureActiveDirectory",
- "title": "Azure Active Directory",
+ "title": "Microsoft Entra ID",
 "publisher": "Microsoft",
 "logo": {
 "type": 3,
 "options": null
 },
- "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -184,8 +184,8 @@
 },
 "instructionSteps": [
 {
- "title": "Connect Azure Active Directory logs to Microsoft Sentinel",
- "description": "Select Azure Active Directory log types:",
+ "title": "Connect Microsoft Entra ID logs to Microsoft Sentinel",
+ "description": "Select Microsoft Entra ID log types:",
 "instructions": [
 {
 "parameters": {
diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
new file mode 100644
index 00000000000..9c98363cfb4
--- /dev/null
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
@@ -0,0 +1,103 @@
+{
+ "Name": "Microsoft Entra ID",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+ "Data Connectors": [
+ "Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.json"
+ ],
+ "Workbooks": [
+ "Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json",
+ "Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json"
+ ],
+ "Analytic Rules": [
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml"
+ ],
+ "Playbooks": [
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "3.0.4",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": true
+}
\ No newline at end of file
diff --git a/Solutions/Azure Active Directory/Data/system_generated_metadata.json b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
similarity index 85%
rename from Solutions/Azure Active Directory/Data/system_generated_metadata.json
rename to Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
index a145fa873ef..373db96f769 100644
--- a/Solutions/Azure Active Directory/Data/system_generated_metadata.json
+++ b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
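Review bot: The new `Analytic Rules` array in Solution_AAD.json lists `AccountCreatedandDeletedinShortTimeframe.yaml` six times and `MaliciousOAuthApp_O365AttackToolkit.yaml` six times, which reads as a copy-paste slip and will either break packaging or emit duplicate rule templates; each path should appear exactly once. `MFASpammingfollowedbySuccessfullogin.yaml`, which this same patch renames into the solution folder, is missing from the array, so the MFA-fatigue detection would be silently left out of the packaged solution; add `"Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml",` next to the `MFARejectedbyUser.yaml` entry. The `Data Connectors` entry references `template_AzureActiveDirectory.json` while the file renamed earlier in this patch is `template_AzureActiveDirectory.JSON`; that resolves on the Windows `BasePath` shown but presumably not on a case-sensitive packaging host, so the manifest should use the on-disk case. The `Version` is bumped to `3.0.4` here but I cannot see from this hunk whether the corresponding package or release notes were updated, so that is worth a check before merge.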
@@ -1,8 +1,8 @@
 {
- "Name": "Azure Active Directory",
+ "Name": "Microsoft Entra ID",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+ "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
diff --git a/Solutions/Azure Active Directory/Package/2.0.0.zip b/Solutions/Microsoft Entra ID/Package/2.0.0.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.0.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.0.zip
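Review bot: The `BasePath` value `C:\\GitHub\\Azure-Sentinel` kept on the context line is a developer-local Windows path committed into solution metadata; unless the packaging tool overrides it, a build from any other checkout location will diverge or fail. If the pipeline does override it, document that in the tool's README (strict JSON has no comments), otherwise make the path relative to the repository root. The four documentation links still use the legacy `docs.microsoft.com/azure/active-directory/...` paths; they redirect today, but a rebrand commit is the natural place to point them at the current Microsoft Entra documentation so the solution tile does not advertise a retired product name in its link text.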
diff --git a/Solutions/Azure Active Directory/Package/2.0.1.zip b/Solutions/Microsoft Entra ID/Package/2.0.1.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.1.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.1.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.10.zip b/Solutions/Microsoft Entra ID/Package/2.0.10.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.10.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.10.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.11.zip b/Solutions/Microsoft Entra ID/Package/2.0.11.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.11.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.11.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.12.zip b/Solutions/Microsoft Entra ID/Package/2.0.12.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.12.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.12.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.13.zip b/Solutions/Microsoft Entra ID/Package/2.0.13.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.13.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.13.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.3.zip b/Solutions/Microsoft Entra ID/Package/2.0.3.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.3.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.3.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.4.zip b/Solutions/Microsoft Entra ID/Package/2.0.4.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.4.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.4.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.5.zip b/Solutions/Microsoft Entra ID/Package/2.0.5.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.5.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.5.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.6.zip b/Solutions/Microsoft Entra ID/Package/2.0.6.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.6.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.6.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.7.zip b/Solutions/Microsoft Entra ID/Package/2.0.7.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.7.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.7.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.8.zip b/Solutions/Microsoft Entra ID/Package/2.0.8.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.8.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.8.zip
diff --git a/Solutions/Azure Active Directory/Package/2.0.9.zip b/Solutions/Microsoft Entra ID/Package/2.0.9.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/2.0.9.zip
rename to Solutions/Microsoft Entra ID/Package/2.0.9.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.0.zip b/Solutions/Microsoft Entra ID/Package/3.0.0.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.0.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.0.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.1.zip b/Solutions/Microsoft Entra ID/Package/3.0.1.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.1.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.1.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.2.zip b/Solutions/Microsoft Entra ID/Package/3.0.2.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.2.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.2.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.3.zip b/Solutions/Microsoft Entra ID/Package/3.0.3.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.3.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.3.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.4.zip b/Solutions/Microsoft Entra ID/Package/3.0.4.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.4.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.4.zip
diff --git a/Solutions/Azure Active Directory/Package/3.0.5.zip b/Solutions/Microsoft Entra ID/Package/3.0.5.zip
similarity index 100%
rename from Solutions/Azure Active Directory/Package/3.0.5.zip
rename to Solutions/Microsoft Entra ID/Package/3.0.5.zip
diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
similarity index 99%
rename from Solutions/Azure Active Directory/Package/createUiDefinition.json
rename to Solutions/Microsoft Entra ID/Package/createUiDefinition.json
index 612818dd777..e0f67a24068 100644
--- a/Solutions/Azure Active Directory/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
@@ -766,7 +766,7 @@
 {
 "name": "analytic46",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Azure AD Seamless SSO",
+ "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
 "elements": [
 {
 "name": "analytic46-text",
@@ -822,7 +822,7 @@
 {
 "name": "analytic50",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Azure AD application",
+ "label": "Password spray attack against Microsoft Entra ID application",
 "elements": [
 {
 "name": "analytic50-text",
@@ -892,7 +892,7 @@
 {
 "name": "analytic55",
 "type": "Microsoft.Common.Section",
- "label": "External guest invitation followed by Azure AD PowerShell signin",
+ "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
 "elements": [
 {
 "name": "analytic55-text",
diff --git a/Solutions/Azure Active Directory/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
similarity index 100%
rename from Solutions/Azure Active Directory/Package/mainTemplate.json
rename to Solutions/Microsoft Entra ID/Package/mainTemplate.json
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
similarity index 98%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
index e1d3d642d72..8f8a4b189ec 100644
--- a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
@@ -2,8 +2,8 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "Block AAD user - Alert",
- "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
+ "title": "Block Microsoft Entra ID user - Alert",
+ "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
 "prerequisites": ["None"],
 "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections."],
 "lastUpdateTime": "2022-07-11T00:00:00.000Z",
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
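Review bot: The rebrand in this hunk is incomplete: the title and description now say Microsoft Entra ID, but postDeployment step 3 in the same metadata block still reads `"3. Authorize Azure AD and Office 365 Outlook Logic App connections."`; change it to `"3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections."` (if the Logic App connector is still labelled "Azure AD" in the portal, say so in parentheses so operators can find it). Step 2 asks for `Directory.Read.All, Directory.ReadWrite.All` on top of `User.Read.All, User.ReadWrite.All`; disabling an account and looking up its manager are user-object operations, so the directory-wide write grant looks broader than least privilege requires — confirm against the workflow actions, which are outside this hunk, and drop the Directory.* grants if nothing uses them. Since the metadata text changed, `"lastUpdateTime": "2022-07-11T00:00:00.000Z"` should be bumped as well.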
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json similarity index 98% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json index 37d4e21eeef..14ffed2fb32 100644 --- a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json 
@@ -2,8 +2,8 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "Block AAD user - Entity trigger",
- "description": "This playbook disables the selected user (account entity) in Azure Active Directoy. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
+ "title": "Block Microsoft Entra ID user - Entity trigger",
+ "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
 "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections." ],
 "lastUpdateTime": "2022-12-08T00:00:00.000Z",
 "entities": [ "Account" ],
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotDark1.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotDark1.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotDark1.png
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotDark1.png
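Review bot: postDeployment step 3 still says `Azure AD` while the title and description two lines above were rebranded in this very hunk; the inconsistency will be visible to anyone deploying from the gallery, so update it to `"3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections."`. The metadata text changed but `"lastUpdateTime": "2022-12-08T00:00:00.000Z"` was left as-is; bump it so the content hub reflects the revision. Step 2 grants `Directory.ReadWrite.All` to an identity whose described job is to flip one user's enabled flag and read the manager; that is a tenant-wide write capability sitting on an automation identity, so either justify it in the description or confirm the workflow (outside this hunk) really needs more than `User.ReadWrite.All` and trim the list.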
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotLight1.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotLight1.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotLight1.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/designerScreenshotLight1.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerDark.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerDark.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerDark.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerLight.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerLight.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/images/entityTriggerLight.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md 
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/images/managerNotificationDark.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/images/managerNotificationDark.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/images/managerNotificationDark.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/images/managerNotificationDark.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/images/managerNotificationLight.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/images/managerNotificationLight.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/images/managerNotificationLight.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/images/managerNotificationLight.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/Block-AADUser_incident.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/Block-AADUser_incident.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/Block-AADUser_incident.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/Block-AADUser_incident.png 
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerDark.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerDark.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerDark.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerLight.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerLight.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/IncidentTriggerLight.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png 
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/readme.md rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/azuredeploy.json rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/releaseNotes.md 
diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/azuredeploy.json rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/images/designerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/images/designerDark.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/images/designerDark.png rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/images/designerDark.png diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/images/designerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/images/designerLight.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/images/designerLight.png rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/images/designerLight.png diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/releaseNotes.md diff --git a/Solutions/Azure Active Directory/Playbooks/Prompt-User/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Prompt-User/readme.md rename to Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md 
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json
similarity index 99%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json
index 7526b007167..6d58c9ef7dc 100644
--- a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "Reset Azure AD User Password - Alert Trigger",
+ "title": "Reset Microsoft Entra ID User Password - Alert Trigger",
 "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.",
 "prerequisites": ["None"],
 "postDeployment": ["1. Assign Password Administrator permission to managed identity.", "2. Assign Microsoft Sentinel Responder permission to managed identity.", "3. Authorize Office 365 Outlook connection"],
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_dark.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_dark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_dark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_dark.png
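Review bot: The description kept in this hunk states that the new password is `a random guid substring` and is emailed to the user's manager, but gives the operator no security caveat for either fact. A GUID substring is hex-only (about 4 bits of entropy per character), so unless the workflow takes most of the GUID the temporary password is weak, and delivering it in plaintext mail means anyone who can read the manager's mailbox holds a live credential until the forced reset on next sign-in; the generation logic lives in the workflow definition outside this hunk, so the substring length cannot be confirmed from here. Suggest appending to the description: `Caution: the temporary password is delivered in plaintext email to the manager; protect that mailbox, verify the generated length meets your password policy, and consider issuing a Temporary Access Pass instead where available.`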
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_light.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_light.png similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_light.png rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/images/alertTrigger_light.png diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/releaseNotes.md similarity index 100% rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/releaseNotes.md rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/releaseNotes.md diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json similarity index 99% rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json index 47f07a364b3..b1a46465f45 100644 --- a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json 
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "Reset Azure AD User Password - Entity trigger",
+ "title": "Reset Microsoft Entra ID User Password - Entity trigger",
 "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.",
 "postDeployment": [ "1. Assign Password Administrator permission to managed identity.", "2. Assign Microsoft Sentinel Responder permission to managed identity.", "3. Authorize Office 365 Outlook connection" ],
 "lastUpdateTime": "2022-12-06T00:00:00.000Z",
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_dark.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_dark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_dark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_dark.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_light.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_light.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_light.png
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/images/entityTrigger_light.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/releaseNotes.md
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/releaseNotes.md
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/releaseNotes.md
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
similarity index 99%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
index bc3cb986f70..488ddf25943 100644
--- a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "Reset Azure AD User Password - Incident Trigger",
+ "title": "Reset Microsoft Entra ID User Password - Incident Trigger",
 "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.",
 "prerequisites": ["None"],
 "postDeployment": ["1. Assign Password Administrator permission to managed identity.", "2. Assign Microsoft Sentinel Responder permission to managed identity.", "3. Authorize Office 365 Outlook connection"],
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_dark.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_dark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_dark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_dark.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_light.png b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_light.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_light.png
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/images/incidentTrigger_light.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/releaseNotes.md
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/releaseNotes.md
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/releaseNotes.md
diff --git a/Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/readme.md
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/readme.md
rename to Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/readme.md
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/images/Revoke-AADSignInSessions_alert.png b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/images/Revoke-AADSignInSessions_alert.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/images/Revoke-AADSignInSessions_alert.png
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/images/Revoke-AADSignInSessions_alert.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookDark.jpg b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookDark.jpg
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookDark.jpg
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookDark.jpg
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookLight.jpg b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookLight.jpg
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookLight.jpg
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/images/playbookLight.jpg
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/Revoke-AADSignInSessions_incident.png b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/Revoke-AADSignInSessions_incident.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/Revoke-AADSignInSessions_incident.png
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/Revoke-AADSignInSessions_incident.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerDark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerDark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerDark.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerLight.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerLight.png
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/images/designerLight.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/readme.md
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/readme.md
rename to Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/readme.md
diff --git a/Solutions/Azure Active Directory/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md
similarity index 100%
rename from Solutions/Azure Active Directory/ReleaseNotes.md
rename to Solutions/Microsoft Entra ID/ReleaseNotes.md
diff --git a/Solutions/Azure Active Directory/SolutionMetadata.json b/Solutions/Microsoft Entra ID/SolutionMetadata.json
similarity index 100%
rename from Solutions/Azure Active Directory/SolutionMetadata.json
rename to Solutions/Microsoft Entra ID/SolutionMetadata.json
diff --git a/Solutions/Azure Active Directory/Workbooks/AzureActiveDirectoryAuditLogs.json b/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json
similarity index 100%
rename from Solutions/Azure Active Directory/Workbooks/AzureActiveDirectoryAuditLogs.json
rename to Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json
diff --git a/Solutions/Azure Active Directory/Workbooks/AzureActiveDirectorySignins.json b/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json
similarity index 100%
rename from Solutions/Azure Active Directory/Workbooks/AzureActiveDirectorySignins.json
rename to Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json
From 0e0c63a0d6b6b49fe16badd99b7c59230b4fe252 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Mon, 30 Oct 2023 14:03:13 +0530
Subject: [PATCH 02/17] updated Release Notes
---
 Solutions/Microsoft Entra ID/Data/Solution_AAD.json | 2 +-
 Solutions/Microsoft Entra ID/ReleaseNotes.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
index 9c98363cfb4..6416d9b2d8d 100644
--- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
@@ -96,7 +96,7 @@
 "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.4",
+ "Version": "3.0.6",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md
index 289c4c88429..59dee99a6a7 100644
--- a/Solutions/Microsoft Entra ID/ReleaseNotes.md
+++ b/Solutions/Microsoft Entra ID/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| 3.0.6 | 30-10-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
 | 3.0.5 | 19-10-2023 | 1 **Analytic Rules** updated in the solution (PIMElevationRequestRejected) |
 | 3.0.4 | 16-10-2023 | 1 **Analytic Rules** got added in the solution (SuspiciousSignInFollowedByMFAModification), modified workbook query to fix duplicate locations for the query. |
 | 3.0.3 | 22-09-2023 | 2 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected),(NRT Authentication Methods Changed for VIP Users) |
From 9190cf5c5b74536ae39be71682512e336eec045e Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Mon, 30 Oct 2023 14:19:30 +0530
Subject: [PATCH 03/17] update text in analytical rule
---
 .../AnomalousUserAppSigninLocationIncrease-detection.yaml | 2 +-
 .../Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml | 2 +-
 .../Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
index d1a84cc55c0..196d7fbbdc1 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
@@ -58,7 +58,7 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}
 alertDescriptionFormat: |
- This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active
+ This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active
 Directory application and picks out the most anomalous change in location profile for a user within an individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations.
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
index 0f61cf28beb..7a6d28fc845 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
@@ -1,5 +1,5 @@
 id: 3af9285d-bb98-4a35-ad29-5ea39ba0c628
-name: Attempt to bypass conditional access rule in Azure AD
+name: Attempt to bypass conditional access rule in Microsoft Entra ID
 description: |
 'Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index 33f05d869a2..4095d1129cc 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
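Review bot: The rewritten alertDescriptionFormat line still ends with `each Azure Active` and the unchanged continuation line starts with `Directory application`, so the text an analyst sees now reads "Microsoft Entra ID sign-in ... for each Azure Active Directory application", rebranded in one half of the sentence and not the other. Because the scalar is a literal `|` block the line break is preserved, so the continuation line has to change together with this one: end the added line with `for each Microsoft Entra ID` and drop the leading `Directory ` from the next line. While here, `This query over Microsoft Entra ID sign-in considers` reads more naturally as `This query over Microsoft Entra ID sign-in logs considers`. The alertDetailsOverride mapping this sits in begins before the hunk, and the same wrapped-phrase problem is worth checking in the other analytic-rule text edits of this commit.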
@@ -73,7 +73,7 @@ entityMappings:
 alertDetailsOverride:
 alertDisplayNameFormat: Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed
 alertDescriptionFormat: |
- This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
+ This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.
 In this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.
 This could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.
 Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
From 178d183a7d44197eb91a261e2d819cd16cc8caaa Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Tue, 31 Oct 2023 10:36:44 +0530
Subject: [PATCH 04/17] update text
---
 .../Playbooks/Block-AADUser/alert-trigger/releaseNotes.md | 4 ++--
 .../Block-AADUser/entity-trigger/releaseNotes.md | 4 ++--
 .../Block-AADUser/incident-trigger/releaseNotes.md | 4 ++--
 .../Microsoft Entra ID/Playbooks/Block-AADUser/readme.md | 8 ++++----
 .../Microsoft Entra ID/Playbooks/Prompt-User/readme.md | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
index 9549ab00e13..6c96138b059 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
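Review bot: The rewritten alertDescriptionFormat line says `to an Microsoft Entra ID joined device`; the article no longer agrees with the noun and should read `This query looks for suspicious updates to a Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.`. In the same hunk the unchanged alertDisplayNameFormat line (`Suspicious AAD Joined Device Update ...`) and the context line ending `uses it to AAD Join a new device` keep the old abbreviation, so the alert an analyst sees is renamed in its description but not in its title; if the abbreviation is meant to stay, one consistent form across the three lines would be clearer. The alertDetailsOverride mapping starts before the hunk, under entityMappings.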
@@ -1,8 +1,8 @@
 ### 1.1 Added manager notification action
-- Added action to check if the user has a manager assigned in the Azure AD and notify the manager that the user is disabled
+- Added action to check if the user has a manager assigned in the Microsoft Entra ID and notify the manager that the user is disabled
Note: Additional permissions must be assigned to the managed identity - Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All. Full instructions available on https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
-- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Azure AD
+- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Microsoft Entra ID
 ### 1.0
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md
index 9549ab00e13..6c96138b059 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/releaseNotes.md
@@ -1,8 +1,8 @@
 ### 1.1 Added manager notification action
-- Added action to check if the user has a manager assigned in the Azure AD and notify the manager that the user is disabled
+- Added action to check if the user has a manager assigned in the Microsoft Entra ID and notify the manager that the user is disabled
Note: Additional permissions must be assigned to the managed identity - Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All. Full instructions available on https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
-- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Azure AD
+- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Microsoft Entra ID
 ### 1.0
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md
index 9549ab00e13..6c96138b059 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/releaseNotes.md
@@ -1,8 +1,8 @@
 ### 1.1 Added manager notification action
-- Added action to check if the user has a manager assigned in the Azure AD and notify the manager that the user is disabled
+- Added action to check if the user has a manager assigned in the Microsoft Entra ID and notify the manager that the user is disabled
Note: Additional permissions must be assigned to the managed identity - Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All. Full instructions available on https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
-- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Azure AD
+- Update to readme file - stating what API permissions are needed to be assigned to the managed identity as well as updating info that this playbook is not supporting block of the admin users in Microsoft Entra ID
 ### 1.0
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md
index cb36e605de5..824749dd99b 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/readme.md
@@ -1,9 +1,9 @@
 # Block-AADUser
 author: Nicholas DiCola
-This playbook will disable the user in Azure Active Directory and add a comment to the incident. There is an option for incident and alert trigger below.
+This playbook will disable the user in Microsoft Entra ID and add a comment to the incident. There is an option for incident and alert trigger below.
Note: This playbook will not be able to disable users if they are eligible or have active admin roles. To be able to disable admin users as well, please deploy playbook - Block-AADUserOrAdmin.
-If user have manager, manager will be notified that the user have been disabled in Azure AD.
+If user have manager, manager will be notified that the user have been disabled in Microsoft Entra ID.
 ## Quick Deployment
 **Deploy with incident trigger** (recommended)
@@ -27,7 +27,7 @@ None

## Post-deployment
 1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity - https://docs.microsoft.com/azure/logic-apps/create-managed-service-identity?tabs=consumption#assign-managed-identity-role-based-access-in-the-azure-portal
-2. Assign API permissions to the managed identity so that we can search for user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have Azure AD PowerShell module, you will have to install it and connect to Azure AD PowerShell module. https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
+2. Assign API permissions to the managed identity so that we can search for user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have Microsoft Entra ID PowerShell module, you will have to install it and connect to Microsoft Entra ID PowerShell module. https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
 ```powershell
 $MIGuid = ""
 $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
@@ -56,7 +56,7 @@ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.Obje
 -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole4.Id
 ```
-3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections

+3. Open the playbook in the Logic App Designer and authorize Microsoft Entra ID and Office 365 Outlook Logic App connections

## Screenshots
 **Incident Trigger**
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md
index c5abd77b606..1360e4d3861 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/readme.md
@@ -28,7 +28,7 @@ After deployment, you can run this playbook manually on an alert or attach it to
 ## Post deployment
 1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity
-2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections
+2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections
 ## Screenshots
 **Incident Trigger**
From 1db9dc2c70b5b08f7997cee76d3785d12b88be3a Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Fri, 3 Nov 2023 13:51:37 +0530
Subject: [PATCH 05/17] updated text in azuredeploy.json
---
 .../Playbooks/Block-AADUser/alert-trigger/azuredeploy.json | 2 +-
 .../Playbooks/Block-AADUser/entity-trigger/azuredeploy.json | 2 +-
 .../Playbooks/Block-AADUser/incident-trigger/azuredeploy.json | 2 +-
 .../Playbooks/Prompt-User/alert-trigger/azuredeploy.json | 2 +-
 .../Playbooks/Prompt-User/incident-trigger/azuredeploy.json | 2 +-
 .../Revoke-AADSignInSessions/alert-trigger/azuredeploy.json | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
index 8f8a4b189ec..fcc39066f70 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
@@ -5,7 +5,7 @@
 "title": "Block Microsoft Entra ID user - Alert",
 "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
 "prerequisites": ["None"],
- "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections."],
+ "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections."],
 "lastUpdateTime": "2022-07-11T00:00:00.000Z",
 "entities": [ "Account" ],
 "tags": [ "Remediation" ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json
index 14ffed2fb32..271de72309d 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json
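Review bot: Step 2 on the rewritten postDeployment line still asks for `Directory.ReadWrite.All` (plus `Directory.Read.All`, which it subsumes) next to `User.Read.All` and `User.ReadWrite.All`, while the description two lines above only commits to disabling the account and notifying the manager; the change re-emits that step verbatim, so its scope was not revisited during the rebrand. As far as the visible text shows, the User.* permissions cover looking up a manager and toggling a non-admin account, so the Directory.ReadWrite.All grant looks like excess standing privilege on the Logic App's managed identity — worth confirming which permission the playbook actually exercises and trimming the step to the least one that works, since every principal able to run or edit the Logic App inherits that scope. The identical step is re-emitted in the entity-trigger and incident-trigger hunks that follow, so the same question applies there. Separately, step 3 now reads `3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections.`; if the connector tile in the Logic Apps designer still carries its earlier display name, a deployer will not find a connection under the new wording, so naming the connector exactly as the designer labels it is safer (the two Prompt-User hunks make the same substitution).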
@@ -4,7 +4,7 @@
 "metadata": {
 "title": "Block Microsoft Entra ID user - Entity trigger",
 "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
- "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections." ],
+ "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ],
 "lastUpdateTime": "2022-12-08T00:00:00.000Z",
 "entities": [ "Account" ],
 "tags": [ "Remediation" ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
index 302dc099d3b..c8d069e538b 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
@@ -5,7 +5,7 @@
 "title": "Block AAD user - Incident",
 "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
 "prerequisites": [ "None" ],
- "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections." ],
+ "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ],
 "lastUpdateTime": "2022-07-11T00:00:00.000Z",
 "entities": [ "Account" ],
 "tags": [ "Remediation" ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json
index 5f5545febcd..ccf07024b91 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json
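Review bot: Only the postDeployment line is rebranded here, while the unchanged title two lines above still reads `Block AAD user - Incident` and the description still says `disable the user in Azure Active Directoy` (with the typo), so this trigger ends up inconsistent with the alert and entity triggers, which already carry `Block Microsoft Entra ID user - ...` titles in the preceding hunks. Suggest `"title": "Block Microsoft Entra ID user - Incident",` and `... this playbook will disable the user in Microsoft Entra ID, add a comment ...` in the description in the same commit, since the title is presumably what a deployer sees when picking the playbook. The metadata object this sits in starts before the hunk.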
@@ -5,7 +5,7 @@
 "title": "Prompt User - Alert",
 "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
 "prerequisites": [ "1. You will need the Team Id and Channel Id." ],
- "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
+ "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
 "lastUpdateTime": "2022-07-11T00:00:00.000Z",
 "entities": [ "Account" ],
 "tags": [ "Remediation" ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json
index ee2dfd05e14..65d20ad7900 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json
@@ -5,7 +5,7 @@
 "title": "Prompt User - Incident",
 "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
 "prerequisites": [ "1. You will need the Team Id and Channel Id." ],
- "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
+ "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
 "lastUpdateTime": "2022-07-11T00:00:00.000Z",
 "entities": [ "Account" ],
 "tags": [ "Remediation" ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
index 08532942b22..904173a18a2 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
@@ -4,7 +4,7 @@
 "metadata": {
 "title": "Revoke-AADSignInSessions alert trigger",
 "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.",
- "prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD."],
+ "prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID."],
 "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.",
 "lastUpdateTime": "2021-07-14T00:00:00.000Z",
From 604302b8c38a0debf900f4f9036edd38b4c2a497 Mon Sep 17 00:00:00 2001
From: Github Bot
Date: Fri, 3 Nov 2023 08:40:12 +0000
Subject: [PATCH 06/17] [skip ci] Github Bot Added package to Pull Request!
---
 .../Data/system_generated_metadata.json | 4 +-
 .../Microsoft Entra ID/Package/3.0.7.zip | Bin 0 -> 87803 bytes
 .../Package/createUiDefinition.json | 400 +-
 .../Package/mainTemplate.json | 20548 ++++++++--------
 4 files changed, 11040 insertions(+), 9912 deletions(-)
 create mode 100644 Solutions/Microsoft Entra ID/Package/3.0.7.zip
diff --git a/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
index 373db96f769..8c562a0bc4a 100644
--- a/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
+++ b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
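Review bot: The rebranded prerequisites line still directs operators to place the logic app's managed identity in the Password Administrator directory role, which is a standing privileged role that presumably goes well beyond what revoking one user's sign-in sessions through Graph requires; a least-privilege setup would grant the identity only the Graph application permission scoped to that operation, and the prerequisite should name that permission instead of a directory role — worth confirming against the playbook's actual Graph call. The comments line in the same hunk also states a dependency on a Beta Graph endpoint, which deserves a visible caveat since such endpoints can change without notice, and carries a typo: `It will send and email to the user's manager.` → `It will send an email to the user's manager.`. Both points are pre-existing and could go in a follow-up, but the role guidance is the one worth fixing first.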
@@ -7,7 +7,7 @@
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true,
- "Version": "3.0.5",
+ "Version": "3.0.7",
 "publisherId": "azuresentinel",
 "offerId": "azure-sentinel-solution-azureactivedirectory",
 "providers": [
@@ -41,5 +41,5 @@ "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json" ], "Workbooks": "[\n \"AzureActiveDirectoryAuditLogs.json\",\n \"AzureActiveDirectorySignins.json\"\n]", - "Analytic Rules": "[\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n \"ADFSDomainTrustMods.yaml\",\n \"ADFSSignInLogsPasswordSpray.yaml\",\n \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n \"AzureAADPowerShellAnomaly.yaml\",\n \"AzureADRoleManagementPermissionGrant.yaml\",\n \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n \"Brute Force Attack against GitHub Account.yaml\",\n \"BruteForceCloudPC.yaml\",\n \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n \"BypassCondAccessRule.yaml\",\n \"CredentialAddedAfterAdminConsent.yaml\",\n \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n \"DistribPassCrackAttempt.yaml\",\n \"ExplicitMFADeny.yaml\",\n \"ExchangeFullAccessGrantedToApp.yaml\",\n \"FailedLogonToAzurePortal.yaml\",\n \"FirstAppOrServicePrincipalCredential.yaml\",\n \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n \"MailPermissionsAddedToApplication.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_PwnAuth.yaml\",\n \"MFARejectedbyUser.yaml\",\n \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n \"NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_ADFSDomainTrustMods.yaml\",\n 
\"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_PIMElevationRequestRejected.yaml\",\n \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n \"PIMElevationRequestRejected.yaml\",\n \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"RareApplicationConsent.yaml\",\n \"SeamlessSSOPasswordSpray.yaml\",\n \"Sign-in Burst from Multiple Locations.yaml\",\n \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n \"SigninBruteForce-AzurePortal.yaml\",\n \"SigninPasswordSpray.yaml\",\n \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n \"SuspiciousServicePrincipalcreationactivity.yaml\",\n \"UnusualGuestActivity.yaml\",\n \"UserAccounts-CABlockedSigninSpikes.yaml\",\n \"UseraddedtoPrivilgedGroups.yaml\",\n \"UserAssignedPrivilegedRole.yaml\",\n \"NewOnmicrosoftDomainAdded.yaml\",\n \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]" + "Analytic Rules": "[\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n \"ADFSDomainTrustMods.yaml\",\n \"ADFSSignInLogsPasswordSpray.yaml\",\n \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n \"AzureAADPowerShellAnomaly.yaml\",\n \"AzureADRoleManagementPermissionGrant.yaml\",\n \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n \"Brute Force Attack against GitHub Account.yaml\",\n \"BruteForceCloudPC.yaml\",\n 
\"BulkChangestoPrivilegedAccountPermissions.yaml\",\n \"BypassCondAccessRule.yaml\",\n \"CredentialAddedAfterAdminConsent.yaml\",\n \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n \"DistribPassCrackAttempt.yaml\",\n \"ExplicitMFADeny.yaml\",\n \"ExchangeFullAccessGrantedToApp.yaml\",\n \"FailedLogonToAzurePortal.yaml\",\n \"FirstAppOrServicePrincipalCredential.yaml\",\n \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n \"MailPermissionsAddedToApplication.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_PwnAuth.yaml\",\n \"MFARejectedbyUser.yaml\",\n \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n \"NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_ADFSDomainTrustMods.yaml\",\n \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_PIMElevationRequestRejected.yaml\",\n \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n \"PIMElevationRequestRejected.yaml\",\n \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"RareApplicationConsent.yaml\",\n \"SeamlessSSOPasswordSpray.yaml\",\n \"Sign-in Burst from Multiple Locations.yaml\",\n 
\"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n \"SigninBruteForce-AzurePortal.yaml\",\n \"SigninPasswordSpray.yaml\",\n \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n \"SuspiciousServicePrincipalcreationactivity.yaml\",\n \"UnusualGuestActivity.yaml\",\n \"UserAccounts-CABlockedSigninSpikes.yaml\",\n \"UseraddedtoPrivilgedGroups.yaml\",\n \"UserAssignedPrivilegedRole.yaml\",\n \"NewOnmicrosoftDomainAdded.yaml\",\n \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]" } 
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip new file mode 100644 index 0000000000000000000000000000000000000000..c2b30500a11645649791dc3d682ea62430e5147d GIT binary patch literal 87803 zcmZ^~V{~O(*EJg3b}F`$idC^~+qP}nwrxA9*tTs{cvH`L-gdwH-Sht0tF_tIntP5u z`sjVEx#yOZ00uz;004jh02MM&S=;4m>7@VwxI_d5K>r>!us70kG*U7XG%_}`Hghzy zv8FY5u(7`MdUII+xpZ>5@%!IL#5D6<{~&6l(p}pYdgKxGn}iq!^j|3T$bVja7-=%y?gY;!jmm^~+Nmfb6* zVt!DD7}=NY70M3Cqc^})Y@DT!-wrJ)A*CR{JnaX(&krT1mKt(Vd~Ex4jndX%_k4+^ zoP}KXpyN-GmCNc=n&{^a(&00CC4~*9il^zcY+f9StjNtXIlBv&pjI!=%)j46k1END zuk=|`i_`oT(;rOpswKKp6e|$S6E5FbH;2NK`H&aCe19*UMrC_-8>gitC!5(mqZ{bC2o*`Xho-C94bEa)*c zWq_!6=BQoq?kvF%amY|0mw1>N14O@eNr&vrxSJ==y|?SPG)WV-{tl=cXgc1lq4Scm z%s*t$PdAS`+Ei+W`r#-<;O&$to+f_!kc82eE`wjl5d~~mTEx%8Cb8A z2#h`HRQ=qpS}H@bh{8h?c0Q1J2n0+%&@h5?WLvJgv-df$JZ_sFjND@|cO3H_K%yC% zaDGNdSL@u6cLl_JI=rd|AZvc-IiSXwFsFTTyFsO0J5TOjeA>adS^?O1pR)4933?CV8 z%!zeydn%n!=H#%~T6sP0Dd;17>>8^n_K|M~eYF@Y-OUsH`XR!!v)HPtx^n(G?fuzj z`CF|zox^uz+qx(9>HYx1&?0YsSVFzz7*g8%9A{{bTukmgqOTGx9uVTUJh>)xEJNRY zmR5Ui6Lf+64k9I72-q+hne^2cBdJv3inP*CTC#Q68LMkYJ2%d(%`BZ3teX$A&}n-} zX-Q^te2p6IOjcV2lvMj)IRe#`ZSzEA)c+teh8s9yrbwUdoj3TZY>P}WQgmb|8f z?*Um?Bs^P)Pi?rj7d1dh!Y}@-w2u}Tb+ymBJ^Z2V77}vS;CL(2;w(jWd|xc)>w8lH zK05TBbj{waEABIhFBn~mi14({9OxR%35PB|J^%t=Yl6~(Cb6BjKui$1N)1^%h{IJn zG${a&tY0t*s>691tqr#5$YP7io<7I6lRO#WZK7N?guc;0Zo4)))%IZPNh>HKZ! 
z-+c>y)KF?vZMvRV2DpQ)O$!#WQ~WmIQ}ztUfVB{Yn229eLu2AQNu+>;vf|a-Iqdi{vHdx9#1>D>sH1wuv*HM@3)#0mu*bzX z_4RSCLU`=`HfmP&#K|}P!Hemh4j^CkqZFHdP)-4s>=%}>w#ySgvK<&2S79-u-|7$p zxzey+2^)JA9VGWJITiYRXWKz4&~TD>ACPN*!-}{JJ8ZPl@L%Xl8{`p&T*|q$v$&q% zQdhjeC)<-cU1A!~M|<)lQhp4(C?1{>0=F43o8T;>G>V#M;$09h%UNv6Q^3tXI2 zexgR7TmAyZ7L*te?=69Rbd$ZI7c%_vxrFx;LP%s@>lVuj+EbA+H?pW@rS1tv5euFc zL7sl+lZXKj(63M<+5QFb5%ZzRRop3HwwGS`7t`s20GfF@9Sw9-jP~xMWI*L_KG#sm zGS#8Yh>I+&F#JLMhjGD={WBcu^+kt7ube6d`Y0p z?C%Oc-gd!Ozwh^@gf_ivbux6(fS7T~U`++IZ4f=eILy=Uk94m4xOK1n2;93Bc2vKT zO`RI6p%->yCnkPp5NCV|7+@EUs7))t8hm7X;xB(lhZUkJr*;@A|Eg4Ea5zvz6@?9A zRDw!urj*o1UE(o=wb(wvc&0ebV6b)(16V0~y{s00c9DMo zo|~=e-9nx=1$1QO!L9rCcGoa_p?PNFSfZgimsCB-ev@t!{fVG9X}d3GmIYdPvEZ&V zOIq9uaPK+cpOk$PavZ8HEM8uHBu97-Ch0=tz_KHGcjdl%y;v|_P8)p zcWmveq@Zeg5U+fvwoxTlp12&oLFCYv4+yYYQ^X2+QVN0$1D@UmT~?YL(BXo+`fio8 znDFWlz_G;{o3lxYaXnqvwTJ3>>LryU0c&vP zuCg#gE=IR4g&1&|B+qyHHIG+AR`&ez8bu1NckKfd&m? z(CV(Wc473{#&=oMc=y%lU6u#;i>j@NEa2X;v)yD*aS=ze#q+;I2rATTZ}Fn>q0s*J zb+S{Gl%E-n!`@?>YMA!)2tSo_D>o+@39-dqI6FrG-dXMKjgteumiHG6T7)0&N*|8Z zr+>1B%lSwsHaVVB@bQy_5aCe%^iv|Z+_LuIV6?ZNxq47U?vk*N>6r&u;|Sq<0A}zk z4>!}NA6Dz6G;H3v{|eBa*km~)K%w##JwAx5>+e|d28TklkA!X^Aai1a^CikbxGxBD;x@Ib@uM5j@`DC_%qd5^o0ez?BQBPGgEF&j?zF zF+C_)KMcken0ty{c+Wobz+VN`tJ}AZ%AB(UCghJjM{$RmS8Q|G5Q_-x$-hZhd+-yK41KXLK<-BI_}<_**QuLkejfb=d3yON zKx0>r9>fHbJ5o2q@^gE~m)37Tw_xC!NSbDh(Kx@?l(XL;eU4}ee6%d3QTkNC^FRSH z=7Sb#oYfSg0kO$dZeC^KMxCR5V|vW#lBb%EKah&zbK&BuEQ zgh>nIAoA&}f0XT$)YXpY(irTe6VmtJSCOI=qd`$~g#c0mO<{4?H$}RhVAKg}FgY9e zVNqp02*}46L{k*ntkJPsY}^70_)Lkq`f^Kl;_fc(@uSh;xcgMc zfFG#kX1Gk-IE9_+nxldeb}Au`Jd~#@Er^M1)8|JNx&`qu6xWdFbEi+^Jl9;&0$lGS z4oo$8akKF3jsNseDh&-q9O5CpEenqoJgEyd@C#T#N-MO6Lb)=qHAzIzTx$E{=yssk zqJAdq7+mx%nOabOxb!7o5t;J1OlC!;*PM<*u9Pn8;)wVU**I%qC0MW-=0#?@sCf$P z+V=drU#@Ae>0!c@F4_5qeAJMkSrHS*lAvVy%`-wDS~xLaVxiDC2xKK%v*?)>e*IGS zC2^^{vxB8OYM(f#fUQ%|gzH>w3xXM34BlXyqI?hblHweEILIL}IIulbnYmXONdh)J??u)WwQxQsgx>v>2Yz#UW+6Nz5J! 
z-QoQZF^2Ws9xrYjDXOJ_Bk8X_5zE3Z(^#A}M2I)^WU{LlzM0J@)|q3|}=p?L~+$)V0CiwA=+u!!n`=pDn`%Jop7;PJqQa9RZj3rL8gi?B^#gP;#^6*#V zghFC|o!5M}x0=$X`8Lls3)_pn*ag%40EZZHZWvL;1tSIXo1?PB@L|Q&BIV0(+wQJV zzwRV(fUQ25p}d=>+Ct7X{T##kiC42Uh$VcX9~Ov^Kis^DL~9kNqB?e)cWp(z!6FRhbr+wU z?%kgxFD?W1Adf;KF2=*ieU%59PV)x9tj20Euh2x~Xkax$fZF_s%I^?hoho;TSbMEh z9^CgT>pSd`eQ*1|_dsksZSnEn#nxNFQMX@i1Uy@RkLq>T6K_2M@kK)kp^z(JgO4Kq zxR?<($+iy>`{=kczp7z63Q%&N`|6^UStN)BtGeux6+i_pqgj9vQGNrMY*S#C-E%ai zaS5jW6X{PDE7nTX0k$C2cc?B4-#E+-2P_F>MX<^|`RGfz4vNG%%K2kpR1xEM>Q3(? zJBCNiekwdDvGTw;d9TA%OE3#2qLAeUm44U zI#UDss_y0YTZi6-c1dru^g=trY(~hl(ZZ^WC}iH#`BW;y#cR-`Y)~=bsi4a&0o%bM zKwgD|$(Rf2{j~i~b$ip6!^(@Dh@?eN;P<{i=P4bCQw)Lg!3?pK#(Fvq$aN?t5KHTl zfmE#fmi>@HNugtx*W2zfu%)I=TV!-n91b(t(h=qX_PgpN=y4&Yrjqbo>@7^d>Fr^L#2+-lgu2(5R$9 zZaHa-!SCyk187B%g=qAOu)E7fXRa&R!F8DicN079$GiCG6?CJnz(nmfj}wdJ3u6+w#qoBZJX1Sm)N}M*`3L z&L0jW)-B2jcyzxTWO_1|+8TH&Kh(wwh#x(+)&rFseZF$P*#ShpyX$T^_V)rFxe8lm zW!xhMDILW#GW-@aL=}$JuM8)dZjbPN!`a~`QD(I-^V)r)_xXJ|UKy5&2c-JOLbBT} zo8BvHUt8-`1rU1N20#)rMNS)>(91qzQVNZv^newNfR4wd^?3m3c}Lta7=HGtERu^2 zqkz3ok|~dKq|E`N?N87E#iWkAQjiX#U$sJZv2K`#q~P7gtf-$EajffN!;6DVr_fcd z+pP#eWQRXlD?&D6MC;+|6j|5>5Qd%;yGmB%dS6c$t@QJ|d8ni~@EZ)Mw*bxuHTKH{ zLQhjMp1VymJpfH8f?aZ&1>sQ}4ti2Y^3pYrY`|o9s=YdU`qK00K1GzB1%ER2j=iCq zUabMQ;O!Ccc^GhdEwJe7IJ!m&Y=?*t-t`q$1G@XHmucKJ7p5IGLlU_#(2j@If7=Sm zHrz3y<5_joxHw^$$pO%zLl$H5xV^_bnoFozJXRodKOd9|4)KRi4@8=*rHXGI1!Lm8 zUGu=pw`6mv-~f#%v!G`_##iLXPaayDPQASm127YfcU2W+zKWowh%g(<31{&}1q zB2~(`hMer*^in`dF`mE)@FbTmnZQ_&&~VE}MKti_SwrWAaIabZE46rr5wd!0zuk0g zqKYGJdRsleh-Q561WM8|g9WIcj**wTIOwEI9gB`f=kDlW;gCjyJ&(RyA?4?tUM)hN zRnu@TySN`nICpXFoN|$<-5vlX5@jlqxj>v&UpM|z?$@RN9?BrEMrxk1BY=x0FF8sC zB&CUvP;stSOl1&3^A3%G7DRRAYVWULK-+>qW{ej^?|2MCDM3?e4b_DJo|g{!wp9BF z5{_gyS)Y!nt9>rq(*#G|^a|vjOSf_z(jW@2?=m4jrr z;dHL`afQYzT$_Z(pzh!O=>!;dLq)*AqbtnA>wrygs-QPV{!$p+zzL(eLXv2?~ z1tDQHRxdf298Xfh(I3akhaM~1Yy(u5u(&vU?fZ_EsC_20_jTeNzz5An80$||T$&0m zKmvK!dGyz+rkQ6s>ylCvyNaOtS*?SgzP&o)X1%0h?Wqz~49{36F9}%f&h;28pg6Kg 
z16L*+5C-Y7k9>i*4HC>1>z2qV&~u4Nl;MM(2g4zXDSdTKYoEQ^sfr+&7qN>3P7zHg zeC!2;fO_(YEm7Bu%5S^r`e;XtWyj|ot9uoSE+JD3Sx&98EO{YCXwFCHeTdYE<@%g~ z3jf%pmZ>A@&HP(?+z})>6qk4?}q2uwDfCOq$3elFg2pw zUUbr$Gt&IxSHqLD2zk7^reMOO`r3A|MFLQBn+u-w+9%l*c_WDg1>~;t1_aJ@O_uvxB+<%_^{@4cE_E^w%J>%Z< zh*`p{Z~r^x_waMpbrU+gr$@I7)Eh+OI%AE733BD*U3-eJA)WE>zD1@CqfBd%>GHI* zRTG=(`6F+A zG!B7}tV9K(x3$KFMlcxIimgKi$jFj+ln=~3dBB*n1j7SAfeq|R={bjm(iMvFgL>L- zoXxWh9U!s2puF1N15auOlRYqtuyrv!3UXGpl|X;wa9iFouQ?s`+w$P3*w$5|NIT!VQf;=O<7Ww(M=OGf1CeRKlW2hIQMX#Wrwa4B}jIKubHd^x#K$HshsrWzVOIdD+}b`qNy#|^t|omeIK_j+ z^dbP|T=>*JuI0v)kk>Di4B_?-5k_~mzX^OE9h*GupG_yq{p=cQGyqsW zh!Yv6ceOKupQD}*XuFT|^SCLkgBkAkbM_b**+03jt_*n&ocZQ6(nW`f5{|haU2hb} zM&Jv&N@Sc1MBtyZ1!dq5^-#tG0!m`Caq#eXur@YUpQb0f)+5e@ue>6_F22~G|d*%4ER?=N<_+2vJqyyz#3}ZB7lrlolcxg4fjj(|B+JJC0|9RYjQk z5|q12K8Q`#=Ve|vNHqj%Ry$C(x6(6?jkYfQz{bNkqJisA>DtkWMK}Z!;1iZ6I_*O8 zwiAQN1s9C&KC!#Ysu0g*v-1w0ekh(Z9rXS*Id#>bF}`n>$-7c@9QXwqD%#hYo4=AV zY7pF*qzs_y&$-Y-ghjrAIX%c`cmO1^Qze**!>uP{p%b63=mthgQ#w~uSn-E+!oZ*6 z59oQS9(DNF2bwQElQ^cBRaXkB;Niy+Rfl?C=ok+CZ;WB4u ztYGGWlM1pn0Im8|uu^_RVRlilM^Hucp$<*>o9x9_3Q>eJP3cG~uFmGj9MmKLRL)~` zp_9wT%#O9l?De)B_7fj*M0f#vxE!JzH5F2G?D^0;zFNPEv!^u4!SQ`wjr1%*ladZh zm8*BfLjsh=_L9`~K-Rp(yve4B`n(|%;r-ZAQhwaY{*Y@2AAO%TiQnL5GB)ze?IH)- zMi@N+y(rpb4m0BA4^v&z<{L8;|M;BRYM!88Qp2_ull@r-hn&oV~`>hu@rrDHfdSs&Xt4|Ii46u?QwRng@VW1GLoTv(EsLzD_Q0 z1@m?qF$~7`+9}b`KhvOLo5B3JWi)qX0D_g$)3Pehhyp1F{kf=zpWP(kYRWeSA_R`rgd#e=$F5#6(4Ht8YQnh2rP#1wjnX#oW`)5@w zydj20$?(xAVv0o?iJM`ZI)?Nj|rS)7B!18A>rV0zI+ER>{hEdKU zla%---;L+PH%8j(VO*1wN}@2e@yC-3QLoxNN{E|FkVU|S|FI8(M~8Q3^a?M)ANRDE z>anO{M;Flos)4$?CX3f>M!Z}r0 zPL2G&ZIhV;c$ozvTBc*NC21hVlRRe|<<~?zBMxH9JE4f+uyh_AK z!%o~l0Dk@1ylG9=2luFL(=$f>e!QlDoMEMm%aXO9NW>?9q8#zJtMZr6L<((dDf zM*zK9hT^u@E`)=lL9gXAG_~ndl08+eA52ZE>}ly;w<`1g*|QGc6PJ5OYBbzRaXerv zyDzMP>Vw-tgP{aA%7J`|>GZAA zN>EJsVDO1<;Yc~e1`GcgHPtfyqNNpY6x; z=aoY$w>kX{RU|O4$Qaq@JU$cd0DLym`yL_Bj>>Vz#nG*)5%Hq-!iWh}8^PA9xenSH z4e|;{MBj!SK?`YTXh%W;JpH}ZJ(^UnSN_9g{@8ga(c&qpp9#_fy%wsX5mYump->55 
zzZ#MX2Nnb3&&BC!RIQ8*rsaY-hSJP79Ab)dl?)C`3p;kaX7o)Y**AScm?XY@11bxk zX34Yj%0Oh4?{{+h9`$5NlM-GhEIGht55p2WAd3n?Cm^ac$vnljyjUn*YB}us0-&JF z=7tniib_7i%Ssr(wFoV@+c5iP`Sngz%jUwy63qqm>=>OC(4c{?JF_yy3&Fz z*g@gn7TOZQwyvEy)~=8OcdeurDRnlNL*;Z@J0uQ!7QT7?@dL<{mbu$#PSvM1v?%Fb>y}Zm#}Ge$M1OJHu!s!yghh@qw;zBS^MXZy3?Upn?v^wOe{MKXAZRXDrH5&l>OSs#YO2a*F`K+Qpa6o1|IDUEMe9oG<>2zk z5)XI{iA<_8Iw9IPC9lXmEw29^oLWm@uZsA=m^iNq6i;-{^Q4h_gBV+Qr>J`8DcXAg zY^?uLSYvxj?*Rtdu7>nx`k9MHti(hhE8A-$JBF}*z2eYxC!c3eCOd(GGv*x6?$U67}Jv7I*q ztgrAj0kIdLg#Cd;^X3=Ek|(Rr;=UX#ApA2|QUf3@o39qaR{ceF8CcCFFo9^x-LH=T zNQgS1EuMP7K2NBw3yGKHpGNmh23ciT0Dy>=u=2Wa$6{&a7Gy54Pg(-p-qPc-SL29R zV1^ci>2-i3Kn8lFG{S3jSy6mCmS>uFiBSo<6l(E%Oj>$f1RA&xR(^GqM!QG>t**De7q+y;_|JhZ?qVTlNAPUMX}Djd_Ef4XP8SmLwl8vg3}*@ zR)b>nfNPb-`4^$1#R@B<$mp!r+`$SO^2;Jiwo#i{#wet4`*>!QN_5_pU=ASnZ|ID( zSg-&{&>3r#STo?sxB2NOe@}opR<}gv^mXqG5ww(2R zcy49E@eufjgEIGyM|WK&kuc>q6VTcD|?~DY|z0GStLJC~~dX z+0^%Ry~sPNB;v`NHOvKI_LAiofT+XKqa>oWu3=v8tJ2VX1KYK3pT|eZ2lF#vnv}2Q zLGHcie5tnKzG8c%YPf#`e|;C(ThZNcti}6~o6q#~bMt!p!$DwrAd3g^)rcX$Ev>e86XY4%hu35~b93F{4Q;dF&)vl5 zF(sc#v=9CVT6Tt(L8S{#mqliWDZ@R!Xxs9MH$y|p$;EXZ@7Mk;h1vG)vBdj)4LJn2 zk90f3RQthKUC#CFobx5g=@;^6WKW&SI4AE9P@kvFUignw`S~W>Ce@d|yHl@sTufLi z|0g?{c6hNO3!i57z3fIKW(=z{aP_qXmwO{!3zZa+)-w~1z#!ZeR}5F*(;vp&26U^g ztE?{_hu^R5c>P8@lQsq2V?l;Satmqnc{>5W9tgVp z!Hsv&V}^gtbu4}VYf{MX8PJ6t_T5AMy#$)3%oYXqjp<{1diFDMJ)qLU4wPj16tpZerd$;p4rJ|dD|GI4{Kh4rnY|U5F{6}{sG%2*1~g{ z)8Qbio8ag-@nbEJP$kK+iPv8RJ55Pzj_=NCu;SQ*xYVDWsGA!I`AtuILvu9!{5mvr zNJjwW=n?E+6wUhQ32io^=*pDo_n2Qr+p0P7+R*D+aCLIpkN8pm%$4AqWKz~3ql3>GW0<#_s@EL4k}IL z*;RJ-%ghpkR^chin`C&E`VDLRaA@lk1UKbVV`l4COlqZkG4B=!}nKv!Q z>nVz@B)E@|;bNc3V*Dn8O6iL3$lyM#QVoVB=ny=8`Dr@y?BXy_b)L|+h8xZt?(wM5 zKTJBx6S>B?0qHw^cNNO^rDKP(4GeHB1UTl+u>zA^43O-@mNX-&k2nU(c9EqskB-anEo%0rvF760hr%kag?tI^uWEc0xPK8wB z?1c~gvil~s+n8GqAT4pN-E6laV*RLAjS;6l|-%U;q3W~fraqhfwsR#-!mUYor5GBC|zEaqWF zU3)SR{1oAC#Wkwz2D|K_jv-}aIO=ufIG8gnp=0uG6K5+y-50kXYqMJp2#B0lV0>FHy>1 zwivQk7Ivbb#Kr!|W$_`90(*u4&4NhFiGt!M 
zqax5ttGHs}Oz=D)(O%ig@>#BW8w!VY_E=dQ=$35=Uyk<;t;C~Rx+KdwcT*smM8lFC z#S54xm@53Gr4X}_FwZ9|Ae$(4h0|rFAo8w=jfLZ7BN&+8S*nQ@k$;t*4{lrp%epbJ z3dv8<#p8m?^r%nHM2u}SjA5>>>|RW}rLA+H7uEH#uG&jW(@K&88|*|&Zk|LJx3f5U zysijE^WZ&58MG@sW6NS)RrtKVEF)SmwE1__wN!l;Uq`mwnZXa zHM?;(Boea#w?MW<%9R=JSND?&b6Uw896m~ccB7lGRukwTO?94>GHVehz7BA9A*^-b z>o|wl4#?fqhP{01ZCqbZbgs~cc;@fmgk;pn!(EuU0+8$o`2Ir5 zbSwPEjs)8l+?gwmJR5NSjsdJS+~G!xrCC}Uc3W_6<|gph8HTrZ7CV~FW?|sXX7B{F z9!{s(QM6fWrA~}kXM)WDGZ!*IBb>D$DIn>NbC47k$&OqKBhzJ&*{jlEXAy==ET={Z ziRia#gVoZKf~$pvs@cIsvi(~=7tLj6vi&PZOBta?4ODH=LM_o}-L*}zchnGPy#(L+ zD~>u<*m+u0am+OqzDCaKyiJBwXR|Typ5=^uITd`DH_?`1YaRTk;pQvp$vg{=u3Ouk zaMKn_OGwd<*sH$pxLQf!F8fIVOE#VKGqH-bW)cg{QikIdImp^|qf$__qT8=pZB{t! zwM1GX^ZeWoX?c@1wb?^E*P3qbFg*09|HZjT{{RSze^8?nvL9S?7mfTy+I-e)6P> zpF!kl?)cVx+P-<(NTui#1@>+k`?-tKNhgABiH3x-0VIQMDvgQBC#I%YS|h^(IP1yQtE$&&lGNBfI8ni>fLQP% zdl{O**{q^pwoqFs=deGaA)&1Ou3?!=BJp4vg%;SiO#yeLqS0{Stz1mmlX;vr8SqSO z%4NV3%C=1>gl)M~ z(O9Bp9cP^4u2O*~%s%p}WQ2(n@MCU8J&p`7IP@_$eCgo+K{4{b7({)es10B3FoJ2o z_RR=x500NAUitfxA_tWx=gk(;w`zLN!^j=yFcWdH{@6F8|Eyip{-3pb+UK&1Db%VR zCom!BXjZXAq2fA+EUnbvawDs~RARuAzP57Wo(lKGOfyzON6iSPI?wvbe6N7(T3?5U zeTAABiB5ed;cp_-jhFr$Ob{PeEur;=!@UVG*M=B)?WA*0n3?9rh$!o{Xs$B^Z}R)l zpF&f#LgwJ)`mljsPm+PB2Z4aL^pSz5B{*sZs%5+w_fw>z2_?jFJHv>K{B8?-eAHIK z#}p7@jopvF;74yOsQw$q*gs)-{vTnCDcEMoOkMPSKkg*F-#wob`FOQ}d7`|`pE`e| zJ8NnfDGcmj-u@TEzY+XpV#0qh{2M^F|M~apDQJnV`T`EzMmNLNSr=lrv%2Xo+KjGj zo>QsdBa{mMf$W)dzuX&Z0FZbfP03A8%z_MoKFT z;2MXc7qKI)^fUuk|M$g{a?wSj;y%S~y0{y7Z3w(%vt!9Tg!#dE(WkEgn_Q$@FC)p@ z0`su{!+#mLfA}v0$4usCq5cgW&R^)VB*}uAuB0F3QUv{;CU};X$wXa(=PB%{o@i8H z2Il|wZ$HA2?rSWyN*Abz!0|f6P}Ol64vt2B_Pa_oFwuSNXkJIvn8*6Jyoo8;)=ZHt zOL*Eh#c@}fZvQG~7pjgP31_zox5+HX);lZS#C95aYGuWJ5JcIq=p_R`#g8UyqRaVP zKfdxbH)DQBiFvxJhBE&%jU8fTsoB$p*fxWs0V6IVN<W z9ql^i7eJn^Dmc*Nzy-3lX(RKn^ZgaGjPE4=6|(>tI7TuzsOtN%$GzwLb8f846GzLa z3%nz`c^m{yXkaRi>hrU!)|la7PQ3gvRnfkGg@I8WWTIfU;(HP>TPQqB$-j4{7yYF> zR>@zoHw*TCqqKz}-8T?L(F&NO+3@WQIhy<5zL2w#Oy2sPOzb`i*G7iFT(?O6TW1!T 
z-+G_0js&{==fM42r(#%(cfdUDC*^OtJ?*0uY@t2v*Yk8MrpQd3`cNjqt$+0?Bd;V$ z$=5cqUi=QGSTXmLv6lGO$b^O+H~UIc8_P(M{p=!m$&Lz*fw;UFYA#g|!_>xu( zGl`&1Q~GEE@L!SWIvn%+$9caeAf^kjz>jFyai^!@z?z`q2ySxL(Mk4ybk`myo9B9(M7wkX`%kbi^`HKJuuO5|{$@8#wHFl%Ue zJ~fJoHSA~@)1lA(o!I|BI};oOJCwe&5YN@Nb|S9q$cPam4CmLF8Xu{+ewM&?l+9BI zmY`k3Nq>gZb z+F;)lqJGi%X2EurDrp!{mO63HG>&@e7=20J?Lu0r!8m=1K9uzy%Ri;D?qL7_#xHi> z_rZ~)*#lj?Q(DS`+v>bLH+hN?Gyh8zKjUSM-5F;jHP>&EB{tOm?Vrln{@P0UE0kg2 zz2E%(AD8$TBvbkF<{qfNkj~0mWqF|RGBeYMe;mWuEhw;%8V=A~PQ~ia(CmS{5dTkk zVmp(V{-EUcHIZ0|4TE0FiziyQzOx8=nC3qC;fqMS(DG*}iJ$VS4`1L_vf3$m?SsdH*XJVT;+vL)a4Z(UE;f>ps-Qv_SWhFbh8(qzb~UUlaz6g- z(w+$x{r{cf{+}|i`gVY$#9K;WivO(O?Lc+*)bK>t80&nr7H9KpuP^!)xGz_nwWaIoFAU^GQe*=*7a&T5<)>yiZ9n%hyzV0+ai)o^Rk3Fo24@a7O zD6JL3#YCR}S7`nPf~CgqEaY$_g#@{Od^dfUE*;Ucm#gkACXr6i4m~`-_UpDBVwvnk z0cC{E#MtHIO`lcwp(x}%)DHP zmk9qC@4LyJB4ZW(_C8j2&Zw!8Q^_A?3Al=_8W$kMr+Lf}N36z1G`P+XT z{X?tu?+GXV>AwQLE6W1jSO~nJ`!re$`9LwsZQucVlZ zPgZ?6*RzFHk5iq^rLq))v18 z8pf&?TbwvAUz`q>&M2~^4=N0w46 ztj3nvxandOyd`*(_S9N%MrTWxTPJJV)Q!y-5{Jvl7OB=IO-jVg`Mtx_WGW8N?~ix(`%?$&)Um|h1)V=ETQ#FX!^z=QG%q~v2EM7 zZQHhO+qP|+cWmFWZQQXvZ+5?Zf2y*xt1F@-I;#_PPBB!Y7p|U&NhWG2!-X0YXidbj$Rok#}4ugW{cUXC?G)bDmZ+%PxzqDTlPU+ry(jbQ% zwAP@F_>&gut0j-ul|$pFiTWu*GJ$!a|KuyuW!C7sDR%<(cBhHTp25bva?C)mL>#%V zLQizQ`xFl}x$e6K_}_0SO|gq2s#m?dRaedC%Wt+dvY!59Yk%!wFQ@*bHm}LH`N2}2 zq%u@V^}@9s9)a;^9#eh`$STEqP*jK)(6_2KNWi!j%ii3aIQc%>^@8j9Cu{yKK7IoC zblqU)Jo0||+~#7r3&oZ!cW2ZHk-wk4T8qy!r!DQGetfl_d-}(sZY&31f5XUXd^^t0 z=K4xvOUjI~d2i<+DpJcqwG2IOWuP!?wsd6h9na3^tzW+(L#hs6$j7x8qS22@+|IY! 
zhg;;q{s?!K%i8BJ?HNs~UVH#_-SXQ$#$b~oD_ zvCFYEsiZU5-P?eP)EFZ2Z?MR8N%0u(@+=clW+05KwvZYQ^gcWyXL0vN`+2%P zP50@)I_sQpAhGWn(ed%U$=h>90y*Y3f4S`B`tZ$aN|qwn%fM+pvN87pQN^Uqtu+BE6eCFKhhdBHWj5*I`=r?glsk4 zr+)V!&uERuXzy*G4Rd&DZIyVia`WI)ReqB;eFsfr4t`K*4LWBh8Zn!E_uy|4Y<5-` z{j0X2R&CYKK=s%JAGLZ*xSzyjtULUAP;t`&A#q9Bafeg8?+ zzgwkLrzq@zAJ%xwJ?lG!T1W|~WwJ3j+l7?W&u{fKp0c0eB{P><*T`Ke`D%zKD{hFE zb=SDv*}9|-n)~C(qvu9UgWrQ+J>l|^-2JRqm-^e&-vP>63KNe-uzAiQ85f~pBez1U zrKtQoki1T9a(>+O9sJ|wI|1hLrxk$a*I22*a@U~EAYhsO2PP6?p&{s?E}{LtaSvzN z=q(xzc_QO&HropBAF2vr5*{&g9*9PUQ@!r2PJ9B4*5rP=om_VIb?BcdKRCi}Qn7C( z2<|q%nh_(QBTmOW5*O!EK*;jva`Q|M|<6l5UpyAs4hg`&97I$)s->cpI_RlJ{ z*}w9(OEXV`+rbzAfcT@<{7#jcQgMExQchS(>)g?%w5HDi9&(+91U^OOA~!iFs6j0kQtk7-<3pq(lZ~4+ZmR$kEO$pURb+x1A)Y@!exNQO_pZ2tZQDZQ+E`q>u)u)s;T%qK1BUV9t3 zz!?*Ca-er#L<6vp>+eL_Lq@_Rd^~Eex{p!cjs)>5Y1@Vh-=Fuzq8`wO%5 z<_T6eg8VTTMez=7MB`jPZRsSZiLErd#+%CmGzb??!+bTjquau)X3VDVi zFDUdnXW*O*(hr2ueO7^tUG4%Uk#nzVsczJ_KzK+B$~`p@v8h+x{%n*!^%%5ycdIyw0H{WY|M`Cs5 z75+O~1mY3Ot{Ac**Dp`=%EW$5TSO21ZcNDw@|C}knRwO0+7JWo>KRLkf12yu^|$YI zTR9`UN55Q(yUu$_{tWY?cz}bB(^gKI(C}AzAhhxKdmGi7wUsu5IjvSh1=a94Q4@b3 z%_5#b0`YRk6;VucjGb89Mp1&;y37DXv1<;r9RnoH)Tv=Mn$qWT@#}61@lXZ%gZ4!X zH5$$z9yC0DfhPFlkAOQ*IVLMh?K*N*${z)lI^z09?Ae6e%^;qu)BB`R#z{rMX^$Hn zJ$6$H2rii9IBm&wB*2)&u*jydG~-@gcx4vPed$66?j^Ws#l#V7l%*?ZN7oFv0Uuf= zlM5nkHUMwbPKxN|o0T>oCW&pzR&yc{&*#}Wf%vIDY2wWT!nj4uYG6|zxLI0H8ibPx zavcTWlCdIPhKt?uBhNtq#j!OH9Xobpcyg9ZtWh`~W3{Y9;45)i;=!j7HQ_DG_+Pr z`@P|Or$XE&g4+%T%MS!?p;wL`C*FaJ3>ixo7w!guBZcNgi3LH@0K}AZr_6o=v|C53 z^JDt31eJ5XVD-VFncOt{b#mCX?YXC*ie}1lx6`3`fp~3*I;ju#u~;QWD%z)pUAR)0PhGcTxE`4*3?e{Pi+J!b6YW5 zphz>L6!_P4&uKdm>^KCTzM|#quDXwqeL8q%0wmpUF#Kf+dmD@<@edX9SsXnLM|*81 zSz<*q$Ysdl*ol_#eRfS&8kGKrdgl7%)vIP zZ8pK)<#e9xjaNe%(8@osAv1^YxX8v zWA`U3HDC5wg=aiI8;(gC4rvF|PSex|(y3paK=tePrcix4gXrZ`h(Pu8YNE&MO8=*c zm!^8XpO%N}%~9jFdA-llPU>I(5YUurN%38tX19Sus=C~(FC- zR7npgUP`H1MOl;bp0*;)t@q%NCS;O;u=_9K8kYc@J$Rcs+6+eCxq1%jVjz-zYReib zK|^W!6m|c3;sv)MHKeY~AH&ddL_H9i+F{=<2)Z7cCI=if?KGm+2=)fV9K%VfO-OqU 
zLA}G$7to_Hc@%Mne`ldAV_;6XM^r(o@?rsa=L_YTp=R{C#&c%4J;Zw%ag2$376()$0SC2=etU)QM zoz}l0$#(D+H8?J;X_^^9v7!AU)54}TRbtQn_9C(VOhWWLDc$k`<$~)2q6$pmVvipY_Qq%I;)xxd6{yda z&5}(0Vl}qt<-cSr_5$#Xi>Iw`e~KaM7-}1XmAaf`pJqKMtJ(m|w)&s3DvoUe-R^9% z3-Qiv<@*EUlf)xU;4hSeh+*qfyn7{>fb;}ttoJK`CCddOK8g`D^kXeik(%fTFyZQ=l~|1{-6N75pP(63g}^k0uk5~*HQu8y8$O;Yl9J- z3Rui%AqC_Vk!1lBpg$D=jI)9Y_(1?1U7pm@c1lo)BFypxxw|~T6-!)V^0_BWZSejT zPR+js9Gi_W<+G299}V2h1pDqWn^k^woP6n{pTJgw;ps-I{geS<$2%1#VGMWa)()ao z&p3RWzr=Um>LHOM^R0>Hqyrk&!uRgx5Q4nCGg5`jy{x8@#ASH) zfD>0Wj8{%fl(DA0yjyesd^H@C#^}}#!Hri}C5)pUb`0gHLl{Fn=n%q@S0N1L_>aLR zl>SfiYp}z2zXt30AA|iJ%2)?^g)lJ-WvpWuLmlI2=Z_O}x3&z5Stf*8Pf>{rGU?I1 z{Rf#Kj<~WeAM9?pFS^@={T+4yKN`oFz|E4crZeZ?XcMF7z!@OXX*G6y9~1mFG!df% zmKxwa9{qmj%tO=)tOUyX&u@%`;4(-hmGv&DLh{!ZDS=qjQ-Uv|T?^^0H;!Z_phF*8 zTEB`}%fq_kMJb}JWprb2xup%HpYkm@U?{*L8V-AppBRnT-8jG>{@<5|-w2L$W-Z7U zDyGJWsXS|vY>6mn**Z|?Fk$E`eyV!J53SH=J^q-N#&OFDoT+Segah%X(|tSbLa<@x zqSRh@eHn-e?<;4nGcn0F3Idm{jGn88c(h{He}V+FMt6xPDpldYa_ZYhx1e(69Zh6` z+?AQY3iZ2wwf%*21vkJm3B4+|O1iZ7`v#MZ{%l6jstKKU8bw4A+fuJN)sW z{<_5^C_G#ZWAEQ>Z|z|eOOLo40w`90Y#^U<2r8R_A*@&8y{sDGLOppi{%s*x71mi= zX1>go5Y`uK!4Bx1nzh3{vc4sIqgCJmWveBG4%l4^gc+DEYTAp$Wbc_Tf*q-xKRLEo zx^kqk(ZUTZlKIa}fMK+;)e;Tm&KTM(p7e8UwzQC}u+=ux?XcC-M0d*mpA#9hXD{rv z^TTXtedx5fQ9Dp?|4G|e#?WPH{7=u|n6BOleYI9si+%X6u4A1KZ`kf0Jefo3W%=p4 zio3U*jXZX>Biqh}emk9IcPd#@34KCLp-)q|f!nB7t*zAAY|%VsB?#&76AZs_e|-zU zEUf0V-o3i}$p1XJ@%WiKRRL7%a?aZ=$aW9;OBgY`*MM-EMpgQA%vBJi=5Ws*sb*d-T;YiXE{4+kw+`xyQ; z7^L-Q2oU=7i9EwQp`o;5g%jFBEN}{e9}UmKG4W7dueh7OWrB7nj82BEFJNN#@IQtW z1}2~}I#oUe{o}lT_}0M0&T^4YjET{~$^9a9YN>ORy^~6dfW}1HP{^LfGA1(eFVUrP zk{>}-aPfF>>r^{3SfRpnv=t;sPWv6+v6mmWQRawf|2n#TN2x%dDzJpKmneoQI~h>n z^Jm0AF8}`SuCsv-j?>!lS<{EKx(2t)YJ&;P`in`q3CcX<)?0K;N?Fifjq2gLOhj>e zaRJ(}(G8F?WKCwTD%598J78g4F$z}s$h*8{u+0nfqfZVor*H!mjcBK zu(Gm;HA+0Jph$SH^abcAhrQww<-HSYCn3EenO(@icrTjLCeow(FD8Wroa;3e{pL=! 
zjp>HYs50rQ3JZ>x3cx?Hrt~F)*5l%^w>Ofl1)|4GR)cl+K}~zcn0LIl3Qq`E!kPYi zR**qQ{|PMY1P%}aJ-EMLqcy~G3tkwJp>3jrWZ$7MPcp{+*|TPTXEXNB zcMbv;b`X~lB2hP7kiFXI1`|5iny}|3JFrS#`)jxWh(IeSz)eifdd3{iQy0m>CzJcio5c5hG5l{D6 zUvdL-6nXv3quV5Fj*@~G4Dmbc>AroUl492~)J^5$BHaQB7AZ6nsR_xX)vTfuCqyD} zAeARF_V_txTu4n)*mV~U?hN!Moz|?a6|vhvEi9w~SPEr2@q``2QmSI*T#LQ>ps&Oe z?5_cXrS4Ng*^oQrq_Ve*WZ+=Q3jvqh77-``3A(~Y0w9PhoN4TclE!%*jrKS-tGj#9 zIYUKnzgXh=GbVT(9&!9)mMqJ?U1ukGqUqxF%ZY%L%mg<_-#e!FCoEq96f<5?VI-)C zL1eR+01$Xg4M;_4dW%lH$IWhs31GcH~ z0=0kdX9kGk`wEXlQ$y@9byQUy!@KJ=$H)+0y2P;o}u9n-f}w z&|Z*RS~P8N9SIW|e7wx^#g+c$utWm&2L5?~K0cq7^vEyJ7-qyB{}4=Q7P;rl_wt1Y z%cgm;ljlvjdybp2r98L_Cka;Mmz5?B3-(^>x2?Q?c~TtPbI7}_tpUA@-Du9{2-E@^ zbCzaaLt&>?!@jUNRTyuk$9AvzHtj4^9BWb51B6^+L~sQZHAXGG!>mBe3Ld=t%F&qu z1VP^=9Tz<)x+hB1Ap%O9`AdgzejI4=LCWv!#qA+|DC!Yv(Vot!+UpWavC=uMi$YM= ziGL^fb@(seUrIf^2p-6)?ul$=K3dd9WHJx2Tq0y| zkN3fz)GX06m)a9GzOMU|mUey!aQj5>U{ZHyt=cqucQfByY1bc;VrOhoo|#^Uui3mg z@~V4GA8++Mx^^^kYj2=#hQyC(*f>z^`SMfW$&uxsv~Gu55@*k5anuo9^zPhI9LZ_) zEX)A?!CCOhZtPFe9#f~I=kcX=RP%u7#vFh}78Zg$GjlRJ>iExXq{x`zNJkRzCmCOV zvBrT}P<2&tG0}i`vz9oHx~00ln2j2d8?hiaq8=@&aXM9Licqd67-)uIV@Osdy}pW% zx@C{6#lU*XVgN@4R%~VOhpKK1x3pNdoD=xnISZE*(DbIQVoRukl^3O z{s+v#O$*UWpciyf40sUSv?H#?k#EZ!f2rU~iEnra&FNhrq>&ArV8(LR$5abeBtbuD zQ2-E>y7d0a+R&~7wMV3 z9c+s&w?SxifR8-$uA=Utir~jJ#D;qupA|jk0JFkC#wBX^4dLL2)+Zmyo^Le(_p10a zZJadFdb@_IQ1CmIv;=s}W%kgV@_4U`0?DEl@H%@Wz3<~*FX`h*ZQut~Ui2JFZ~frQ zaZAmuFY13J)z@CAU3PWN{SPvKs9p8_kCQHy*Irqhp8wtY)u64I%*g(ZyBd2@9q-MW z`^@~TN$^E&x)~t&xW-ysDt`lEp{-6RMI|6&(*gC$inF3GD2Eblxwj9eC_?QnMi42S zdKWGHrUaS)Wuir}g$=SGR+1?USNq#)$yqcf-02U+`#3izoQ=Q-OQ8tGsX`b&881Z` zZimi^VwYVZ3>(^Bf*=f7+Xljj(p&A*qTt~hiZc0Q9qFMiQ7B-lC6}uvQTQPU6}y+o zG3Sp97Q|jm7LGnoSsEaU+ECGu1B6yfS@R#6;?{~V45xM#2fHhY!bVAeSaq$$+TtsK z4wcT*)H77N%0UwJi$X^!RCvd3Q9B>iDD`l%sQfKS_O=Wm#Lt*Ybk}F@9^MtF!9}@8iz!N1 ztE(gRv3SEAiRl2=W+tG6fH2P&tbz_cwnK$fGGMcYu2&d9iz*2KwKc5RiJS#Vh|`4B z8TTi%TnCs7dYCj&=(_<3Ukz2I=Ghfa=#TI?7~@He*-hn{Y$pI&BZhg@x2PlH)BL%> 
zYDbe++Il5Y`i-%4Q{%ICBIJ86|0etf{czP#63EAco*p4p>Pyara%A!LaWY+_ctR#rl z=9mRWM_T@XYv&U*mxDWRu1Qn8+QD!~_8y4KQ^MMvKr(Iyv)8y=<9y$#k^3wv97sm8 z_>NB@kB)#!oZZ${7Iz*2#N>rX})n?3PV740IN*=r4XD21<3c=qCf*_Mvo&3rWZ=*In$uEf68 z8jsXDBy!EMe$i^5kKQ+7m6<0{7eDA}9tmFnA0blPgln@5xRf!uj)l`6b{$tc;GzxQ zr!sxn^OFs7!qS zTFN$yW71~m6`hauGQQ+aB)gCva!{iE?VKEGLR9kb)$O=*jJ#ayMTPm#f}>21y*5~f z${%s{dUIj|Ojb)GY#_6xHoyKoOsIx%_9$JTXNaUYwh~RlYH*oqg8n?&VYB`0`=N2` z-iV%2>TU3s2)86EiI|hSeGF5her@mJc&njZ-QCfL&40NGGtwyML{ zSyR-<#y=>THOEWDju7p+Rwa*-ux!2U$+15R25Vs2VTRO&2qLVc3UVT{EZ{?A7lH!~ zmQZ1}unaaTp(g^Cj0SBQ zAuX48W8AZy#PJ;)S_ZSaKYGMrw6u-Rxx*DkkGSy+kVf+@K9`WOjuRlc1a{MrEK3{C z{(9pOJ0L=|njg?FJK5eIVb2R=)Zszi@uRc}m;j8600lM+SIo%Wz1_w*5E4K+3Q%u`PUmv>X$V&a6hNkgyiiHLJJ`Tv`i- z)UDxkX|0zQE2rM~qXRXt(QaTj12vH88wWL&Ijl*GBmdh&nal3iTp^p+4$7)wlmKZ} zQ&hHM4w1#nJoJlON9`L>8OgN64YdI##Ly_kYGOY%kt<}S9s8v#KSf0-s%IjlV;44? z;Hw)CdrT+*azQzW0@guT*}yuKO2Md;+4UnAwgFJKe!*1sn7q&UG89XYf?B~svMk8y z5_o*7rz3S(BAtFGfw2PzDkxQ@w@qmEiCV}E;VcSSxSyZIeShd1nIuuF){z3C( zg&`v$tY8O6+*s6pnsGp2L5~MUQ7K)dyu{y^vcr5a2hZSltqc>`R#&^(<{Fh(hD-za zQiEDFf3b{Ta6*XKR*v2z&KFXPUIy;IE(Ze%xUNp{_pr4e%9(2r6a;(=NYep)TUuTx zPLQ9OAaaZZ*FPjg_pGe${xt3F{MS7lisw`cjyY~6rShWGew;An+iV4rFb;5}>bw+G zS)vJ3!Sz`_*`*V_A-nxIDgn5JhQ&#$kfd$VEfAQh(M=#vsuJZ)?ACSVZ&4VpnPTiZ z3GAg(sl~D&!!KrZe2A_#-VKqslj6V@_)e$@)MTIl3n0h}0mRA}ph7mkqY~KHN`;Pv z7#_t05q6D>X1vHsv#XH6{;=Acmb{(EUMP|-h4>H1ckIW}n(!&^xA_HEF+Q;ZM-U`< z{Stse4$w(ezMk4Ug#jJtv?@Os=rpJn8R)cVH06I3r2(B(0i9Mz)5En?0d%r}E+hW5 z0UAmGx{mQs1=4^nlmT^HDDdC~)*Yq+bxLsFD#}1i!b>8~0J=qZC<5ta0Ds`13ZgAn zH}0jy&XjJo6g+5w^JRj8gI1|>ck!#}Ln(nxO;=6KW_QDNa3y1MRKv5MJh|mvL0ogpM6A&(MKWSgD{Mt^iCU z(KH53C^Kr3&V~Nd)BI9M8Z-pjWWJh2?0A>Aeeh^Jv4yyxh3zBw?VGRcZFf?rkNC(v#9V}Mp`vQq}AAt=# zxIP_GBd-gwH*az2VG}AwKJd=b+6FeJo@~N^d5>`;1m_i_mWUV`3y`pwHZXA9!cvlf zNy}VUfJsXeEhXlYHGF{pSOM(Zlex(Tqamh^(%r-!PG^+t9yEUrN1=HXPAN1%t@BY^ zOt9G31|Kr^6E_B^36KdZ_p}!k9zaR!i^DzetBW$qq?V^fSdrKty8vL7uxefj3OIK2 znXS&}qx+GvpJncwqQB)2mp6!vwm#A|FuX1ldadRX^}TwykLb4*J&-n6CL8E4=8`s@ 
z?~!!A(PBAwUtApsZazt2&0^xyq!#nGaLeRKIoFiIr&_Va!ccQKXEg2~*BUL?qAZ38 zP*Aj*^8fyDwz_DSQED4Fw^hBElylWvDjIu1Jh!NC)=(K;a3IlWyV%<8&_Fskxea{; zK{v$c4DC5Vh}Btt0|z1~14?ZSK^sZ{(op)53^IQk+Oq%1NkAG^l6h7rB}$%A;lPzF8%!lil$)GYl!5gGzwWXG>94!2B&nPr1rAz?!u`bR z*Y<-BRE0u-Rfpu|6OdDU`i-M%{6?We#z2SMTZJ(SxX*-&eSl+)4~4nb-AuSI+kHj1 z6TpFPeofzFY4Uf$Mv+Aa)FW99dRL{*`BYT)SsnB&g}x(fuo1EV86ecum!tfEgLE(F z_k(^csc#B#?RStf20dK@$XNvc;UxQ-f43|~ia3^E`QO)DN2z7?(WF33SY1p_b;K6Kdr z2Go_opMHn(V2?Hk5U%We@U81;QQqSEmG1p`d71ggZ-3S?bKzq#5~b_!HnSy??llqF z|4+}g(flVpM>QYlN{lFJ)vz&Gp*#--y@%XUD$0pvy_aqWaT2ex=Kil6}LW*7ybA;FFg zG%>8kM+8t1oY13jJ6_>^ILk49eW#}o_qa|Q7C>>0v@j@8)VNTjjjq6ar!9*!Wk&*Q zpitJJ-Q?jrqEcm|Zp}&^0uDe^O<7|x5j6{`-?P*%=;HSdM7LITX(;kLnH64dVd$HS zQ{4M%3IZsRILojki1b0@og7QK*z0kkkdDb5nx0NOhHz*l+#5jn(>hUjKogp!BYa-& zMQC_<7?x78MHTWw!!`tJDpi=H^xN4EXVl#h6Hml=fz4-ikH$1n8H`~-nI^-czQ0L6B66jT6-?FGkig>ATdi`4FZw*TW{W6`cd?{D2% z1&-x2N$C z4*KMIe)a%0rgy4k$F>InR9D!q2WYf9{wKH%>`dq|kV6jqdlbRPLz>lzY9cq+I>U?{X>F(A-6^~$=Z#D7;eF>90Y4XPEM_a&5sS^9uEJ_Glgs?#!CtPw^)gJG+Go|QW zn^SAicYVVIo%q~2m|CB@03|M!i&^AEy*OFxSU22d0>RjN(1;u)a}RV zLVRb#$Xl!G5gu4Io?D%GFuWMv03Y~92PDW8SmD8>c0|a^osgIyX>Q$!=j$IY<2P{l`$j2q$-L$l+t_y(7Z_ko@?^)A+rmFE+461kb|L+Bjw zq8TBqcQKlFz$_!(1GrWHc!w!HjJl$PUKuUc)`yLnDdX%T@#OA*44Ey#;Bm)DGvjgK zypRpOQ9wTD89WU-7o?h)3+5SJAU{&0kG^}m`eKF-^TA3oTfD=GE*ir~Z)J)5|D<(l zaPT0#q9hK{nuxdp}3@YnluJ2XT2H`l-<`fzO zHoZS6o;Ume4FgKeHQXM)6@knt(E&9$E|-ucYS5oRl%kUsmXRecAWIIYD##Olwcti~ zYVrh?|CKKwNuEF!((gf%paAFEj@H!U@lCr_alpMu>w5)NtRMP{)5lTv3P^z-zR_jg6>~+lEp74)9=`-b5UMD z70!C!ii-c6qbio4LG2}--%*{c>R{dwEl0VB;TDQ ziO;HwW+AEyQ7VSESe1TBtpZh3Csa{emIxJs3n4;O3#iJ1Pzg|VXIf7nN%?8d@ZTcq z=e6QrJumDv53`&SAB6?qLh&cL_{l~73Lf9!T}fp4Cx;{}c8PgHSmwt{%hN$ZPZLP3sgcR2H2$~tef#-A>j{25*)%^HWk%yAl5_Qv zV)hK)%wjwyF1Zz1)Zh}P2EKf-zl4%s8t(8nx1?n`JPIdHHKZ{ekb**2vENz*^Y{#m zhQ6`1u;1WnIuy%RF*eF6gh6d6n{W-2BY|8-dy0%`$dHQ~NiP_cOfJ@kH$g4L-2GBf z*zT^Cp>SD;q%T9vS64X|I&f;+4N-{GtlkIpX)>D+#+nFuNVv{nT?F%ycgXQ30PQ3w zy3&zfD$a(QbfYD)x@6KqYH)}l@XMElzQ*)$QWt_VE^%fZyk^bP^W$Ka2hP;yzLQ 
z`!|sIiyQu*#((b5`FeQYW2_St=Y^zciW}+d6Y3Ym#zw@Ni{Cf-&FBv+_4WZti>1*C zu!>F>ppeViS;!ZA?f%47Yg<_TYvaB6XKc+R5M0SC8YYSj@RS6Td$v%2`9@o$FHYP( zP8C`o;TMkyXs%VF}Jnv zVb;m!rTBI5Vm$CNDsd}pPf%s38Khs6NBL^Xg0RdOR%QWW=1*f~Ki4YK3e(Ju2D{w? zW0)*ypR@ZuI*#;}w%+3Iv3mP8|MO~tO850)F~q;fh4@xzH=7evF5F|UX}mpHT_2Cz zTn+!xf$D7)5572nbtHZrra8$Bn&RG<^~)P2C3c?vqhYvGHsfM}O_$~QlF=Kukms8lW)buDsS1d{Q0%@ z!$JPTV|d8LAAgz%L$fH(^X%a2A0Hp%PjrRZd3#W}7=3dG$yu2cLsk|Cw*0 z?2X36i2|L)KF{Cxjg@@5S?sQJZq#)tOXQ7aJx-s2o4X5uEQa2^Uav^*(KlhQ;$mni zk($1nj>EW0i$WL>3F+%xLRs3g8q?7A>Rgj7s^249_&)oo;`%aKWqd0qxt!s{}7ULZMG7@)X(vZF7{V|f44g4$7P`+j#3nm;LzB$pTy{AFD`r7y z`4X=G`}85InDg?CD2Ob!@sC{gWHhjhdmoA?+N?y_(1US}6+5v=i);x%`(2FAYZ$AX zn|Uqr+YO&x%vxSV)t|xD(&Z!r$K>a;Z8lDWKC^0<`?3dSr=DeAK+CS75{Ykg{U)v( zITn9CD?T*3i8A9ro?N_g{CtaCxhf!xbAEZb1GO<+u)$6Ml z3Gy;j6svk*k?2urG`Cm~nk)+rh~7Wqhsf$4*AY59@5)DNU~H_T{h z7KvZ?Yz;kcr304t_)XPG*z$qh%+}gAcC6%RM~5xalOyY_h{)1yDocyI zyTl98iC>hOFXUUQyAPA-;7S<~rJDDF%!fPjNI#ONd!LRSBf;d$VdUiFZ}^I@D_wd*C?lxgZEWH-(uWIo|3p}oK6 zNK6e*?Uf1mdqnPu*(_&~zQ=x)hL|OzS^1;cy#0~BCunfpb@OH5X+ml4j}3ip*L}$Z zHTZKw63Iqgw)AM|G|im+Q?36hiJViyS?)y3%NguHEllj9HKFnhqCMD8JHNcD4Ly z8LVtz%rw`5)QpmU$2tiRdSZxL9XqL4DRk70?xxl&FB_tgh_JNoS#2yrN$INZx7gO`$g{H* zFS-)#oB~tV!b?v>Djk`ZpDg`+uo4009#@rbr{1~G->mqas##v-Q_L|G6X=mfiGND1 zyg#4v$Nl-pxi;KedRD*P`?xLASTEQ-fjeM%*z1qUvrI38>8T3UO<`N$Rc}1GXmQbV}tM~A!ccI<6t~J1Fds2s+ zqD^n)hlK^}bTw|1vhcbv$Cmt0_h(>py25$py{?(L@@N8^K2xV(Itl53Lzr|zGFQpq zr%a=m>C9J|!^L<%PdcU9HVxS|H`8}`aP`gyP1xKGg`_vL5v?OX0=n*S+%O3a$QgC` z_`IEY8TxtFCt1wtt>Ye8ENoJZ*kJ&P)z*+{nqttAQ zd~`b`;;gS-1KAr&5PhhUiZaO}fC^{SnWyncz(uI55Gw0#{~%O!$Tsh_*}6i*bGpBx z4d|$e{%%=&O)`#L+N>0*VtQ)X+T5M70n_l|@sU>V z2;}zbH4HgPce~YFYI;SJyIH;Z!<(+M=!de$8jCQq;4(@P7Asnp$PmVndmS~RPZnRQ zMh3Z{S6srUMLQ7jl;&OyDSIHT)cBWPX-4E(8<+Uv^h~j~MB9z;> zQ!sz`UIF@|sgs(42qd254uHd{UPQD*4@#~Sq#Vh<97B$DM>(sq129X9Q2F+}ykozw zFr2(#X~kYbFY~8|z4-iE-eQNcYx0j{F1FGE&8NdhY})xvq?9yGDXE|E4YEi`XgW(Z z)_yf1RDJ_ZK64n^+X*f;8X)_dpzL~tRsFRjl1sN@j#DCthfz+Z`L;bv6*Z4!+BuQt 
zl6}(WvATsA{+v%_dPkO4#pPRAfN-PPL^#rPpunu~o6~}_t)%2HFK~{$w zq)i!KIhdB}L4+p_1#6j5)>Qk`Cze&UNh9)oG4^**KL9WfDnYsd!5 zs;J!w6(&DmMIk}Iy1=JA_kfYeCAw1hp7RaF)#w)e#*AwVJqrc>BZva~wyn@MMvtXG z0|wT+LqKSTX{PXY+g2hU#$y@p>NOW~c^`d6HjUJjnF71X1dxc1q=|t`h=yIf%g|ix zjJTEiYiN6^(rr2$)qGQ&$Anhevt8%jL2#CLBxI6ML+}5;9aS1$N8=MEh z$_f}#;9H9U38I$*v>4J5YO4VSBcBp<7!oj3VEDrB4%i5U!d@dx8(SI(NEN8DBtxAR zLz;?Cy8#2G61oS&P#G9-!0UzVdz^8muCK}A(8|T3_31F1_@C|eQ8D*5e3-F+1k<`S zX!~&ja%-wI*r95fd-39KnN%jJ8U$}esu=`tNu)Lj2eU>o2yiTDS4w!?A#|A5m#y*@ zp>w+@0Yv^*+&L0x%+>}N;{)kz?gs9zQ+P72n;9JM20>n7ro}t`dfV#wXMW{t4@Xm?a8rQNmE7(lko%x_RPBw~L_L7z@u< zNTTrzh6*Y$#F}6}^h2LPW8;(P!HLCc2NDIiz%QSa6JilSJ`2cYur;i>a^Z)D?nN)+ zafRB#)>ZLcYV!CQWy{X8t3q{MWY&$&#$w~dV|G#V8$%X0vT<*psiR+IO7{7lO3kB%RxMP)tADXwEX-%@Gil_d zOz7q1=&0F)rjr5XCpYw7l(9?`H7|k`$|_(8+L$ZN&ACiglB<*RYWed`Lfqb=INUgs z8rt{a(ZlLCUyVvg$=8|!Kq%S=tG2Jp+4SoAxfq8KdEIO&S6c9UnhS>QU*{5WJ1YjK z7?z2ABKTp`B=k^E3K4b@FdTG08Z$w?#oJpS)Ms4sWT}3hxBd1o^#hl2i?XHY`)T)y z_a@9dQvGA;rb<%k!!<&#ze|2XC=gVN6VU61By!H6@7s3%!%#iLv`F&HRAA7zmJ6$v zh24g()l=wP{a%9tRX}+28b%_(Is*w8{g-aE>xfUsR2XSC@WRS%K`QWI^NA+Z613En zbICfS&J@~$Zurw!N>uhaOE_X;s|i|aN`h905}?Z5wKW3YAH2>D3oNpl34d!a0D)c2 zs7noU6H5pwa_=10C0dQCJcE~wF!K`fivh(2^12C!)fM=yjpSg*D8Ud~+ zs(l>*@;l#-1^B2}l8*OK)vBN_nKfPYin05B{mw1&L9@sr@*S4|4D%krIk)8h`ZGg0 z*Pm~?R2|*}@YOGd@F_y+#Z^%y-F~+ai+Ukj%r59`fZueYsmOoq^OiRFhgcH?->=W^ zRtyga_~(Iayy;_5f6xBh_5JK_%rs}7c9SO!tU#nDdI!ro#ZANph)5-x$P)!^^=HqF zhr0cNlE_$t<&Urk`1xV>zbmNoP*v})2p)WjwFDla&*YnX3*FaqiSnD$)q_B`u^7CA z%OX^s1wlXQTCY;;o$^a|Mj7Y*E|jr|4`n&|SsbZEfK;)Afhs;^#m<|ad)!un8HW*z zgM_GcR<7lwXpWL9gDd%@P4Qa?EnuFRUOFA*!=?|Bx=8Z=9ujA}5k%iaca{#+WYCHI zQWN%9mM+Wkw^$C-J-R{mX(H+0^IWe!l#J|&4U>#|I3f(f z;{{UPXdhO-uN7NyF{c#=O{sY|2k+qel(9j_lZX}xPaLetekO7*YrInmQH4n!Fo|ln zN4aav!ZWJ@znJ;dJjT#hS#mdJwFB;+$lBseqc_Z+a}wvt6v}G}qxfaL{kwUh*M;&g z%GuA;PC}E0(gVv;Y1NF%y{G(zFgx4Rl?~T2pc?gwNsAmHgb8EZC>KP1IKVnD&1MqJF=`fA1&^02t4^61-pJBBb0q5K zaT2U!Khf(cBd=u^^8*>6b2QRLv+v1ldK63=SgfWd*J?7y)o$Msh5yIdI|Wx3c3q=M z$F^)d>GZsyghy~Y~r!Q5lbXUrq6J=&&D 
zZ(PS%dneD|M`**+vLRe;57%H=jjMaF0>~H*6^9d&BhKdK7FKBT*Qs!L78;x6i|<>0 zn+e-G?-4n(5ZD0R)j{`E=K%fs&!y1of?=yAeN?%OH8I1?LynxgyXX6kN+|af_NxWx ziYF@m;XTT67|AJy&$MI4$!lqQ{knt&sqph5?uBflGb7*8w3&(2#dydRT*Hr)AFp1V z`B#?*iw-wnylwbj@4F_!M=cW_`@e>A5q(cet^;Zd{q!uVTh!Yc3xC z8$v8fW?UhBnhCpKmE019p8~RJbC2*<7#w1bsO=}4KtoaP`I^=bD@7vAiY&&(6;FfTu z9-6%d0xLDTM42r-h&`pn8XT#{2L-<))QeQ_Uo#&v%ZsPQr<}GFT8ZKfS;;c!M~D*@ zB?X?9=Q^a)JC#vuHcu{isC5UT(kCa+ShUr-8~IG!7|Au+f_#&#A8EBgy{AV7*Rknr z{`b>%JqRDu2iKhl&z?H=KAo})~i&fTL@1xVGhva9? z&^B3yH0tV8%u`rUr&hwYW+#bmp0gnyZJu)zePdhm3hLc(0TAWL;<)iMBMnBe z`laoJIc7na_|5EAId&|*g#4+SMf+@sauiI@d$lw=RFfD(`#wk}sv@{{At4EYqX!;+ zJ%2#MREB@w?q3j>+uSIOGXz1@s}TD{jcWaYceA`~$XwR|h9^_~Dc(*h{CtC4q8&I$ zJ6!)~vO>DT`t)=hp*ZhxR5ayuq9CsSFw_@>s?!!sd4lqCLW$=2>MF+s!NSekdN>;; z6k2T**$Jjp$tYZp3zLRMZj1HyZ@8vX@m+u)n*}0X1s@EDv1j(2HLiuV8DP&-0r_c! zmjtuuoS!ei(KK9UHk%c#4whK{cOD%y5udy}3mR70FVDd*j~ZTSNS}J5vwpIIQyML# zY>!bHw>W%&HNdzI#kKD@rP!fjT1`T6~>omA3^Q zy*+6JcMTbx8VQsdZ;OhcwarBQXss_fBSgUlo3PE~q(Do)Kra?d9kNnPgs2hW7bXae z1_mD$8b+JXAc-%wx}lHv?eRx4N2Kuqv7O)+1bjhDUc;X;Sxx@s5`Fx_JecS^b><2y zGf+$KPUDZ*frf}qYtdXEeZG{;Dg9x|gt|3p)rOM_t5(S;xeZ#rmy**Z#x9z89@tmd zSIv&&ww^&4&ilRT(#^RNV6D@XjHq6ixle;vLX9;Pfs#G&v1>QaFu>H*R`E4}k)$Qn zE5h?zNNF^_xuiFxsuhW{pH;8t`vgsIB1yf;wfEFRlpg5z~E33Qtty zmgO6NA#GF37vr0>yEQ`UvgU<7`>?QepMZc|XU8JQLBl5#C&r&wS@R6r7w3flk?nTG zzoME#@dC`RyLe-$ZmHLwZrm2Jl@|Pb+}OJ$Fo6zj}9B6DW#qOQz>cirf8L@&(%ZK#eE{(T1 zaOmd-Re_Hjl}`8@b!fM5M(r+$65#9eHWm{xdTtgN>?s^hB5(p zxDF|23lqU*2Y7{1-N!nWJa94o#_yNwZ{>IXiV)kTh0&B3g73?3;smnsYY|6mSDEcs zyI*sNTDL2#@+4v+r=Xt2MpvVitntaI(+pIKA5_ zp`lehx9T>Zl;*d?A?KP9XJ8ds6 zHqkq8Ag-2~h+N=FO@it)iA{SEO)8^pa22K4+qqj(O3ih6-0V0M%Q_2#X4X+_Z&Ql1 zK)=Zb1m$UYafsM4Ya9I|9zy>fkQ`JgDWJGZWY~)TgHbAXe`56P?Y*b>;{@bqnn`DLZR{3jt>G4Amcbo1@|9-R~oAg~Ybq(YO3nfvI^jO`ik(_LWm4lRVx6D6`UHxT4mskoX>N zlmG=%)6_alOOnxSZCZ6>+~H^p+@zG2qWR+A#|iS>p6l{T!N(V1p;ySO6~CVTj-d4? ztUv`p-;LhOEfNGxu3APEf#whPghTaz2`-s`3u6zxHFH=Q%2hLX5h~SW^C6-V6QmI? 
zYBT>J5SaURg%^=}+QkeRdAbcXc^r^#571OM;bj_m-ISvz-0h;RY>pVj^JfArr;|{a z6X@8}{n{bDg`tW6Hc5CDh{IueBV9gfFsQC9HrC!*Sh6}YyySEUP~sy?@%?1$kjv~G zBiC1z{`-Lo*L5Gwozzf;hPLO=dqnPwG2aoT*zDQ~l)tuFIx6v~$O`wsHN;(_;_$jJ zr8;*S!+>t4;PQdN!5q`2UROS;udCKjo}p3y)hSwV6VvF}0trq_&)0d%kNRKH+WtSH^)L5hA{ORrctk$&2tLg7U$Q3tOeb=g-zGMCT_D}k)~HoE z1-DHMikfiq+xY)W05b*ihxA2`&lvuiYjrp-uzLYqW`%acgYHtjV_wyReXcN6^vRN7yvM@}c4M(mu$F7sSx zAC!@UJxb{3r(LpNHB=(15VWbYX<@f;-Qm9|S-6xW_5>h~UOV;diVl+474n7rH6Iq=Bc^g5PHMVBSjoqRDMu*uh zAy#{}TnE#0d%Wv+zGV{AZg4&u8Ri^FnlLfeTs^1OFvt+wgws`p#ApAg#Qpebqud&FbX)2w#dpEl3eR!48lFyAUWwKju zM*A;B1S~O64J$n9KfzU>QfFJZ(^1Cx+M=Kyk|v_|{|Nxeh}u6-RMuDoYBh6w%R9-T zK;_;tdu7L|Y_rlOJ6ISG)+$@pk+)Ea~0IimZ3UUb-4wFLRY`!rGcJ z^kTY69tmQjAgk6&U|%PK#5iOF^e+sZ*A0fi;Op2w-dv|CMMr-Bzas3C5e~u~j`h*@ z+qNf*@Siyf_OiiAVjHc~;6zRsz=lr(pGwY$o?#cO%GeDc*#}l-u##G$-OJR6H->$j$omM%t6-Th+IS zi@iGXLa%xi#W$%J)hvuU?D77;lIAGt)}VQWPRSaX^R11f>yD9w5K zQ?!61m}1O9*R&bp8xv|u74jRy_Fbw|9jy>Uk?AQ49nf_f7#V*1kPyhopJNP_K@x_! zOs1Pm<~5X}KY6B6?SZo5jh=$YCQ!dCewi9zG00@=73YQg*n7a3a>(+jyFZ{(`x`4Q z*tWb4~XJ zZ8>{VW*!<%k{9M3L)PJ{5EmYeNngfU&?eFOVY9V2|J5 zXApNh)z1tyErPbPspMweKOf@mN;xSdxJ{qTH=9XHZ0!bpdxTw&6_S}uy2ezr`K76b z>Qwo*6 z_AQCi0x=OrDXhrpKL(ew|M0rb(OYi3?}xzL^hHb z)H~H|lPw@?5r?OQz=W(#=IB5AhG|un>*QnMmz_`5-0F9e28U2#eaKiTHJcid2-4Lt zSst)Na6~utt0gT$8X`0-Mj(v3cZLO_Pf0-P!~zAq-gMU;b1o%&E6=%}-GlcW5G*Wt z!eYP~+HfC6W#?~R75)qD17suBLe!H3T*JFQ}at){il*y-8j-1_UQ`#~FnJ6MAs(d02I0RWWg!AhA{uA}QaH^DWLpwSC%uXvI}z{?vH z>5wy6F3co_#<@8X(aA8kx77~Wwik!(D-3iQ7jTK&Q}<}DO3?GZ$O6duDA{iSAi)yf z|6ygCE|e8dp=iq`lEmHS7xwuqEURd1d9Zpzu?|`IXRg6>`=!dhOP8;>fyB51Xkp(9 zY=AAwF#8a95;ukLU8)+c1N81a%;a|Yy2JSlZ-%>nHF*o*4CP3oP zj+Th*wddfSo1Sj`7%tWizMxb~7)V&dv2&XrPRE_rO;zfX%q~7(gk3mBk8L3?X~W7c z-UpKmEA$FV6ko}emHZMooVjKJaz*i;B@Qp_)oBL?h60JTh7 z)Diyq-Jg-Kmt7vsGSpL{+(c|U91&@L3n6LIcg~a1@k=3U#TD4^F)MDkqfhP1}plqry)d7$lX*O-lhP~J~CR;J#};K0qP zfsD6>6!jizFOOQJdKI)z>~M92U(BapP!n}!2WlDV_MVIYFdUQk)pWpaEE$h&Q665g zK+c;2tB1Y%k#k>zB4Lg`j;O12@(m3QLpzUbC?O2(_1he6uC#D8-g@eMv=UK!yftvt 
zQcu+r9Z&a0nK~zFU9Gwz<#%!w`?qgg9dg)hEN1c`Fv??dE6s`-eQf>(E1d=x999df z*@MH?8Qhc;R)eMu1gY2RdAeAEN>YsGYb%-8#<(N4^6G|Td-DmU#~+dS0wx^Wsth## zq(Z2I;m>ya1h~+N0oRpuwx7;1ZI($LF6&oo#7M(PNHOc$me4_MWgAW7+7U46OKYU%mkJFdH|pocM*|MT3qTFaJCeNOC9`47PVMPOe^cUWOR zuBKbttKQh6-)!od+Gxt0vpuU$VqUNw(uQG)5v`(jt#VkQcD3f&X!<>84|%0A_a~m* z<9{G&ve;-!{?8?s&6`ak#F5k*|DgmbsIBOK#m0Z1;eS%1@k5Em|Bez;8MXfbXsauOCW2|F@L9{SPE~i>;Or{}TzP+Yb^y`Ba4epD(BH z2T8#H776(OM6%p!88WWDUfRK~;FR-z9|5*%e}HT`h;dO#7q9on{-rgmNhpt!fM3z{ zQrSxcRte$aZd%8JAPkQCY3NO0FDQ%GjQxx8@#tk>5+)@buypj5$q7lhf0NlgsC?eO zHa}wRNmRiuphVz`RC(m+HBi*8W>FN;)i>B0>?^u!(G2T)6q;n$euq)gh>GK(Ju`DU zzf{ersfAi|Ir%N#4W*>}@jbJ(&e0M@a$fMABj@*c^*OXgGM2o}=g8ah$T?OyLyn@F znc3ActVFL-Xk|mHC?e^?+Th6lerW>)3h9qrhB1=7D>?O#6lkvs#|R+j>WI6sz=JTb zeHUb(GB?<_NLW7ZU$f2R`wK2)b4s^*R%gC#&8)s6>Xz~B;zGwdR{~vM_ax)Z1C zvmZgUwXVXn4}&jy-L@(7<>d3USC5`<=4=PW(^Xp|YfHRAK;5BGHBgMt>bysqc_r@S?0 zc~S2h3ho3!zh{OwQ{<}Uz&?QydphLius3HIyl#f>-3;RjtQ*le8JwhX4oRKB_LWpv z?frgMtPc_61`Yx6Ane#hieLNOI5w8}o!la>qiCDwaI+M!1e?Aw%-|7%hbBtDx;7th(+}S}yiG}yTTttJ*GBNl^1%Y{ zi(KaOWP|-kD&a9k9(mP~k}~+$H~)hNr*8+uyNoD#Gr7wnFLo5k3mcq&8KtCjQ{LS& zW!MO%tE)XPbw70{psEstZp#n7X4@Zpu=xfIBbz*h=2!BL1$6G%xl6#V_$JPf?#@kq z^t{nNyWUOlt+W3(-q2?24Ewfj^Ud3kNI;QYu1N&9x0#)WfjQ^i@5=p<2M-_JoXH68j5r2gx<`*ngh3wx_76aKi*38C7Dq&NLBB~Ido4wdRSb< zE{@94#s6B?+%C$r!3WWq$K; z(*SErQ&Q7l(E6S+G_{3#R%DLjt3>C8GUX~U`}`7OlHlzR0^0*~LUk8|9MU4`W7CW@ z8I({_z70w1T5SVQy<(fw*SSNbjX>uLAk`0F2w7W%=-$zh2CB|6_tI z?euQO+r|IfdO-y{W+`Dt#j+;$-eB2 zUq{JH(@`8ozD;Bkh;K4j5LPYRA(o4V=^FjXA-smgh(X^Mq4O)0hc~O+#Fhby(5A0! 
z5G0y-yPRM|7tyen8IrzNMV70T5A#`Ux0ZlXm9ssP(kPt0_Z}wDXKX$^KA0176%K0z zr7Zy);sg~jtaeX(mH?YUKz+LJVZQzm|JO#K2v-4A+nD~O2)6`d_3qf<~Faic*L zcykj!lrh)fNOWE@r0#di5Far3?v8_v!MaRy&*tj-{*^)7^wGs;3ncsyl7{KrJl%J9 zaj6@ZDP7k=Bw>L9?;7q5!n!)n2ZJj9{UK@_SG|RkK?CejwIc2*Ov!TY1*eXeC&uW9;O&Y<&%OfHo z&KW}lG4z2Oc~k3#aXbjUk4U@_^1W)56Z>MHT})Vp`!Ppvq$$~XZV#jVSo*hP{klSr z%y=~Tp4N-CmDE?IipxZCXrOjs)h8H8+S{-@f~m!X-0MC9u3H^{A<(xo6>9ruT*|yO z@gJ!e^w&Hg(P=o7dztpTl7E!w_t*RkOt#$_b3p1qxGsBaW!V0j%76DMb$(wOA5+g@ zte%F;iJI ze)Xfe0pt^mb=Y-*jL*dwTRqy6_HEU*-ysZ{U{3Oey7@0e@uruvLRezHl&u`HBRV|@ z$2V}!@-I_prsL-nj1N$8H)F~coP%XtGDr`M#Yc_XDnOaxJ3dzA&$5SJj!{jwlU;5C7fCO zBVOVN^WF%cG(-Dn-r}`m@3jQIZhE#J-hGO(Dyh^8;I{Siu+ybfw(Im|02_g3;9zD5Kh@SO+dw7ACPB%ML`h`SX(W#IWUYWw$!kh}=Li zts*_(r=F5%(|f}A@=F2m$%72Sene!FS_2Kt6K3S-yYp|U3*Ncauv273czp^lqF2G6snV+s8r%=W|-|(S&3SbKw-eZssocA{^%BFT|EI-6IDw)cHg;bUYmqa(7hd|kk;~R9VtMzhK zPiwwk%ekB#ls9#8&~q4y<$OPvAB!w^-knW7H9b6_62k%WUTs;~B{MoBh>ReI^(%2U zA@c&G8j@N;pIUprRkfaUXK&+3IYBtrYaGwbC!;-r)vq^dzA3-D-M-o%xQ=)eP0?u7 zbJDPeFCNQ{c^X!xUQGnLHnycEJ>9BEzC5Bn=3-UZoTovl&D*QOQ2gM5PctbAte&R= zlECnWn}`{-kADmkY3&40w5uE?3HxV`nHX?nm^x~h^jNKrXQA1K08oSTVj1EL9YBk}Z@UQi{^GgV10sI9~eiv^nVZ>7-XeKf)YK5ExXQ zaGI7m5bCgE8c;(RA_(hJ=vxQVOE7DaR&tk<1-CH^nZ_C(3al~y{E160cWx{!dix_% zrkvsa?_VO^M?5+;m3}^J$#Sri?k24JYfaf+;TG}h{Y&Ormh~&&BDpU}kpO(NM-f$b zv*^@xO`BGM())JimyTj5op!=h3jDrzfqBl7foEG`7R&Ud0k9PJY}v7$5VISm0H~d z3=|2eapWM)x!KxO-8nza87M+=%3?2qhA2aM$VH?h+UDrQB--YQ^~5A;X=DRwE(J<- zT0n>fPj5MxX_{KNaV?5oB&ix0tBNHea@pRfQDn?af%oR^mXoZda`z^Fk6bFI@*YwN zrBGlZWXpA|><-Lve)5tssH)*8vr)Ef{<@NdBB}&0N*`q%Q*Yi+>n@bB(LJZ3Z;(zl z2)gqMFQ$bqKSNg}Ji7S45HTMoc$0x@xR-2enNW64N?Dxpe9L`~&V6b;Z%<+sM&N?e zG#a0tZ?=F2(Fg!q#V0D6>LHINEB_?THGUDsk-)nT=UMgsTdbuaTbX0*w1-gzb}0Hf zsKxLXVcJN|)(`@%2%U_=ewlP}nOZ9Jvx5R5>7Zjt7elDX$;4Z*=Ql|JNVC$(6;QWeCnUb7Ag_wPpl-vqowe1mg`I%_}>I)e@LgW-VOq-EkUsdsLtvIq}F|KCKqb7t+ZR5XMG!(CJA&<^)-nX+x4%bJZOhU|7nch&<17Vv!g9sd>99 zGB-10I&L^-xR-n3jQs>=Yi;fEOA?*!&dDR$^J2y*uU@xEuZg2^QN5#IQED1&zIt8m 
zw24iR5%|;zNgnjZH)IOfZ#A1+cClV2rI0XH&^T(5bkrghqNy-+T@ofVLd^z^IfhF= z0R3Sw+W-NO6(kp9AWJxISH{SNowbA^jwu_C$E+=*D)>$vJ(e!Jhw`}Na5T|KC?q|U z;VzjR|M%nJlFdK`{Xbx>S<7YU^ZqLgr@u!k(n0u-XhlO27|ye=6m#zd zi0<$@U_~jIyZcS9;I}Osmkto=?vyrujxiYmHLzy;)xHvrG>p6YXge6~ z3#EX+tnZnfReIqPR)Hfc!a-#EbOQ*SX302wB;_t(^C)SZmRc>!xS|e}7ch6Y$$afRWx;n9ecw+EN?D=uVOyC!;(pUT*RS^d6 zAjQ82hHnB@sdLimw0g3CPew+rdZ(zqc@zi%{^Enw)$RG#aRYnZkD--Q!|cO3z3w?q z0l8AjZQ1ta*v{CQM&oT0!{;xkY%pJcqfV#_u+XR)c(Aqhtf}&@f(z#S-G-iPmHs{Z z@sp7_m=YzwfXtT@XX&iX4+`1>vhy+q_w&ct@zJn8CP|S zYUPv1GMvUzVKRz#4TPSU7zpYc{%J_e7Coy!B_!#k_i|hh9pA+5$yn1qX3t3;6p44o zD+it>J6oAo;;1*dL|4*RmJ(f3>(eig>&P$8ACF+Fm2;KQ}jQiHHsWK(LOYv06JfHMhD!Ncv10|YzZ1{9` zjabd>zQ)C9E4l-IHIvjs(@N580Xh;k;8PuWBYzuwm}<;H-w^FeSW4u;<~ATZBs$;t z@B;|n$~FY$+U@S@4#Hj_W4V7)ED<53zjJ@`W9Ai%AC5xk#dV^0`dF$izfFinT7;^t!J)-=>UT?e$PrrG$9UeJSH(+(Bas+KLy4OVF8Y+0 zUz#Dw6Na=JkOkky84e_h!Y)r-$mZn|w#eb$C=dG(=uiJh@mUZo2JnS?@zWuKJRvB^ zJH#BhqH8EJimM{aR#)9)990+_6RdE7jjeQ1kCt8BK2M*S$biq@fG0~K<vp(Z`g-8zB`6k>3vUTM^n8tqo& zf;{gKpdzO4a7cDo?>Q#-(vxHypaZa_P}X~q^Eq2GUIaIzs(#z-cDKs#b&c1n{~GA5 z5~|D6{PG0&2x`$|$!HjP#A?k73*LDb*n_~~$W{kPMlBNG1pD1)ti>*3~O**b!O9&i`be(xQE1Mrzyf?1c zMkiv?tBO|7nZj~sGz&CF@ll_2HV~dz;q>7&vuexUhC7>kY_pQ#2)??^|g5a0W$hD+`SAn)|Q2!rwHjUnMmRj4lU< z+OyY=#a3!|rR8KlA!%6Rrz#(A}o7Bhy2t^a({sIeBq2A`%ht~!k z7U@DE^+5+d*HcDoY@8Gm<1`2l$x4rG@{qGgBfh>9^aXzYwC}zP=|H@K?}Q>o--qOm zc@iB@LArGvyJ-Q+JLkFPk4$(%V_r~S!SUeG&)GrRGbG9uys%bBv`_RpLs%ySXQD^u z76wY;Fnh0CH_;n<>u@9r!PHK;~};n;4{PfFjpe z0+8<4{OTsP-<*hdSjd1ze)%Q%fP&Qg?K&Fa-Ko+D2Ej8_)%U4o(}C3AF}@jJp6K?_ zi|AV7r&AtyXjY$|@RRiRf{vhkTjG!}ZjO+S^^teas_DKtAIs|_yBcS&g?r8JmCe=F zdwARE=;vy7%(v*{fwmmoqfFFB?W*A#;GZKp1H^6|S==?ww9C@`lS+2F)>iif@^m)? z-wR1SV+8O~p#YbX6sw)kgMmo>&yU@NaV8sry^t7_cHGU^Bt4K{8Kj?ob>~(7>Y70? 
zBk*xm8s-Sco6&jM&_L~hZnZhpsM1|F7$bi8>jS5_vt z&o`Q=6`Bf2Op227)984NtN+j19Z(Id*vtV#weBdssu)|p@@f=JzvOj_p7^V|_Q#dzb1P_tO1gHzaUK2^4zkV>Bzy4<*-B$x{7QFe`&2WZ(!U!&h2{yp17hVchXFf*2Dk23xc5hW>Q;=^ z*q!@E24=nrZSHOUZ1=^mP*Sccj)26T)w&^0P-KD{2ue&(`@ z%NZxT)b>~<0c-xNr=oNw&(Al6?a{+5w!da9DQEufM$R!RY+EMutM)`eb!2q*Obnj< zf=*;TE9v~z6Hl>f$El+1joQ?6QYH+ zvt4gMmj7ANcvgV)HgmvguXz4CV*#Cml`7WEq%Ehi_D2{vq2zn!_@4wBRvytOGB@`e zVV?W6Ic)1HMJi9wEX3?H;Ce~7#mL)kP}mAPi9U!LY0DTBYFxDp4vD8$-7?F)IAD-u zmd7{UbkYhA3oju_V68bK1^2ZdV?e6qUq*#kMcOVo*6~@8lC~ys*!#?xl*psg*_^as z+>4P|K#L5p&W_)W#6^%q--qAK>AMl2gb(oyPZUf ziJRf42U{sNgHur!({Y0CjA>%*<6s_YswFy|e;%&O9bCuXJ zZ+sAd*%%}OEI$mR!Qmgk;Vsx1JC9CS&ppg*%Yclx*kFg-?0ZK19^OHKV=Ce*j2atq z!WT&KUD3RK(af)cDPgYr1;oP`e~UVXgQJp;Tl_MGC%!7={Kt3{mfCjy^doKN-(5#T zCE*UYz6(w+h#VlEqVcg|I2^sduMN^YZrL%qj^7#M6TnO}lRN_L507@*rRy=OJ1d%( z$cU%&@=%NS-nUupl7dQr=NV?SBj=(vt@@jJcL7?#q0YC6IKzAcPn|LQGKK; zoYQL8?&?`TudAd*{rm{JsNt9cUF1^|3#6s8YNDi@d-eo<+KmPm0|N+^PF#-d@r&D~ zfUb-ZFUy7Nt`3*0t|f})?vu_?#iIx^52`4Ctn`MLP_9Y4+ zU5*-cY-`4-T`v`~?r_JZ`Sa_=F#DjF{an^uV@I(8p@lBxae@q9ht9g6)u-V0S-~9T z9cG@~3PdfHU15f`8+%PyL`|^q+zcg}eb)>{E|6V8*?SUiz+Fen7=KuJRS&gIzlYy2 z-=;uHA;Ypal{0lHmD4UV3=9heK)$cgyTgXDRVPO!Lv?S%w6Yiai5mUI->pwiXQxjf zNyVe)I6WxPW&%)CnjS0@U&@$=U?h*nB}4J+*o?jni0W*)-RJcN^Uo@tMF14pjhpw{ z$Y*NsAycG@VOlEUOG&awEbSjGNAz#E%5jk?4~l8&`0N<`@glQMmk8gTNYOYF48QBO z|HuHsCnpSHf0w>Q{=h2$@O%x?p(bi^o*+PpA-QBhwGYR5zkqPB%lu*>YwU!uwYZ6s zq0}@H3H9`XFGnPyK2HVXLJHmQf$0R5A;Vw>zR8>XekY;Kj{O}IE&cIsuhlBtM!O_3 zY!to|intVu%j>%Kp8t|Dsv1?=PPf`fP0pi2`JN-1qinXyeVbNS@Fd*A@zb4$sZ3_l z)zYc3Z_S##Is%^qdtq0nX*Y6q0-5P6;ddm`rA1L{0GqL`IZT%j&yVM^Sse$I{?v0) z&ys-eozi@+9{8(Gy%Q>IgGf_=Y0llhOY#{h#C)1VV-DHe!I;_+rXF(;BD%BlCW72m z8d;E8ul$$dt?%M)tn|tyKPB9ZlOU1=%Qzf%jrUxDz3oEGNUc?BCmV-b70`!_R|fe+ zyH$l;K<#Gi!2H#t;Xls9j)M@CbUm()HT+R-!p*aWVc#8?s@w;}D%bISEMKelKbuvx zhAaY9s})1TCf92QS^Zy25twNU)M*nPnc4?zkqX}JOp3K2oNCZ!wLykF)fL)j^qRO- ztxth|)bdN<57W?%8c1@6>c)VjWXOuNC!|IMUg}DhTEfczEeCJ~pdQIWUG(X$s 
z5^m*@UK7QyivQ$U{TBCXhera74+vZa#>8O+?I~U|r`S66$rvhp>ZKOeah0R|BIV2S=lGD~iwnbcZ2bh0jI4&%V z!)emB7ZvxKE%HV@C0bh4DJJZmw1E9~rmFlZ4`wpaQTqkA5YpCEG@_>*F{=hGJ;DP3 z%ie!U`E_E(Ecus<|4Iz#P_nk!AH}&zrf{~^XBG!)M5QgxS*EXMaS@|FUacGL4x^O%Ok|Q~WI_~~ zV+_;pX7)Ygmr9muYpDt6-R@;C=g!$;y<)@AX6!Uv86h-lH1pSbYyx_&axanNEV>=~tI}iqWnSiV#`|I{VF28P(?rg4U}Y7+K>(r<6>efJ>`D zRBH}!wUY(vYDaMc%osz=BcBYWsGrPuLm12og$z17%C&b7WQLhX{E3P#jYpWr3T=V_ z4d2Lw`sKUPT2K%pOtQ8i^D%a%JK_T}??@$(914MqEU{<8KSaTO`n!6FFR4#efWFya zg-9{3Hk#1EhMWqm0C*hX1zyYrvJX(^`I66q=Ihkqfm^0YUGnl`+(a z+g#?r`ZU_sUcP9j8PqXnuNx@wGm-_MN>>}^a(ismL-`-Q(f6skf*Smofd)QzG0UoG z*>Q6)yn~va@m*C5JbX|?&8*) zT~LF!Cw@|>c~l_LiU9=-?*tr>>~t?B^l`qeRt_E#(`vMo6h}P$+~d>~rR*77Hy3xU z=OSPM2BNv*c?~&ec;?1^sb4{7RXK-*Zi+DKF4JC~A-p)8OtNCPzhkY&t!4}?i@hXY zbX_`XnOr8ET5mEchL)tIpfsTI(Nr7A?5hJRR>5l-t5s&A>#?<}^5LW!&+XVkD!8;R z!*(o`f7JQbwNCa{ccA9_K1$k)QvP0*mbs$RDK?;g(WbywBk+2fsCpTCkbMoDcU;!U zC9h zfq9gcTE*>s5r=yM+^_m+txd!wXi#FQW-f-{u7j3w_b;_YQn`L=8h9I?7j0x=&j)lUIe4(J|g8# zev}Cq61$duN^Ql4FkIJVyNC@hjm>{zoMz*l)`sZ6PnS5V^dMj)Yx>N=Tx)k`YVAsd zUNYf6%7R?$ZaCkNhY(a68nA{tYg;5;TD?6PfH!a@KsbllKk+@k@o!t8wa`OAjHW^FP*q5|w<*x#BB=ZuRgj5u^WY7fdmc&$GL+I>1Y60*jL}r!C`}V|gaO zl3Gh{Gl`_*nvmm<9gjAxeKE|g0onT9WHoCE zhCG_vox6Ru;mbwi-Vndy-Sd2cZ?nf#8Ise+rRl9@&0W2fP6qCSr9m|V(@sj4nkMPM zvE&gG6RtT=f{sYrO$Ji*OPBr#z+K)+9{zfp8P^aS03`(oz+{+%E z6yhSO_tW_W1>O>dk;jr9A{Z)0AW5{3{}&Zb-Dre7rL6)oA;u$6(v2i?5SN0sdv`i~ z+#HjKSlpYmhH4F@orpb?>;BGeV)i-FwE_VzQocAUbONMNyy^q3e->s`o6F$bt=X=XcIFx(kQ3 zd^GFFw_6aG4?5m_4p}p}sBF_}eXD;ZtX1ZSlXF>RPOu0$bI3#;LJ{$l-Ld9MV=e64 zoo#UA9G%UXQiSYoUfg>O9Cp8uOa1HW8l=nLHaU>$2yU{6+Sb!i8veBptB=Y$9oo`P z3n5dmNrSFOI+b<0Q4c8AEVgMvN|Q67Q=BMNSBJ4-(OJ^i+CNWoIDdIa3grPBxi`;O`YAcdAwl4OL{#$FD(_nCiR=O zNAxP(SH0fOuEhNt@A;oj-&a;%3LKkeD>?naCNUE%q6MFO1XTyC0pz*KN6vq1jwQj<_{bMH0)BI;^sin*>a&@bl3fq6%NT7$mpEW#l#di5agIO+`?<# zCd|++JSxS+H1Zb$&*Dt8IEL)L3004--RJYOc}I#Z{KHRO)51A!9qhhCpbx?Gq=RL@n`6o0X-+(l!|L zE)R<5r^Yjwy)h-dFts!#vBC*cAp1kUnDO-`(O|@PXilOE9FpGYq;}Gs2sowGt7ng- 
zPiPFB!X^1Ai>%Gp+moy&5F-`MHF5N6A%q>l2xs>iJ&vq!k=iW47MLpI4R6&DO3|!twhrsyO z*v+*dM{-RmLlmo|)vPm?Mq&W`nVryAlv0ZyB5- zmyW0QbVWxz-mQZvjh6%S6z5v!SpUn(KJ}X5=Uz6M>$x=@TN1tmpnLN^l69@SE4KZPg=; zEl-XllKF;{%A;wvbM=}0%Y;WAzlZ%ix`g+5VgQZg^n3@FJ<{Vb!tTX_vtK9rZ93wc zMG0W3)cTGBELE3Ee>nKpIiCnW02DK+0N}cF$9>E-M3br^Fhua99Y>&w&GbTt3u8?E zZN23lIatU}679gV!3<;d1-+gcu0v11CoK)L@~xWYuToi7xi*_WxeGgA$1{1N@DD?Iq7?k_Jnz_BxCBy(*7vvtB8Tb#zXJe` z)Pg1oMLnW{VPa`Eq5&I~qUc+c#ZsOK5``1hEV^Jsd3o%MV!o%W?A^AoX@R1GTnPZ6 z0`!57C)s+#+{|`_d60;`Fno?(1p=h>e+Zdeic(whSjV7TBvw2ThN18g29F+*zKSRi z=P_Xo`qBvDyc^<%{_Z~kab9$l2o?U3iuea5!x<_b^~o3gk3(zl00jZV?~V%x*f42M z9V0JStNtCd(=?=%)KA-pEw$K4>2tbp>1CkL#-MmL?#$LIGF0O?TmA1}I}Q=w1Ep0| zi7Q4ZB8THV<09&Bs89?`06!Fg?X{R<6QFc6|AyXyl;(k9vYVNqI=u_<>4slq7{B2? zWW;M?dMZoo-(VA`cNF2#zB;%4FiWWQG}@r!`YNv5*O$_!m;L95G&O{(4Z%AoB6KQ&XR}oFp`d z2jy1c?<=}=Bqg`s5OdcIp^jx8MV*WtDF$ee%N4b6)Q2uD_}>BRr}Et$k=m_#Zq8%%F)(tIDJQT27yB5HsI`FYj{blR@d^9uk_eOg2mN}30hvu27aS4*TS<`l&v9EboSa#0cQU?2I z9R(ORPM_xny%0RPE1!qXDL(HbK^P|R%V3Bv(E-6p@;VXr2h z1AqB_#1Qf`k^@`xv;N|iYG$jkqzdef)_ZfVw}%?p;do2g@isw;h47Ph^zZJozGeav z2puR0JbLlBpND+VpxiJsf*WX&_pANFXeL zNDPVrpY@~_NpEEG4SD^c_f*3WoHK4)4fK^`4vovT`%8{%r}YIg>H2Iap&*f=6)VkW5+ z%SgqXq~VNa-Eo9Mb^;zs&yWY9h{GR>oDdNtXNpLAR{EkfLD|rd%My4CFj}-&NwFc& z`#Jc2DsuHp?|GZPg2!C;7h z(tfVRIu1~aBX^uT9R}dNKeefP~vU2vZECrzTVhi<&a;HTmD=!?3@Zdg*S zac1JzPC)QvW!6?8rUPOwjv@6bHb%b1naVNx>u?hx2#oo|FCUCbi{%LYXcKOeeSat+ z>A$1B-r@B^f4QxGYI0By%APJo|2|Q&Y17~BTV)78Ss_6SUt_VbowCi17-@=YpC17J zY}3cY5bRqbiISb(EoASC4S@_tl=~J+_*jJf(+u`n;aotpuuo4>2;RSRaxhlI zLcpeSvI5aBLSXP$D9sB?=mOD!RCadvp}L{0ME*^k#)nP?ASPTg?s2&1gPjYPVo%^- zT(=s*!-WQv=urvj+Jm)M_#%Hqkk=~Jrvj9H{^`*<#4#CefK$NqcQ>a%(Z0E%fN1tC zlGq=%*JwkGyC7`-XCh27u13OQHUo?`5UfzeQ(vSSD6uk&NR$h1oS{A{Br#7?CMnei zX2$3rVPz&nafLQGaMPTX$ngt6_y^7zQ6RoRljP5Da7ip^Nij(e=bfSxT%Qa-RHMiE z8x-dy$uw>)XWso%ogm^WexhAxK^!tlW(dol(65zIqyg1GaAoGCcR@XWYUtf1C6)VP z<_Tt;hgSkK(v>bxFn-O~EnUek6IK#M4F_eA7&^)aGOsu{jPy;7jLa*u9E(nY*e{Sl z(|CUR(q5Zjn?0%EKDMF5cEGk1-N#Tyd%-H(7y+2UJ#!qC*_UXEHcy6Of0LBr$uLB# 
z$jN8$I}sCk5^Z>YC`{@kKw6jtnM3G@S){Yl5?UnX{;^oUs<5=LgMXqJH3g<7_Q<}IB_jV)5P&koEBxE9YEZDWs@FxeRWWlS zmBZ$mS9s42O=%0?;P>TKhNHZ>7`|N~4NPdZ)tU)}0kyTQ<7majwH3RZz5iLQU5jd% zlXu-0&4g?ZiGC|14W^RVh&VJXf~%q}xAp_87e2cuA{@K&ZBb15r+$YzzRYKL4TCW3 z2JQhH)v(<)H%>q+`oylh!OOs9u^;#*9K)Y?K-C~m9@uk;kK$hTW&m=Ef|7kX;hkoT z9piUun+(b~<_Kbi{b(nS_xitBSNpgV?J+nv6}EH89*p?EHs^gbr=NsBA5Bi`2qq|0 z16CEVC;2tWhAq|#1LOaM?HfD5r{K3@Xt$CUv7wy9&?KJq$5^u_!*Y*(M;Ue}y&irC zvRk=lQW+P{ZS2XI(pG35^5IMhmEc@h9j4B?6aVa`9>A1X%mqG{L?pwk_0=}#dFYJ9DbwJBJyjExNa3?V&j{CO@;L4v88(WU6bmSAPH8Rg)~q4Cqt{D z>Wy~eb<)pY!^Vdb0t*RAE!2MWz` z2xpHUOH&&sk=v0dZGp2zstaGjz7^9+r3Q7R;)ykI){9w-S+;JGuJldd0_3Q|r% zlocEke{ekgH#A37gUb2x!j}NtI3EHzA2Mo=QBh-n=!Gw#NJ2`qd`5@t*xXI}-u%eH z>br;Rjpc0$+~D6Uc^n^hQZ+=O-q5}KYFP0oc|ReCb(Gu1So@vEK8Ij}4hTq*8|+!8 z3f@Y+BDgyO5A;UA0j$vOZ*-cl0g1a3x`F{ZV3n=p_KhDG7gKWLEQ`)ezeZ>{f7C+azw4Sq1LJBUy!={=FK zukSZm1879V(oFm)H{d6VbwC)T4gxst45OX;0;-{;OP@~|R$Vm$2ha$TuSIHufv~e4 zongADDbdf|%AT=ge;s0y(zRnH);<4Yo@Y%kh>kTDkiZRFXcRgGlxq=w`w`!pfH&pc zKIad4=FXjNgU;OA7ZF+CX;|3~H4o5VYt?m=d21n`xVw;IV{`|eVi7q4KdL>sv#pUo z5yKExiGoe)OgKOTVOn&|X4r1-$g71kj(E@s;KjfOizhz zDz?m(1aQ02HwN_uVXlN@y&ey9Qh*eIOjo`MKDNt(J)AxwM=Bn&2ADp8pfm13EV~=# zhK$IFr{52{GGSb=EzxK$Tc#C*U!NuJ^~gR4o&(nw2*wgj@C5VfsAk6P-!3rkztaJ? 
z>D2r2=TLjv3@U+mHr?Ti_aJo%xs&|I=0&dlKnJ~#x81{lAg5IXuC=G>3d=+a?6?xV z?I>W#i+mW;5MMf!>iG<-0a*tMwjJ4Vq>9BQYg{JNE4P;ga>Rid0WkknE6(qO!9Eea#W?o#GoQ`sPBitn|i5 zbJk&$?`2Df!+so>_OxMC*4yG6-Qz{si9(63kP;p29dTgCi59?;eAs<177 z3EWzgORo@_$n@2!4L_1hx%zEz$LceNCQQop3TBX18|CEbxaP5B(}q*%B5o$jk{}$x zawI6(tE{^yw=yO(r7TXzH&~0?HF2Egmw(CnGG~P7Do#`m|H>OOt6~3y>bOq1(7#)L zj^54Er!}6YfT@KAq<{_~`MRaeN!=_g2_oyU1#vtP`9{$p7Hw>~Q(YMOI#SvGna-!O z{mgwXmXl?Vv&@Xy4e*$z9zfY&N%ht6EvZhr+^Gy!V7ZTKGH??!n=h(X88DiuCLO*8 zjmd#XuC$@cw=vW7kfs*R^4&>W#-1Yk9IS@E+UohT>%Mxw5&z3P9w{j9_ochls*stF z{3o<9@$+V6HyPpVO|2Ppajk6ir%1SNf2!4hc}$=}SfD~JSHa{1Gc`=dTJzG>DF(zD z2v!lvLZd`YaG(MvBG3YLzUYM32jutB1L)Bi|NB4q8o3O(oLL8c+=yl*QRcx67gWjKTUpVWBP$QzF_TZ~YY==;_t zhlAv!LtzR`0|YrDB6nnBNlJoKn5YgC-3Y7uMgBm8QG=}70Z@is+6Nnm7g9_B&Rf!4 zc58^8nxl%Z^@iiMhA$a?pC_g+H-G%gNwBLAE-FV%&pS*8WHsTKwI<1^^=uP*v%VAj z!xsetW;cK_cX`S!Pv=|mQ4AGYF~2X=OW%5Qk4;NV*I)adPrrL{+Be^t{;RAk{%ZDe z(VHUDo|``yo^I40-z!PO<)1UI*P6Vp4h6&zl20~{{^1? z^rxds)OCRVa!^P>-k$gB^=UnBSz5?rMJVB09bB$jXog=*ec*QlMYHM*adaJ8P9~+q z-R+8HfNZEO=?2>#={^X0?G0bK&JN*^B2GxaP#WDCDPWNp4DO%r! 
zS(jlx-_SB241R$uZ=aV5RrGluU0&k~8CFZA))6u$oT!lBxD#$UN~5ophN#cFC-w_} zwop|kuzIoNL?}oP2n{blEh!oFPv-hNimjb&;nQB=^522VS0!&{8v|&Y9cgY%aoJh`3%2Vjf z_79J#ZoA_@<0%#8e%3t}_V4tBGx3M947_(nMGgNLsaN4=7>*jQt0a_*N3Rwc@>Mh_0(Oo*f&<01l6h<%0ogz-%CC;tKet zDPcld{2(Jw*Hh(@Q}%WY+cv0$x-89wIzn+m?L=-YN@_8S_qbGsy;J2YiuutAdMZd8 z^GQn+o`ZHDb6HChk#AlwZ@yxef|Q)Z#D-(nzi}%7d#g-_Li@O& zaW1a%*$*0AON93!!mWzd-%&K{&8H_hCs)pPcb`rnN77zn*)G_?;|fvw|>0q?OT>ZoTFK4DZ3lZwIh~M??YN$ ze(w$;NHLWhat>9Ke&$H~Hp|E}c?^hwrYsM%OPdT{ zqZmgn+8WLxsBL6N5o7!iPhW$*BzU(j8tbNS3{lWrWP8C2IE@2 zL<1r3$E1lulo}kJmX#@Bt$z<6xE^s2M-?tjAE_{ty*@cj4O8AK-DBO-q)Q`Zp{~-V zf5+@=BJ9(|xj2c!#R7slVf&3z@lQ9?_=+(B=3_9Mg;HMCn~wseqWUpLX+V{a1d}yF z$>$=%ow9fjTg3^hH~#~Sq$?O%lDmT$wRB}6LBY3{*bL9SQnW4!e!ui)3d_~uEfx4J zy7Eo4V&RN*H5)wqE^5e8|)NqD4S=rs6)Da^C_uxWC7U$0{ z*goNb7)Mz$_l#-I26j@^P94@$T+8(QxNb{{&I0{?g)R!w*nV;macso#+Kh1idtsOy zD`@q|(*hW2`L;jdix;gO(g~x$CUKI%g#(Moi|AuCH(cXyy?9V0$Yd+LQ#6=`V8`cKKt7*hH+p8GV}#NE04;kuQz_1o zfkWONAu^Cx=sr=9epG{+^t*e$N5{5v;CtK{UxCIVFsGQ`r+bDnSGbI&7-P9@^%;}z z*-YpOhkXx|0FwzZ2w#V9`NuLNXYTQj?>i>y^dRWFe7vskZ827fQEdu!M%*#!D~!OP z$p{)~KvIEbw9Xg5xC0a-6`~>o4TjIYLR^7f_#mO&uq0*^OfecYu>upk{l4XoDdU#w zIj{0Kp6DqY*>L`wm)rTUr}Kxfr;;Q7h8+2=o)?x_wc8_(ud5P%_|w6$aJW`4tkQb| zam?qO5NTgDB=)bzQ>#7IhG<#^9cB1r0ENAh?rAR=myZP4TDt3Oa9ScT~(+d18=w`hs_)I%uqLrM7viTK0 zs*WaKm)1vzisDIqwC)oo%dVTFIy2xx{&lVXu73)Mo873+&xC|#iw~*0V-KqT%bC)z zGKbPe?ADrvpk8%-E+0@Q?0yxwUi`Os^>K}0U-I0Zuiv3AbZ!CoX#Ioa=e}k*-tU6t zpUnD7ypaI9C;;EsfOyq8V=x8&A-u313bLZZ&xE_t#+Ay5`L)cX@$Sb#o3D4fS-S; z(XX27RD!&J$Ji_V7>Rj>NVyJk^ORB)l7XCw6xar4I!AiUcl}w=^XAw~+^d2TOFtl} z0*f;9U7Rm6FKZSvEo-hn#Bv_s3;NS7$~o`C=3C>rZguE+nOxbya*_(M>+9DXtQD`U zWe`YE2lIOPy|(t4oOn}=fLhohEukY6?X7JUB_KjSuB8Td1>8#l@Flq`Tm2^J!qd)j zQ%}0SXuw}%*Fp~ZNTYSltb$(TlN^{`NLG0uiNzcE}Gy8l5~$Spdz z+tpK;)>(M01o%!`%8@6jUo6Rql=|@^&$$AIj^Z=L(9jmX+z_%ciei9V zse73_rm8UYlE|($j}qI%4$lIfvTt=r1-+a*<`Q=>o$L8Gk=2;xo{SWnrkHxqXh7)+Dt=E1QQM^ix6T{-h7qqzj6;OM~U*p3=Vmy1GaOt&KLS9hu{9 
zjqZp=N5!Shdh*0qH~Z_#r@H6PU~5sxZB6=Q^y#e^d4&Bed7%4X8h)VL)xg_x^x%rz;&S}85bj$*!Cfk9t8bXArv7wEk(FBYh8Z>1u+OYLniAEJ!EP+-a zX}I>DqJyecl*f7oEOJ#f-~B8#6;|{(((^@W`j_6EZVi%uISr=xL>S)A6b=^{6yt@PxlUky^rTfb&`c? zF_Ag_EM$x67CAN@-N0sBtBpfSLr)(u`irV2#AZJ_@Vm<&(Rxe)1UE&1QY6k+s;)KU zaF~M}5}Y5gop=34Hqb9pn|Z;;Q>B4zmks}d_MXJtZ{`kVdY%Z;2m(FvpppTg!`j#G zo(i5>bn|o0qWIh_n%c#Xzm{qDPmiOwfchM}%b@*SVTAq-z5IJ*Oh~85+SyYETAOST zYC7*r7Id(D`f($+1-8lydu33~mc3K#^tnA9oN=@E>AVfs97zk@Kh>ePyV&yv1oLfd4R&PXCWg)_uwjK}x z$kkVW@HOidTiY3{^D=dvxjGKZ2ACNfB(2_Al?w@V^sJ z@)XHvJ7b>pw$o+1#2Mx|Nx!iVrH*JL4w|Y54Igc!S6BF6j_Q82?L3m)q|jljz?>Hh_4L%TY9wkjMoXhChOZ9)gXY#hrX< zgCK{g5_p!X^fk(iA^xVA%XwYx_stEbD>sL+EgD(~3wl)IeZaknUm{i)~i8Nk1`471IAJ6yaMsZWg79IW+YP<~vf* zm%*5-GWN8Y;b#=r;hlG}<$Xoj*%uh52s#41CmGpC@Ai*X@pR0+W74b>#k@fgF+oWKFb{{Nbf8vSM&q<}%qlnc`j|@&S6$ZF>hKd|x z(nyEsmDQUZCrK3sAsrJ2NsLL3P_PxxmfS^grToNf-p~nr^hn(A-z>uAoh;$0ki$&o z7ae11%BX^6P17b;)yd{c_GA4e2KP#w&GXBq_1;+qyFa}o-PL1Qk;ApIEx`eG)5tIt zGcD?`SH%v);{do5o~d+C;18FGo}rKYAtB*iQxj!MTIQ@%GFnVi&on=3wI+lTtF2gG`x>M5&JiM z!WN9@<4z2a(Bo&2dS5P?$NkG|)^b6_DTHnSeqsbqaSAI;;?j8(#+LfhStO9hRNn)P zkBk9w>1-01OMIU)9r%9@SkbdJa9+O0@8M8zzLC^xTg!&&6Huv1bngTZS zIHIJAXR`lu+yA-u|Nnt)tMflq9AUHm_dn5l{xpu8o1Wia;esl&`O7Rp7^L#a33cLZ z825k7MbL_e@03Xb=+dPMYQ+-Q;z3!8+J#yy{VNJ=QVvW|WBIE`48mM}9d-SYqA!%? zzu>><(oaDz-Y7w@^MBpcE(KNA243VtSi==`->Nf2%=16A6JYPW93K3ug1aXd*uwv7 zES7)334#*+vMHyhm?cab{`2H+M}WPn7Y{U(EY+-Zp#6*h8ww%- z@y?7}=)Kmw*UcTY!2MGcw~*}xlon_m2mjvEe_c)(bZ^NdL0b`PK1xDQs11~F8Kgm& zTLlKuqN+iI8d;(QSAi85u}Clyk-k4r+=)&4elIF-IP9F2Ycsmy+&nJ#D6k(O_h5ld zMd^%gwKV=ksz{y+p`CBz>Q}nLIY-8tZN7fiH?HPz@jF6x&lgUtL~PTCCRkRytFZ?? 
zBFWFC{eau?!-h(qhROIFO$^4dL;#Cqz}fI$77b5GGyHe|hF;039C|2uO=F@Iv}mrp z<-!I&9`;=06|UqB7L%1l0}S7WhV{BLJ<5)1_LfVU^jMuIonQkta&GZl?KlDTH0~B0 z%PGY}JxbF{-|aAC{Ln)QXCUSDkgkZpa>{Sx_u=us6MkBfNiL*iDJ}!b^e~IR1x~%( z@J_w|h;QI($YVqf~R{QzP;VgNGs!%PVW*O(JCVIeoE5QEj#>Du+A@!j)&E~9C4uN zhsTi)PqEhzm^!VyI^3px82){gr{nqILW`+gjVTS8(p;-gf0KDX9r<_RbV#xSy2dqN z3r~E{<@`arROJdV?QZOO z1Am0e&Nn8xL@6OHeA~Y@WFAH_g9j8d;($dGkG;=Qv>rHYO&SsM!#pV+un-#9dB&6t zPS~m8g4QMD?>6Rd-px&}r(f2YG0*W^9<6M-M^6?pFb=fgG5Vq@OiAGkCpZh@?UJ2g z3Fyr|T^lPW7L*Rt!GkrfXAcxBYHJ}v+!8k{!DnTlL_Vbs^1_`q@?tX3M_9?M2=7-f zpN~NdKZKr1J-Kjx8mlHJa~3X3ch*fi)&h0ye!9KU8!#1{kaJoEF|AJEe(u!zqQB%! zz35(5II35>+R4ba2U884oSezm?h`a|_QbW8q|@@0E7;VLRvOe$IYJ^<@Xq#nA+et* z4b&Vv-yf#H3BdeCAa;f zcQE$g2WHFfR2s?RB8z96`U$9Hkcg!^cBCD$pbCJSo=-hKHp@A&wCAf+-Op8KoHgmq zkEwPqrIz*>b)48#7~b9M{OTxsPmBC27x{f_Z?8li$#9vN+}OvPi& zg3a3P)0}(fa7l-&hKmMM!@fC(3z2>+JosX~yCl|KEN0cdUvsZi3crT&mN~XmP3cWY z!c?Ujm!+USRp5Y~v38Okl{aX;XPkGRJ-yhdnFO9*p>)54H+V=qAUMP~rRU*+Jw(E}0`}3!%Bs zw*2SzQ5v#V3Z`<{o#ebKq<&vI81*i3KBQ1>@aOV{uRwr~1x}Kd_AAakc4A07e??vq z$#Le|H{ed}^lCqcTaaT3KD!k3)dKw)*DI8#kG2rlyoSbWK+N^>($4i-K@U6JVF zjApe)HUJG?PXh^_Juof7!iP`#+-l}IQq2J<+ptH7cQy0;J#hG6T0;H}OXc1j$fc>S z+VZoUZ*SMX6=Td-p8f6-Z0pq&*t$F6b~n{F0JsaVAwQ?+*6f*}8Be!dprFsy!@Ttb zw$q36b+2@%0q5rWFQvagnUR<+`la0tYq$|>5N2eA-?uPyiq|tawG8rz1AeC?9D4e# zx(S^>1rUM->b7ZLKsM{Ot8kjp-L5p2q9By6evMwnj-(tF^!92&U@$^J-G{v3j8e$i zby2;`g8cc7jEo-u!8`*RTtARvfxoeq_<}2FhWyA2$l3PNVuqufQ`S}4oeFL><}iqB z%PU&wAALjXrT0k=Gw@FtVG}&(yV+s>kfh+%2Bgbt)qzt_%O~bo(Ad~^Q(kVU&k7=a zT%}12V<83V^@Gk&Wp$33|4h_-{rwkP?P?*z&jY_7!@yb{|8<@msStW^^!9!9)Clsq@cTljRR(0fqcrtrVbTz8 z9|u>|9uFh`(8}!YTu<;d$+)}P@PU;zt@3Vo^bmO>{}3$Kgu|{9M9U**lT(lEzwr=|=WT}4%UfgxYw9e&YqV;$OVae2mKQ6_GT&?+smZh= z%MO8;iot;w$@Zy8#zWJ->|boUumyXYx@;Qm)VR_ivE}a(c`dc<;OZ{gn#d! 
zbYhdmfIY%@r#g+c7JxmgUZ!ya{dcwif4My|Lyl`8S<)u?p4Y#YH7YAr5~7i>k`%MH z(rS_f9Fv+RjA8UA{0{?mKolu6j!*zaDB|)3r`@2CucurcD8W>>QsxG0em?4rqT}NR zq@&xvOq7+gG!6Bj26a|@AecRM>EIRy+yWu9tNb+;-&{Xt(T|9?+r|Qpd#fsTWC^%X zka9u1e(uurc+Vc#!yep2wID{~CpYVr#N@i55WWVATkQg2Jd}66w!kfIbC~WpP*Ese zar5<^xFO`rDX+Eaij~1GzvdjE|5olbI{g)5S z$8QkmRSK2ZY5fqB!|Jo1(=PR~_9zANkO0Q^Zyi!X>ATQ&*g>&IE*5rw4h?vI1>;>Q zg9ZLRiJgG5u+HCc>_Ec{`eU0>*(Y0`d4}`@DgRl}{(GFJteG5=`$Ng&;zWO`>bfI~ zA#AKkjVw?MM4I9zPkidSHja2JyDn&;%h-d88E#q68~IIvU+pI{*?-Y$f`GId>RM}f z@62W@H;0O)SmJEcd`wR4eYv^EX7Rr+%UTU;4uY4#6#Fg!yM}-*&A@CjC->0Xt%9nN zCr`Xy0|Rvg*4nxN81W_i7z3mETawesdTk)spa$(TwK!}Zc^(J9x?q&_N_LIOG6O1J z_9IboqZ<4<{2J7MZwInGPf0T=X*a#(Wu2unCemDHG5PmlNQ(;p2z<@=%!%>;8~-6- z(ZH`%Ab6H8c+3SB%0Z z89oLun8eCg>jX(RrX@y0%9{QiXsU{<0r%kpcVfML-M`?@am{es%an-_Diz2G&dOBa zNKUj}7dZ3iA)@J>_(!hT4-MDvS~cQ+Hn_*r5kN!mctXfZDBhZPI|9(9?e2mN1nIQx z!@})Sq1I-y*p`?z34}E&OpS%dH+{7?J+zmj2+Y!qbaSF2O9%}FH^cll0!Z^Wwcz9N z@@lAjcSUjnF@5|3ea&!x>=FOIZr<;en}2)f5%Cmwvvr<-0tv{ee+}@8XPMqg8$-Jw zEfIkW7#ZtQ^JYE7sytE?ARVp|O5EC^G4#8T^*=gX5gXlfF#x$C&&DM(xK=%9Md2Sy zVwTN-{e0Sp{hY^aAb%n>Hm6!%zo*NG5dDD!x1`{yE~ndsJE-lfQ0AhBE6cD)r|ya| zX$r*qG6D_PW6)8~cvKEI0N|+54gEcSbR->$?A?ys1_Y>-E~KH|o4y;^he{$x^t4w9 zenD@~e7!~hhTQE{8*c$M#1Oe@C>}y60o@DhfSu(& zZsK`I#4C0s^g#bDE%1Q+LYjTfg@GX);7=R}g;u)}^g&5RtApO*Mf7VJ^*tS`Z(#wJ zc`jz{HK+}w{a}Jo>q%mjHv}1#S&!1DQP;yFaj8t_c%Rd z(V&yRB(|P@jD$!nfdd(Py*%r-t}(IA+TI;m1%Gb>+-GjPK0fxk3W9=yx-uT`$bEg@ z2RFwFwbx(C5*uxTs?vAAU1uw%8SQ@1%AWeBNos#<3Pcjp{DT?YsR!v2Iz~nmBnRq> z79+7>2L|U555c<)cMRJ{Y{&~4j!+*D$IAZ9egEV8MKoz%9-Anh01+pL6?_p zb~xzJGggaB&{vTnY$HSFOxJrpHi&!JOb=7AAGJXPF7yB#qq8YHei}nSth1+{*{cix z4};3Rj#RaSx>;T5{wW`U3!8H!F5N;#Brf_F$I-G!nXpW`mVi9OW5wU|ACSM5fs>G! 
z+?nR6T2Q81qgqf%W1J=L0VoejYysW(-*4Rpg2$Z z=rZqncM8XQC7na-oPAW zmX^!>SK2s42P}-te*QP6WOq<#7*XMHgJXx$xR zbmv;3&isa-5bQ?F8}A`&RY3W}{!U2AZQ4QP3I}8z8dCEuWG|vXj{j0W>{mBCSsKUN z)^^i^XCYPuWa{H@-7SwPb@ZFq=zU>Ce^PTyAJTfBsRn&yykKng@Wgj1BdPN$Ff^MB zF5c!P*A)|4d3vRqAT-s zfH@gD`&BR7HialH_LLB>bNRg)X1gR!$F#49i|YFK9E-xeE#y%^uTt^HkNs2-^BORz-l?;yw5%pOaA_~jem=x#3 znvGGv&}p1_t~oimFQ(Qk&D~rBq%HPLT zj%`pc>0+v~@kbtE>OGKS>m|`2cByW;k9*qr4lI|`#;Bg=Cju_0ijY#+;rWDhR);=a zX6~hfinE~CUX2!uCsA$fVk1?FSLJf?G@5{zq4DAaU3^7fIjvTZXa`b-n?}<>c@B)4 zuBtCxpeldyq6^W_4jUv4EME=c?dpHP;RPPZx_AS~B^k5>W8dB60e@8kY*9F26<4RP ziXR>Um&ckZ!1ejjYj2I=t!&)yv_2>OLFaLv?T?>Sl59=YQBH+p?2Y42v zYJlNh2{uB5!XKlmP$mpKui4gsWDHd`NcWmucqy$6EP&L6{0Fzul$yinAy(w(qv|!D zX+XxP0?Ww18d+2>rEMiZ|4E40k~F9ak!-k5H%}--g-qEr za_eZUt+15v_N&I|93yx9U1t zlQTft^NCI|aB*;uPv7`JOsU%Z>Zk20vL=bR5eE!_` zS{gTf6Bri@G%{hp1K>y<{6&Se2naRq?~xEgzwn}tmXyD0K-`wuh^9l&Qse&w(~mhL z&iB-~YKxxK~KE-g$EiJR> z>P^Tg-D@duRnR@AvuDRZ7CwuM@+vG;01vdVFy@rVUsl{V8*JP0Okf2aE30eout5cT`!Oku1v6)Tik(BG6rkr3JVw_C&oVo5U zgOyHvLB;S=U5x70tD|ARW?(4ChDJQ*mq){kvpSZAyTbJGBoNu|gsC51S}Z(A_+xD* z!Qex-&2wvv7yr~^8z%26To2UT#*4T16RaGJ(|I_PZ9GHxGZhCcD?bpYqv=a$B2oQB z%^Swm=7OV%KWtH+nqbY*juFxZb+|u8=j=3+mXKl~H$3g>)QdZ$(=X8LC$)RS8=@>DkwK=AB~2&o zUUc+BGnDw*=)i7`ZdI&P3eghFjk(6g>wptAw}v6vTl&cPQG2zrYGVfD@A_- zP9GtgJ)9b2efRfnedsAv6Ucmj$Xotsgwh=t8xOSru z3(a|Egg$Ulk1;=ukbJQ7a2~L_;j`6|n=`iSp4Qi!9uoHK^;~SJ*gKZNY;W8sX%Xg$ zrro-#aAy|UHzv-)>YaimmC|Bzxvgn?;LZ#uY>3I}uzv)vOVwCLU^1rKXKP6>r^T<{ zIAVm;5vj`1Yy>u7U?lw>OxMXyr;xYT zax=KWV@#_^p0rdxPcrl4VO><>h>~8Rn{R6;+74S?;UpXi;vlG?k8G)`_*IXJ(U|lg zZrwH06Y9!@i645fVSyoT5vET+Fb!I}`-wr&Tp1Gh9Y-JDn?vd^^%ACHap(7WJjc2N z5qxWSL~A``wS)_+x;!0CQ6GDUT1f<<0q?i2%s;iz#)j(Zpq%G>D6CUZ1fg7sZ5npKy zHf+|b6^KdicF?;)ksml}8dz-8Aw$lFH#!=f6k$VTH@?!l*sk9RT9)f}u~cqJCHj|h z)Xud>R?s6vUjRk+Prq`QaxCI}+V3irNvwR@gUr{5d~JNz1eu3p;kS>#o+ppf!IkNX zbU}JbI@}n3<_u(x$-+Ftew3!pPX(qX{F_J`Z8(o+(kN&oSjk=1~Ri@4po3z zu~A%AKRom;k1!D$m5H^>fz#^3zW?#si>HxvM?-CqZWuj%B)#dQ>CJGq-aig$*TEl2 zhOnKKZBZWGbZ-Tz<;(N}nT`W3A9quvN$93zW}g6 
zPruLLyPbjzM)3fahCSSc-8=3s+K=Ne%p0*gcx0TQtWs5YNdl2Xx2N=xaH{eMgH_-v zHHlIou@*y}go`1x660!V2|ktS$V*0;?w*~n&Ymy4AMrvj;RgARyqI?5Bp6A9G2Gb| zH{>kq_x8m-&-34oqb^+8q&3E2e#b5Ljo&%0qwfZOMWQGu^JsO~-=) zNb+w1^OD=^f%kROfO7uYU^f%ZcSBYj+_!?SLySu(qgIgXOui4fTMTu8hf?s0yg6SL z`yd^y2Huz88h8I@t_7nj1Yq>zhalNh7qgN5D~2UUHE|L~FdBuKF)lD_N*n5qee!OC z(L)eKjL%=(^S#MtemWcNwstRyA2u5eOS2sGLaPlrQElr5rbbregDm>?@CF(v-+$=` zAcXqloUp$nsMy;UpQYS0aRku&!4LsQ!-dQ0(qwTck}Id6L|U+`=nu7*`MUuW68n1d zYJ*=Q40xlVO8yLQCebKY^7QmIzY1L={eqpq>gQ(lexJ9B-5E#tE)k}^@o&FPPDaT% zP#tNiCyA;!_)AiebQEF(e5zEN+4hGW+7jyY?{Eh9CucZOCp2A~4XJU}9wNToEvMo$#r{(PHd!enwf@az;Jkvul)d-32_=+XT>+QQ8W#8)nu&> zylrA5y>RrZQPcriWgH2&KuS zc@MX?*xSs<5j`Ghby#p8;K2aLPf`2k^_S|@4{V!)ux1bZp}ekimgA=^PK_y8vZQpJ zEL+^B-bm9F&fJR0-e@x^=Iwj(7UdH`92AdlZse_`@GV51-Rji3icB$3$h>)`82dSE zqe1v|K?9dcQ~lP(@^%TRWgd$HTwOH1(=sJ6DYVh-IpeyoaAC@(41Vf)BO^=j1IIGp z8B;f7J}6qnZGa-CP0c&;;Q-agAX3pt~5Bi=Ie-#nhOg;dh9SnlUO&b2*xeAC*zDyC9>&Hh_g074?kit6@}B z1TsXsj#1$l6^>EyL>LuS)yLe7iupj7dH5A&Ls3+S-TM5Bx{WSHX|4gkVs93|V$bm_ zmcXxYi4iO9J}Fy!YtF3LE7#_GYs##6G3gOqYDAYB@!6+FoZpl`(~|!UGA+IsL;iDg z4s|IUo#7jQUYgFe>7``ihXNq>6;oBL$ zo#Fe57{05jk0ltsSCzi8YzWFWy;tAhUANJtD9bf4c<;|Lc<(!d_ksrRkMPEEI)oP{ zJ~Qyeo5C|+vYp%9bW)`D*WAv%U#`6O*VN8!P2PxveYB90Adq=miO1E3%JRhGE-Xfh zkldB!Lf5HEx0)8eTD)C5T;r0)^210t&USBI*o$F!y~K+%n)T z>M0koJ4867Zlc2$g1{&xNULTKXh0RJTA1dMpxh1Paf-nj;{+aLA6k>4u~(%0LZd&o zK$5i=?|eYs_0C1sm!A?$fR)}+hhe9pu7DBU1T;3`@*#&c@Fwgo=nu(JvOA*Af52DY z9TB>dk5qVGhSJ=Mb4yb=9N$1cq4_LB8uUKyvsMN#+=50L-;k>4g-H-hf~|{(2>bl> zl517~CQvQwtAnn5X-Ndpnm&}UY4Iad_m%YcEW}@Ka4AmMq0e1dE`t#TPF1dwuxECe zhp>{K>*v15}Lt*G0`@DCK)&A)t6ge2_7XlTs9!LBWMvGLlk;s zG~jL-!iPOOWWF~M5)1nz_}cA{eRS?2FHpnR6FTveC)S*px(tmN+%2px$2ufycvCcm zV-?fWWS;-8ajK>ZMy@*Nu@uU}E`5&Op7pIx zY|?y^%6d^vOS2~$ac5TujG3A2O7oY>x`vx;8CqtKoU5F)3eHx#KNWXP%v`om)D3qd zZNi$C4$@|fqdx9cDV*9qpQ1!a1TgvX4W?eiy{L3U8p9!pMqni%) zB*1f+42nYUSoSL)>s03+fC#6j^ zvlLbmD20Y{wN<4g0>`hSaliknM1)M7wQkQ)1S@qcUvOr>^2H0?di67GpbTJqWeHup 
zY;|S+IQ3;yU&SdK*3P^P$7vdfdh`YSS0!bL=6nZ#GVO2p^H;d?*WB#E&Jiw(uY-|z zK`<_r&7fJX{Uw+vYD9~iCQAqsbWbN66xyPgBZYY5rU!IRXJ^{OroR9G_P+hOZ6jIt z_xu%zc28N{B`AVVDI2*~er0t|68l*8-FquasXzjhuqFW(L0Z=F=KSrqyJrR%3}#3` zphQ`MYd1E5dG$Pc8uNYAy(ado)J2)=o-ZR%YYbM#V6pg~>C@ND(6i{%63iIr#uyDr zrcM)^2Jcs|`EsLe;Tlw9%#2X>36-@3`OWP`%tHFo)*#8uwKhEEwa`+|YH|4*wuN_e z!Eg#>ix39ayc0_L;yrwjMCiQ%W3?xOuR>}*?RWg60LJrtPgv~m%uCy@+g243@Vjvf zGU#e5CJJuZmuOzX2FE2LakAa~Z|+(m+w!bIl2k+POk#hz&z>}$cAG4a9nWUN{a~e4 zCiRwaP)}`6DMdL>QK7tyRkUqd(QqTJXg7g+x56yy*32U1&m)Kc>~shET0c1LLCs34 z)|Q%;Wcag%n7{HCbr*g0avH5X2_AZIomNx1YATls*dbtbuT-vnMJkt0fXY;^a&X?= zP`L_1sl42p%2iXjYAV+Qp>h>fAGf7)6#zJIL*FtrJ7rq+%hR{Y7P=J$`3UG+gH80U zK~3MPNZ&g1-Psf!-JQLC=f*L#&O4hg+?%IN;8LfZSX6^YPT(4tRrcU96S(O7ku!_p zgu_K)O_8V}Ji}`Yd9ivdSU#4&SVW7sWqr8vZ-}sjQ1HmN#_lQ>D6?2&7A-Q)U20mR z6{9p!QW1EVm1oUxoQWEPhy<~lK4U!MOFV~dorjuc5h^`J6j%yi%$XfCcZt1k`Co!e zP~*4>?^iLGoK(D=E%K8C*?wAxdzA(^*i0|XYo++F^srS zv_g*0zQ*f!>Zh`4Z5S8waGTVU>0Ab8p5Xv+FTXR@k*|PuUx%JZlINwcB)Y5ON#Ex$ zUgH=@IR%EA$-%%LDP_*#Ep{d5aKoGZ+{=KtqQn@_IEAA{AriSDlSN63l=1PL# z(z~P!o1&vs&%^6n_9|`AItZ4#2+0lZ0_~8gA6_o6(ynUYa&x5AzqNmte#v}^f*0$t zfZN`!7kSHuU)G~hx$w&d(CTp@Vc*0Z`^VyJ_9gTdo;7dZ->l=bYk;d#TWWyI@Tc}S zTVpjFzRmI5^j@(V9nfC}tI-Ki8LKJx<$gCpZlSI^ahVz!y4r5?rnp?7DdZHLw`I;)d-aVzChEsLh&3aexOx2qQ%n z_A`tB$HV`!qVe$SvpdC;Qi6&CKW#uWa}OOQ)Ld|YG#VYi5`+Oc z5C&4r68%S~&CaRdAIVYGfzTQ7kd(*)3s4rVVmghT&&3Ho>%r3yL;uCTowT)e1G{|7 zDu5U9j_2dFR<&&b9TH>yK|+U|VgY{hacYymx|yJL?A8?%3x~u2934~0Ss5#$3!`r* ziMT0NBpzXKL+Nb-HY5S?2y0-SxB(YoiPqsFhB&8LxGC4>=lL!++-%9V@}6VU77RsO z9&xx=SH3mY@Qq*%bzr_N2vuVxHCFOau#y@IxKk)V{gA^CnR|r-hPv&d1QehXpfVIt z?lbRhpn!s(*u2~t3aFug8VYzIP(V@jaa$)<$>*1f*kY`YMWj>8?i{&FG>D6N239Vhi2r!gswJ zcIiX(LyJQ3F=w>#Z36PG^==z8z%sV!zKcDMJiJlRZ@2qH%cjF+(QFhjX%k+vNnRwL zVUwZ5+cwah-Yf{AtLWrV^g6rlgISAul>-y{q289E;mv~{nOhIX+%MhMhJTMk0wUD~`ar{W zD}u;)iw@uTn-1r(EF*rCzLNYk=CAh13G)|CzK4~(pKWEIP-INSQPX}y3C@KlU~8d`@?0adp?D!ihEj9C!yd~$HZod5+Oal*H 
zQQs8kIW$G`7t+LKstwnuHWuI9FcP`xlQ`T&+sgr6Nvi&ZDh#N6sqs$9Pnftw;9O*6IDG2i=@@3tp!YS)=<5asK@R-UT{q@s3`^yono+Up>q33 zB{2$>wiTKLa|SFp5?YW)_R6|75(UP2*475Ej=n`_tM$Fcn#`acPUGS1y^$@Q{6od_Uxiy)gCNtDzh6h4sD5^egOJ>;8A^mOG4JOf2BEn&Lc0<`h zx1vNJ0lVR76T9K4W;bkw-SA?uTKaDykj$pfwRfOo-RV;%HK<{f_Sai7TuI6+~IKH$n+hLk!G zV6@Us+nxm>R&@>i5?!~fS1f$16|)ep@eh{MPReUqoxbHk&oaD+5eV*uIZy;!f0666 z#210ww-sS@7XDVc_elZLXgHFd$p@b8^pnWBEbt^Ec?$}Vi#hQT)xdMY+xPSma`vvW zS(UM717~^s@KglumDBu_C4sWqGgcOiau7mM*1}(r0b@;8A-n1NjDs%En9+mo2JtQ} zVd54+11?^gov)T_ZcfUS0>X6vo5&g1{1`S*3Z%!1#P>SXox-hApje8|%V#V_X2Zyv zot||C8Z4HfxfpXWAMbpgY<(0ku zvc!{27F-gBIY!Qjsm?>ySTw9L`m-?9g>iHSRCC9M41~XO&H=_8rEP8(uaR%NChg% zKtfpg8fn4;YqI&@q-ovc(^Yt7RpJ1SRNjZa6B}8dtQveZH+F`updNVPgJ$y6$qT81 zNv_K|H6TCPk25o~xrxZKp2I>2E;1nVL*C5b(HghNmec12(2HaYvX9v?WS{X7%03h$ zr9MqN9^T-b$#u4NNR**gCy$tALc8R5E4Keglb*$*jzzT6S>Sn7B7V9;4agf8bGZxi z$NzE>P4=;mFY=RJUQ@U*+ZBs|*^%+}tIgA}Y|G(7zxQVtn0tl57rb)8VqgFXKZ!v} zqt%j351F#yUc1_n&{oLn`p-yEXx)%;dYOfT8Wlb`$1D1%lq@tTRo9 zUM^Wd1A}GR?GD7+kSZ1T^W_`y)p3l!_Q4v7R@g0@)P~;M1VtRiomcxN5&xAKA*^*2 z@0*pIEw`~@9mqfRt1j96lW9QHgMSUNt;2#(Imi>Z@?uFFC53>eyyoUTKZY-@#C#<0 z?2MQ$^d7AxR*S}gd!|!1x@(ux%5FInj~rwuO{dZ)0WBC0=9fL$H~*#2FIm#1@gpPfmCkQiR&>l zy+o^6`a9tA)SldH#*>oc!7!dwJIqQ+eq0HsmIg6e$nss64r;Y@u7xm)}0QY0%z4ZW^>}a?@7GO?CWT z!;IrO<%!0X?xW%~k=%Oat%|N+>E9ryNpjTUqiPGs1WwJBfFb-A>$;F3G8Y4Jf@u_e z67;8p=9KmAp7;PrK%=>Hz<0_xry${)Vs}Oe=R9c*%rn z$}Vm|y?%ljXT#LN*%aOgH&t=d^1sXxe@HU22E>AVp){b)Yh`~8sVVH2(`J8lseNts zt371R93IiTA!~d8kUi|Mzk2Xjx83ftzuN3Che>(#dxL?2Kf}PS<`(=9_gc1q(j`Gk zkH~pLz9tI--HVIQlUG>0&-f>0tHl3-?YuG&)lLF8wcjnn-CC=RK!h z*8h$Gr;(sBU0o0drt%%GVS|p9#=nDq>s5pN~V(q9*m~4OvZ8LDt^|~M{1FJ51`9kdA8OoQ&B}~fk zuo9974A3>-c*TGquR0l}Cd;*?4Up~Gv`rylAhioPFYV69k>k|m_@ODEWHp_N*GLFk zF7QBj1Fy3A?BCCtYK@HB3EyG5cVp&NLmsi}Ew$?7<3BI(+o;8U%8ks*evB;)Vy05_Dzl;KEKMq<{7iT2YEZmW>BdN# za{U}ke&^;N|0U0^e3jYRr;43@3;(}ZH+S)Ue*V&HnKa3`n(%JJ92WXcqLFD-eult@ zEzotK*)5h-zs^IJa2O_esXA8MscV>KbmL=f>vD4~O_!-9>39rsl1&G`=J4}^KCZA17?Y|y 
zj%=6`PkYUVgiVZ7UcG1)p1@>1;aNXTqmeu1bU1_U5lnO*rBt$GrhSbJW11K5%QWJP zV3MKsZY++q6vwktGc)~^ZKgz}EZRz?G=p`+hSMm(^R=Upm_ga^Ywm$}E)vtX`z0fA z;h{k~FKx@82B22)IL&(VPP$-?esLwUPCnh3!e{F=Vs{R@1q*N9W3cb_iPCC!K51 z*6HTrbS|v`Rq0$MA-y}Ha}|YCdAT*6tEO|+bgqX%=PIl|ZcFFd66$vgj+ariqzpyE zA{?*Mg>FTOJ_3%Hvx(#7)Euv>94~fG@!`r3@jT_?RWO;HzPmVs_Tp!d8{*;SQ)Yds zb5N`>=aI9%9J7vh9zW~r8rFm5W@55rkMt-4Q-q8sH{={+SSUQkR>-(Zp(l7tP8-pf zSR6I77+6s#xIW15qU@go7ivu}C_^dx7z8Vg#bwQ0*y)03l?2s-zf%g(vDi_r=Rp&s$WVpiK4n~Rp^Gkd@|n3%PS3K<-vS3`5yYR)#?iumxmre( z39)LBu5#iLeQk+!ujHotXZ)Tgu3qK_H?|5PI-+KLJd_|0+w;@=!KJ!g*_6bYFF?oS8-SDhgye0(VLj>}Wa|!A)dmhCB zo+-sm98MM<4#6Kbp@QVHJ!G|$Kh~Sz3)R5~^953RhzW)aI+zT2Fuj05`#g|?L9oR5 zlx0XTb@ur!9nzog{Q&L#t^GUyXVWqzaW*IEY);bsy`gPrZ*xOiX+v9vDq5_e4W$>w zpG@=|R`t&~%Q(cUP)T%tZbW-iUk5VWD2hy&3@J>fLX1gCLT-ZClX7vHqvf1*=N5*q zv96dBo!eLs7@{`N`zFyW#_v@}A?O`Mn_Q0P_B}?jd5gT%G>pw%EoC)KP7-*h#I#{~ z46{ZQSYXn~SX{1G*r-?>h|;toTbdNlMO_I$=7e+;v_5@iYcd{7T06~?3jTeJFjq_) zU3LZN$Y63OBmF^n+Gy$)F(y%G0?mve3j=Z8R%NFBaHW26HB(G!Z&>UC@sVpdI~ zYk#4k#yv~`aW~FPU>_h0irY=r$cJ8oxr-1tOgNbSH_?hgx}Z;D-|7&vfw%%q7J2nL zi2c-CCRl0HDN(i2pd|u-95tc*8GgnP_l`*GXyIU8tqq~SMUITtwEjYqoZr%i?hrpOs`tyJ@7TAc~-mla3Nm+M`O>Xm({#vfz0XqKqO-MqE) z(aLzAy@Xl3h^A}uB|*cCGa=7x6PhH=(lG5JyNY8c5vG;MaJgxES8?nNLF@8+d&$ss z#p2La2}HNONOX#@@B$`@@=)HkK=ZyApMp?>vP}MJYD{XIC`CM1zbxhGbJ?VLPGHqR z=W5!DRnu1PR;XPBo!hnyvK3aT`I`#58`6*#h|LDo+bXX}TOSLj_w7-R9=#*73IwP} zN16X!=ySD6Gcq$UP*OMMN*wkfXbx0a){~Okm?Ge)x6xA zR9BPgYEs<;A=MRCAGeMQSslW^4WZ5?R?2;I$`k6!7P=J$`kg${zfD42XA_~WQxobc z6YAnQBj}u*yuv6QzQ@i{KhD7p^q(@7PMv*XZFL?wm9Asf?43tSr6VU?4C6#^5it=W z;$&%9D_RW94^^mRbpMN14n-~*`_i>t{(#^T^z%go3>KS2dOdNc=yz;I*J@#s!#9l^ zj{U?tShSjYECi8Y`k^lrbPtB7Z)xi!hbZVyEwoNn%V-|peO=PuI7n$LSH!$?t#}zt z{ZKrGG5_Q*n}|_G3nW;f%g;Cc!_1-wgO?%x8XU?oA3Y z0h2)l1!pl0$5AAU>9~rdzmt_0EQu75KsU*T!0>*g?69hMCo=}#?6Zv*0dBZo2C>Z? 
zXMd7EI*u`NF9MnOttFwUSjVfRa7>&)QNKhUMSy<O;c9WDA+)(kO+nvdJTgk~Lr+ zoDylUh+|EiD264=f$v(L?A!^3csY$$o=nzJ#d$mRIE{h|h^F5Ep^%_TvS0mcIa%mm zQ?jkL^)!CT7wb~j%$LbZ7I7J~E!H&IkmXKV&&Ki8Yq7EYuvo<`;-W^B2jU?zt%G(i9MseQ#T5bfVP`wMBe%Z zI*`a!L^9){v-|}MM~xr8xS^p#uoz4uM$?zJI2*mE5#{_E)RX*%?LpFZm0hyO)-xUj z@5DRbV~x#dfbS{AKfw@#{>J@=HTR!BxiO`ko;W zzWt2Wo@YcndD`S8>kY+KebDDwry;Wp$8PLfU%zG+_aA?dlY2%kCUf@d*Nm2g1X$76 zuX?ixUQ2c*Iqm1|D|(OyhBW%qbH(`(I}76|(}vSD3doC|4#6gsEO96dJ~1txYL|y) zTB|XcMd`;=I*SUNooU8!OXJ6ft~9P&b7M+zV^oj>5Bcwv8`G)CjnN5EnHy6M0=XM* zOhNdGms@jVYHm!;jd>v4n4;?A_S~2hI4}tJFW&Xni~oS%Vv6GuR`X)iMf}Od>pdX5wZ0o$Ry}Hiq;x@6Ti*Aq6Ua6 z@K_;rSVblAWZWASMtgwWFPTP^2G1VY`8}d#%j?LVuuuGKFe9k@B@>H|Lge6wx;Eq2 zD}0Q5*4Ul9qhQJ+am800g0dFy+0wN981!=Bk|%ve%AtNakxR!$;{l5QWe$bgAe_+GJ9c`62NoPy zu;x=APh4W(-*%`x7wfQjY{{Tlm^{gTk*5itVRTrP?fEVE+Rj0uQiz9bwG3lERF zFdol{#mIAd_(DVK(FO0w6e^*_kn<9c8PEI$*<_5_g5YHW&B$K3UP6(V7&U~_NfYIl zMDxqZHS{9=ES58=tfDIyJuLBVE=@>6dd0rDS-*jn#5*B@?*+f4GDS(c+Ry(eK9D35 zf>M}F7SI;MLeUW4N%)8`l@)jmauXnpzgz%0V%kSR7qFM$0n)zE2O^hI%garw3prK;;K#F6@YSK!||m!5iQA zV(D~=>Ei!VHC1aIe?H&)ovFiprd^KD_vmS(ktg)9kulJEG_xj6prL}XNqs^qto6=c z%mRXrW6ccWX)!>MJnT~O64PgW-bFCm|NFD^y=Tp&7%7D`)mQKrf*WIS8PXPI1rugpWGxXF zW92}(?0_0w7U2?N<_HGc^=7bKZ3{MF{%>#PTOMrnmlRbw-Ro)J^9fCGWBTZs-bkz? zYW(Rub&XP(4i$(@jV#A0`!dgeO7k^x?MRb8AYv9ZjXeBZ`b5aeGz^3Z*vBMC!+vZ3 z-umS8Jrc9oln*D9HZ75lcu>BE?EX+;{HW8cDX+$6t^@Oa(XvC`ROD*Pn?W)1;-of z7agJYM82&2ZVD|GZi?83p~)onNWRbT^fD<}>Ov^+y$_OneE&0c-kRblD|W%ZL6yc} zl%PvBc~vAUUoI0pagmoLDXF?D$o1xmI7Q#&x}Y7ZlbSZ9J79d^3&@be^QZnLNi$D! zu`P{;=pNS;3lS%iXgAK^1`I))^3lE%g4$bWndhb)bW z+l8jirjk9Uy2*oFPMzP?1|%<U!6fR>kAGsSAASj`lBAWX5M>SGH`vC>HEZFplQc~Xj3w>)pG zY@u7xoR5Gv*4xAz>(#umt?|ax^RY30griU#BYVmWGIb(~W!8J-46>eCyZ0V5gN&2M zkjBLrGL~2k+%M4?22x4SuMLJ-Yqmg2q8}4+7K!YmE6z%~c7x>wY|j^oxGWSP z4_d?y3odvMS;u(1owB{~ml}8^!;3jy2g|A9$5?V6PEsUDF(CL-lMZF`P^`nD*hVI! 
z=uOVXN?HlxumDg}+8oBr8cyG*jFS@&cVs-3k7lFmZ2ZoeHv zf8_f@0-R5#!DpYZ+co9NI6UmYAHZN^NH{gEnMvEs6x1}^A-Y#w7dP`JMKiCln{*-I zBHcR0gKX@*M8?9%wgF*Qq3sXD_AfQIolCX@Y}*90?X5KzzhOvRds+=5eh#MorT;n} zyVEsC;dd1138Oh_>-$!bcVy?3L*I?c?kR!a+vql~;-6BtmF5iO_Q*O$mB?V~s5_ii zHNRpP{0jAu91n@_m0!`T$gj`|P?=v*?g;&E_!R}=3tn!`uc-MIHNWD4@GFX{k1g;k z${|L#Ay=4$NqG>x^5lxLg>FS{ekV`wZ5u+8KKrTPnHz+Pf)G{&4~iiCOR(hZQhQV6 zb*FJe!5O?r_5!T=Ch)`6j4OqpH8ipKc6y}xz-QXv&3A*`&lUI)_?+_d<-#I3&FToKA#3Sw~1W~%awa?@;{Rot<E2t0^suD-(Q6RMID-~{^x&gjxlPHbw=6>6$b^j`4!AN*o7C&TNt(} zg`*lG`ql>Zl7ijY3?yOV@#PnPHcBU(L2y`lW|91lA&pCdpzupoq_ER z{jS~X4?tuWTG|w_5HQMcb4s#U<`#-LS(MjwsFU3b(wvPXlyXZM`8YajN(+VK2C=V;=?r0~XS ziDy@^Uf;ngTZ)cJT}4>=Dx8kfIh^zkZGU{^+r7@D4W>%FYx{2RXfhhOlkPw?`phDC zOp^H4%b5rJf1D|?)AbG~gOO)D{-|yD#^a9dwhzbla5U+6`s2ZHH1=4DRFL)J)Fgh_ z>GqGt!-+lehS0WQe{3HPVCuq{9gdH>!+!73=Ou;j){A-6o(!D!XkvHT1L#SZztE?S zXLpAacQEms5v(k}rd)3^vrfn>lVPBpo_E;s{V^2QgXur+KnsUHtcIh3J8XOIXfX7d z&!}`*ep>EZNp@c$JzwL=Le1^)+|mq}M#$6xy#oz7^v${! zRC1$HkZe@Pn|m;9qf#L8ZD~U#0QN%7PYuy;hxU}^Dd{;+cxDwZ(aoSf0cgK*^x4<7 z@(y@TPIq8>)jk}4gA}N8JRU{YKPW#Wy6xmC(TmECWMo{mgYYtMq_f!yXLbsw)zmuo_x5YED#DP86Pca-M?y^5g|{(I?+y zMw;(oy>4A! 
z1>-B`@kY?3u7VhYWx+C}tOWRx^MN>_G?fp7+<}RR(ENuLOd^;2h9Y&y;P=J(z`Ia-fuKC9zb5DYCtCO|2bU; z{_4U{_80%vfxkNKcDHE_+wER2>rX<5XbK8Y?p-$P8o&5_R=Bu`T^zD_3P1{RN$eL5AB=Gf9ugOY|c)0%izl<|yoC2e|Z3w_tTa)l_lJ?Y?xHfu#8Ete5TOc(tHwm&5KsBq#CMQ zCn*8^CUKiq(ga<8YKiVevL&VOrV;VwP*D(5k+_S|wM7FVXp6AZSoH8k6}wMei-L`nUlCGG>Wu z)(Zr4-n(9~ikS@&1e1N~A#-Z>5189%biroVPN;Kh$ALnn<)$gNITj~0U_bbH zrB`|&8j(IZ4L`#o3oc0!g18ZWkvA=+BBdUC;p53ps#{@D3^_DYInzjWIHks_b3u_t z&Y2Tb&3pPzD=43>+IQ)6lKUGbh9qM;v0lG8c`rV+p;Tp2{MFO|>3&D1gy-sKJ0^@l z5z-exCMg~)S@$0+tR^|$DarA^S%TYUId1qk|2BonsrX7_6e?}&GRQVprRHxc=njad z#Y!wl94%DXH%tM2aBRVvBB;+$Qv@G5MNoxx5!Sp{ilB}PUxp&66QD9hupH=nHx$8w zfIBa@rU=#)!I~oYKq!Jm)yHiqf)$YZ+YkXw;-s9tL3tuz*+RFXIKPu8__s*}9Bv{4 z4r?Od7KnhZ=lR|;V&2j(eUFZ)pELnbop@qd4IeoHaA;QM!$(R0WS(7+amT~WUHRzQ zh1h-=gAUgQZZJp?;-TV_umT`IkvnTSV6&f|2GzNX-4=Rwr9bD z|L7iL_r5#*#iDcnn4Fbi=er>+sK)u;?}8SUwx2aWTb+cw(P+k0Tbc*aKP_4L0rfsCyk#;T1Xm$yTw%Lq;rxKj;c=?8S!*t-9#(P z1FHeUqB5Q&+wv)VdBS~X#86P&P0-vFDsto_e{qtq88Q7YXEr2h8Qdz$Q>{uxV|$(HnKlh2iAb~-fEq1F<~3_4fV z16rQ4y1aEwZI~p;X)Em?sq{QkN-Ipkf_cP1RYE;MOe21VB9;`wPRel=!)r{lmJWO zMmX}Z{Aq9*K+n>lzMEtXqibvA<6-}0@EOXNN@s3CS_ml6C4Z`fqEbMsa`~ zp)!9Eo-&%)(&SgeBBwYK!d}dAO{)c^WW3UB0@$SstO`!VFR`*AXZKgxzhCpI{hlZa zncBqtQyHg{yx<_0Az2tXu7joLK=2C6fcrd3)Mj*_a6N(VV*^zDC%LSfgZ+6ZHzQ{t zUsBUZ3&?`P#mNIH?m92S7~r8-^sIq7rwnNOa06#R_B@g23Sg2P!f$PY_>;zRFH52j z9xN-SSu+b@hLXNuz9iU<|9HhcEis=&uw?(67A2`-iJZtjoa0yY6azA6Z^dPdeGzKxFU8V^RCM1~b=4G#{JEuqlx9 zdB_|7noSWL!SU30(X*TEdhI+^o0yNU2;!a0=j*5o*^r28{%FBHN95@ntmu@l!G1SO z(Fzz_;QvJ{igdcl1Y<;3Au*=|q>&gS*yWJtMO-+>A)qo8UI4UPp#o5v)X&BlP7>TT zj&q@*K&029XLyHGM`; z5U-&!+@>`p&}#Sq`};HW4npv>gv}QOs(F4Vmp^HizILhAh6W@lHb+NFO1Y!xNSi$e zpre%<9;q7tpi>i;?!rLW}*>3}An?y*l=fm=VcG*I= zqAVW)pnbFn&_1dG?TUalEUC9)qBdVeh(Dhof#fOU+3LI#tLo^HjTNVTZcD!sr__Xw58$ zG0+T8XU*IjYvEtwdC!7_>YeUm%G3#l_PCy=DX+dZ|&c64Pm1x=g0U;=X=t;WW%1^ zJfuB2Gg^j=(|l|)pxH-SHPAdf-B7T!^F5WFdo)yQ8^DQ#gcM!OG$pr)aY>yRMH$Jp zKI4*c8^gF8M=>r%B6QMCxlN*!M1#p?CNpwr>bQpF(lkuO7%?+)7l!X`t?!?6{y5({ zd#|b-YA*a9=?m}R5e!*zIeRB 
zru+VzAGs-Ra^`0}20E7P4Go(n>3V52U-mb<>%x>|HzqP(?0!5+odCRaNQKE)1uEN*8Rx9gk;q`$f88M`pW!ioBf{RJS=~2o!OqrIJ;X;xA;XvP}Hx$~iT|dodM#qL425sC`JfhtH+}nwOh*uCQ2t(7BX8P`)DsE{nYU0gg~_*3>i8_o^FH z@qApKgELy1Ad>YHxr}oYJLIcr^$OMo^%19^700Z@l8^VX_QMy;r@47LmaId^QwVe1n9Cy6ZN8Y@L`3q*-kf-4hkEHo>Jfc0E zCZ*d+c@#SK{6fJ^zr#y}B;BOSoH-&g+af=E?%8!~#kncL>T0WWHJyLqX`eN0t*^F6 zt~aHfuyfT!^saJ`-`iWq1Y;!oNoG`;zkAKm#pooB!4OlHth9Txc>I6DBcy(Cn=HF@ zk~<#!VgAzeP%Ot`Sh+Jn$W(h-?OL`OuOFnnHax$YgqOEzFttus{yy|%;Ev!M`x8Ab z=4OdnM_#Hy#lHFLY>nTZwpAXh|W3<9Pv{!EY z@OK0PdD605)py;^tD&vHJYg-dXf)7F9;X#<=rk78s03Q}GG}dO3u;aj+BEZm)bg%) z`M6hu)~EE0ERJJib$HH__4v z9qWB%U!?{LHAzkFWwlC11BK&m2$^yu1}qvcf6qT(gubhr-lOWLc}nqs#{=C<+Ocyc zG4c3-DDjA^oUdZ6uFoUEkQW|HQ^Lw~D#2q=%-qK(9O3ifEzJ37DnH0D)s zH9WL0Kzy!j?3f>sY#1m)vJ-EQY$%~MuXwZs4p*t4otH)3bxRq2=9G&Pk0f>P=$1OU zDo{yw2zTujNJ87kH}7X|g!UWfs_f_!ODfg&oY?grGg56Z>4wqd&}*SaN(S+q{=?b0 z%OiPM%9FL-9lB-F`dKvJUkeM8IDJ9MRq5HM4T;^y7QN8(yrvGM55wHxfULd$>(za0 z5D&{bEOW0_R^#UUkJaD0vbk{siPXAlv{d2G>^ak^wr0NRPhs6%jz2}q?rX(3)jGWFzh;KyY)%)EceLx@zqToEe?yVt=hePN1@|P2y?(-UM6KJ&*g)i zg~rmAH{bV%#Too~^O7e22r8Y3RujBM%Rh~)@VS~_kodE*kJ-!06-Pr-*563a>`PB8 z%CVas{4HhL5+5vP5G_&}5}GRqyQ+uI^G{tm+{vA|e`l7gEajh$SHg#uLQQ3UryOPF zEi&W-ZW?yh3d7*(3kE74a|k$6y4aS56ttzZITP6>-Se!68dK*>49>7_&-k(q>1Nlv ze#kAWx)@_(8Dru!#-HHudG74;^XxFi7qLKD#rbBPGkRwI@R6c~(^%x?Nux zZLb#GuAhVM6!3MLL&A?|9@cI4jyO)I)$5PA ztih;vYGf2XHL@ehwKxNee#Sidx9Eo`S1Le_K4XRe>H(}}z`8BUl>n>*z^cu}cmV4V zuzHA{a6S#Q`!NcVEoaJ3Iae}h5+)>ioCztI!k}gH$mLD4Qvy&Ykxvc-bq13eG*BlE z)QJXl?&XmM{};{WlRW|IPiDjdG!~#P0NukQvjLh9tWK4TSYV|Bt3QPi3#|FT$_Li6 z1J|6e*K%KY|6A}Mo%O)!Qps2W&IaJbQy442Sr44k!1<6*jtA-D$&3|XT>r9ga`ZqP-1*x!SQE(Sd|JuE6B9Vsia{Vx#~KM3TG&}@^`X9bo;@7NA NU{3~TjI$^>{uc<|hHC%- literal 0 HcmV?d00001 diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json index 9c9419a5007..fe44181877a 100644 --- a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json 
+++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 60, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 70, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
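Review bot: The new `description` string drops the "Review the solution Release Notes" bullet that the old text carried, leaving only the known-issues note; the data-connector count was removed together with the `dataconnectors` step, which is consistent, but the release-notes pointer appears to have been lost rather than updated. If the solution still ships a ReleaseNotes file under its new folder, the bullet should be restored with the updated path, for example `\r \n • Review the solution [Release Notes](<URL of the renamed solution's ReleaseNotes.md>)`. Both hunks here are complete; the surrounding `basics` and `steps` objects continue outside them.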
@@ -174,13 +150,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "Account created or deleted by non-approved user",
+ "label": "Account Created and Deleted in Short Timeframe",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts"
+ "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
 }
 }
 ]
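Review bot: Sections analytic2 through analytic6 all receive the identical label `"Account Created and Deleted in Short Timeframe"` and the identical short-lived-account text — this hunk and the hunks for analytic3, analytic4, analytic5 and analytic6 — so the Analytic Rules step now lists the same rule five times, and every previous entry (analytic7 onward) is shifted down by five positions. That looks like a duplicated entry in the rule list that feeds the packaging tool rather than five distinct rules; the jump in the description from 60 to 70 analytic rules may be inflated by the same duplication. Worth regenerating after deduplicating the rule list and confirming the count before publishing. The enclosing `steps` array starts and ends outside these hunks.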
@@ -188,13 +164,13 @@
 {
 "name": "analytic3",
 "type": "Microsoft.Common.Section",
- "label": "Modified domain federation trust settings",
+ "label": "Account Created and Deleted in Short Timeframe",
 "elements": [
 {
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
 }
 }
 ]
@@ -202,13 +178,13 @@
 {
 "name": "analytic4",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against ADFSSignInLogs",
+ "label": "Account Created and Deleted in Short Timeframe",
 "elements": [
 {
 "name": "analytic4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference"
+ "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
 }
 }
 ]
@@ -216,13 +192,13 @@
 {
 "name": "analytic5",
 "type": "Microsoft.Common.Section",
- "label": "Admin promotion after Role Management Application Permission Grant",
+ "label": "Account Created and Deleted in Short Timeframe",
 "elements": [
 {
 "name": "analytic5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
 }
 }
 ]
@@ -230,13 +206,13 @@
 {
 "name": "analytic6",
 "type": "Microsoft.Common.Section",
- "label": "Anomalous sign-in location by user account and authenticating application",
+ "label": "Account Created and Deleted in Short Timeframe",
 "elements": [
 {
 "name": "analytic6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application"
+ "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
 }
 }
 ]
@@ -244,13 +220,13 @@
 {
 "name": "analytic7",
 "type": "Microsoft.Common.Section",
- "label": "Authentication Methods Changed for Privileged Account",
+ "label": "Account created or deleted by non-approved user",
 "elements": [
 {
 "name": "analytic7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts"
 }
 }
 ]
@@ -258,13 +234,13 @@
 {
 "name": "analytic8",
 "type": "Microsoft.Common.Section",
- "label": "Azure Active Directory PowerShell accessing non-AAD resources",
+ "label": "Modified domain federation trust settings",
 "elements": [
 {
 "name": "analytic8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
+ "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -272,13 +248,13 @@
 {
 "name": "analytic9",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Role Management Permission Grant",
+ "label": "Password spray attack against ADFSSignInLogs",
 "elements": [
 {
 "name": "analytic9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference"
 }
 }
 ]
@@ -286,13 +262,13 @@
 {
 "name": "analytic10",
 "type": "Microsoft.Common.Section",
- "label": "Azure Portal sign in from another Azure Tenant",
+ "label": "Admin promotion after Role Management Application Permission Grant",
 "elements": [
 {
 "name": "analytic10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner."
+ "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
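Review bot: The mechanical rename left ungrammatical and half-renamed wording in the new `text` strings: this hunk (analytic10) and the analytic14 hunk now read `add an Microsoft Entra ID object` (should be `add a Microsoft Entra ID object`), the analytic11 hunk still says `for each Azure Active\nDirectory application` because the old name was split across an embedded newline, and the analytic13 label keeps `non-AAD resources` next to a body that was rebranded. Since these strings appear to be generated from the analytic-rule YAML descriptions listed in the diffstat, the fix belongs in those YAML files so the next repackage does not reintroduce it; for analytic11 the line would become `for each Microsoft Entra ID application`. The `steps` array these sections live in begins and ends outside the hunks.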
@@ -300,13 +276,13 @@
 {
 "name": "analytic11",
 "type": "Microsoft.Common.Section",
- "label": "Brute Force Attack against GitHub Account",
+ "label": "Anomalous sign-in location by user account and authenticating application",
 "elements": [
 {
 "name": "analytic11-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
+ "text": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application"
 }
 }
 ]
@@ -314,13 +290,13 @@
 {
 "name": "analytic12",
 "type": "Microsoft.Common.Section",
- "label": "Brute force attack against a Cloud PC",
+ "label": "Authentication Methods Changed for Privileged Account",
 "elements": [
 {
 "name": "analytic12-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window."
+ "text": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -328,13 +304,13 @@
 {
 "name": "analytic13",
 "type": "Microsoft.Common.Section",
- "label": "Bulk Changes to Privileged Account Permissions",
+ "label": "Microsoft Entra ID PowerShell accessing non-AAD resources",
 "elements": [
 {
 "name": "analytic13-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
 }
 }
 ]
@@ -342,13 +318,13 @@
 {
 "name": "analytic14",
 "type": "Microsoft.Common.Section",
- "label": "Attempt to bypass conditional access rule in Azure AD",
+ "label": "Microsoft Entra ID Role Management Permission Grant",
 "elements": [
 {
 "name": "analytic14-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
+ "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
@@ -356,13 +332,13 @@
 {
 "name": "analytic15",
 "type": "Microsoft.Common.Section",
- "label": "Credential added after admin consented to Application",
+ "label": "Azure Portal sign in from another Azure Tenant",
 "elements": [
 {
 "name": "analytic15-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities"
+ "text": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner."
 }
 }
 ]
@@ -370,13 +346,13 @@
 {
 "name": "analytic16",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Added",
+ "label": "Brute Force Attack against GitHub Account",
 "elements": [
 {
 "name": "analytic16-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings."
+ "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
 }
 }
 ]
@@ -384,13 +360,13 @@
 {
 "name": "analytic17",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Deleted",
+ "label": "Brute force attack against a Cloud PC",
 "elements": [
 {
 "name": "analytic17-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings."
+ "text": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window."
 }
 }
 ]
@@ -398,13 +374,13 @@
 {
 "name": "analytic18",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
+ "label": "Bulk Changes to Privileged Account Permissions",
 "elements": [
 {
 "name": "analytic18-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -412,13 +388,13 @@
 {
 "name": "analytic19",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
+ "label": "Attempt to bypass conditional access rule in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic19-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
 }
 }
 ]
@@ -426,13 +402,13 @@
 {
 "name": "analytic20",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
+ "label": "Credential added after admin consented to Application",
 "elements": [
 {
 "name": "analytic20-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities"
 }
 }
 ]
@@ -440,13 +416,13 @@
 {
 "name": "analytic21",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
+ "label": "Cross-tenant Access Settings Organization Added",
 "elements": [
 {
 "name": "analytic21-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -454,13 +430,13 @@
 {
 "name": "analytic22",
 "type": "Microsoft.Common.Section",
- "label": "Attempts to sign in to disabled accounts",
+ "label": "Cross-tenant Access Settings Organization Deleted",
 "elements": [
 {
 "name": "analytic22-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -468,13 +444,13 @@
 {
 "name": "analytic23",
 "type": "Microsoft.Common.Section",
- "label": "Distributed Password cracking attempts in AzureAD",
+ "label": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
 "elements": [
 {
 "name": "analytic23-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -482,13 +458,13 @@
 {
 "name": "analytic24",
 "type": "Microsoft.Common.Section",
- "label": "Explicit MFA Deny",
+ "label": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
 "elements": [
 {
 "name": "analytic24-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -496,13 +472,13 @@
 {
 "name": "analytic25",
 "type": "Microsoft.Common.Section",
- "label": "full_access_as_app Granted To Application",
+ "label": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
 "elements": [
 {
 "name": "analytic25-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access"
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -510,13 +486,13 @@
 {
 "name": "analytic26",
 "type": "Microsoft.Common.Section",
- "label": "Failed login attempts to Azure Portal",
+ "label": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
 "elements": [
 {
 "name": "analytic26-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -524,13 +500,13 @@
 {
 "name": "analytic27",
 "type": "Microsoft.Common.Section",
- "label": "First access credential added to Application or Service Principal where no credential was present",
+ "label": "Attempts to sign in to disabled accounts",
 "elements": [
 {
 "name": "analytic27-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator."
 }
 }
 ]
@@ -538,13 +514,13 @@
 {
 "name": "analytic28",
 "type": "Microsoft.Common.Section",
- "label": "Guest accounts added in AAD Groups other than the ones specified",
+ "label": "Distributed Password cracking attempts in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic28-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
+ "text": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
 }
 }
 ]
@@ -552,13 +528,13 @@
 {
 "name": "analytic29",
 "type": "Microsoft.Common.Section",
- "label": "Mail.Read Permissions Granted to Application",
+ "label": "Explicit MFA Deny",
 "elements": [
 {
 "name": "analytic29-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes."
+ "text": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised."
 }
 }
 ]
@@ -566,13 +542,13 @@
 {
 "name": "analytic30",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "full_access_as_app Granted To Application",
 "elements": [
 {
 "name": "analytic30-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access"
 }
 }
 ]
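Review bot: The description on the `+ "text"` line of this hunk carries grammatical errors into user-facing UI text: "This permission provide access to all Exchange mailboxes via the EWS API can could be exploited" and "the applications function". Since the hunk rewrites the line anyway, suggest `This permission provides access to all Exchange mailboxes via the EWS API and could be exploited to access sensitive data` and `the application's function`. The same class of issue is relocated by the analytic34 hunk ("This query look for" → "looks for") and the analytic42 hunk ("occurances" → "occurrences"); these strings appear to be pre-existing text moved by the re-ordering rather than new wording, but this commit is the cheapest point at which to fix them.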
@@ -580,13 +556,13 @@
 {
 "name": "analytic31",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to PwnAuth",
+ "label": "Failed login attempts to Azure Portal",
 "elements": [
 {
 "name": "analytic31-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
 }
 }
 ]
@@ -594,13 +570,13 @@
 {
 "name": "analytic32",
 "type": "Microsoft.Common.Section",
- "label": "MFA Rejected by User",
+ "label": "First access credential added to Application or Service Principal where no credential was present",
 "elements": [
 {
 "name": "analytic32-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -608,13 +584,13 @@
 {
 "name": "analytic33",
 "type": "Microsoft.Common.Section",
- "label": "Multiple admin membership removals from newly created admin.",
+ "label": "Guest accounts added in AAD Groups other than the ones specified",
 "elements": [
 {
 "name": "analytic33-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
+ "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
 }
 }
 ]
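Review bot: The new label on this hunk still reads `"Guest accounts added in AAD Groups other than the ones specified"` while the description on the same hunk's `+ "text"` line was rebranded to "Microsoft Entra ID Groups", so the section is left half-renamed by a commit whose stated purpose is the rebrand. Suggest `"label": "Guest accounts added in Microsoft Entra ID Groups other than the ones specified"`, matching the wording this commit already uses for analytic28 ("Distributed Password cracking attempts in Microsoft Entra ID"). Whether the corresponding rule's display name in its YAML was updated in step is not visible here; the two should agree, since the label is what a deploying user sees next to the rule toggle.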
@@ -622,13 +598,13 @@
 {
 "name": "analytic34",
 "type": "Microsoft.Common.Section",
- "label": "New access credential added to Application or Service Principal",
+ "label": "Mail.Read Permissions Granted to Application",
 "elements": [
 {
 "name": "analytic34-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes."
 }
 }
 ]
@@ -636,13 +612,13 @@
 {
 "name": "analytic35",
 "type": "Microsoft.Common.Section",
- "label": "NRT Modified domain federation trust settings",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic35-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -650,13 +626,13 @@
 {
 "name": "analytic36",
 "type": "Microsoft.Common.Section",
- "label": "NRT Authentication Methods Changed for VIP Users",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic36-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
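Review bot: Section analytic36 in this hunk, and analytic37 through analytic40 in the next four hunks, all receive the label `"Suspicious application consent similar to O365 Attack Toolkit"` and the same description that the analytic35 hunk just gave to analytic35, so the deployment UI now shows six consecutive sections that are indistinguishable from one another. The old side of these five hunks described five different rules (NRT Authentication Methods Changed for VIP Users, NRT First access credential added, NRT New access credential added, NRT PIM Elevation Request Rejected, NRT Privileged Role Assigned Outside PIM), and none of that text reappears in the hunks visible here; this looks like a copy-paste placeholder left in place while the sections were re-ordered. Each of analytic36–analytic40 should carry the label and description of the rule it actually maps to in the solution's rule list, or be removed if those rules were intentionally dropped, since a user enabling rules from this UI has no other way to tell which detection a section controls. The analytic41 hunk (PwnAuth) picks up distinct text again, which supports the reading that only these five are affected.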
@@ -664,13 +640,13 @@
 {
 "name": "analytic37",
 "type": "Microsoft.Common.Section",
- "label": "NRT First access credential added to Application or Service Principal where no credential was present",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic37-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -678,13 +654,13 @@
 {
 "name": "analytic38",
 "type": "Microsoft.Common.Section",
- "label": "NRT New access credential added to Application or Service Principal",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic38-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -692,13 +668,13 @@
 {
 "name": "analytic39",
 "type": "Microsoft.Common.Section",
- "label": "NRT PIM Elevation Request Rejected",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic39-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -706,13 +682,13 @@
 {
 "name": "analytic40",
 "type": "Microsoft.Common.Section",
- "label": "NRT Privileged Role Assigned Outside PIM",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic40-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -720,13 +696,13 @@
 {
 "name": "analytic41",
 "type": "Microsoft.Common.Section",
- "label": "NRT User added to Azure Active Directory Privileged Groups",
+ "label": "Suspicious application consent similar to PwnAuth",
 "elements": [
 {
 "name": "analytic41-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -734,13 +710,13 @@
 {
 "name": "analytic42",
 "type": "Microsoft.Common.Section",
- "label": "PIM Elevation Request Rejected",
+ "label": "MFA Rejected by User",
 "elements": [
 {
 "name": "analytic42-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
@@ -748,13 +724,13 @@
 {
 "name": "analytic43",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Accounts - Sign in Failure Spikes",
+ "label": "Multiple admin membership removals from newly created admin.",
 "elements": [
 {
 "name": "analytic43-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
+ "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
 }
 }
 ]
@@ -762,13 +738,13 @@
 {
 "name": "analytic44",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Role Assigned Outside PIM",
+ "label": "New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic44-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -776,13 +752,13 @@
 {
 "name": "analytic45",
 "type": "Microsoft.Common.Section",
- "label": "Rare application consent",
+ "label": "NRT Modified domain federation trust settings",
 "elements": [
 {
 "name": "analytic45-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -790,13 +766,13 @@
 {
 "name": "analytic46",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
+ "label": "NRT Authentication Methods Changed for VIP Users",
 "elements": [
 {
 "name": "analytic46-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
+ "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
 }
 }
 ]
@@ -804,13 +780,13 @@
 {
 "name": "analytic47",
 "type": "Microsoft.Common.Section",
- "label": "GitHub Signin Burst from Multiple Locations",
+ "label": "NRT First access credential added to Application or Service Principal where no credential was present",
 "elements": [
 {
 "name": "analytic47-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -818,13 +794,13 @@
 {
 "name": "analytic48",
 "type": "Microsoft.Common.Section",
- "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+ "label": "NRT New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic48-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -832,13 +808,13 @@
 {
 "name": "analytic49",
 "type": "Microsoft.Common.Section",
- "label": "Brute force attack against Azure Portal",
+ "label": "NRT PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic49-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -846,13 +822,13 @@
 {
 "name": "analytic50",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Microsoft Entra ID application",
+ "label": "NRT Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic50-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -860,13 +836,13 @@
 {
 "name": "analytic51",
 "type": "Microsoft.Common.Section",
- "label": "Successful logon from IP and failure from a different IP",
+ "label": "NRT User added to Microsoft Entra ID Privileged Groups",
 "elements": [
 {
 "name": "analytic51-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
 }
 }
 ]
@@ -874,13 +850,13 @@
 {
 "name": "analytic52",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious AAD Joined Device Update",
+ "label": "PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic52-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -888,13 +864,13 @@
 {
 "name": "analytic53",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent for offline access",
+ "label": "Privileged Accounts - Sign in Failure Spikes",
 "elements": [
 {
 "name": "analytic53-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
 }
 }
 ]
@@ -902,13 +878,13 @@
 {
 "name": "analytic54",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Service Principal creation activity",
+ "label": "Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic54-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -916,13 +892,13 @@
 {
 "name": "analytic55",
 "type": "Microsoft.Common.Section",
- "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
+ "label": "Rare application consent",
 "elements": [
 {
 "name": "analytic55-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
+ "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -930,13 +906,13 @@
 {
 "name": "analytic56",
 "type": "Microsoft.Common.Section",
- "label": "User Accounts - Sign in Failure due to CA Spikes",
+ "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
 "elements": [
 {
 "name": "analytic56-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
 }
 }
 ]
@@ -944,13 +920,13 @@
 {
 "name": "analytic57",
 "type": "Microsoft.Common.Section",
- "label": "User added to Azure Active Directory Privileged Groups",
+ "label": "GitHub Signin Burst from Multiple Locations",
 "elements": [
 {
 "name": "analytic57-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
 }
 }
 ]
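Review bot: The new analytic57 `text` still links to `Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml`, but this same patch moves the solution under `Solutions/Microsoft Entra ID/` (see the `diff --git` header for `mainTemplate.json` later in the patch), so the link will break once the rename lands. Update the path segment to the new folder (presumably `Solutions/Microsoft%20Entra%20ID/...`, to be confirmed against the renamed tree) and fix `thie detection` to `this detection` while editing the string. The `label` and the `(AAD SSO)` mention in this section were also left un-rebranded, unlike the sibling sections in the surrounding hunks.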
@@ -958,13 +934,13 @@
 {
 "name": "analytic58",
 "type": "Microsoft.Common.Section",
- "label": "New User Assigned to Privileged Role",
+ "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
 "elements": [
 {
 "name": "analytic58-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate."
+ "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
@@ -972,13 +948,13 @@
 {
 "name": "analytic59",
 "type": "Microsoft.Common.Section",
- "label": "New onmicrosoft domain added to tenant",
+ "label": "Brute force attack against Azure Portal",
 "elements": [
 {
 "name": "analytic59-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
+ "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
 }
 }
 ]
@@ -986,11 +962,151 @@
 {
 "name": "analytic60",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Sign In Followed by MFA Modification",
+ "label": "Password spray attack against Microsoft Entra ID application",
 "elements": [
 {
 "name": "analytic60-text",
 "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic61",
+ "type": "Microsoft.Common.Section",
+ "label": "Successful logon from IP and failure from a different IP",
+ "elements": [
+ {
+ "name": "analytic61-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic62",
+ "type": "Microsoft.Common.Section",
+ "label": "Suspicious AAD Joined Device Update",
+ "elements": [
+ {
+ "name": "analytic62-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic63",
+ "type": "Microsoft.Common.Section",
+ "label": "Suspicious application consent for offline access",
+ "elements": [
+ {
+ "name": "analytic63-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic64",
+ "type": "Microsoft.Common.Section",
+ "label": "Suspicious Service Principal creation activity",
+ "elements": [
+ {
+ "name": "analytic64-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic65",
+ "type": "Microsoft.Common.Section",
+ "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
+ "elements": [
+ {
+ "name": "analytic65-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic66",
+ "type": "Microsoft.Common.Section",
+ "label": "User Accounts - Sign in Failure due to CA Spikes",
+ "elements": [
+ {
+ "name": "analytic66-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic67",
+ "type": "Microsoft.Common.Section",
+ "label": "User added to Microsoft Entra ID Privileged Groups",
+ "elements": [
+ {
+ "name": "analytic67-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic68",
+ "type": "Microsoft.Common.Section",
+ "label": "New User Assigned to Privileged Role",
+ "elements": [
+ {
+ "name": "analytic68-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic69",
+ "type": "Microsoft.Common.Section",
+ "label": "New onmicrosoft domain added to tenant",
+ "elements": [
+ {
+ "name": "analytic69-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic70",
+ "type": "Microsoft.Common.Section",
+ "label": "Suspicious Sign In Followed by MFA Modification",
+ "elements": [
+ {
+ "name": "analytic70-text",
+ "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."
 }
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 053b82d2a10..d6dddbe30af 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "author": "Microsoft - support@microsoft.com",
- "comments": "Solution template for Azure Active Directory"
+ "comments": "Solution template for Microsoft Entra ID"
 },
 "parameters": {
 "location": {
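Review bot: The rebrand inside the new analytic62 `text` produced `an Microsoft Entra ID joined device`; the article should change with the noun, so use `a Microsoft Entra ID joined device`. In the same section the `label` was left as `Suspicious AAD Joined Device Update` while the body was rebranded, and the new analytic60 text carries the typo `acccount` in `The default failure acccount threshold is 5`; both are worth fixing while these strings are being rewritten, since they are shown verbatim in the installer UI. The analytic70 section's `options`/`text` lines are context rather than additions, so only its header lines moved; this hunk starts at L195 and its section ordering shift (analytic60 through analytic70) should match whatever `outputs` mapping exists later in the file, which is outside this patch.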
@@ -46,394 +46,12 @@
 }
 },
 "variables": {
- "email": "support@microsoft.com",
- "_email": "[variables('email')]",
- "_solutionName": "Azure Active Directory",
- "_solutionVersion": "3.0.6",
 "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "AzureActiveDirectory",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "AzureActiveDirectory",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "workbookVersion1": "1.2.0",
- "workbookContentId1": "AzureActiveDirectoryAuditLogsWorkbook",
- "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
- "_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "workbookVersion2": "2.4.0",
- "workbookContentId2": "AzureActiveDirectorySigninLogsWorkbook",
- "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
- "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
- "_workbookContentId2": "[variables('workbookContentId2')]",
- "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
- "analyticRuleVersion1": "1.0.3",
- "analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.2",
- "analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.1",
- "analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.0.3",
- "analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "2.0.0",
- "analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.0.8",
- "analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.0.2",
- "analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.0.4",
- "analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
- "analyticRuleVersion10": "2.0.1",
- "analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
- "analyticRuleVersion11": "2.0.0",
- "analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06",
- "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
- "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
- "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]",
- "analyticRuleVersion12": "2.0.0",
- "analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987",
- "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]",
- "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]",
- "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]",
- "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]",
- "analyticRuleVersion13": "1.0.4",
- "analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6",
- "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]",
- "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]",
- "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]",
- "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]",
- "analyticRuleVersion14": "1.0.4",
- "analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628",
- "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]",
- "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]",
- "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]",
- "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]",
- "analyticRuleVersion15": "1.0.2",
- "analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb",
- "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]",
- "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]",
- "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]",
- "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]",
- "analyticRuleVersion16": "1.0.1",
- "analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5",
- "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]",
- "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]",
- "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]",
- "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]",
- "analyticRuleVersion17": "1.0.1",
- "analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80",
- "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]",
- "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]",
- "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]",
- "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]",
- "analyticRuleVersion18": "1.0.1",
- "analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5",
- "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]",
- "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]",
- "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]",
- "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]",
- "analyticRuleVersion19": "1.0.1",
- "analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737",
- "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]",
- "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]",
- "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]",
- "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]",
- "analyticRuleVersion20": "1.0.1",
- "analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1",
- "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]",
- "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]",
- "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]",
- "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]",
- "analyticRuleVersion21": "1.0.1",
- "analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad",
- "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]",
- "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]",
- "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]",
- "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]",
- "analyticRuleVersion22": "1.0.2",
- "analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04",
- "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]",
- "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]",
- "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]",
- "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]",
- "analyticRuleVersion23": "1.0.2",
- "analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6",
- "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]",
- "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]",
- "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]",
- "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]",
- "analyticRuleVersion24": "1.0.2",
- "analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00",
- "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]",
- "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]",
- "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]",
- "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]",
- "analyticRuleVersion25": "1.0.0",
- "analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63",
- "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]",
- "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]",
- "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]",
- "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]",
- "analyticRuleVersion26": "1.0.4",
- "analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4",
- "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]",
- "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]",
- "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]",
- "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]",
- "analyticRuleVersion27": "1.1.4",
- "analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a",
- "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]",
- "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]",
- "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]",
- "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]",
- "analyticRuleVersion28": "1.0.2",
- "analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53",
- "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]",
- "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]",
- "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]",
- "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]",
- "analyticRuleVersion29": "1.0.3",
- "analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760",
- "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]",
- "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]",
- "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]",
- "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]",
- "analyticRuleVersion30": "1.1.1",
- "analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9",
- "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]",
- "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]",
- "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]",
- "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]",
- "analyticRuleVersion31": "1.0.1",
- "analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6",
- "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]",
- "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]",
- "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]",
- "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]",
- "analyticRuleVersion32": "2.0.0",
- "analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23",
- "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]",
- "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]",
- "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]",
- "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]",
- "analyticRuleVersion33": "1.0.1",
- "analyticRulecontentId33": "cda5928c-2c1e-4575-9dfa-07568bc27a4f",
- "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]",
- "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]",
- "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]",
- "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]",
- "analyticRuleVersion34": "1.1.1",
- "analyticRulecontentId34": "79566f41-df67-4e10-a703-c38a6213afd8",
- "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]",
- "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]",
- "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]",
- "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]",
- "analyticRuleVersion35": "1.0.1",
- "analyticRulecontentId35": "8540c842-5bbc-4a24-9fb2-a836c0e55a51",
- "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]",
- "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]",
- "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]",
- "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]",
- "analyticRuleVersion36": "1.0.2",
- "analyticRulecontentId36": "29e99017-e28d-47be-8b9a-c8c711f8a903",
- "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]",
- "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]",
- "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]",
- "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]",
- "analyticRuleVersion37": "1.0.4",
- "analyticRulecontentId37": "b6988c32-4f3b-4a45-8313-b46b33061a74",
- "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]",
- "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]",
- "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]",
- "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]",
- "analyticRuleVersion38": "1.0.2",
- "analyticRulecontentId38": "e42e889a-caaf-4dbb-aec6-371b37d64298",
- "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]",
- "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]",
- "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]",
- "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]",
- "analyticRuleVersion39": "1.0.1",
- "analyticRulecontentId39": "5db427b2-f406-4274-b413-e9fcb29412f8",
- "_analyticRulecontentId39": "[variables('analyticRulecontentId39')]",
- "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId39'))]",
- "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId39'))))]",
- "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId39'),'-', variables('analyticRuleVersion39'))))]",
- "analyticRuleVersion40": "1.0.1",
- "analyticRulecontentId40": "14f6da04-2f96-44ee-9210-9ccc1be6401e",
- "_analyticRulecontentId40": "[variables('analyticRulecontentId40')]",
- "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId40'))]",
- "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId40'))))]",
- "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId40'),'-', variables('analyticRuleVersion40'))))]",
- "analyticRuleVersion41": "1.0.3",
- "analyticRulecontentId41": "70fc7201-f28e-4ba7-b9ea-c04b96701f13",
- "_analyticRulecontentId41": "[variables('analyticRulecontentId41')]",
- "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]",
- "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]",
- "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]",
- "analyticRuleVersion42": "1.0.7",
- "analyticRulecontentId42": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
- "_analyticRulecontentId42": "[variables('analyticRulecontentId42')]",
- "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]",
- "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId42'))))]",
- "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId42'),'-', variables('analyticRuleVersion42'))))]",
- "analyticRuleVersion43": "1.0.3",
- "analyticRulecontentId43": "34c5aff9-a8c2-4601-9654-c7e46342d03b",
- "_analyticRulecontentId43": "[variables('analyticRulecontentId43')]",
- "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId43'))]",
- "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId43'))))]",
- "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId43'),'-', variables('analyticRuleVersion43'))))]",
- "analyticRuleVersion44": "1.0.4",
- "analyticRulecontentId44": "269435e3-1db8-4423-9dfc-9bf59997da1c",
- "_analyticRulecontentId44": "[variables('analyticRulecontentId44')]",
- "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId44'))]",
- "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId44'))))]",
- "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId44'),'-', variables('analyticRuleVersion44'))))]",
- "analyticRuleVersion45": "1.1.4",
- "analyticRulecontentId45": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee",
- "_analyticRulecontentId45": "[variables('analyticRulecontentId45')]", - "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId45'))]", - "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId45'))))]", - "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId45'),'-', variables('analyticRuleVersion45'))))]", - "analyticRuleVersion46": "1.0.2", - "analyticRulecontentId46": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", - "_analyticRulecontentId46": "[variables('analyticRulecontentId46')]", - "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId46'))]", - "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId46'))))]", - "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId46'),'-', variables('analyticRuleVersion46'))))]", - "analyticRuleVersion47": "1.0.1", - "analyticRulecontentId47": "d3980830-dd9d-40a5-911f-76b44dfdce16", - "_analyticRulecontentId47": "[variables('analyticRulecontentId47')]", - "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]", - "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]", - "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]", - "analyticRuleVersion48": "2.1.3", - "analyticRulecontentId48": "500c103a-0319-4d56-8e99-3cec8d860757", - "_analyticRulecontentId48": "[variables('analyticRulecontentId48')]", - "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]", - "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId48'))))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId48'),'-', variables('analyticRuleVersion48'))))]", - "analyticRuleVersion49": "2.1.3", - "analyticRulecontentId49": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", - "_analyticRulecontentId49": "[variables('analyticRulecontentId49')]", - "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId49'))]", - "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId49'))))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId49'),'-', variables('analyticRuleVersion49'))))]", - "analyticRuleVersion50": "1.0.4", - "analyticRulecontentId50": "48607a29-a26a-4abf-8078-a06dbdd174a4", - "_analyticRulecontentId50": "[variables('analyticRulecontentId50')]", - "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]", - "analyticRuleTemplateSpecName50": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]", - "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]", - "analyticRuleVersion51": "2.1.6", - "analyticRulecontentId51": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", - "_analyticRulecontentId51": "[variables('analyticRulecontentId51')]", - "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]", - "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId51'))))]", - "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId51'),'-', variables('analyticRuleVersion51'))))]", - "analyticRuleVersion52": "1.0.1", - "analyticRulecontentId52": "3a3c6835-0086-40ca-b033-a93bf26d878f", - "_analyticRulecontentId52": "[variables('analyticRulecontentId52')]", - "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId52'))]", - "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId52'))))]", - "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId52'),'-', variables('analyticRuleVersion52'))))]", - "analyticRuleVersion53": "1.0.1", - "analyticRulecontentId53": "3533f74c-9207-4047-96e2-0eb9383be587", 
- "_analyticRulecontentId53": "[variables('analyticRulecontentId53')]", - "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]", - "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]", - "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]", - "analyticRuleVersion54": "1.0.2", - "analyticRulecontentId54": "6852d9da-8015-4b95-8ecf-d9572ee0395d", - "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]", - "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]", - "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId54'))))]", - "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId54'),'-', variables('analyticRuleVersion54'))))]", - "analyticRuleVersion55": "1.0.7", - "analyticRulecontentId55": "acc4c247-aaf7-494b-b5da-17f18863878a", - "_analyticRulecontentId55": "[variables('analyticRulecontentId55')]", - "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId55'))]", - "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId55'))))]", - "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId55'),'-', variables('analyticRuleVersion55'))))]", - "analyticRuleVersion56": "2.0.2", - "analyticRulecontentId56": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", - "_analyticRulecontentId56": "[variables('analyticRulecontentId56')]", - "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId56'))]", - "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId56'))))]", - "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId56'),'-', variables('analyticRuleVersion56'))))]", - "analyticRuleVersion57": "1.0.4", - "analyticRulecontentId57": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", - "_analyticRulecontentId57": "[variables('analyticRulecontentId57')]", - "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]", - "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]", - "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]", - "analyticRuleVersion58": "1.0.8", - "analyticRulecontentId58": "050b9b3d-53d0-4364-a3da-1b678b8211ec", - "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]", - "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]", - "analyticRuleTemplateSpecName58": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId58'))))]", - "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId58'),'-', variables('analyticRuleVersion58'))))]", - "analyticRuleVersion59": "1.0.0", - "analyticRulecontentId59": "4f42b94f-b210-42d1-a023-7fa1c51d969f", - "_analyticRulecontentId59": "[variables('analyticRulecontentId59')]", - "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]", - "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]", - "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]", - "analyticRuleVersion60": "1.0.0", - "analyticRulecontentId60": "aec77100-25c5-4254-a20a-8027ed92c46c", - "_analyticRulecontentId60": "[variables('analyticRulecontentId60')]", - "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId60'))]", - "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId60'))))]", - "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId60'),'-', variables('analyticRuleVersion60'))))]", + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "_solutionName": "Microsoft 
Entra ID", + "_solutionVersion": "3.0.7", "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger", "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]", "playbookVersion1": "1.1", 
@@ -441,64 +59,65 @@ "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger", - "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]", + "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger", + "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]", "playbookVersion2": "1.1", - "playbookContentId2": "Block-AADUser-incident-trigger", + "playbookContentId2": "Block-AADUser-entity-trigger", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "Prompt-User-alert-trigger": "Prompt-User-alert-trigger", - "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]", + "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger", + "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]", 
"playbookVersion3": "1.1", - "playbookContentId3": "Prompt-User-alert-trigger", + "playbookContentId3": "Block-AADUser-incident-trigger", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "Prompt-User-incident-trigger": "Prompt-User-incident-trigger", - "_Prompt-User-incident-trigger": "[variables('Prompt-User-incident-trigger')]", + "Prompt-User-alert-trigger": "Prompt-User-alert-trigger", + "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]", "playbookVersion4": "1.1", - "playbookContentId4": "Prompt-User-incident-trigger", + "playbookContentId4": "Prompt-User-alert-trigger", "_playbookContentId4": "[variables('playbookContentId4')]", "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", - "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger", - "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]", + "Prompt-User-incident-trigger": "Prompt-User-incident-trigger", + "_Prompt-User-incident-trigger": 
"[variables('Prompt-User-incident-trigger')]", "playbookVersion5": "1.1", - "playbookContentId5": "Reset-AADUserPassword-alert-trigger", + "playbookContentId5": "Prompt-User-incident-trigger", "_playbookContentId5": "[variables('playbookContentId5')]", "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", - "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger", - "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]", + "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger", + "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]", "playbookVersion6": "1.1", - "playbookContentId6": "Reset-AADUserPassword-incident-trigger", + "playbookContentId6": "Reset-AADUserPassword-alert-trigger", "_playbookContentId6": "[variables('playbookContentId6')]", "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", - "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger", - "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]", + 
"Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger", + "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]", "playbookVersion7": "1.1", - "playbookContentId7": "Block-AADUser-entity-trigger", + "playbookContentId7": "Reset-AADUserPassword-entity-trigger", "_playbookContentId7": "[variables('playbookContentId7')]", "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", - "Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger", - "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]", + "blanks": "[replace('b', 'b', '')]", + "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger", + "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]", "playbookVersion8": "1.1", - "playbookContentId8": "Reset-AADUserPassword-entity-trigger", + "playbookContentId8": "Reset-AADUserPassword-incident-trigger", "_playbookContentId8": "[variables('playbookContentId8')]", "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', 
variables('playbookVersion8'))))]", - "blanks": "[replace('b', 'b', '')]", "Revoke-AADSignInSessions-alert-trigger": "Revoke-AADSignInSessions-alert-trigger", "_Revoke-AADSignInSessions-alert-trigger": "[variables('Revoke-AADSignInSessions-alert-trigger')]", "playbookVersion9": "1.0", 
@@ -507,900 +126,914 @@ "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", - "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger", - "_Revoke-AADSignInSessions-incident-trigger": "[variables('Revoke-AADSignInSessions-incident-trigger')]", + "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger", + "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]", "playbookVersion10": "1.0", - "playbookContentId10": "Revoke-AADSignInSessions-incident-trigger", + "playbookContentId10": "Revoke-AADSignInSessions-entity-trigger", "_playbookContentId10": "[variables('playbookContentId10')]", "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", - "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger", - "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]", + "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger", + "_Revoke-AADSignInSessions-incident-trigger": 
"[variables('Revoke-AADSignInSessions-incident-trigger')]", "playbookVersion11": "1.0", - "playbookContentId11": "Revoke-AADSignInSessions-entity-trigger", + "playbookContentId11": "Revoke-AADSignInSessions-incident-trigger", "_playbookContentId11": "[variables('playbookContentId11')]", "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", + "workbookVersion1": "1.2.0", + "workbookContentId1": "AzureActiveDirectoryAuditLogsWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "workbookVersion2": "2.4.0", + "workbookContentId2": "AzureActiveDirectorySigninLogsWorkbook", + "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", + "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', 
uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.3", + "_analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.3", + "_analyticRulecontentId2": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.3", + "_analyticRulecontentId3": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId3": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.3", + "_analyticRulecontentId4": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.3", + "_analyticRulecontentId5": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.3", + "_analyticRulecontentId6": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + 
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.2", + "_analyticRulecontentId7": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.1", + "_analyticRulecontentId8": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.1", + "_analyticRulecontentId9": "5533fe80-905e-49d5-889a-df27d2c3976d", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", + "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.3", + "_analyticRulecontentId10": "f80d951a-eddc-4171-b9d0-d616bb83efdc", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.3')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "2.0.0", + "_analyticRulecontentId11": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.0')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "1.0.8", + "_analyticRulecontentId12": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.8')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "1.0.2", + "_analyticRulecontentId13": "50574fac-f8d1-4395-81c7-78a463ff0c52", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50574fac-f8d1-4395-81c7-78a463ff0c52')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.2')))]" + }, + "analyticRuleObject14": { + "analyticRuleVersion14": "1.0.4", + "_analyticRulecontentId14": "1ff56009-db01-4615-8211-d4fda21da02d", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.4')))]" + }, + "analyticRuleObject15": { + "analyticRuleVersion15": "2.0.1", + "_analyticRulecontentId15": "87210ca1-49a4-4a7d-bb4a-4988752f978c", + "analyticRuleId15": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" + }, + "analyticRuleObject16": { + "analyticRuleVersion16": "2.0.0", + "_analyticRulecontentId16": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.0')))]" + }, + "analyticRuleObject17": { + "analyticRuleVersion17": "2.0.0", + "_analyticRulecontentId17": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" + }, + "analyticRuleObject18": { + "analyticRuleVersion18": "1.0.4", + "_analyticRulecontentId18": 
"218f60de-c269-457a-b882-9966632b9dc6", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" + }, + "analyticRuleObject19": { + "analyticRuleVersion19": "1.0.4", + "_analyticRulecontentId19": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.4')))]" + }, + "analyticRuleObject20": { + "analyticRuleVersion20": "1.0.2", + "_analyticRulecontentId20": "707494a5-8e44-486b-90f8-155d1797a8eb", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" + }, + "analyticRuleObject21": { + 
"analyticRuleVersion21": "1.0.1", + "_analyticRulecontentId21": "757e6a79-6d23-4ae6-9845-4dac170656b5", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '757e6a79-6d23-4ae6-9845-4dac170656b5')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.1')))]" + }, + "analyticRuleObject22": { + "analyticRuleVersion22": "1.0.1", + "_analyticRulecontentId22": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.1')))]" + }, + "analyticRuleObject23": { + "analyticRuleVersion23": "1.0.1", + "_analyticRulecontentId23": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', 
'1.0.1')))]" + }, + "analyticRuleObject24": { + "analyticRuleVersion24": "1.0.1", + "_analyticRulecontentId24": "276d5190-38de-4eb2-9933-b3b72f4a5737", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '276d5190-38de-4eb2-9933-b3b72f4a5737')]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', '1.0.1')))]" + }, + "analyticRuleObject25": { + "analyticRuleVersion25": "1.0.1", + "_analyticRulecontentId25": "229f71ba-d83b-42a5-b83b-11a641049ed1", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", + "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" + }, + "analyticRuleObject26": { + "analyticRuleVersion26": "1.0.1", + "_analyticRulecontentId26": "0101e08d-99cd-4a97-a9e0-27649c4369ad", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" + }, + "analyticRuleObject27": { + "analyticRuleVersion27": "1.0.2", + "_analyticRulecontentId27": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" + }, + "analyticRuleObject28": { + "analyticRuleVersion28": "1.0.2", + "_analyticRulecontentId28": "bfb1c90f-8006-4325-98be-c7fffbc254d6", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", + "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.2')))]" + }, + "analyticRuleObject29": { + "analyticRuleVersion29": "1.0.2", + "_analyticRulecontentId29": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", + "_analyticRulecontentProductId29": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.2')))]" + }, + "analyticRuleObject30": { + "analyticRuleVersion30": "1.0.0", + "_analyticRulecontentId30": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" + }, + "analyticRuleObject31": { + "analyticRuleVersion31": "1.0.4", + "_analyticRulecontentId31": "223db5c1-1bf8-47d8-8806-bed401b356a4", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.4')))]" + }, + "analyticRuleObject32": { + "analyticRuleVersion32": "1.1.4", + "_analyticRulecontentId32": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", + "analyticRuleTemplateSpecName32": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" + }, + "analyticRuleObject33": { + "analyticRuleVersion33": "1.0.3", + "_analyticRulecontentId33": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", + "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.3')))]" + }, + "analyticRuleObject34": { + "analyticRuleVersion34": "1.0.3", + "_analyticRulecontentId34": "2560515c-07d1-434e-87fb-ebe3af267760", + "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" + }, + "analyticRuleObject35": { + "analyticRuleVersion35": "1.1.1", + "_analyticRulecontentId35": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject36": { + "analyticRuleVersion36": "1.1.1", + "_analyticRulecontentId36": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject37": { + "analyticRuleVersion37": "1.1.1", + "_analyticRulecontentId37": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject38": { + "analyticRuleVersion38": "1.1.1", + "_analyticRulecontentId38": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId38": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject39": { + "analyticRuleVersion39": "1.1.1", + "_analyticRulecontentId39": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject40": { + "analyticRuleVersion40": "1.1.1", + "_analyticRulecontentId40": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject41": { + "analyticRuleVersion41": "1.0.1", + "_analyticRulecontentId41": 
"39198934-62a0-4781-8416-a81265c03fd6", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39198934-62a0-4781-8416-a81265c03fd6')]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]", + "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]" + }, + "analyticRuleObject42": { + "analyticRuleVersion42": "2.0.0", + "_analyticRulecontentId42": "d99cf5c3-d660-436c-895b-8a8f8448da23", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.0')))]" + }, + "analyticRuleObject43": { + "analyticRuleVersion43": "1.0.1", + "_analyticRulecontentId43": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", + "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', '1.0.1')))]" + }, + "analyticRuleObject44": { + 
"analyticRuleVersion44": "1.1.1", + "_analyticRulecontentId44": "79566f41-df67-4e10-a703-c38a6213afd8", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]", + "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]" + }, + "analyticRuleObject45": { + "analyticRuleVersion45": "1.0.1", + "_analyticRulecontentId45": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]" + }, + "analyticRuleObject46": { + "analyticRuleVersion46": "1.0.2", + "_analyticRulecontentId46": "29e99017-e28d-47be-8b9a-c8c711f8a903", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', 
'1.0.2')))]" + }, + "analyticRuleObject47": { + "analyticRuleVersion47": "1.0.4", + "_analyticRulecontentId47": "b6988c32-4f3b-4a45-8313-b46b33061a74", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]" + }, + "analyticRuleObject48": { + "analyticRuleVersion48": "1.0.2", + "_analyticRulecontentId48": "e42e889a-caaf-4dbb-aec6-371b37d64298", + "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]", + "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]", + "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]" + }, + "analyticRuleObject49": { + "analyticRuleVersion49": "1.0.1", + "_analyticRulecontentId49": "5db427b2-f406-4274-b413-e9fcb29412f8", + "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]", + "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]", + "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.1')))]" + }, + "analyticRuleObject50": { + "analyticRuleVersion50": "1.0.1", + "_analyticRulecontentId50": "14f6da04-2f96-44ee-9210-9ccc1be6401e", + "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]", + "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]", + "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', '1.0.1')))]" + }, + "analyticRuleObject51": { + "analyticRuleVersion51": "1.0.3", + "_analyticRulecontentId51": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", + "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]", + "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]", + "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.3')))]" + }, + "analyticRuleObject52": { + "analyticRuleVersion52": "1.0.7", + "_analyticRulecontentId52": "7d7e20f8-3384-4b71-811c-f5e950e8306c", + "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]", + "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]", + "_analyticRulecontentProductId52": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]" + }, + "analyticRuleObject53": { + "analyticRuleVersion53": "1.0.3", + "_analyticRulecontentId53": "34c5aff9-a8c2-4601-9654-c7e46342d03b", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.3')))]" + }, + "analyticRuleObject54": { + "analyticRuleVersion54": "1.0.4", + "_analyticRulecontentId54": "269435e3-1db8-4423-9dfc-9bf59997da1c", + "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '269435e3-1db8-4423-9dfc-9bf59997da1c')]", + "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]", + "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]" + }, + "analyticRuleObject55": { + "analyticRuleVersion55": "1.1.4", + "_analyticRulecontentId55": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", + "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]", + "analyticRuleTemplateSpecName55": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]", + "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]" + }, + "analyticRuleObject56": { + "analyticRuleVersion56": "1.0.2", + "_analyticRulecontentId56": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", + "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]", + "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]", + "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.2')))]" + }, + "analyticRuleObject57": { + "analyticRuleVersion57": "1.0.1", + "_analyticRulecontentId57": "d3980830-dd9d-40a5-911f-76b44dfdce16", + "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]", + "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]", + "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.1')))]" + }, + "analyticRuleObject58": { + "analyticRuleVersion58": "2.1.3", + "_analyticRulecontentId58": "500c103a-0319-4d56-8e99-3cec8d860757", + "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'500c103a-0319-4d56-8e99-3cec8d860757')]", + "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]", + "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]" + }, + "analyticRuleObject59": { + "analyticRuleVersion59": "2.1.3", + "_analyticRulecontentId59": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", + "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]", + "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]", + "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]" + }, + "analyticRuleObject60": { + "analyticRuleVersion60": "1.0.4", + "_analyticRulecontentId60": "48607a29-a26a-4abf-8078-a06dbdd174a4", + "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]", + "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]", + "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.4')))]" + }, + "analyticRuleObject61": { + "analyticRuleVersion61": "2.1.6", + "_analyticRulecontentId61": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", + "analyticRuleId61": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]", + "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]", + "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.6')))]" + }, + "analyticRuleObject62": { + "analyticRuleVersion62": "1.0.1", + "_analyticRulecontentId62": "3a3c6835-0086-40ca-b033-a93bf26d878f", + "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a3c6835-0086-40ca-b033-a93bf26d878f')]", + "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]", + "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.1')))]" + }, + "analyticRuleObject63": { + "analyticRuleVersion63": "1.0.1", + "_analyticRulecontentId63": "3533f74c-9207-4047-96e2-0eb9383be587", + "analyticRuleId63": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]", + "analyticRuleTemplateSpecName63": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]", + "_analyticRulecontentProductId63": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]" + }, + "analyticRuleObject64": { + "analyticRuleVersion64": "1.0.2", + "_analyticRulecontentId64": 
"6852d9da-8015-4b95-8ecf-d9572ee0395d", + "analyticRuleId64": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]", + "analyticRuleTemplateSpecName64": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]", + "_analyticRulecontentProductId64": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]" + }, + "analyticRuleObject65": { + "analyticRuleVersion65": "1.0.7", + "_analyticRulecontentId65": "acc4c247-aaf7-494b-b5da-17f18863878a", + "analyticRuleId65": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]", + "analyticRuleTemplateSpecName65": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]", + "_analyticRulecontentProductId65": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.7')))]" + }, + "analyticRuleObject66": { + "analyticRuleVersion66": "2.0.2", + "_analyticRulecontentId66": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", + "analyticRuleId66": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]", + "analyticRuleTemplateSpecName66": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]", + "_analyticRulecontentProductId66": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.2')))]" + }, + "analyticRuleObject67": { + 
"analyticRuleVersion67": "1.0.4", + "_analyticRulecontentId67": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", + "analyticRuleId67": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]", + "analyticRuleTemplateSpecName67": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]", + "_analyticRulecontentProductId67": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.4')))]" + }, + "analyticRuleObject68": { + "analyticRuleVersion68": "1.0.8", + "_analyticRulecontentId68": "050b9b3d-53d0-4364-a3da-1b678b8211ec", + "analyticRuleId68": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]", + "analyticRuleTemplateSpecName68": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]", + "_analyticRulecontentProductId68": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.8')))]" + }, + "analyticRuleObject69": { + "analyticRuleVersion69": "1.0.0", + "_analyticRulecontentId69": "4f42b94f-b210-42d1-a023-7fa1c51d969f", + "analyticRuleId69": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]", + "analyticRuleTemplateSpecName69": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]", + "_analyticRulecontentProductId69": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', 
'1.0.0')))]" + }, + "analyticRuleObject70": { + "analyticRuleVersion70": "1.0.0", + "_analyticRulecontentId70": "aec77100-25c5-4254-a20a-8027ed92c46c", + "analyticRuleId70": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]", + "analyticRuleTemplateSpecName70": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]", + "_analyticRulecontentProductId70": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', '1.0.0')))]" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure Active Directory data connector with template version 3.0.6", + "description": "Block-AADUser-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Block-AADUser-Alert", + "type": "string" + } + }, + "variables": { + 
"AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "StaticUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Azure Active Directory", - "publisher": "Microsoft", - "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. 
You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "SigninLogs", - "baseQuery": "SigninLogs" - }, - { - "metricName": "Total data received", - "legend": "AuditLogs", - "baseQuery": "AuditLogs" - }, - { - "metricName": "Total data received", - "legend": "AADNonInteractiveUserSignInLogs", - "baseQuery": "AADNonInteractiveUserSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADServicePrincipalSignInLogs", - "baseQuery": "AADServicePrincipalSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADManagedIdentitySignInLogs", - "baseQuery": "AADManagedIdentitySignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADProvisioningLogs", - "baseQuery": "AADProvisioningLogs" - }, - { - "metricName": "Total data received", - "legend": "ADFSSignInLogs", - "baseQuery": "ADFSSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADUserRiskEvents", - "baseQuery": "AADUserRiskEvents" - }, - { - "metricName": "Total data received", - "legend": "AADRiskyUsers", - "baseQuery": "AADRiskyUsers" - }, - { - "metricName": "Total data received", - "legend": "NetworkAccessTraffic", - "baseQuery": "NetworkAccessTraffic" - }, - { - "metricName": "Total data received", - "legend": "AADRiskyServicePrincipals", - "baseQuery": "AADRiskyServicePrincipals" - }, - { - "metricName": "Total data received", - "legend": "AADServicePrincipalRiskEvents", - "baseQuery": "AADServicePrincipalRiskEvents" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SigninLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | 
project IsConnected = LastLogReceived > ago(7d)", - "AuditLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADNonInteractiveUserSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADServicePrincipalSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADManagedIdentitySignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADProvisioningLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "ADFSSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADUserRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADRiskyUsers\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "NetworkAccessTraffic\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADRiskyServicePrincipals\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADServicePrincipalRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "dataTypes": [ - { - "name": "SigninLogs", - "lastDataReceivedQuery": "SigninLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AuditLogs", - "lastDataReceivedQuery": "AuditLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADNonInteractiveUserSignInLogs", - "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": 
"AADServicePrincipalSignInLogs", - "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADManagedIdentitySignInLogs", - "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADProvisioningLogs", - "lastDataReceivedQuery": "AADProvisioningLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ADFSSignInLogs", - "lastDataReceivedQuery": "ADFSSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADUserRiskEvents", - "lastDataReceivedQuery": "AADUserRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADRiskyUsers", - "lastDataReceivedQuery": "AADRiskyUsers\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "NetworkAccessTraffic", - "lastDataReceivedQuery": "NetworkAccessTraffic\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADRiskyServicePrincipals", - "lastDataReceivedQuery": "AADRiskyServicePrincipals\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADServicePrincipalRiskEvents", - "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ] + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
last(split(variables('_dataConnectorId1'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Azure Active Directory", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" 
- ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "StaticUI", - "properties": { - "connectorUiConfig": { - "title": "Azure Active Directory", - "publisher": "Microsoft", - "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. 
For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "SigninLogs", - "baseQuery": "SigninLogs" - }, - { - "metricName": "Total data received", - "legend": "AuditLogs", - "baseQuery": "AuditLogs" - }, - { - "metricName": "Total data received", - "legend": "AADNonInteractiveUserSignInLogs", - "baseQuery": "AADNonInteractiveUserSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADServicePrincipalSignInLogs", - "baseQuery": "AADServicePrincipalSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADManagedIdentitySignInLogs", - "baseQuery": "AADManagedIdentitySignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADProvisioningLogs", - "baseQuery": "AADProvisioningLogs" - }, - { - "metricName": "Total data received", - "legend": "ADFSSignInLogs", - "baseQuery": "ADFSSignInLogs" - }, - { - "metricName": "Total data received", - "legend": "AADUserRiskEvents", - "baseQuery": "AADUserRiskEvents" - }, - { - "metricName": "Total data received", - "legend": "AADRiskyUsers", - "baseQuery": "AADRiskyUsers" - }, - { - "metricName": "Total data received", - "legend": "NetworkAccessTraffic", - "baseQuery": "NetworkAccessTraffic" - }, - { - "metricName": "Total data received", - "legend": "AADRiskyServicePrincipals", - "baseQuery": "AADRiskyServicePrincipals" - }, - { - "metricName": "Total data received", - "legend": "AADServicePrincipalRiskEvents", - "baseQuery": "AADServicePrincipalRiskEvents" - } - ], - "dataTypes": [ - { - "name": "SigninLogs", - "lastDataReceivedQuery": "SigninLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AuditLogs", - "lastDataReceivedQuery": "AuditLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": 
"AADNonInteractiveUserSignInLogs", - "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADServicePrincipalSignInLogs", - "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADManagedIdentitySignInLogs", - "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADProvisioningLogs", - "lastDataReceivedQuery": "AADProvisioningLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ADFSSignInLogs", - "lastDataReceivedQuery": "ADFSSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADUserRiskEvents", - "lastDataReceivedQuery": "AADUserRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "name": "AADRiskyUsers", - "lastDataReceivedQuery": "AADRiskyUsers\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "NetworkAccessTraffic", - "lastDataReceivedQuery": "NetworkAccessTraffic\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADRiskyServicePrincipals", - "lastDataReceivedQuery": "AADRiskyServicePrincipals\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "AADServicePrincipalRiskEvents", - "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SigninLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AuditLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADNonInteractiveUserSignInLogs\n | summarize 
LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADServicePrincipalSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADManagedIdentitySignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADProvisioningLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "ADFSSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADUserRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADRiskyUsers\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "NetworkAccessTraffic\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADRiskyServicePrincipals\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "AADServicePrincipalRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= 
\\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' 
sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories 
volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif 
(tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", 
\\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. 
\nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "AuditLogs", - "kind": "DataType" - }, - { - "contentId": "AzureActiveDirectory", - "kind": "DataConnector" - } - ] + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - 
"dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId2')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures." 
- }, - "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"g
rain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix 
asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where 
UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by 
SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"
\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All 
Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n countryData\\r\\n)\\r\\non Country\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, City, Category, tostring(Trend)\\r\\n| project Id = strcat(City, '-', Category), Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = strcat(Country, '-', Category),Category\\r\\n| union (countryData\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, Category, tostring(Trend)\\r\\n| project Id = strcat(Country, '-', Category), Name = 
Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = 
dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == 
'{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result 
type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n | extend errorCode = Status.errorCode\\r\\n | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user 
action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n | where Os != ''\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n | project-away TimeGenerated)\\r\\n on Os\\r\\n | order by TotalCount desc, Os asc\\r\\n | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = 
tostring(DeviceDetail.browser)\\r\\n | project-away TimeGenerated)\\r\\n on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user 
action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = 
DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend 
LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access 
status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == 1, \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird 
Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n | where Category in ({Category})\\r\\n | summarize Count = dcount(Id) by CAStatus\\r\\n | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n | join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n | project Id = CAStatus, Trend\\r\\n ) on Id\\r\\n | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", 
\\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = 
tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n CAGrantControlName contains \\\"Device\\\", 4, \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n 7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 
2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, 
\\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count 
desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top 
errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ 
Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error 
Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, 
['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser_alert", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], "properties": { - "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain 
insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId2')]", - "contentId": "[variables('_workbookContentId2')]", - "kind": "Workbook", - "version": "[variables('workbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "SigninLogs", - "kind": "DataType" - }, - { - "contentId": "AzureActiveDirectory", - "kind": "DataConnector" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId2')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook2-name')]", - "contentProductId": 
"[variables('_workbookcontentProductId2')]", - "id": "[variables('_workbookcontentProductId2')]", - "version": "[variables('workbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", - "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/subscribe" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "DeletedByIPAddress", - "identifier": "Address" + "actions": { + "Alert_-_Get_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": 
"get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", - "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": 
"[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", - "displayName": "Account created or deleted by non-approved user", - "enabled": false, - "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", - "queryFrequency": "P1D", - 
"queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + }, + "Entities_-_Get_Accounts": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedUserIpAddress", - "identifier": "Address" + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": 
"Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", - "contentKind": "AnalyticsRule", - "displayName": "Account created or deleted by non-approved user", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Modified domain federation trust settings", - "enabled": false, - "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + "Add_comment_to_incident_-_with_manager_-_no_admin": { + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Add_comment_to_incident_-_with_manager_-_no_admin": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Update_user_-_disable_user": { + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } } - ], - "tactics": [ - "CredentialAccess" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + 
"authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, "author": { "name": "Microsoft", 
@@ -1414,719 +1047,456 @@ } } } - ] + ], + "metadata": { + "title": "Block Microsoft Entra ID user - Alert", + "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "Modified domain federation trust settings", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-Alert", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + 
"name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Block-AADUser-EntityTrigger", + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": 
"[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference", - "displayName": "Password spray attack against ADFSSignInLogs", - "enabled": false, - "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n arg_min(TimeGenerated, *)\n by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, 
ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "ADFSSignInLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Azure Active Directory Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + 
"parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", - "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against ADFSSignInLogs", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. 
Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", - "displayName": "Admin promotion after Role Management Application Permission Grant", - "enabled": false, - "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n summarize modifiedProperties = make_bag(\n bag_pack(tostring(modifiedProperty[\"displayName\"]),\n bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n PermissionGrant_TimeGenerated = TimeGenerated,\n PermissionGrant_OperationName = OperationName,\n PermissionGrant_Result = Result,\n PermissionGrant,\n AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n AppServicePrincipalId = 
tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n PermissionGrant_InitiatedBy = InitiatedBy,\n PermissionGrant_TargetResources = TargetResources,\n PermissionGrant_AdditionalDetails = AdditionalDetails,\n PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(query_frequency)\n | where Category =~ \"RoleManagement\" and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n | where isnotempty(InitiatedBy[\"app\"])\n | mv-expand TargetResource = TargetResources\n | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n | where RoleAssignment contains \"Admin\"\n | project\n RoleAssignment_TimeGenerated = TimeGenerated,\n RoleAssignment_OperationName = OperationName,\n RoleAssignment_Result = Result,\n RoleAssignment,\n TargetType = tostring(TargetResources[0][\"type\"]),\n Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n TargetId = tostring(TargetResources[0][\"id\"]),\n RoleAssignment_InitiatedBy = InitiatedBy,\n RoleAssignment_TargetResources = TargetResources,\n RoleAssignment_AdditionalDetails = AdditionalDetails,\n RoleAssignment_CorrelationId = CorrelationId,\n AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n TargetName = tostring(split(Target, \"@\")[0]),\n TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, 
PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT2H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "PrivilegeEscalation", - "Persistence" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "AppDisplayName", - "identifier": "Name" - } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "TargetName", - "identifier": "Name" - }, - { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": 
"[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", - "contentKind": "AnalyticsRule", - "displayName": "Admin promotion after Role Management Application Permission Grant", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": 
"[parameters('workspace-location')]", - "properties": { - "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application", - "displayName": "Anomalous sign-in location by user account and authenticating application", - "enabled": false, - "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - 
"severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - }, - { - "columnName": "UserId", - "identifier": "AadUserId" - } - ] - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "Application": "AppDisplayName" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}", - "alertDescriptionFormat": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. 
This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", - "contentKind": "AnalyticsRule", - "displayName": "Anomalous sign-in location by user account and authenticating application", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], "properties": { - "description": "Identifies authentication methods being changed for a privileged account. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "Authentication Methods Changed for Privileged Account", - "enabled": false, - "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize by AccountUPN);\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName)\n )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n", - "queryFrequency": "PT2H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1098" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatorName", - "identifier": "Name" - }, - { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "TargetName", - "identifier": "Name" - }, - { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" - } - ] + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IP", - "identifier": "Address" + "triggers": { + "Microsoft_Sentinel_entity": { + 
"type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", - "contentKind": "AnalyticsRule", - "displayName": "Authentication Methods Changed for Privileged Account", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - 
"dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", - "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", - "enabled": false, - "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, 
UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] + } }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_-_with_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']}  (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Condition_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_3": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] }, - { - "columnName": "UserId", - "identifier": "AadUserId" + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Initialize_variable_Account_Details": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AccountDetails", + "type": "string" + } + ] } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + }, + "Set_variable": { + "runAfter": { + "Initialize_variable_Account_Details": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "AccountDetails", + "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": 
"[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", - "contentKind": "AnalyticsRule", - "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", - "displayName": "Azure AD Role Management Permission Grant", - "enabled": false, - "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n )\n| extend \n Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", - "suppressionDuration": "PT1H", - 
"suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "Persistence", - "Impact" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + }, + "Update_user_-_disable_user": { + "runAfter": { + "Set_variable": [ + "Succeeded" + ] }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "AppDisplayName", - "identifier": "Name" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" + }, + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', 
variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2141,598 +1511,415 @@ } } } - ] + ], + "metadata": { + "title": "Block Microsoft Entra ID user - Entity trigger", + "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!", + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-12-08T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", - "contentKind": "AnalyticsRule", - "displayName": "Azure AD Role Management Permission Grant", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-EntityTrigger", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Block-AADUser-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Block-AADUser-Incident", + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": 
"[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", - "displayName": "Azure Portal sign in from another Azure Tenant", - "enabled": false, - "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = 
case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1199" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - }, - { - "columnName": "UserId", - "identifier": 
"AadUserId" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}", - "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n" + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Azure Active Directory Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": 
"[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", - "contentKind": "AnalyticsRule", - "displayName": "Azure Portal sign in from another Azure Tenant", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId11')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. 
If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", - "displayName": "Brute Force Attack against GitHub Account", - "enabled": false, - "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h; \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n table(tableName) \n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | where AppDisplayName =~ \"GitHub.com\"\n | where ResultType != 0\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName \n ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", - 
"kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", - "contentKind": "AnalyticsRule", - "displayName": "Brute Force Attack against GitHub Account", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId12')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], "properties": { - "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", - "displayName": "Brute force attack against a Cloud PC", - "enabled": false, - "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = 
series_decompose_anomalies(Diff, sensitivity, -1, 'linefit') \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n SigninLogs\n | where AppDisplayName =~ \"Windows Sign In\"\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n | summarize StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IPAddress = make_set(IPAddress,100), \n OS = make_set(OS,20), \n Browser = make_set(Browser,20), \n City = make_set(City,100), \n ResultType = make_set(ResultType,100)\n by UserDisplayName, UserPrincipalName\n ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + 
"type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddressFirst", - "identifier": "Address" + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", - "contentKind": 
"AnalyticsRule", - "displayName": "Brute force attack against a Cloud PC", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": "[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId13')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "Bulk Changes to Privileged Account Permissions", - "enabled": false, - "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\";\nAdminRecords\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (\n AdminRecords\n | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": 
"TargetName", - "identifier": "Name" + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + "Add_comment_to_incident_-_with_manager_-_no_admin": { + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Add_comment_to_incident_-_with_manager_-_no_admin": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Update_user_-_disable_user": { + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } }, - { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatedByUserName", - "identifier": "Name" + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] }, - { - "columnName": "InitiatedByUserUPNSuffix", - "identifier": "UPNSuffix" - } - ] + "type": "Foreach" + } } - ], - "customDetails": { - "InitiatedByUser": "InitiatedByUser", - "TargetUser": "Target" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": 
"support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", - "contentKind": "AnalyticsRule", - "displayName": "Bulk Changes to Privileged Account Permissions", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId14')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 
1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", - "displayName": "Attempt to bypass conditional access rule in Azure AD", - "enabled": false, - "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA 
successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence" - ], - "techniques": [ - "T1078", - "T1098" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - 
"fieldMappings": [ - { - "columnName": "IPAddresses", - "identifier": "Address" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 14", - "parentId": "[variables('analyticRuleId14')]", - "contentId": "[variables('_analyticRulecontentId14')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion14')]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2747,590 +1934,429 @@ } } } - ] + ], + "metadata": { + "title": "Block AAD user - Incident", + "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", - "contentKind": "AnalyticsRule", - "displayName": "Attempt to bypass conditional access rule in Azure AD", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-Incident", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleTemplateSpecName15')]", + "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Prompt-User-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion15')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Prompt-User-Alert", + "type": "string" + }, + "TeamsId": { + "metadata": { + "description": "Enter the Teams Group ID" + }, + "type": "string" + }, + "TeamsChannelId": { + "metadata": { + "description": "Enter the Teams Channel ID" + }, + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId15')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", - "displayName": "Credential added after admin consented to Application", - 
"enabled": false, - "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetResourceType = tostring(TargetResource.type),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n 
targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"Included Updated Properties\"\n | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - 
"connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "Consent_InitiatingIpAddress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Azure Active Directory Analytics Rule 15", - "parentId": "[variables('analyticRuleId15')]", - "contentId": "[variables('_analyticRulecontentId15')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion15')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": 
"[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId15')]", - "contentKind": "AnalyticsRule", - "displayName": "Credential added after admin consented to Application", - "contentProductId": "[variables('_analyticRulecontentProductId15')]", - "id": "[variables('_analyticRulecontentProductId15')]", - "version": "[variables('analyticRuleVersion15')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName16')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion16')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId16')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.", - "displayName": "Cross-tenant Access Settings Organization Added", - "enabled": false, - "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - 
"columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 16", - "parentId": "[variables('analyticRuleId16')]", - "contentId": "[variables('_analyticRulecontentId16')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion16')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId16')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Added", - "contentProductId": "[variables('_analyticRulecontentProductId16')]", - "id": "[variables('_analyticRulecontentProductId16')]", - "version": "[variables('analyticRuleVersion16')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName17')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion17')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId17')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.", - "displayName": "Cross-tenant Access Settings Organization Deleted", - "enabled": false, - "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 17", - "parentId": "[variables('analyticRuleId17')]", - "contentId": "[variables('_analyticRulecontentId17')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion17')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId17')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Deleted", - "contentProductId": "[variables('_analyticRulecontentProductId17')]", - "id": "[variables('_analyticRulecontentProductId17')]", - "version": "[variables('analyticRuleVersion17')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName18')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion18')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId18')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Prompt-User_alert", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ], "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", - "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - 
"status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Update_incident": { + "inputs": { + "body": { + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", + "ClassificationReasonText": "User Confirmed it was them" + }, + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Post_message_in_a_chat_or_channel": { + "inputs": { + "body": { + "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}
\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", + "recipient": { + "channelId": "[[parameters('TeamsChannelId')]", + "groupId": "[[parameters('TeamsId')]" + }, + "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "method": "post", + "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "", + "This was me" + ] + } + ] + }, + "runAfter": { + "Send_approval_email": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" + }, + "type": "ApiConnection" + }, + "Send_approval_email": { + "inputs": { + "body": { + "Message": { + "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}", + "HideHTMLMessage": false, + "Importance": "High", + "Options": "This was me, This was not me", + "ShowHTMLConfirmationDialog": false, + "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}", + "To": "@body('Get_user')?['mail']" + }, + "NotificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "path": "/approvalmail/$subscriptions" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook" + } + }, + "foreach": 
"@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" - } - ] + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 18", - "parentId": "[variables('analyticRuleId18')]", - "contentId": "[variables('_analyticRulecontentId18')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion18')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId18')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", - 
"contentProductId": "[variables('_analyticRulecontentProductId18')]", - "id": "[variables('_analyticRulecontentProductId18')]", - "version": "[variables('analyticRuleVersion18')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName19')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion19')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId19')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", - "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. 
When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", 
+ "connectionName": "[[variables('AzureADConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
 },
- {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "columnName": "InitiatedByIPAdress",
- "identifier": "Address"
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[[variables('Office365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+ },
+ "teams": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[[variables('TeamsConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
 }
- ]
+ }
 }
- ]
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', 
last(split(variables('playbookId4'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 19",
- "parentId": "[variables('analyticRuleId19')]",
- "contentId": "[variables('_analyticRulecontentId19')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion19')]",
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion4')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": { 
@@ -3345,480 +2371,411 @@ } } } - ] + ], + "metadata": { + "title": "Prompt User - Alert", + "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", + "prerequisites": [ + "1. You will need the Team Id and Channel Id." + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added new Post a Teams message action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId19')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId19')]", - "id": "[variables('_analyticRulecontentProductId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Prompt-User-Alert", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName20')]", + "name": 
"[variables('playbookTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Prompt-User-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion20')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Prompt-User-Incident", + "type": "string" + }, + "TeamsId": { + "metadata": { + "description": "Enter the Teams Group ID" + }, + "type": "string" + }, + "TeamsChannelId": { + "metadata": { + "description": "Enter the Teams Channel ID" + }, + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId20')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", - "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. 
\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[[variables('AzureADConnectionName')]", 
+ "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Azure Active Directory Analytics Rule 20", - "parentId": "[variables('analyticRuleId20')]", - "contentId": "[variables('_analyticRulecontentId20')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion20')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId20')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId20')]", - "id": "[variables('_analyticRulecontentProductId20')]", - "version": "[variables('analyticRuleVersion20')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - 
"apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName21')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion21')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId21')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", - "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleId21'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 21", - "parentId": "[variables('analyticRuleId21')]", - "contentId": "[variables('_analyticRulecontentId21')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion21')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId21')]", - "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId21')]", - "id": "[variables('_analyticRulecontentProductId21')]", - "version": "[variables('analyticRuleVersion21')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName22')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], 
- "properties": { - "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion22')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId22')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", - "displayName": "Attempts to sign in to disabled accounts", - "enabled": false, - "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. 
The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ] - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 22", - "parentId": 
"[variables('analyticRuleId22')]", - "contentId": "[variables('_analyticRulecontentId22')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion22')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId22')]", - "contentKind": "AnalyticsRule", - "displayName": "Attempts to sign in to disabled accounts", - "contentProductId": "[variables('_analyticRulecontentProductId22')]", - "id": "[variables('_analyticRulecontentProductId22')]", - "version": "[variables('analyticRuleVersion22')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName23')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion23')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - 
"type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId23')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Prompt-User", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ], "properties": { - "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", - "displayName": "Distributed Password cracking attempts in AzureAD", - "enabled": false, - "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as 
they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - 
] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Update_incident": { + "inputs": { + "body": { + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", + "ClassificationReasonText": "User Confirmed it was them" + }, + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Post_message_in_a_chat_or_channel": { + "inputs": { + "body": { + "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", + "recipient": { + "channelId": "[[parameters('TeamsChannelId')]", + "groupId": "[[parameters('TeamsId')]" + }, + "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "method": "post", + "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Send_approval_email')?['SelectedOption']", + "This was me" + ] + } + ] + }, + "runAfter": { + "Send_approval_email": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" + }, + "type": "ApiConnection" + }, + "Send_approval_email": { + "inputs": { + "body": { + "Message": { + "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}", + "HideHTMLMessage": false, + "Importance": "High", + "Options": "This was me, This was not me", + "ShowHTMLConfirmationDialog": false, + "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}", + "To": "@body('Get_user')?['mail']" + }, + "NotificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "path": "/approvalmail/$subscriptions" + }, + "runAfter": { + "Get_user": [ + 
"Succeeded" + ] + }, + "type": "ApiConnectionWebhook" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + "teams": { + 
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 23", - "parentId": "[variables('analyticRuleId23')]", - "contentId": "[variables('_analyticRulecontentId23')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion23')]", + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -3833,499 +2790,391 @@ } } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId23')]", - "contentKind": "AnalyticsRule", - "displayName": "Distributed Password cracking attempts in AzureAD", - "contentProductId": "[variables('_analyticRulecontentProductId23')]", - "id": "[variables('_analyticRulecontentProductId23')]", - "version": "[variables('analyticRuleVersion23')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName24')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion24')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId24')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.", - "displayName": "Explicit MFA Deny", - "enabled": false, - "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or 
Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ] - }, - { - "entityType": "URL", - "fieldMappings": [ - { - "columnName": "ClientAppUsed", - "identifier": "Url" - } - ] - } + ], + "metadata": { + "title": "Prompt User - Incident", + "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", + "prerequisites": [ + "1. You will need the Team Id and Channel Id." + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." 
+ ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added new Post a Teams message action", + "notes": [ + "Initial version" ] } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 24", - "parentId": "[variables('analyticRuleId24')]", - "contentId": "[variables('_analyticRulecontentId24')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion24')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId24')]", - "contentKind": "AnalyticsRule", - "displayName": "Explicit MFA Deny", - "contentProductId": "[variables('_analyticRulecontentProductId24')]", - "id": "[variables('_analyticRulecontentProductId24')]", - "version": "[variables('analyticRuleVersion24')]" + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "Prompt-User-Incident", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName25')]", + "name": "[variables('playbookTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion25')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADPassword-AlertTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": 
[ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId25')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access", - "displayName": "full_access_as_app Granted To Application", - "enabled": false, - "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ 
\"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/subscribe" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "GrantIpAddress", - "identifier": "Address" + "actions": { + "Alert_-_Get_incident": { + "runAfter": { + "Set_variable_-_password": [ + 
"Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" } - ] - } - ], - "customDetails": { - "OAuthAppId": "AppId", - "UserAgent": "GrantUserAgent", - "OAuthApplication": "OAuthAppName" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. 
The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 25", - "parentId": "[variables('analyticRuleId25')]", - "contentId": "[variables('_analyticRulecontentId25')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion25')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId25')]", - "contentKind": "AnalyticsRule", - "displayName": "full_access_as_app Granted To Application", - "contentProductId": "[variables('_analyticRulecontentProductId25')]", - "id": "[variables('_analyticRulecontentProductId25')]", - "version": "[variables('analyticRuleVersion25')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName26')]", - "location": 
"[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion26')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId26')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", - "displayName": "Failed login attempts to Azure Portal", - "enabled": false, - "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins 
= azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", 
ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City) \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - 
"entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + }, + "Entities_-_Get_Accounts": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "HTTP_-_reset_a_password": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] + } + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 0, 10)}" } - ] + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", - 
"properties": { - "description": "Azure Active Directory Analytics Rule 26", - "parentId": "[variables('analyticRuleId26')]", - "contentId": "[variables('_analyticRulecontentId26')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion26')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId26')]", - "contentKind": "AnalyticsRule", - "displayName": "Failed login attempts to Azure Portal", - "contentProductId": "[variables('_analyticRulecontentProductId26')]", - "id": "[variables('_analyticRulecontentProductId26')]", - "version": "[variables('analyticRuleVersion26')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName27')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion27')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId27')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "First access credential added to Application or Service Principal where no credential was present", - "enabled": false, - "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = 
parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\" \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": 
"Address" - } - ] - }, - { - "entityType": "CloudApplication", - "fieldMappings": [ - { - "columnName": "targetDisplayName", - "identifier": "Name" - } - ] - } - ] + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 27", - "parentId": "[variables('analyticRuleId27')]", - "contentId": "[variables('_analyticRulecontentId27')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion27')]", + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
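Review bot: The `Add_comment_to_incident_-_manager_not_available` action in the new Reset-AADPassword-AlertTrigger workflow writes the freshly set temporary password (`\nThe temporary password is: @{variables('Password')}`) into the Sentinel incident comment, so anyone with read access to incidents in the workspace sees the credential, and this branch appears to run for any non-200 result of `HTTP_-_get_manager` since the condition's runAfter accepts both Succeeded and Failed. I would keep only the reset notice in that comment, e.g. `"message": "User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager; the temporary password must be delivered through an out-of-band channel."`. Relatedly, `Set_variable_-_password` derives the password from `@{substring(guid(), 0, 10)}`, which is nine hex characters plus a hyphen (roughly 36 bits from a fixed character set); `forceChangePasswordNextSignIn` being true limits the exposure window, but a longer random value would be safer. Since this commit is a repackage, the same fix presumably belongs in the playbook's source template rather than only in the generated solution file.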
@@ -4340,367 +3189,402 @@ } } } - ] + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Alert Trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": " Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId27')]", - "contentKind": "AnalyticsRule", - "displayName": "First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('_analyticRulecontentProductId27')]", - "id": "[variables('_analyticRulecontentProductId27')]", - "version": "[variables('analyticRuleVersion27')]" + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "Reset-AADPassword-AlertTrigger", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName28')]", + "name": "[variables('playbookTemplateSpecName7')]", "location": 
"[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion28')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADUserPassword-EntityTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId28')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": 
"[parameters('workspace-location')]", "properties": { - "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", - "enabled": false, - "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = 
tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InvitedUser", - "identifier": "Name" - } - ] + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "triggers": { + "Microsoft_Sentinel_entity": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{variables('AccountDetails')}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" + } + }, + "HTTP_-_reset_a_password": { + "runAfter": { + "Initialize_variable_Account": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}" + } + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] + } + }, + "Initialize_variable_Account": { + "runAfter": { + "Set_variable_-_password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AccountDetails", + "type": "string", + "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" + } + ] + } + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, 
+ "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 0, 10)}" } - ] + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 28", - "parentId": "[variables('analyticRuleId28')]", - "contentId": "[variables('_analyticRulecontentId28')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion28')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId28')]", - "contentKind": "AnalyticsRule", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", - "contentProductId": "[variables('_analyticRulecontentProductId28')]", - "id": "[variables('_analyticRulecontentProductId28')]", - "version": "[variables('analyticRuleVersion28')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName29')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion29')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId29')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.", - "displayName": "Mail.Read Permissions Granted to Application", - "enabled": false, - "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\") \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties,\n Type = tostring(TargetResource.type),\n PermissionsAddedTo = tostring(TargetResource.displayName)\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n )\n| where Permissions 
has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress) \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppName = tostring(TargetResource.displayName),\n AppId = tostring(TargetResource.id)\n )\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1098" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "UserIPAddress", - "identifier": "Address" + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ] + } } - ] - } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Azure Active Directory Analytics Rule 29", - "parentId": "[variables('analyticRuleId29')]", - 
"contentId": "[variables('_analyticRulecontentId29')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion29')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId29')]", - "contentKind": "AnalyticsRule", - "displayName": "Mail.Read Permissions Granted to Application", - "contentProductId": "[variables('_analyticRulecontentProductId29')]", - "id": "[variables('_analyticRulecontentProductId29')]", - "version": "[variables('analyticRuleVersion29')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName30')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion30')]", - "parameters": {}, - "variables": 
{}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId30')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where 
ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "CredentialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1528", - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "GrantIpAddress", - "identifier": "Address" - } - ] - }, - { - "entityType": "CloudApplication", - "fieldMappings": [ - { - "columnName": "AppDisplayName", - "identifier": "Name" - } - ] - } - ] + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 30", - "parentId": "[variables('analyticRuleId30')]", - "contentId": "[variables('_analyticRulecontentId30')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion30')]", + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
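Review bot: The `Add_comment_to_incident_-_manager_not_available` action writes the temporary password in plaintext into the Sentinel incident comment ("The temporary password is: @{variables('Password')}"), where it is persisted in the workspace and readable by anyone with incident-read access; the playbook's own description only promises delivery to the user's manager, and the email path already puts that same plaintext credential into a mailbox. The value itself, `@{substring(guid(), 0, 10)}`, is the first 10 characters of a GUID — lowercase hex digits plus one hyphen, roughly 36 bits of entropy — which is weak for a credential that is e-mailed around and may fall short of a tenant's custom complexity or banned-password policy (worth confirming against the tenant settings). Suggest removing the password from the incident comment, e.g. `"message": "User @{variables('AccountDetails')} password was reset in AAD but the user has no manager; the temporary credential was not recorded in this incident."`, and deriving the password from more than one `guid()` (or a longer substring) before it is used in `HTTP_-_reset_a_password`. For an account that is being remediated as part of an incident, also consider `"forceChangePasswordNextSignInWithMfa": true` so the first sign-in with the temporary password requires MFA rather than only a password change.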
@@ -4715,352 +3599,370 @@ } } } - ] + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Entity trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-12-06T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.1", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId30')]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('_analyticRulecontentProductId30')]", - "id": "[variables('_analyticRulecontentProductId30')]", - "version": "[variables('analyticRuleVersion30')]" + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "Reset-AADUserPassword-EntityTrigger", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName31')]", + "name": "[variables('playbookTemplateSpecName8')]", "location": "[parameters('workspace-location')]", "dependsOn": [ 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion31')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId31')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to PwnAuth", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where 
AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = 
tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "CredentialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1528", - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "GrantIpAddress", - "identifier": "Address" - } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 31", - "parentId": "[variables('analyticRuleId31')]", - "contentId": "[variables('_analyticRulecontentId31')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion31')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADPassword-IncidentTrigger", + "type": "string" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - 
"packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId31')]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent similar to PwnAuth", - "contentProductId": "[variables('_analyticRulecontentProductId31')]", - "id": "[variables('_analyticRulecontentProductId31')]", - "version": "[variables('analyticRuleVersion31')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName32')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion32')]", - "parameters": {}, - "variables": {}, + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 
'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId32')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "MFA Rejected by User", - "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = 
make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" - ] + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "connectorId": "IdentityInfo", - "dataTypes": [ - "IdentityInfo" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - }, 
- { - "columnName": "UserId", - "identifier": "AadUserId" + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + "actions": { + "Entities_-_Get_Accounts": { + "runAfter": { + "Set_variable_-_password": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 32", - "parentId": "[variables('analyticRuleId32')]", - "contentId": "[variables('_analyticRulecontentId32')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion32')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId32')]", - "contentKind": "AnalyticsRule", - "displayName": "MFA Rejected by User", - "contentProductId": "[variables('_analyticRulecontentProductId32')]", - "id": "[variables('_analyticRulecontentProductId32')]", - "version": "[variables('analyticRuleVersion32')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName33')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion33')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId33')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", - "displayName": "Multiple admin membership removals from newly created admin.", - "enabled": false, - "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ 
\"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "HTTP_-_reset_a_password": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] + } + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 0, 10)}" + } + } } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1531" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + 
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ] + } } - ] + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + 
"apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 33", - "parentId": "[variables('analyticRuleId33')]", - "contentId": "[variables('_analyticRulecontentId33')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion33')]", + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
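Review bot: The `Add_comment_to_incident_-_manager_not_available` action in the else branch writes the temporary password into the incident comment (`\nThe temporary password is: @{variables('Password')}`), so the credential is persisted in the incident's comment history, presumably readable by anyone with read access to incidents, whereas the manager-available branch keeps it out of the comment; drop those two lines from the message and, for the no-manager case, either deliver the password through the existing Office 365 connection to a designated mailbox or state in the comment that manual delivery is required. Separately, `Password` is generated once in `Set_variable_-_password` before `For_each`, so every account in the incident is reset to the same value and each notified manager learns a password that is valid for all of them; move the SetVariable action into `For_each.actions` (with `HTTP_-_reset_a_password` running after it) and add `"runtimeConfiguration": {"concurrency": {"repetitions": 1}}` to `For_each`, since variables are shared across parallel iterations. Note also that `substring(guid(), 0, 10)` yields nine hex digits plus a hyphen, roughly 36 bits of entropy; `forceChangePasswordNextSignIn` limits its lifetime, and setting `forceChangePasswordNextSignInWithMfa` to true would additionally require MFA before the forced change. The trailing metadata resource of this playbook continues outside the hunk.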
@@ -5075,332 +3977,325 @@
 }
 }
 }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId33')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Multiple admin membership removals from newly created admin.",
- "contentProductId": "[variables('_analyticRulecontentProductId33')]",
- "id": "[variables('_analyticRulecontentProductId33')]",
- "version": "[variables('analyticRuleVersion33')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName34')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion34')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId34')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, 
the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "New access credential added to Application or Service Principal", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend 
InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": "Address" - } - ] - } + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Incident Trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. 
The user will have to reset the password upon login.", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": " Added manager notification action", + "notes": [ + "Initial version" ] } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", - "properties": { - "description": "Azure Active Directory Analytics Rule 34", - "parentId": "[variables('analyticRuleId34')]", - "contentId": "[variables('_analyticRulecontentId34')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion34')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId34')]", - "contentKind": "AnalyticsRule", - "displayName": "New access credential added to Application or Service Principal", - "contentProductId": "[variables('_analyticRulecontentProductId34')]", - "id": "[variables('_analyticRulecontentProductId34')]", - "version": 
"[variables('analyticRuleVersion34')]" + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "Reset-AADPassword-IncidentTrigger", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName35')]", + "name": "[variables('playbookTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion35')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignInSessions-alert", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": 
"[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId35')]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT Modified domain federation trust settings", - "enabled": false, - "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| 
project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Azure Active Directory Analytics Rule 35", - "parentId": "[variables('analyticRuleId35')]", - "contentId": "[variables('_analyticRulecontentId35')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion35')]", - "source": { - "kind": "Solution", - "name": "Azure Active Directory", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": 
"Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId35')]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Modified domain federation trust settings", - "contentProductId": "[variables('_analyticRulecontentProductId35')]", - "id": "[variables('_analyticRulecontentProductId35')]", - "version": "[variables('analyticRuleVersion35')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName36')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion36')]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId36')]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365UsersConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]", "properties": { - "description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.", - "displayName": "NRT Authentication Methods Changed for VIP Users", - "enabled": false, - "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1098" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + 
"apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Send_an_email_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_manager_(V2)": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365users']['connectionId']" + } + }, + "method": "get", + "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" + }, + "runAfter": { + "HTTP": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "HTTP": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" + }, + "type": "Http" + }, + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", + "Subject": "User signin sessions were reset due to security incident.", + "To": "@body('Get_manager_(V2)')?['mail']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "runAfter": { + "Get_manager_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IP", - "identifier": "Address" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + "office365users": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", + "connectionName": "[[variables('Office365UsersConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 36", - "parentId": "[variables('analyticRuleId36')]", - "contentId": "[variables('_analyticRulecontentId36')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion36')]", + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
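Review bot: In the `HTTP` action inside `For_each`, the account name is spliced into the Graph `uri` without `encodeURIComponent`, whereas the sibling `Get_manager_(V2)` path encodes the same `concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])` expression; Name and UPNSuffix come from incident entities, so a value containing `/`, `?` or `#` alters the request path instead of travelling as one path segment. Proposed: `"uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}/revokeSignInSessions"`. The same raw expression is also written into the HTML `Body` of `Send_an_email_(V2)` and into the incident comment, where `singin` should read `sign-in`. An entity with an empty `UPNSuffix` yields `name@`, which Graph is unlikely to resolve, so a check on `items('For_each')?['UPNSuffix']` before the HTTP call would make the loop's outcome explicit rather than a failed iteration. The metadata resource this hunk ends in continues past the hunk.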
@@ -5415,105 +4310,211 @@ } } } - ] + ], + "metadata": { + "title": "Revoke-AADSignInSessions alert trigger", + "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", + "prerequisites": [ + "1. You must create an app registration for graph api with appropriate permissions.", + "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID." + ], + "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", + "lastUpdateTime": "2021-07-14T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId36')]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Authentication Methods Changed for VIP Users", - "contentProductId": "[variables('_analyticRulecontentProductId36')]", - "id": "[variables('_analyticRulecontentProductId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "Revoke-AADSignInSessions-alert", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName37')]", + "name": "[variables('playbookTemplateSpecName10')]", "location": 
"[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion37')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId37')]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient 
privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_entity": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" } - ] + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": 
"InitiatingIpAddress", - "identifier": "Address" + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_-_session_revoked": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "HTTP_-_revoke_sign-in_session": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_revoke_sign-in_session": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions" } - ] + } } - ] + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 37", - "parentId": "[variables('analyticRuleId37')]", - "contentId": "[variables('_analyticRulecontentId37')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion37')]", + "parentId": "[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", + "kind": "Playbook", + "version": "[variables('playbookVersion10')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
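Review bot: In `HTTP_-_revoke_sign-in_session` the Graph URI splices `Name` and `upnSuffix` from the entity straight into the path without `encodeURIComponent`, while the trigger path (`/entity/@{encodeURIComponent('Account')}`) and the incident paths elsewhere in this template do encode; a UPN containing reserved characters (guest UPNs carry `#EXT#`, and `#` ends the path) would make the call target a different or non-existent user, so the segment should be `@{encodeURIComponent(concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix']))}`. The same unencoded concat appears in the `HTTP` action of the incident-trigger playbook in the next hunk. The `postDeployment` note asks for `Directory.ReadWrite.All` on top of `User.ReadWrite.All`, yet the only Graph call here is `revokeSignInSessions`, and the incident-trigger playbook's metadata in the following hunk lists `User.ReadWrite.All` alone; unless something in this workflow needs directory-wide write, the broader permission should be dropped from the instructions. The alert-trigger metadata at the top of the hunk still tells operators to "create an app registration for graph api" and add the identity to the Password Administrator role, which appears inconsistent with the `ManagedServiceIdentity` authentication the definition above uses — worth confirming and rewording. The `comments` string there also reads "send and email" for "send an email".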
@@ -5528,105 +4529,316 @@ } } } - ] + ], + "metadata": { + "title": "Revoke AAD Sign-in session using entity trigger", + "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", + "postDeployment": [ + "1. Add Microsoft Sentinel Responder role to the managed identity.", + "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity." + ], + "lastUpdateTime": "2022-12-22T00:00:00Z", + "entities": [ + "Account" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId37')]", - "contentKind": "AnalyticsRule", - "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('_analyticRulecontentProductId37')]", - "id": "[variables('_analyticRulecontentProductId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "Playbook", + "displayName": "Revoke-AADSignIn-Session-entityTrigger", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName38')]", + "name": "[variables('playbookTemplateSpecName11')]", 
"location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion38')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion11')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignInSessions-incident", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 
'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId38')]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT New access credential added to Application or Service Principal", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where 
TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "Medium", - 
"suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" + "displayName": "[[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365UsersConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Revoke-AADSigninSessions", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Send_an_email_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_manager_(V2)": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365users']['connectionId']" + } + }, + "method": "get", + "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" + }, + "runAfter": { + "HTTP": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "HTTP": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" + }, + "type": "Http" + }, + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", + "Subject": "User signin sessions were reset due to security incident.", + "To": "@body('Get_manager_(V2)')?['mail']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "runAfter": { + "Get_manager_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + "office365users": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", + "connectionName": "[[variables('Office365UsersConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" } - ] + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 38", - "parentId": "[variables('analyticRuleId38')]", - "contentId": "[variables('_analyticRulecontentId38')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion38')]", + "parentId": "[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", + "kind": "Playbook", + "version": "[variables('playbookVersion11')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
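Review bot: The `office365` and `office365users` connections are declared without `parameterValueType: "Alternative"` or a managed-identity `connectionProperties`, so unlike `azuresentinel` they are delegated connections that someone must authorize after deployment with an account able to read managers and send mail as the sender; nothing in the template or the playbook's metadata (next hunk, which lists only the `User.ReadWrite.All` Graph permission) says so, and the managed identity also needs the Microsoft Sentinel Responder role for `Add_comment_to_incident_(V3)`, as the entity-trigger playbook's `postDeployment` in the previous hunk documents. I would add two `postDeployment` entries: `"1. Add Microsoft Sentinel Responder role to the managed identity."` and `"2. Authorize the office365 and office365users API connections after deployment."`. The three `concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])` expressions mix `For_each` and `for_each` for the same loop; even if action-name lookup is case-insensitive, normalizing to `items('For_each')` avoids a hard-to-spot failure. The incident comment also has a typo, "singin sessions were revoked".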
@@ -5641,118 +4853,86 @@
 }
 }
 }
- ]
+ ],
+ "metadata": {
+ "title": "Revoke AAD SignIn Sessions - incident trigger",
+ "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.",
+ "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.",
+ "lastUpdateTime": "2021-07-14T00:00:00Z",
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId38')]",
- "contentKind": "AnalyticsRule",
- "displayName": "NRT New access credential added to Application or Service Principal",
- "contentProductId": "[variables('_analyticRulecontentProductId38')]",
- "id": "[variables('_analyticRulecontentProductId38')]",
- "version": "[variables('analyticRuleVersion38')]"
+ "contentId": "[variables('_playbookContentId11')]",
+ "contentKind": "Playbook",
+ "displayName": "Revoke-AADSignInSessions-incident",
+ "contentProductId": "[variables('_playbookcontentProductId11')]",
+ "id": "[variables('_playbookcontentProductId11')]",
+ "version": "[variables('playbookVersion11')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName39')]",
+ "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": 
"NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion39')]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId39')]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." + }, "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "NRT PIM Elevation Request Rejected", - "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatingName", - "identifier": "Name" - }, - { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "UserName", - "identifier": "Name" - }, - { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - 
"columnName": "InitiatingIpAddress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = 
false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' 
sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories 
volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif 
(tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", 
\\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 39", - "parentId": "[variables('analyticRuleId39')]", - "contentId": "[variables('_analyticRulecontentId39')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion39')]", + "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. 
\nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -5764,6 +4944,19 @@
 "name": "Microsoft Corporation",
 "email": "support@microsoft.com",
 "link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "AuditLogs",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "AzureActiveDirectory",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
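Review bot: The workbook metadata `description` that closes this hunk appears to be a stringified object dump (`@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; ... provider=Microsoft}.description`) rather than the description text, so the deployed metadata resource would carry the packaging tool's hashtable rendering with `.description` appended; it should hold the same plain sentence used in the workbook resource's own `metadata.description` earlier in the hunk. In that same hunk the workbook description still reads "Gain insights into Azure Active Directory ..." and the playbook `title`/`displayName` keep "AAD", while `source.name` is rebranded to "Microsoft Entra ID" — the same wording recurs in the second workbook's description in the following hunk (`@@ -5774,98 +4967,60 @@`). Separately, the playbook `prerequisites` tell operators to grant `User.ReadWrite.All` to the managed identity, which is far broader than revoking sign-in sessions requires; if a narrower Graph application permission scoped to session revocation (such as `User.RevokeSessions.All`, where supported) is available, the prerequisite should name it so the identity is not over-privileged. Identifiers such as the `AzureActiveDirectory` connector `contentId` are correctly left unchanged, since they are stable keys rather than display text.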
@@ -5774,98 +4967,60 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId39')]",
- "contentKind": "AnalyticsRule",
- "displayName": "NRT PIM Elevation Request Rejected",
- "contentProductId": "[variables('_analyticRulecontentProductId39')]",
- "id": "[variables('_analyticRulecontentProductId39')]",
- "version": "[variables('analyticRuleVersion39')]"
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName40')]",
+ "name": "[variables('workbookTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion40')]",
+ "contentVersion": "[variables('workbookVersion2')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId40')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "NRT",
+ "type": "Microsoft.Insights/workbooks",
+ "name": 
"[variables('workbookContentId2')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures." + }, "properties": { - "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "NRT Privileged Role Assigned Outside PIM", - "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - 
"columnName": "IpAddress", - "identifier": "Address" - } - ] - } - ] + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-
13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix 
asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where 
UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by 
SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"
\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All 
Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n countryData\\r\\n)\\r\\non Country\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, City, Category, tostring(Trend)\\r\\n| project Id = strcat(City, '-', Category), Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = strcat(Country, '-', Category),Category\\r\\n| union (countryData\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, Category, tostring(Trend)\\r\\n| project Id = strcat(Country, '-', Category), Name = 
Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = 
dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == 
'{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result 
type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n | extend errorCode = Status.errorCode\\r\\n | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user 
action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n | where Os != ''\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n | project-away TimeGenerated)\\r\\n on Os\\r\\n | order by TotalCount desc, Os asc\\r\\n | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = 
tostring(DeviceDetail.browser)\\r\\n | project-away TimeGenerated)\\r\\n on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user 
action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = 
DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend 
LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access 
status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == 1, \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird 
Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n | where Category in ({Category})\\r\\n | summarize Count = dcount(Id) by CAStatus\\r\\n | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n | join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n | project Id = CAStatus, Trend\\r\\n ) on Id\\r\\n | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", 
\\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = 
tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n CAGrantControlName contains \\\"Device\\\", 4, \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n 7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 
2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, 
\\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count 
desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top 
errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ 
Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error 
Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, 
['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 40", - "parentId": "[variables('analyticRuleId40')]", - "contentId": "[variables('_analyticRulecontentId40')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion40')]", + "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -5877,6 +5032,19 @@ "name": "Microsoft Corporation", "email": "support@microsoft.com", "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "SigninLogs", + "kind": "DataType" + }, + { + "contentId": "AzureActiveDirectory", + "kind": "DataConnector" + } + ] } } } 
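Review bot: The added `dependencies` block declares only the `SigninLogs` data type, yet the workbook's serialized queries above also read `AADNonInteractiveUserSignInLogs` (every query starts with `let nonInteractive = AADNonInteractiveUserSignInLogs` and unions it with `SigninLogs`), so a workspace that satisfies the declared criteria can still deploy a workbook whose queries fail on the missing table. If the criteria are meant to cover every table the workbook reads, add a second data-type criterion `{ "contentId": "AADNonInteractiveUserSignInLogs", "kind": "DataType" }` alongside the existing one. Separately, the same resource's `description` immediately above this hunk is a stringified object (`@{workbookKey=...; ...}.description`) rather than the description text, which looks like a packaging-script artifact rather than intended content.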
@@ -5887,87 +5055,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId40')]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('_analyticRulecontentProductId40')]", - "id": "[variables('_analyticRulecontentProductId40')]", - "version": "[variables('analyticRuleVersion40')]" + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName41')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion41')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId41')]", + "name": 
"[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", - "kind": "NRT", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "NRT User added to Azure Active Directory Privileged Groups", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n 
InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "severity": "Medium", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend 
DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "Persistence", - "PrivilegeEscalation" + 
"InitialAccess" ], "techniques": [ - "T1098", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" - }, - { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -5975,16 +5141,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 41", - "parentId": "[variables('analyticRuleId41')]", - "contentId": "[variables('_analyticRulecontentId41')]", + "description": "Microsoft Entra ID Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion41')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
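Review bot: `requiredDataConnectors[0].dataTypes` is changed to `SigninLogs`, but the rule's query reads only `AuditLogs` (`AuditLogs | where TimeGenerated > ago(queryfrequency) | where OperationName =~ "Delete user"` plus the joined `AuditLogs` subquery for `"Add user"`), so the declared data type no longer matches the table the rule actually depends on; it should read `"dataTypes": [ "AuditLogs" ]`. The same `displayName` and `description` (`Account Created and Deleted in Short Timeframe`, `AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7`) also appear on the `analyticRuleObject2` content template in the following hunk; if that entry is meant to be a different rule, its metadata looks copied from this one. One more thing to confirm: the deletion branch normalizes the UPN with `extract(@'([a-f0-9]{32})?(.*)', 2, ...)` while the creation branch uses `trim(@'"', ...)`, and since the two sides are matched with an inner join on `UserPrincipalName`, any residual quoting on one side would silently drop matches rather than surface as an error.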
@@ -6006,43 +5172,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId41')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", - "displayName": "NRT User added to Azure Active Directory Privileged Groups", - "contentProductId": "[variables('_analyticRulecontentProductId41')]", - "id": "[variables('_analyticRulecontentProductId41')]", - "version": "[variables('analyticRuleVersion41')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName42')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion42')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId42')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "PIM Elevation Request Rejected", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", + 
"query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -6051,53 +5217,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "Persistence" + "InitialAccess" ], "techniques": [ "T1078" ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatingName", - "identifier": "Name" - }, - { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ] + ], + "entityType": "IP" } ] } 
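Review bot: The template for `analyticRuleObject2` now carries the displayName "Account Created and Deleted in Short Timeframe" and the same AuditLogs create/delete query as `analyticRuleObject1`, while the removed content was the "PIM Elevation Request Rejected" rule; the following hunks do the same for objects 3, 4 and 5 (replacing the sign-in failure spike, outside-PIM role assignment and rare consent rules). If this is not intentional, the regenerated package ships five copies of one detection and silently drops four privileged-identity detections, which a rebrand commit should not do. It looks like the generator resolved every `analyticRuleObjectN` from the first rule file; worth confirming that each object's `_analyticRulecontentIdN` maps to a distinct YAML before merging.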
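Review bot: `requiredDataConnectors[0].dataTypes` is changed to `"SigninLogs"`, but the query above reads only `AuditLogs` ("Delete user" joined to "Add user"), so the declared data type no longer matches what the rule consumes; it should stay `"AuditLogs"`. Sentinel uses these data types for the connector/prerequisite status shown on the rule, so as written the rule will report its data source as connected when sign-in logs flow even if audit logs are not being ingested, and vice versa. Also worth noting that the new entityMappings expose only the deleted account and `DeletedByIPAddress`; `CreatedByUser`/`CreatedByIPAddress` are projected by the query but not mapped, so the actor who created the short-lived account will not appear as an entity on the incident.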
@@ -6105,16 +5258,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 42",
- "parentId": "[variables('analyticRuleId42')]",
- "contentId": "[variables('_analyticRulecontentId42')]",
+ "description": "Microsoft Entra ID Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion42')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6136,43 +5289,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId42')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", - "displayName": "PIM Elevation Request Rejected", - "contentProductId": "[variables('_analyticRulecontentProductId42')]", - "id": "[variables('_analyticRulecontentProductId42')]", - "version": "[variables('analyticRuleVersion42')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName43')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion43')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId43')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "displayName": "Privileged Accounts - Sign in Failure Spikes", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins 
= union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", + "query": "let queryfrequency = 1h;\nlet 
queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -6181,16 +5334,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -6201,26 +5348,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6228,16 +5375,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 43",
- "parentId": "[variables('analyticRuleId43')]",
- "contentId": "[variables('_analyticRulecontentId43')]",
+ "description": "Microsoft Entra ID Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion43')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6259,44 +5406,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId43')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", - "displayName": "Privileged Accounts - Sign in Failure Spikes", - "contentProductId": "[variables('_analyticRulecontentProductId43')]", - "id": "[variables('_analyticRulecontentProductId43')]", - "version": "[variables('analyticRuleVersion43')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName44')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion44')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId44')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "Privileged Role Assigned Outside PIM", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n 
)\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", "queryPeriod": "P1D", - "severity": "Low", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
@@ -6304,40 +5451,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "PrivilegeEscalation" + "InitialAccess" ], "techniques": [ "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -6345,16 +5492,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 44", - "parentId": "[variables('analyticRuleId44')]", - "contentId": "[variables('_analyticRulecontentId44')]", + "description": "Microsoft Entra ID Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion44')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -6376,96 +5523,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId44')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", - "displayName": "Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('_analyticRulecontentProductId44')]", - "id": "[variables('_analyticRulecontentProductId44')]", - "version": "[variables('analyticRuleVersion44')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName45')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion45')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId45')]", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Rare application consent", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', 
tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, + "query": "let 
queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, "triggerOperator": "GreaterThan", - "triggerThreshold": 3, + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "Persistence", - "PrivilegeEscalation" + "InitialAccess" ], "techniques": [ - "T1136", - "T1068" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "TargetResourceName", - "identifier": "Name" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IpAddress", - "identifier": "Address" - } - ] + ], + "entityType": "IP" } ] } 
@@ -6473,16 +5609,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 45",
- "parentId": "[variables('analyticRuleId45')]",
- "contentId": "[variables('_analyticRulecontentId45')]",
+ "description": "Microsoft Entra ID Analytics Rule 5",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion45')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6504,44 +5640,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId45')]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", - "displayName": "Rare application consent", - "contentProductId": "[variables('_analyticRulecontentProductId45')]", - "id": "[variables('_analyticRulecontentProductId45')]", - "version": "[variables('analyticRuleVersion45')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName46')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion46')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId46')]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", - "displayName": "Password spray attack against Azure AD Seamless SSO", + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", "enabled": false, - "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, 
UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
 "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
+ "queryPeriod": "P1D",
+ "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "triggerOperator": "GreaterThan",
@@ -6549,40 +5685,40 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ]
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "InitialAccess"
 ],
 "techniques": [
- "T1110"
+ "T1078"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "DeletedByIPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
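Review bot: The template spec built for analyticRuleObject6 in this hunk has the same displayName ("Account Created and Deleted in Short Timeframe"), description and KQL query as the one packaged under analyticRuleObject5 in the preceding hunk, so the regenerated package appears to ship the same detection twice under two different content ids. That pattern usually means the rule list the packaging tool reads names the same analytic rule YAML twice, or two copies of that YAML exist in the solution folder; confirm which and drop one before publishing, otherwise every customer installing the solution sees two identical templates and, if both are enabled, duplicate incidents for each short-lived account. The enclosing `resources` array continues outside this hunk.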
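Review bot: `requiredDataConnectors` for this rule now declares `"SigninLogs"` as its data type, but the query on the new side of the previous hunk reads only `AuditLogs`, so Sentinel's connector/data-availability check is evaluated against a table the rule never touches and a workspace that ingests AuditLogs without SigninLogs would flag the rule as missing data while the query actually runs fine. The rule-5 copy of this template earlier in the file carries the same mismatch. The value presumably comes from the source YAML's requiredDataConnectors, which is where it should be corrected so the packaged output reads `"dataTypes": [ "AuditLogs" ]`.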
@@ -6590,16 +5726,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 46",
- "parentId": "[variables('analyticRuleId46')]",
- "contentId": "[variables('_analyticRulecontentId46')]",
+ "description": "Microsoft Entra ID Analytics Rule 6",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion46')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6621,43 +5757,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId46')]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against Azure AD Seamless SSO", - "contentProductId": "[variables('_analyticRulecontentProductId46')]", - "id": "[variables('_analyticRulecontentProductId46')]", - "version": "[variables('analyticRuleVersion46')]" + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName47')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion47')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId47')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ", - "displayName": "GitHub Signin Burst from Multiple Locations", + "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", + "displayName": "Account created or deleted by non-approved user", "enabled": false, - "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion 
activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
 "severity": "Medium",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
@@ -6666,37 +5802,40 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
- "SigninLogs"
- ]
- },
- {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ]
+ "AuditLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "InitialAccess"
 ],
 "techniques": [
- "T1110"
+ "T1078"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "InitiatedUserIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -6704,16 +5843,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 47",
- "parentId": "[variables('analyticRuleId47')]",
- "contentId": "[variables('_analyticRulecontentId47')]",
+ "description": "Microsoft Entra ID Analytics Rule 7",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion47')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6735,44 +5874,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId47')]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", - "displayName": "GitHub Signin Burst from Multiple Locations", - "contentProductId": "[variables('_analyticRulecontentProductId47')]", - "id": "[variables('_analyticRulecontentProductId47')]", - "version": "[variables('analyticRuleVersion47')]" + "displayName": "Account created or deleted by non-approved user", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName48')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion48')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId48')]", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Modified domain federation trust settings", "enabled": false, - "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby 
IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", + "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand 
modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", "queryFrequency": "P1D", "queryPeriod": "P1D", - "severity": "Medium", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
@@ -6780,41 +5919,37 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "SigninLogs"
- ]
- },
- {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ]
- },
- {
- "connectorId": "BehaviorAnalytics",
 "dataTypes": [
- "BehaviorAnalytics"
- ]
+ "AuditLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "InitialAccess",
- "Persistence"
- ],
- "techniques": [
- "T1078",
- "T1098"
+ "CredentialAccess"
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPAddress",
- "identifier": "Address"
+ "identifier": "Name",
+ "columnName": "Name"
+ },
+ {
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "InitiatingIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
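Review bot: The new side of this hunk keeps `"tactics": [ "CredentialAccess" ]` for the federation-trust rule but drops the `techniques` array altogether (the removed lines carried T1078/T1098 for the rule that previously occupied this slot), while every other template in this chunk pairs its tactic with a technique. Because this file is generated, the gap most likely mirrors a missing relevantTechniques entry in the source YAML for ADFSDomainTrustMods; without it the rule deploys with no ATT&CK technique attached, which weakens coverage reporting in the analytics blade and MITRE view. Add the technique to the source YAML so the regenerated template emits a `"techniques": [ ... ]` block consistent with its siblings, and confirm the chosen technique is one Sentinel accepts under the CredentialAccess tactic. The enclosing `properties` object begins in the previous hunk.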
@@ -6822,16 +5957,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 48",
- "parentId": "[variables('analyticRuleId48')]",
- "contentId": "[variables('_analyticRulecontentId48')]",
+ "description": "Microsoft Entra ID Analytics Rule 8",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion48')]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6853,43 +5988,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId48')]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "contentProductId": "[variables('_analyticRulecontentProductId48')]", - "id": "[variables('_analyticRulecontentProductId48')]", - "version": "[variables('analyticRuleVersion48')]" + "displayName": "Modified domain federation trust settings", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName49')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion49')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId49')]", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Brute force attack against Azure Portal", + "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference", + "displayName": "Password spray attack against ADFSSignInLogs", "enabled": false, - "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on ResultType\n | extend 
FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize data\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based on deviation and 
failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n// Additional transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", + "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n arg_min(TimeGenerated, *)\n by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
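Review bot: `let queryfrequency = 30m;` at the top of the new ADFS password-spray query duplicates `"queryFrequency": "PT30M"` from the same resource, and the `| where IngestionTime > ago(queryfrequency)` filter means a run that starts late leaves a slice of ingested events that no later run revisits, while `"queryPeriod": "PT1H"` is never referenced by the query. Consider widening the in-query window to the period (`let lookback = 1h;` … `| where IngestionTime > ago(lookback)`) so late runs overlap instead of gapping, accepting that a sustained spray may alert twice, and note in the rule description that the literal and the schedule must be changed together if an operator retunes the frequency in the portal. The two commented-out lines `//| extend SuccessAccounts = …` and `//| mv-expand SuccessAccounts` are dead text in a shipped query; either remove them or re-enable them so each account that succeeded from a spraying IP becomes its own row that can be entity-mapped.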
@@ -6898,16 +6033,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] + "ADFSSignInLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -6918,30 +6047,13 @@ ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - }, - { - "columnName": "UserId", - "identifier": "AadUserId" - } - ] - }, - { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -6949,16 +6061,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 49", - "parentId": "[variables('analyticRuleId49')]", - "contentId": "[variables('_analyticRulecontentId49')]", + "description": "Microsoft Entra ID Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion49')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
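Review bot: The new `entityMappings` for the ADFS password-spray rule carry only an `IP` entity on `IPAddress`, so the accounts that authenticated successfully from the spraying source — exactly what the query collects in `SuccessAccounts` — are never surfaced as `Account` entities and cannot drive incident correlation, UEBA enrichment or automation keyed on the likely-compromised user. Because `SuccessAccounts` is a dynamic set, the query's commented-out `| mv-expand SuccessAccounts` (plus a `Name`/`UPNSuffix` split) would have to be re-enabled before an `Account` mapping with `"identifier": "Name"` and `"identifier": "UPNSuffix"` can be added; the trade-off is one alert per account instead of one per IP. If that fan-out is unwanted, at least expose the set through `"customDetails": { "SuccessfulAccounts": "SuccessAccounts" }` so analysts see it on the alert without opening the query results.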
@@ -6980,44 +6092,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId49')]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", - "displayName": "Brute force attack against Azure Portal", - "contentProductId": "[variables('_analyticRulecontentProductId49')]", - "id": "[variables('_analyticRulecontentProductId49')]", - "version": "[variables('analyticRuleVersion49')]" + "displayName": "Password spray attack against ADFSSignInLogs", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName50')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion50')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId50')]", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Password spray attack against Azure AD application", + "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). 
This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "displayName": "Admin promotion after Role Management Application Permission Grant", "enabled": false, - "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", + "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n summarize modifiedProperties = make_bag(\n bag_pack(tostring(modifiedProperty[\"displayName\"]),\n bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n \"newValue\", trim(@'[\\\"\\s]+', 
tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n PermissionGrant_TimeGenerated = TimeGenerated,\n PermissionGrant_OperationName = OperationName,\n PermissionGrant_Result = Result,\n PermissionGrant,\n AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n PermissionGrant_InitiatedBy = InitiatedBy,\n PermissionGrant_TargetResources = TargetResources,\n PermissionGrant_AdditionalDetails = AdditionalDetails,\n PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(query_frequency)\n | where Category =~ \"RoleManagement\" and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n | where isnotempty(InitiatedBy[\"app\"])\n | mv-expand TargetResource = TargetResources\n | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n | where RoleAssignment contains \"Admin\"\n | project\n RoleAssignment_TimeGenerated = TimeGenerated,\n RoleAssignment_OperationName = OperationName,\n RoleAssignment_Result = Result,\n RoleAssignment,\n TargetType = tostring(TargetResources[0][\"type\"]),\n Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n TargetId = tostring(TargetResources[0][\"id\"]),\n RoleAssignment_InitiatedBy = InitiatedBy,\n RoleAssignment_TargetResources = TargetResources,\n RoleAssignment_AdditionalDetails = AdditionalDetails,\n RoleAssignment_CorrelationId = CorrelationId,\n AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < 
RoleAssignment_TimeGenerated\n| extend\n TargetName = tostring(split(Target, \"@\")[0]),\n TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT2H", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -7025,33 +6137,42 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess" + "PrivilegeEscalation", + "Persistence" ], "techniques": [ - "T1110" + "T1098", + "T1078" ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetName" + }, + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
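Review bot: In the new query, `Target = iff(isnotempty(TargetResources[0]["displayName"]), tostring(TargetResources[0]["displayName"]), tolower(TargetResources[0]["userPrincipalName"]))` prefers the display name, so for any promoted user that has one `TargetName` becomes e.g. the person's full name and `TargetUPNSuffix` (from `split(Target, "@")[1]`) is empty, leaving the Account entity built from those columns without a usable UPN; prefer the UPN and fall back to the display name, `Target = iff(isnotempty(TargetResources[0]["userPrincipalName"]), tolower(tostring(TargetResources[0]["userPrincipalName"])), tostring(TargetResources[0]["displayName"]))`. `| where RoleAssignment contains "Admin"` decides what counts as a promotion by substring on the role display name, which misses privileged built-in roles whose names lack the word (for example `Partner Tier2 Support`, which can reset Global Administrator passwords) and will match any future role that merely contains it; matching on the role template id modified property, if it is emitted alongside `Role.DisplayName`, or on an explicit list of privileged role names would make the check deterministic. The join also only pairs a grant inside `query_period = 2h` with a promotion inside `query_frequency = 1h`, so an actor who grants `RoleManagement.ReadWrite.Directory` and waits a few hours before promoting is invisible to this rule; that window is worth stating in the rule description so operators know it is the knob to tune.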
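Review bot: The first `Account` entity in the new `entityMappings` maps only `"identifier": "Name"` to `AppDisplayName`, a display name that whoever controls the service principal can rename at will, while the stable object id the query already projects, `AppServicePrincipalId`, is not mapped anywhere. Adding a second field mapping on that entity, `{ "identifier": "AadUserId", "columnName": "AppServicePrincipalId" }`, gives the incident a strong identifier for the service principal so two alerts on the same app under different display names still correlate, and lets automation pivot on the id rather than a free-text name. The second entity (`TargetName`/`TargetUPNSuffix`) is only as good as the columns feeding it; those are produced in the query hunk above this one.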
@@ -7059,16 +6180,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 50", - "parentId": "[variables('analyticRuleId50')]", - "contentId": "[variables('_analyticRulecontentId50')]", + "description": "Microsoft Entra ID Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion50')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7090,43 +6211,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId50')]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against Azure AD application", - "contentProductId": "[variables('_analyticRulecontentProductId50')]", - "id": "[variables('_analyticRulecontentProductId50')]", - "version": "[variables('analyticRuleVersion50')]" + "displayName": "Admin promotion after Role Management Application Permission Grant", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName51')]", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion51')]", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", "parameters": {}, "variables": {}, "resources": [ { "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId51')]", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.", - "displayName": "Successful logon from IP and failure from a different IP", + "description": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application", + "displayName": "Anomalous sign-in location by user account and authenticating application", "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, 
\".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. 
If so, comment all that is below.\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = 
make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
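Review bot: `| extend LocationDetails = LocationDetails_dynamic` (and `DeviceDetail_dynamic` in the later `bag_pack`) reads only the dynamic-typed column that `union isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs` emits when the two tables disagree on a column's type; the query this hunk removes handled the same field with `todynamic(LocationDetails)` per table, which suggests `AADNonInteractiveUserSignInLogs` carries it as a string. If that is right, non-interactive rows land in `LocationDetails_string`, evaluate to `Location == "--"` and are discarded by the very next filter, so the rule silently covers interactive sign-ins only even though it declares both data types as required — please confirm against a workspace that has both tables. A type-agnostic form avoids the suffixed columns entirely: `union isfuzzy=True (SigninLogs | extend LocationDetails = todynamic(LocationDetails), DeviceDetail = todynamic(DeviceDetail)), (AADNonInteractiveUserSignInLogs | extend LocationDetails = todynamic(LocationDetails), DeviceDetail = todynamic(DeviceDetail))`, then reference `LocationDetails` and `DeviceDetail` without the `_dynamic` suffix. The new `description` text still says "Azure Active\nDirectory application" in a commit whose purpose is the Entra ID rebrand.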
@@ -7135,86 +6256,68 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" - ] - }, - { - "connectorId": "IdentityInfo", - "dataTypes": [ - "IdentityInfo" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess", "InitialAccess" ], "techniques": [ - "T1110", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "SuccessIPAddress", - "identifier": "Address" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, { - "columnName": "FailedIPAddress", - "identifier": "Address" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" } - ] + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Application": "AppDisplayName" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. 
This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", + "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 51", - "parentId": "[variables('analyticRuleId51')]", - "contentId": "[variables('_analyticRulecontentId51')]", + "description": "Microsoft Entra ID Analytics Rule 11", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion51')]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
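Review bot: The rebrand is incomplete inside the new `alertDescriptionFormat` on this line and the one before it: the text opens with "This query over Microsoft Entra ID sign-in" and then still says "for each Azure Active\nDirectory application", so an analyst reading the alert sees both product names in one sentence. Suggest rewriting that clause as `considers all user sign-ins for each Microsoft Entra ID application` and keeping the rest of the string unchanged. The AlertRuleTemplates properties object this belongs to begins in the previous hunk, where its query and the P7D queryPeriod set by this commit live.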
@@ -7236,44 +6339,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId51')]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", - "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('_analyticRulecontentProductId51')]", - "id": "[variables('_analyticRulecontentProductId51')]", - "version": "[variables('analyticRuleVersion51')]" + "displayName": "Anomalous sign-in location by user account and authenticating application", + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName52')]", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion52')]", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", "parameters": {}, "variables": {}, "resources": [ { "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId52')]", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", - "displayName": "Suspicious AAD Joined Device Update", + "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "Authentication Methods Changed for Privileged Account", "enabled": false, - "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = Prop.oldValue \n | extend 
NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", + "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize by AccountUPN);\nAuditLogs\n| where 
TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName)\n )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n", + "queryFrequency": "PT2H", + "queryPeriod": "P14D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
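Review bot: In the new query, `Initiator` and `IP` are read only from `InitiatedBy.user`, so the admin-side actions this rule lists ("Admin updated security info", "Admin deleted security info", "Admin registered security info") end up with an empty initiator when they are performed by an application or service principal, and the Account entity built from InitiatorName/InitiatorUPNSuffix is then empty as well. The role-management grant rule later in this same template resolves the actor with `iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName))`; using the same expression here keeps the two rules consistent and keeps app-driven authentication-method changes attributable. Whether `InitiatedBy.app.ipAddress` is populated for these events is not visible in this hunk, so an equivalent fallback for `IP` should be confirmed against the AuditLogs schema before adding it. The rule's properties object continues in the next hunk.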
@@ -7281,75 +6384,70 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess" + "Persistence" ], "techniques": [ - "T1528" + "T1098" ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "NewDeviceName", - "identifier": "HostName" - } - ] - }, - { - "entityType": "Host", - "fieldMappings": [ + "identifier": "Name", + "columnName": "InitiatorName" + }, { - "columnName": "OldDeviceName", - "identifier": "HostName" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceId", - "identifier": "AzureID" + "identifier": "Name", + "columnName": "TargetName" + }, + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByUser", - "identifier": "AadUserId" + "identifier": "Address", + "columnName": "IP" } - ] + ], + "entityType": "IP" } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed", - "alertDescriptionFormat": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" - } + ] } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 52", - "parentId": "[variables('analyticRuleId52')]", - "contentId": "[variables('_analyticRulecontentId52')]", + "description": "Microsoft Entra ID Analytics Rule 12", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion52')]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7371,43 +6469,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId52')]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious AAD Joined Device Update", - "contentProductId": "[variables('_analyticRulecontentProductId52')]", - "id": "[variables('_analyticRulecontentProductId52')]", - "version": "[variables('analyticRuleVersion52')]" + "displayName": "Authentication Methods Changed for Privileged Account", + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName53')]", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion53')]", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId53')]", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent for offline access", + "description": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", + "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties 
= TargetResource.modifiedProperties,\n AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tolower(tostring(TargetResource.id))\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n (\n where Properties.displayName =~ \"ConsentAction.Permissions\"\n | extend ConsentFull = tostring(Properties.newValue)\n | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply 
TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppClientId = tolower(TargetResource.id)\n )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n (\n where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n | extend AppReplyURLs = ModifiedProperties.newValue\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows 
Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -7416,40 +6514,50 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess" + "InitialAccess" ], "techniques": [ - "T1528" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
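Review bot: The new `displayName` `"Microsoft Entra ID PowerShell accessing non-AAD resources"` mixes the new product name with the old abbreviation in a single title, while the description directly above it uses "non-Active Directory resources"; `"Microsoft Entra ID PowerShell accessing non-Active Directory resources"` would at least match the description. The KQL comments in the same query (`// AppDisplayName IS Azure Active Directory PowerShell`, `// ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph`) may be quoting the literal display names still emitted in SigninLogs, so they are better left as they are unless that is confirmed otherwise. This is wording only; the query, AppId filter and scheduling are unaffected. The properties object continues into the following hunk.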
@@ -7457,16 +6565,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 53", - "parentId": "[variables('analyticRuleId53')]", - "contentId": "[variables('_analyticRulecontentId53')]", + "description": "Microsoft Entra ID Analytics Rule 13", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion53')]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7488,44 +6596,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId53')]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('_analyticRulecontentProductId53')]", - "id": "[variables('_analyticRulecontentProductId53')]", - "version": "[variables('analyticRuleVersion53')]" + "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName54')]", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion54')]", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", "parameters": {}, "variables": {}, "resources": [ { "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId54')]", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)", - "displayName": "Suspicious Service Principal creation activity", + "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "displayName": "Microsoft Entra ID Role Management Permission Grant", "enabled": false, - "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by 
AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT70M", - "severity": "Low", + "query": "AuditLogs\n| where Category =~ 
\"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n )\n| extend \n Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
@@ -7533,58 +6641,42 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs", - "AADServicePrincipalSignInLogs" - ] + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess", - "PrivilegeEscalation", - "InitialAccess" + "Persistence", + "Impact" ], "techniques": [ - "T1078", - "T1528" + "T1098", + "T1078" ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "userPrincipalName_creator", - "identifier": "FullName" - } - ] - }, - { - "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName_deleter", - "identifier": "FullName" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ + "identifier": "Name", + "columnName": "Name" + }, { - "columnName": "ipAddress_creator", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipAddress_deleter", - "identifier": "Address" + "identifier": "Name", + "columnName": "AppDisplayName" } - ] + ], + "entityType": "Account" } ] } 
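Review bot: The second Account entity in `entityMappings` identifies the granted service principal only by `AppDisplayName` (`"identifier": "Name"`), which is neither unique nor trustworthy — the initiator of the grant can name an application arbitrarily, including to mimic a first-party app — so the entity can resolve to the wrong principal or to none, and investigation graph pivots will be unreliable. The query on the new side already projects `AppServicePrincipalId`; add it alongside the name, e.g. `{ "identifier": "ObjectGuid", "columnName": "AppServicePrincipalId" }` (use whichever identifier the solution's other service-principal rules map, if that differs). The `analyticRuleObject14` variables and the "Repackage" subject suggest this template is generated from the YAML, so the change belongs in `AzureADRoleManagementPermissionGrant.yaml` followed by a repackage, not here. The tactic set `Persistence`/`Impact` for a `RoleManagement.ReadWrite.Directory` grant is also worth a second look; this is arguably PrivilegeEscalation rather than Impact, though that is a taxonomy judgement.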
@@ -7592,16 +6684,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 54", - "parentId": "[variables('analyticRuleId54')]", - "contentId": "[variables('_analyticRulecontentId54')]", + "description": "Microsoft Entra ID Analytics Rule 14", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion54')]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7623,43 +6715,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId54')]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('_analyticRulecontentProductId54')]", - "id": "[variables('_analyticRulecontentProductId54')]", - "version": "[variables('analyticRuleVersion54')]" + "displayName": "Microsoft Entra ID Role Management Permission Grant", + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName55')]", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion55')]", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId55')]", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", - "displayName": "External guest invitation followed by Azure AD PowerShell signin", + "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", + "displayName": "Azure Portal sign in from another Azure Tenant", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any 
(\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), 
InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you 
wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", "queryFrequency": "PT1H", - "queryPeriod": "P1D", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
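Review bot: The `azure_ranges` lookup fails open: when the hard-coded `externaldata` URL is unreachable, or the file name rotates (the query's own comment says the name "will need to be manually updated over time"), `azure_ranges` is empty, `ipv4_match`/`ipv6_match` evaluate to null for every row, and the `where ipv4_match or ipv6_match` line drops every sign-in, so the rule silently stops alerting instead of erring. At minimum document this next to the URL, e.g. `// NOTE: if this feed is unavailable or renamed the rule produces no results rather than failing - monitor rule health / zero-result runs`, and consider an operator-maintained allowlist or a watchlist as a fallback so the detection does not depend on an internet fetch at query time. A smaller consistency point: `AccountName` and `UPNSuffix` are built with `split(UserPrincipalName, "@")[0]` / `[1]` without `tostring(...)`, unlike every other rule in this template, so the entity columns are dynamic rather than string. This file appears to be generated from the YAML (`analyticRuleObject15` variables), so the fix belongs in `AzurePortalSigninfromanotherAzureTenant.yaml`.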
@@ -7668,80 +6760,65 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" + "InitialAccess" ], "techniques": [ - "T1078", - "T1136", - "T1087" + "T1199" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InvitedUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "InvitedUserUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatedByName", - "identifier": "Name" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "InitiatedByUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } - ] + ], + "alertDetailsOverride": { + "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", + "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 55", - "parentId": "[variables('analyticRuleId55')]", - "contentId": "[variables('_analyticRulecontentId55')]", + "description": "Microsoft Entra ID Analytics Rule 15", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion55')]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7763,43 +6840,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId55')]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "contentKind": "AnalyticsRule", - "displayName": "External guest invitation followed by Azure AD PowerShell signin", - "contentProductId": "[variables('_analyticRulecontentProductId55')]", - "id": "[variables('_analyticRulecontentProductId55')]", - "version": "[variables('analyticRuleVersion55')]" + "displayName": "Azure Portal sign in from another Azure Tenant", + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName56')]", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion56')]", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", "parameters": {}, "variables": {}, "resources": [ { "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId56')]", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.", + "displayName": "Brute Force Attack against GitHub Account", "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | 
summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by 
IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", + "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h; \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n table(tableName) \n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | where AppDisplayName =~ \"GitHub.com\"\n | where ResultType != 0\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName \n ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
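Review bot: The rule keys entirely on `AppDisplayName =~ "GitHub.com"`, but the enterprise application's display name is chosen by the tenant admin when the app is added (and the gallery appears to offer several GitHub variants), so a tenant whose app is not literally named GitHub.com gets no detections with no indication why. Either match on the application's stable identifier (`AppId`/`ResourceIdentity`) or add a comment making the assumption explicit, e.g. `// Assumes the GitHub enterprise app is named "GitHub.com"; adjust to your tenant's app display name or match on AppId`. The `IPAddresses` set produced by the inner join is never surfaced as an entity (only Account is mapped in the rule), which leaves the analyst without the source IPs a brute-force alert most needs; if a single IP cannot be chosen, at least include it in `alertDetailsOverride`. If this template is generated from YAML as it appears, the change belongs in `Brute Force Attack against GitHub Account.yaml`.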
@@ -7808,58 +6885,37 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" - ] - }, - { - "connectorId": "IdentityInfo", - "dataTypes": [ - "IdentityInfo" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "CredentialAccess" ], "techniques": [ - "T1078" + "T1110" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -7867,16 +6923,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 56", - "parentId": "[variables('analyticRuleId56')]", - "contentId": "[variables('_analyticRulecontentId56')]", + "description": "Microsoft Entra ID Analytics Rule 16", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion56')]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7898,43 +6954,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId56')]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "contentKind": "AnalyticsRule", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('_analyticRulecontentProductId56')]", - "id": "[variables('_analyticRulecontentProductId56')]", - "version": "[variables('analyticRuleVersion56')]" + "displayName": "Brute Force Attack against GitHub Account", + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName57')]", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion57')]", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId57')]", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "User added to Azure Active Directory Privileged Groups", + "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", + "displayName": "Brute force attack against a Cloud PC", "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, 
isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp 
= make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit') \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n SigninLogs\n | where AppDisplayName =~ \"Windows Sign In\"\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n | summarize StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IPAddress = make_set(IPAddress,100), \n OS = make_set(OS,20), \n Browser = make_set(Browser,20), \n City = make_set(City,100), \n ResultType = make_set(ResultType,100)\n by UserDisplayName, UserPrincipalName\n ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
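Review bot: The description promises "multiple authentication failures and by a successful authentication within a given time window", but the query never requires a success: after `| where FailureSuccessDiff > 0` nothing checks `SuccessCount > 0`, so an anomalous run of pure failures alerts while nothing distinguishes a window in which the attacker actually got in. Either align the description with the logic ("anomalous spike in failed Windows Sign In attempts") or carry `SuccessCount` through to the output (`make_list(SuccessCount, 10000)` alongside `Diff`) so the analyst can see whether the brute force succeeded. The IP entity is `IPAddressFirst = IPAddress[0]`, an arbitrary member of an unordered `make_set` over the whole day, not necessarily an IP tied to the failures; prefer `make_set_if(IPAddress, FailureOrSuccess == "Failure")` (re-deriving `FailureOrSuccess` in the joined subquery) or map the set via alert details. This template appears to be generated from YAML, so the fix belongs in `BruteForceCloudPC.yaml`.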
@@ -7943,46 +6999,40 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
- "AuditLogs"
- ]
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "Persistence",
- "PrivilegeEscalation"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1098",
- "T1078"
+ "T1110"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetName",
- "identifier": "Name"
- },
- {
- "columnName": "TargetUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "Address",
+ "columnName": "IPAddressFirst"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
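Review bot: The IP entity maps `IPAddressFirst`, which the query (previous hunk) defines as `IPAddress[0]` on the `make_set(IPAddress,100)` result; `make_set` does not, as far as I know, guarantee element order, so the entity is an arbitrary member of the set rather than a first-seen address, and the other addresses never become entities. If all observed addresses matter for triage, expose the set as a custom detail (`"customDetails": { "IPAddresses": "IPAddress" }`, with `tostring()` applied in the query if a dynamic column is not accepted) as the rule-18 hunk below does for its users, or `mv-expand` before the final `extend` so each row carries one address. The Account mapping matches the `Name`/`UPNSuffix` columns the query emits.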
@@ -7990,16 +7040,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 57",
- "parentId": "[variables('analyticRuleId57')]",
- "contentId": "[variables('_analyticRulecontentId57')]",
+ "description": "Microsoft Entra ID Analytics Rule 17",
+ "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion57')]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -8021,43 +7071,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId57')]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "contentKind": "AnalyticsRule", - "displayName": "User added to Azure Active Directory Privileged Groups", - "contentProductId": "[variables('_analyticRulecontentProductId57')]", - "id": "[variables('_analyticRulecontentProductId57')]", - "version": "[variables('analyticRuleVersion57')]" + "displayName": "Brute force attack against a Cloud PC", + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName58')]", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion58')]", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId58')]", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", - "displayName": "New User Assigned to Privileged Role", + "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "Bulk Changes to Privileged Account Permissions", "enabled": false, - "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', 
tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query for audit events in the current day\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", + "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\";\nAdminRecords\n| 
summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (\n AdminRecords\n | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
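Review bot: The new query never filters on `Result`, so failed role-assignment attempts count toward `dcount(Target) > 9` exactly like successful ones, whereas the removed query kept `Result == "success"`; add `| where Result =~ "success"` to the `AdminRecords` definition, or state in the description that attempted bulk changes are meant to fire too. The inline `> 9` is a magic number operators are expected to tune — `let threshold = 9;` at the top, as rule 19 does with its `threshold`, makes that explicit. `InitiatedByUser` is set to `""` whenever `InitiatedBy.user.userPrincipalName` is empty, which is the case for app- or PIM-initiated changes, so the second Account mapping in the following hunk (`InitiatedByUserName`/`InitiatedByUserUPNSuffix`) and the `InitiatedByUser` custom detail are blank for exactly those initiators; rule 20's `iff(isnotempty(InitiatedBy.user.userPrincipalName), ..., tostring(InitiatedBy.app.displayName))` fallback would fit here. The `PT2H` period with 1h bins also means the bin at the window edge is only partially populated on each run, which can under-count a burst straddling two runs — inferred from the period/frequency values, so worth checking against the intended lookback.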
@@ -8066,61 +7116,65 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "Persistence"
+ "PrivilegeEscalation"
 ],
 "techniques": [
 "T1078"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "TargetName"
 },
 {
- "columnName": "TargetUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "TargetUPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "InitiatorName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "InitiatedByUserName"
 },
 {
- "columnName": "InitiatorUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "InitiatedByUserUPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 }
- ]
+ ],
+ "customDetails": {
+ "TargetUser": "Target",
+ "InitiatedByUser": "InitiatedByUser"
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 58",
- "parentId": "[variables('analyticRuleId58')]",
- "contentId": "[variables('_analyticRulecontentId58')]",
+ "description": "Microsoft Entra ID Analytics Rule 18",
+ "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion58')]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -8142,44 +7196,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId58')]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "contentKind": "AnalyticsRule", - "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('_analyticRulecontentProductId58')]", - "id": "[variables('_analyticRulecontentProductId58')]", - "version": "[variables('analyticRuleVersion58')]" + "displayName": "Bulk Changes to Privileged Account Permissions", + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName59')]", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion59')]", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId59')]", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", - "displayName": "New onmicrosoft domain added to tenant", + "description": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", "enabled": false, - "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = 
tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", + "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has 
\"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
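Review bot: `ConditionalAccessStatus == 1` compares the column with an integer on the same line that compares it with the string `"failure"`; in `SigninLogs` and `AADNonInteractiveUserSignInLogs` the column is, as far as I know, a string, so the integer clause either never matches or makes the query fail type checking — confirm the column type in both tables and keep the form that matches, updating the `ConditionalAccessStatus == 1 // Failure` legend in the description to agree with the code. Because the filter runs inside `aadFunc` over `table(tableName)`, a mismatch would only surface when the rule executes against each table, not when the template is deployed. `StatusDetails !has "MFA successfully completed"` is applied to a `make_list` column after the first summarize; if that is meant to drop a whole user/app group as soon as any of its sign-ins completed MFA, a comment saying so would help, since on the surface it reads as a per-row filter.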
@@ -8187,77 +7241,65 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
- "AuditLogs"
- ]
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "AADNonInteractiveUserSignInLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "ResourceDevelopment"
+ "InitialAccess",
+ "Persistence"
 ],
 "techniques": [
- "T1585"
+ "T1078",
+ "T1098"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserName",
- "identifier": "Name"
- },
- {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "InitiatingSPID",
- "identifier": "AadUserId"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "columnName": "InitiatingIp",
- "identifier": "Address"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "DNS",
 "fieldMappings": [
 {
- "columnName": "DomainAdded",
- "identifier": "DomainName"
+ "identifier": "Address",
+ "columnName": "IPAddresses"
 }
- ]
+ ],
+ "entityType": "IP"
 }
- ],
- "eventGroupingSettings": {
- "aggregationKind": "SingleAlert"
- },
- "alertDetailsOverride": {
- "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}",
- "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose."
- }
+ ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 59",
- "parentId": "[variables('analyticRuleId59')]",
- "contentId": "[variables('_analyticRulecontentId59')]",
+ "description": "Microsoft Entra ID Analytics Rule 19",
+ "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion59')]",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
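Review bot: The IP entity maps `IPAddresses`, but on the new side the query's final `extend` sets `IPAddresses = tostring(IPAddresses)` on a `make_set` result, so the mapped value is a JSON array text such as `["203.0.113.5","203.0.113.9"]` (constructed example) rather than a single address, and the IP entity is unlikely to resolve. The removed mapping used the scalar `InitiatingIp`; here either `mv-expand` the set before the final `extend` so each row carries one address, or map a scalar column such as `IPAddress = tostring(IPAddresses[0])` while keeping the full list for the alert text. Which option is right depends on whether one incident per user/app or one per address is wanted, which the hunk does not say.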
@@ -8279,43 +7321,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId59')]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "contentKind": "AnalyticsRule", - "displayName": "New onmicrosoft domain added to tenant", - "contentProductId": "[variables('_analyticRulecontentProductId59')]", - "id": "[variables('_analyticRulecontentProductId59')]", - "version": "[variables('analyticRuleVersion59')]" + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName60')]", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion60')]", + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", "parameters": {}, "variables": {}, "resources": [ { "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId60')]", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.", - "displayName": "Suspicious Sign In Followed by MFA Modification", + "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", + "displayName": "Credential added after admin consented to Application", "enabled": false, - "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User 
started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, \"@\")[1])\n", + "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetResourceType = tostring(TargetResource.type),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Consent_ServicePrincipalNames = 
tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"Included Updated Properties\"\n | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, 
targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P2D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
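Review bot: The `| join (` that pairs consent events with later credential additions uses KQL's default flavor, `innerunique`, which keeps only one left-side row per join key — if the same service principal was admin-consented more than once within the 2-day `auditLookbackStart` window, only one consent row is paired with the credential event and `TimeConsent < TimeCred` is evaluated for that row alone. `| join kind=inner (` preserves every consent/credential pair; the key columns `targetResourceName, targetResourceID` stay as they are. The surrounding resource definition starts before this hunk.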
@@ -8324,102 +7366,54 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
- },
- {
- "connectorId": "BehaviorAnalytics",
- "dataTypes": [
- "BehaviorAnalytics"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "InitialAccess",
- "DefenseEvasion"
- ],
- "techniques": [
- "T1078",
- "T1556"
+ "CredentialAccess"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
- "fieldMappings": [
- {
- "columnName": "InitiatorID",
- "identifier": "AadUserId"
- },
- {
- "columnName": "InitiatorName",
- "identifier": "Name"
- },
- {
- "columnName": "InitiatorSuffix",
- "identifier": "UPNSuffix"
- }
- ]
- },
- {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetId",
- "identifier": "AadUserId"
- },
- {
- "columnName": "TargetName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "TargetSuffix",
- "identifier": "UPNSuffix"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "columnName": "FromIP",
- "identifier": "Address"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIPAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "Consent_InitiatingIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
- ],
- "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
- },
- "alertDetailsOverride": {
- "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}",
- "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n"
- }
+ ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 60",
- "parentId": "[variables('analyticRuleId60')]",
- "contentId": "[variables('_analyticRulecontentId60')]",
+ "description": "Microsoft Entra ID Analytics Rule 20",
+ "parentId": "[variables('analyticRuleObject20').analyticRuleId20]",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion60')]",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
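Review bot: The new side removes the `techniques` array entirely while keeping `"tactics": ["CredentialAccess"]`, so this rule is the only one in this part of the diff with a tactic but no technique; sibling rules 17–19 each carry a `techniques` list and the solution packaging generally expects one, so add the technique the rule's YAML source maps to (a value I cannot read from this page). Separately, the Account entity is built from `Credential_InitiatingUserOrApp` (whoever added the credential) while the IP entity uses `Consent_InitiatingIpAddress` (whoever granted consent), so the incident's account and IP describe two different actors; mapping `Credential_InitiatingIpAddress` for the IP, or adding a second Account/IP pair for the consenting admin, keeps each entity self-consistent. The query those columns come from is in the preceding hunk.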
@@ -8441,400 +7435,227 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId60')]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('_analyticRulecontentProductId60')]", - "id": "[variables('_analyticRulecontentProductId60')]", - "version": "[variables('analyticRuleVersion60')]" + "displayName": "Credential added after admin consented to Application", + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Alert Playbook with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - 
"MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - 
"type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.", + "displayName": "Cross-tenant Access Settings Organization Added", + "enabled": false, + "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = 
tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatedByIPAdress" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", "properties": { - "state": "Enabled", - 
"definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/subscribe" + "description": "Microsoft Entra ID Analytics Rule 21", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Added", + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.", + "displayName": "Cross-tenant Access Settings Organization Deleted", + "enabled": false, + "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - } + ], + "entityType": "Account" }, - "actions": { - "Alert_-_Get_incident": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "get", - "path": 
"/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - } - }, - "Entities_-_Get_Accounts": { - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Add_comment_to_incident_-_with_manager_-_no_admin": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] - }, - "type": "If" - }, - "Update_user_-_disable_user": { - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/office365')]" - } - } + ], + "entityType": "IP" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "description": "Microsoft Entra ID Analytics Rule 22", + "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
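Review bot: In the added Organization Added rule (analyticRuleObject21), `let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);` is a placeholder, so with `| where ExtTenantIDAdded !in (ExpectedTenantIDs)` the rule alerts on every partner addition until an analyst edits the query; sourcing the allow-list from a watchlist (`_GetWatchlist(...)`) would keep the list maintainable without editing the rule text. The same query's leading comment still reads `// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, ...` although this commit renames every other mention to Microsoft Entra ID; since this file is packaged from Cross-tenantAccessSettingsOrganizationAdded.yaml, update the comment there (and "Tenants IDs" → "Tenant IDs") and repackage. Both rules 21 and 22 fall back to `InitiatedBy.app.displayName` when no user UPN is present, so an app-initiated change appears to be mapped to an Account entity with an empty UPNSuffix and no IP (only `InitiatedBy.user.ipAddress` is read) — worth stating in the rule description or covering with a separate mapping, though how Sentinel treats the empty columns is not visible here.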
@@ -8849,418 +7670,234 @@ } } } - ], - "metadata": { - "title": "Block AAD user - Alert", - "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "Block-AADUser-Alert", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Deleted", + "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": 
"2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", + "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Incident Playbook with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-Incident", - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - 
"workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. 
When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"InitiatedByIPAdress" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" + "description": "Microsoft Entra ID Analytics Rule 23", + "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", + "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "version": 
"[variables('analyticRuleObject23').analyticRuleVersion23]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - } + ], + "entityType": "Account" }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + { + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "InitiatedByIPAdress" } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Add_comment_to_incident_-_with_manager_-_no_admin": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] - }, - "type": "If" - }, - "Update_user_-_disable_user": { - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/office365')]" - } - } + ], + "entityType": "IP" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + "description": "Microsoft Entra ID Analytics Rule 24", + "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -9275,429 +7912,357 @@ } } } - ], - "metadata": { - "title": "Block AAD user - Incident", - "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "Block-AADUser-Incident", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", + "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", + "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Alert Playbook with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Prompt-User-Alert", - "type": "string" - }, - "TeamsId": { - "metadata": { - "description": "Enter the Teams Group ID" - }, - "type": "string" - }, - "TeamsChannelId": { - "metadata": { - "description": "Enter the Teams Channel ID" - }, - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - 
"_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + 
"triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatedByIPAdress" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" + "description": "Microsoft Entra ID Analytics Rule 25", + "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", + "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + 
"status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatedByIPAdress" + } + ], + "entityType": "IP" + } + ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" + "description": "Microsoft Entra ID Analytics Rule 26", + "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", + "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Prompt-User_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - 
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Update_incident": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", - "ClassificationReasonText": "User Confirmed it was them" - }, - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": { - "Add_comment_to_incident_(V3)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Post_message_in_a_chat_or_channel": { - "inputs": { - "body": { - "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}
\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", - "recipient": { - "channelId": "[[parameters('TeamsChannelId')]", - "groupId": "[[parameters('TeamsId')]" - }, - "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "method": "post", - "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "", - "This was me" - ] - } - ] - }, - "runAfter": { - "Send_approval_email": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Get_user": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" - }, - "type": "ApiConnection" - }, - "Send_approval_email": { - "inputs": { - "body": { - "Message": { - "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}", - "HideHTMLMessage": false, - "Importance": "High", - "Options": "This was me, This was not me", - "ShowHTMLConfirmationDialog": false, - "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}", - "To": "@body('Get_user')?['mail']" - }, - "NotificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "path": "/approvalmail/$subscriptions" - }, - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook" - } - }, - "foreach": 
"@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "displayName": "Attempts to sign in to disabled accounts", + "enabled": false, + "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" }, - "triggers": { - "Microsoft_Sentinel_alert": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" + 
{ + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + "description": "Microsoft Entra ID Analytics Rule 27", + "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -9712,411 +8277,373 @@ } } } - ], - "metadata": { - "title": "Prompt User - Alert", - "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", - "prerequisites": [ - "1. You will need the Team Id and Channel Id." - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added new Post a Teams message action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "Prompt-User-Alert", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "contentKind": "AnalyticsRule", + "displayName": "Attempts to sign in to disabled accounts", + "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", + "name": 
"[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Incident Playbook with template version 3.0.6", + "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Prompt-User-Incident", - "type": "string" - }, - "TeamsId": { - "metadata": { - "description": "Enter the Teams Group ID" - }, - "type": "string" - }, - "TeamsChannelId": { - "metadata": { - "description": "Enter the Teams Channel ID" - }, - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } + "description": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", + "displayName": "Distributed Password cracking attempts in Microsoft Entra 
ID", + "enabled": false, + "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 28", + "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": 
"support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "contentKind": "AnalyticsRule", + "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", + "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": 
"[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.", + "displayName": "Explicit MFA Deny", + "enabled": false, + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "ClientAppUsed" + } + ], + "entityType": "URL" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": 
"[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" + "description": "Microsoft Entra ID Analytics Rule 29", + "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Prompt-User", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ], + } + ] + }, + "packageKind": 
"Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "contentKind": "AnalyticsRule", + "displayName": "Explicit MFA Deny", + "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", 
- "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Update_incident": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", - "ClassificationReasonText": "User Confirmed it was them" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": { - "Add_comment_to_incident_(V3)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Post_message_in_a_chat_or_channel": { - "inputs": { - "body": { - "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", - "recipient": { - "channelId": "[[parameters('TeamsChannelId')]", - "groupId": "[[parameters('TeamsId')]" - }, - "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "method": "post", - "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Send_approval_email')?['SelectedOption']", - "This was me" - ] - } - ] - }, - "runAfter": { - "Send_approval_email": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Get_user": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" - }, - "type": "ApiConnection" - }, - "Send_approval_email": { - "inputs": { - "body": { - "Message": { - "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}", - "HideHTMLMessage": false, - "Importance": "High", - "Options": "This was me, This was not me", - "ShowHTMLConfirmationDialog": false, - "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}", - "To": "@body('Get_user')?['mail']" - }, - "NotificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "path": "/approvalmail/$subscriptions" - }, - "runAfter": { - "Get_user": [ - 
"Succeeded" - ] - }, - "type": "ApiConnectionWebhook" - } - }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access", + "displayName": "full_access_as_app Granted To Application", + "enabled": false, + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = 
tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" }, - "triggers": { - "Microsoft_Sentinel_incident": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - 
"azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" } - } + ], + "entityType": "IP" } + ], + "customDetails": { + "OAuthApplication": "OAuthAppName", + "OAuthAppId": "AppId", + "UserAgent": "GrantUserAgent" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. 
The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", + "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", + "description": "Microsoft Entra ID Analytics Rule 30", + "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -10131,391 +8658,115 @@ } } } - ], - "metadata": { - "title": "Prompt User - Incident", - "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", - "prerequisites": [ - "1. You will need the Team Id and Channel Id." - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added new Post a Teams message action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "Playbook", - "displayName": "Prompt-User-Incident", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "contentKind": "AnalyticsRule", + "displayName": "full_access_as_app Granted To Application", + "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName5')]", + 
"name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.6", + "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Reset-AADPassword-AlertTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "parameters": {}, + "variables": {}, "resources": [ { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject31')._analyticRulecontentId31]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } + "description": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "displayName": "Failed login attempts to Azure Portal", + "enabled": false, + "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= 
ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = 
tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City) \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" }, - "actions": { - "Alert_-_Get_incident": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + 
"tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - }, - "Entities_-_Get_Accounts": { - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "HTTP_-_reset_a_password": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] - } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } + ], + "entityType": "IP" } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": 
"[[variables('office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", + "description": "Microsoft Entra ID Analytics Rule 31", + "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -10530,375 +8781,248 @@ } } } - ], - "metadata": { - "title": "Reset Azure AD User Password - Alert Trigger", - "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Password Administrator permission to managed identity.", - "2. Assign Microsoft Sentinel Responder permission to managed identity.", - "3. Authorize Office 365 Outlook connection" - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": " Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId5')]", - "contentKind": "Playbook", - "displayName": "Reset-AADPassword-AlertTrigger", - "contentProductId": "[variables('_playbookcontentProductId5')]", - "id": "[variables('_playbookcontentProductId5')]", - "version": "[variables('playbookVersion5')]" + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "contentKind": "AnalyticsRule", + "displayName": "Failed login attempts to Azure Portal", + "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName6')]", + "name": 
"[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.6", + "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Reset-AADPassword-IncidentTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "parameters": {}, + "variables": {}, "resources": [ { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject32')._analyticRulecontentId32]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "First access credential added to Application or Service Principal where no credential was present", + "enabled": false, + "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) 
has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\" \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + 
"requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "HTTP_-_reset_a_password": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "targetDisplayName" } - } + ], + "entityType": "CloudApplication" } + ] + 
} + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 32", + "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Reset-AADUserPassword", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": 
"[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "contentKind": "AnalyticsRule", + "displayName": "First access credential added to Application or Service Principal where no credential was present", + "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. 
This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", + "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "enabled": false, + "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": 
false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InvitedUser" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatedByIPAdress" + } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", + "description": "Microsoft Entra ID Analytics Rule 33", + "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -10913,456 +9037,3008 @@ } } } - ], - "metadata": { - "title": "Reset Azure AD User Password - Incident Trigger", - "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Password Administrator permission to managed identity.", - "2. Assign Microsoft Sentinel Responder permission to managed identity.", - "3. Authorize Office 365 Outlook connection" - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": " Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId6')]", - "contentKind": "Playbook", - "displayName": "Reset-AADPassword-IncidentTrigger", - "contentProductId": "[variables('_playbookcontentProductId6')]", - "id": "[variables('_playbookcontentProductId6')]", - "version": "[variables('playbookVersion6')]" + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "contentKind": "AnalyticsRule", + "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName7')]", + "name": 
"[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.6", + "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-EntityTrigger", - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": 
"[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - 
"[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.", + "displayName": "Mail.Read Permissions Granted to Application", + "enabled": false, + "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\") \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties,\n Type = tostring(TargetResource.type),\n PermissionsAddedTo = tostring(TargetResource.displayName)\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress) \n| project-away props, TargetResource*, AdditionalDetail*, Property, 
InitiatedBy\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppName = tostring(TargetResource.displayName),\n AppId = tostring(TargetResource.id)\n )\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "UserIPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + "description": 
"Microsoft Entra ID Analytics Rule 34", + "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "contentKind": "AnalyticsRule", + "displayName": "Mail.Read Permissions Granted to Application", + "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where 
ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" } - } + ], + "entityType": "IP" }, - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": 
"@triggerBody()?['IncidentArmID']", - "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']}  (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Condition_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Condition_3": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 35", + "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + 
}, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": 
"[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, 
knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where 
Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 36", + "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where 
ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 37", + "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", + "contentId": 
"[variables('analyticRuleObject37')._analyticRulecontentId37]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "parameters": {}, 
+ "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ 
\"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | 
mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + 
"entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 38", + "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "id": 
"[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where 
ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 39", + "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", + "contentId": 
"[variables('analyticRuleObject39')._analyticRulecontentId39]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", + "parameters": {}, 
+ "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ 
\"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | 
mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + 
"entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AppDisplayName" + } + ], + "entityType": "CloudApplication" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 40", + "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "id": 
"[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to PwnAuth", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where 
AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = 
tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1528", + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 41", + "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent similar to PwnAuth", + "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies occurances where a user has rejected an MFA prompt. 
This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "MFA Rejected by User", + "enabled": false, + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, 
SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "AadUserId", + "columnName": "UserId" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 42", + "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "kind": "AnalyticsRule", + "version": 
"[variables('analyticRuleObject42').analyticRuleVersion42]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "contentKind": "AnalyticsRule", + "displayName": "MFA Rejected by User", + "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject43')._analyticRulecontentId43]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", + "displayName": "Multiple admin membership removals from newly created admin.", + "enabled": false, + "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where 
ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1531" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + 
"columnName": "UPNSuffix" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 43", + "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "contentKind": "AnalyticsRule", + "displayName": "Multiple admin membership removals from newly created admin.", + "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "New access credential added to Application or Service Principal", + "enabled": false, + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ 
\"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend 
timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 44", + "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "contentKind": "AnalyticsRule", + "displayName": "New access credential added to Application or Service Principal", + "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the 
domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT Modified domain federation trust settings", + "enabled": false, + "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 45", + "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": 
"Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "contentKind": "AnalyticsRule", + "displayName": "NRT Modified domain federation trust settings", + "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies authentication methods being changed for a list of VIP users watchlist. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.", + "displayName": "NRT Authentication Methods Changed for VIP Users", + "enabled": false, + "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IP" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 46", + "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "contentKind": "AnalyticsRule", + "displayName": "NRT Authentication Methods Changed for VIP Users", + "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": 
"nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", + "enabled": false, + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = 
tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": 
"Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 47", + "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "contentKind": "AnalyticsRule", + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", + "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT New access credential added to Application or Service Principal", + "enabled": false, + "query": "AuditLogs\n| 
where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| 
project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1550" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 48", + "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": 
"https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "contentKind": "AnalyticsRule", + "displayName": "NRT New access credential added to Application or Service Principal", + "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "NRT PIM Elevation Request Rejected", + "enabled": false, + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InitiatingName" + }, + { + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserName" + }, + { + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 49", + "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "contentKind": "AnalyticsRule", + "displayName": "NRT PIM Elevation Request Rejected", + "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "NRT Privileged Role Assigned Outside PIM", + "enabled": false, + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + 
"techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 50", + "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "contentKind": "AnalyticsRule", + "displayName": "NRT Privileged Role Assigned Outside PIM", + "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", + "enabled": false, + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n 
where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + 
"AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountName" + }, + { + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetName" + }, + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 51", + "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "contentKind": "AnalyticsRule", + "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", + "contentProductId": 
"[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "PIM Elevation Request Rejected", + "enabled": false, + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InitiatingName" }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] + { + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserName" }, - 
"else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } + { + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 52", + "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "contentKind": "AnalyticsRule", + "displayName": "PIM Elevation Request Rejected", + "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "version": 
"[variables('analyticRuleObject52').analyticRuleVersion52]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": " Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "displayName": "Privileged Accounts - Sign in Failure Spikes", + "enabled": false, + "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, 
baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + 
"entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 53", + "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "contentKind": "AnalyticsRule", + "displayName": "Privileged Accounts - Sign in Failure Spikes", + "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "Privileged Role Assigned Outside PIM", + "enabled": false, + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + 
"requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 54", + "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "contentKind": "AnalyticsRule", + "displayName": "Privileged Role Assigned Outside PIM", + "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "id": 
"[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Rare application consent", + "enabled": false, + "query": "let current = 
1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), 
tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1136", + "T1068" + ], + "entityMappings": [ + { + 
"fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "If" - }, - "Initialize_variable_Account_Details": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "AccountDetails", - "type": "string" - } - ] + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - }, - "Set_variable": { - "runAfter": { - "Initialize_variable_Account_Details": [ - "Succeeded" - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetResourceName" + } + ], + "entityType": "CloudApplication" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 55", + "parentId": "[variables('analyticRuleObject55').analyticRuleId55]", + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", 
+ "contentKind": "AnalyticsRule", + "displayName": "Rare application consent", + "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. 
They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", + "enabled": false, + "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + 
"columnName": "Name" }, - "type": "SetVariable", - "inputs": { - "name": "AccountDetails", - "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - }, - "Update_user_-_disable_user": { - "runAfter": { - "Set_variable": [ - "Succeeded" - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 56", + "parentId": "[variables('analyticRuleObject56').analyticRuleId56]", + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "contentKind": "AnalyticsRule", + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", + "contentProductId": 
"[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. 
", + "displayName": "GitHub Signin Burst from Multiple Locations", + "enabled": false, + "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - } + ], + "entityType": "Account" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 57", + "parentId": "[variables('analyticRuleObject57').analyticRuleId57]", + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + 
"email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "contentKind": "AnalyticsRule", + "displayName": "GitHub Signin Burst from Multiple Locations", + "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins 
from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "enabled": false, + "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, 
IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1078", + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" } - } + ], + "entityType": "IP" } - } + ] } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]", "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", - "kind": "Playbook", - "version": "[variables('playbookVersion7')]", + "description": "Microsoft Entra ID Analytics Rule 58", + "parentId": "[variables('analyticRuleObject58').analyticRuleId58]", + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -11377,399 +12053,627 @@ } } } - ], - "metadata": { - "title": "Block AAD user - Entity trigger", - "description": "This playbook disables the selected user (account entity) in Azure Active Directoy. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!", - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-12-08T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added manager notification action", - "notes": [ - "Initial version" + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "contentKind": "AnalyticsRule", + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Brute force attack against Azure Portal", + "enabled": false, + "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = 
tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on ResultType\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize data\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by 
UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based on deviation and failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n// Additional transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "AadUserId", + "columnName": "UserId" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } ] } - ] - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 59", + "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", - "contentKind": "Playbook", - "displayName": "Block-AADUser-EntityTrigger", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "contentKind": "AnalyticsRule", + "displayName": "Brute force attack against Azure Portal", + "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", + "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", "location": "[parameters('workspace-location')]", "dependsOn": 
[ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.6", + "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Reset-AADUserPassword-EntityTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "parameters": {}, + "variables": {}, "resources": [ { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - 
"parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" - } - } - }, - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{variables('AccountDetails')}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Condition": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" - } - }, - "HTTP_-_reset_a_password": { - "runAfter": { - "Initialize_variable_Account": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}" - } - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. 
If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Password spray attack against Microsoft Entra ID application", + "enabled": false, + "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by 
IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" } - }, - "Initialize_variable_Account": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 60", + "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "contentKind": "AnalyticsRule", + "displayName": "Password spray attack against Microsoft Entra ID application", + "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template 
version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.", + "displayName": "Successful logon from IP and failure from a different IP", + "enabled": false, + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", 
\"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. 
If so, comment all that is below.\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" + } + ], + "tactics": [ + "CredentialAccess", + 
"InitialAccess" + ], + "techniques": [ + "T1110", + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "AccountDetails", - "type": "string", - "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" - } - ] + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SuccessIPAddress" } - } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "FailedIPAddress" + } + ], + "entityType": "IP" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 61", + "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "contentKind": "AnalyticsRule", + "displayName": "Successful logon from IP and failure from a different IP", + "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + 
"properties": { + "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", + "displayName": "Suspicious AAD Joined Device Update", + "enabled": false, + "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = Prop.oldValue \n | extend NewTrustType = Prop.newValue)\n| mv-apply 
Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1528" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "NewDeviceName" } - } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "OldDeviceName" + } + 
], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "AzureID", + "columnName": "DeviceId" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "AadUserId", + "columnName": "InitiatedByUser" + } + ], + "entityType": "Account" } + ], + "alertDetailsOverride": { + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", + "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 62", + "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious AAD Joined Device Update", + "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", + "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject63').analyticRuleTemplateSpecName63]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject63').analyticRuleVersion63]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject63')._analyticRulecontentId63]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent for offline access", + "enabled": false, + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tolower(tostring(TargetResource.id))\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n (\n where Properties.displayName =~ \"ConsentAction.Permissions\"\n | extend ConsentFull = tostring(Properties.newValue)\n | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, 
InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppClientId = tolower(TargetResource.id)\n )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n (\n where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n | extend AppReplyURLs = ModifiedProperties.newValue\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, 
AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1528" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "GrantIpAddress" + } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject63').analyticRuleId63,'/'))))]", "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", + "description": "Microsoft Entra ID Analytics Rule 63", + "parentId": "[variables('analyticRuleObject63').analyticRuleId63]", + "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject63').analyticRuleVersion63]", "source": { "kind": "Solution", - 
"name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -11784,320 +12688,525 @@ } } } - ], - "metadata": { - "title": "Reset Azure AD User Password - Entity trigger", - "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", - "postDeployment": [ - "1. Assign Password Administrator permission to managed identity.", - "2. Assign Microsoft Sentinel Responder permission to managed identity.", - "3. Authorize Office 365 Outlook connection" - ], - "lastUpdateTime": "2022-12-06T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.1", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious application consent for offline access", + "contentProductId": "[variables('analyticRuleObject63')._analyticRulecontentProductId63]", + "id": "[variables('analyticRuleObject63')._analyticRulecontentProductId63]", + "version": "[variables('analyticRuleObject63').analyticRuleVersion63]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject64').analyticRuleTemplateSpecName64]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule 
with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject64').analyticRuleVersion64]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject64')._analyticRulecontentId64]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)", + "displayName": "Suspicious Service Principal creation activity", + "enabled": false, + "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet 
account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT70M", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs", + "AADServicePrincipalSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess", + "PrivilegeEscalation", + "InitialAccess" + ], + "techniques": [ + "T1078", + "T1528" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "userPrincipalName_creator" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "userPrincipalName_deleter" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ipAddress_creator" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ipAddress_deleter" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject64').analyticRuleId64,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 64", + "parentId": "[variables('analyticRuleObject64').analyticRuleId64]", + "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject64').analyticRuleVersion64]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId8')]", - "contentKind": "Playbook", - "displayName": "Reset-AADUserPassword-EntityTrigger", - "contentProductId": "[variables('_playbookcontentProductId8')]", - "id": "[variables('_playbookcontentProductId8')]", - "version": 
"[variables('playbookVersion8')]" + "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious Service Principal creation activity", + "contentProductId": "[variables('analyticRuleObject64')._analyticRulecontentProductId64]", + "id": "[variables('analyticRuleObject64')._analyticRulecontentProductId64]", + "version": "[variables('analyticRuleObject64').analyticRuleVersion64]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName9')]", + "name": "[variables('analyticRuleObject65').analyticRuleTemplateSpecName65]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.6", + "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion9')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-alert", - "type": "string" - }, - "UserName": { - "defaultValue": "@", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - 
"_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject65').analyticRuleVersion65]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[parameters('PlaybookName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365UsersConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": 
"[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject65')._analyticRulecontentId65]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - 
"Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Send_an_email_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_manager_(V2)": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['office365users']['connectionId']" - } - }, - "method": "get", - "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" - }, - "runAfter": { - "HTTP": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "HTTP": { - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" - }, - "type": "Http" - }, - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", - "Subject": "User signin sessions were reset due to security incident.", - "To": "@body('Get_manager_(V2)')?['mail']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "runAfter": { - "Get_manager_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } + "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", + "enabled": false, + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union 
isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": 
"PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InvitedUserName" }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + { + "identifier": "UPNSuffix", + "columnName": "InvitedUserUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InitiatedByName" }, - "type": "Foreach" - } + { + "identifier": "UPNSuffix", + "columnName": "InitiatedByUPNSuffix" + } + ], + "entityType": "Account" }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject65').analyticRuleId65,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 65", + "parentId": "[variables('analyticRuleObject65').analyticRuleId65]", + "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject65').analyticRuleVersion65]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + 
"name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", + "contentKind": "AnalyticsRule", + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", + "contentProductId": "[variables('analyticRuleObject65')._analyticRulecontentProductId65]", + "id": "[variables('analyticRuleObject65')._analyticRulecontentProductId65]", + "version": "[variables('analyticRuleObject65').analyticRuleVersion65]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject66').analyticRuleTemplateSpecName66]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject66').analyticRuleVersion66]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject66')._analyticRulecontentId66]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", 
+ "properties": { + "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "enabled": false, + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour 
= TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where 
ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" }, - "triggers": { - "Microsoft_Sentinel_alert": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" }, - "type": "ApiConnectionWebhook" - } + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": 
"2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject66').analyticRuleId66,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 66", + "parentId": "[variables('analyticRuleObject66').analyticRuleId66]", + "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject66').analyticRuleVersion66]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", + "contentKind": "AnalyticsRule", + "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "contentProductId": "[variables('analyticRuleObject66')._analyticRulecontentProductId66]", + "id": "[variables('analyticRuleObject66')._analyticRulecontentProductId66]", + "version": 
"[variables('analyticRuleObject66').analyticRuleVersion66]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject67').analyticRuleTemplateSpecName67]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject67').analyticRuleVersion67]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject67')._analyticRulecontentId67]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "User added to Microsoft Entra ID Privileged Groups", + "enabled": false, + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where 
OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + 
"suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountName" }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + { + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetName" }, - "office365users": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", - "connectionName": "[[variables('Office365UsersConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - } + ], + "entityType": "Account" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject67').analyticRuleId67,'/'))))]", "properties": { - "parentId": 
"[variables('playbookId9')]", - "contentId": "[variables('_playbookContentId9')]", - "kind": "Playbook", - "version": "[variables('playbookVersion9')]", + "description": "Microsoft Entra ID Analytics Rule 67", + "parentId": "[variables('analyticRuleObject67').analyticRuleId67]", + "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject67').analyticRuleVersion67]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -12112,320 +13221,250 @@ } } } - ], - "metadata": { - "title": "Revoke-AADSignInSessions alert trigger", - "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", - "prerequisites": [ - "1. You must create an app registration for graph api with appropriate permissions.", - "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD." - ], - "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", - "lastUpdateTime": "2021-07-14T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId9')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-alert", - "contentProductId": "[variables('_playbookcontentProductId9')]", - "id": "[variables('_playbookcontentProductId9')]", - "version": "[variables('playbookVersion9')]" + "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", + "contentKind": "AnalyticsRule", + "displayName": "User added to Microsoft Entra ID Privileged Groups", + "contentProductId": "[variables('analyticRuleObject67')._analyticRulecontentProductId67]", + "id": "[variables('analyticRuleObject67')._analyticRulecontentProductId67]", + "version": "[variables('analyticRuleObject67').analyticRuleVersion67]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName10')]", + 
"name": "[variables('analyticRuleObject68').analyticRuleTemplateSpecName68]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.6", + "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion10')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-incident", - "type": "string" - }, - "UserName": { - "defaultValue": "@", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": 
"[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject68').analyticRuleVersion68]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[parameters('PlaybookName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365UsersConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Revoke-AADSigninSessions", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', 
variables('Office365UsersConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject68')._analyticRulecontentId68]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Send_an_email_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_manager_(V2)": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['office365users']['connectionId']" - } - }, - "method": "get", - "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" - }, - "runAfter": { - "HTTP": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "HTTP": { - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" - }, - "type": "Http" - }, - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", - "Subject": "User signin sessions were reset due to security incident.", - "To": "@body('Get_manager_(V2)')?['mail']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "runAfter": { - "Get_manager_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", + "displayName": "New User Assigned to Privileged Role", + "enabled": false, + "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query for audit events in the current day\nlet 
EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetName" }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" + } + ], + "entityType": "Account" }, - "triggers": { - "Microsoft_Sentinel_alert": { - 
"inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "InitiatorName" }, - "type": "ApiConnectionWebhook" - } + { + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" + } + ], + "entityType": "Account" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject68').analyticRuleId68,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 68", + "parentId": "[variables('analyticRuleObject68').analyticRuleId68]", + "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject68').analyticRuleVersion68]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", + "contentKind": "AnalyticsRule", + "displayName": "New User Assigned to Privileged Role", + "contentProductId": "[variables('analyticRuleObject68')._analyticRulecontentProductId68]", + "id": "[variables('analyticRuleObject68')._analyticRulecontentProductId68]", + "version": "[variables('analyticRuleObject68').analyticRuleVersion68]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject69').analyticRuleTemplateSpecName69]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject69').analyticRuleVersion69]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject69')._analyticRulecontentId69]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This detection looks for new onmicrosoft domains being added to a tenant. 
\nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", + "displayName": "New onmicrosoft domain added to tenant", + "enabled": false, + "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "techniques": [ + "T1585" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserName" }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": 
"[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, - "office365users": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", - "connectionName": "[[variables('Office365UsersConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" + { + "identifier": "AadUserId", + "columnName": "InitiatingSPID" } - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIp" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "DomainAdded" + } + ], + "entityType": "DNS" } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. 
Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", + "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject69').analyticRuleId69,'/'))))]", "properties": { - "parentId": "[variables('playbookId10')]", - "contentId": "[variables('_playbookContentId10')]", - "kind": "Playbook", - "version": "[variables('playbookVersion10')]", + "description": "Microsoft Entra ID Analytics Rule 69", + "parentId": "[variables('analyticRuleObject69').analyticRuleId69]", + "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject69').analyticRuleVersion69]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -12440,207 +13479,154 @@ } } } - ], - "metadata": { - "title": "Revoke AAD SignIn Sessions - incident trigger", - "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", - "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", - "lastUpdateTime": "2021-07-14T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId10')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-incident", - "contentProductId": "[variables('_playbookcontentProductId10')]", - "id": "[variables('_playbookcontentProductId10')]", - "version": "[variables('playbookVersion10')]" + "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", + "contentKind": "AnalyticsRule", + "displayName": "New onmicrosoft domain added to tenant", + "contentProductId": "[variables('analyticRuleObject69')._analyticRulecontentProductId69]", + "id": "[variables('analyticRuleObject69')._analyticRulecontentProductId69]", + "version": "[variables('analyticRuleObject69').analyticRuleVersion69]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName11')]", + "name": "[variables('analyticRuleObject70').analyticRuleTemplateSpecName70]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.6", + "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion11')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject70').analyticRuleVersion70]", + "parameters": {}, + "variables": {}, "resources": [ { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject70')._analyticRulecontentId70]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by 
that user.", + "displayName": "Suspicious Sign In Followed by MFA Modification", + "enabled": false, + "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, \"@\")[1])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": 
"@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + } + ], + "tactics": [ + "InitialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1078", + "T1556" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "AadUserId", + "columnName": "InitiatorID" + }, + { + "identifier": "Name", + "columnName": "InitiatorName" + }, + { + "identifier": "UPNSuffix", + "columnName": "InitiatorSuffix" } - } + ], + "entityType": "Account" }, - "actions": { - "Condition": { - "actions": { - "Add_comment_to_incident_(V3)_-_session_revoked": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "HTTP_-_revoke_sign-in_session": [ - "Succeeded" - ] + { + "fieldMappings": [ + { + "identifier": "AadUserId", + "columnName": "TargetId" }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] + { + "identifier": "Name", + "columnName": "TargetName" }, - "type": "If" - }, - "HTTP_-_revoke_sign-in_session": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions" + { + "identifier": "UPNSuffix", + "columnName": "TargetSuffix" } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "FromIP" } - } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIPAddress" + } + ], + "entityType": "IP" } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - 
"hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n", + "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject70').analyticRuleId70,'/'))))]", "properties": { - "parentId": "[variables('playbookId11')]", - "contentId": "[variables('_playbookContentId11')]", - "kind": "Playbook", - "version": "[variables('playbookVersion11')]", + "description": "Microsoft Entra ID Analytics Rule 70", + 
"parentId": "[variables('analyticRuleObject70').analyticRuleId70]", + "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject70').analyticRuleVersion70]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
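Review bot: The new rule 70 ("Suspicious Sign In Followed by MFA Modification") is scheduled with `"queryFrequency": "P1D"` and `"queryPeriod": "P1D"`, but its join accepts a security-info change anywhere in `(LogOnTime-30m)..(LogOnTime+1h)`, so a sign-in near the end of one daily window paired with an MFA change at the start of the next falls in neither run and is never alerted. Widening the lookback and anchoring on the later event closes that gap without re-raising pairs on consecutive runs: `"queryPeriod": "P2D"` and, after the `between` filter, `| where MFAModTime > ago(1d)`. Some such anchor is needed because the rule uses `AlertPerResult` with `suppressionEnabled: false`, so a plain overlap would duplicate every pair in the overlapped hour. The `BehaviorAnalytics` side is UEBA output and presumably lands later than the underlying sign-in; if that lag can exceed the one-hour join window it would be worth confirming the daily cadence still catches the pair.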
@@ -12655,38 +13641,19 @@ } } } - ], - "metadata": { - "title": "Revoke AAD Sign-in session using entity trigger", - "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", - "postDeployment": [ - "1. Add Microsoft Sentinel Responder role to the managed identity.", - "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity." - ], - "lastUpdateTime": "2022-12-22T00:00:00Z", - "entities": [ - "Account" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId11')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignIn-Session-entityTrigger", - "contentProductId": "[variables('_playbookcontentProductId11')]", - "id": "[variables('_playbookcontentProductId11')]", - "version": "[variables('playbookVersion11')]" + "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", + "contentKind": "AnalyticsRule", + "displayName": "Suspicious Sign In Followed by MFA Modification", + "contentProductId": "[variables('analyticRuleObject70')._analyticRulecontentProductId70]", + "id": "[variables('analyticRuleObject70')._analyticRulecontentProductId70]", + "version": "[variables('analyticRuleObject70').analyticRuleVersion70]" } }, { 
@@ -12694,12 +13661,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", - "displayName": "Azure Active Directory", + "displayName": "Microsoft Entra ID", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure Active Directory solution for Microsoft Sentinel enables you to ingest Azure Active Directory Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.

\n

Data Connectors: 1, Workbooks: 2, Analytic Rules: 60, Playbooks: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Entra ID solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.

\n

Workbooks: 2, Analytic Rules: 70, Playbooks: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -12708,7 +13675,7 @@ "parentId": "[variables('_solutionId')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -12725,9 +13692,59 @@ "operator": "AND", "criteria": [ { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-alert-trigger')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-entity-trigger')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-incident-trigger')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Prompt-User-alert-trigger')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Prompt-User-incident-trigger')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]", + "version": "[variables('playbookVersion10')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]", + "version": "[variables('playbookVersion11')]" }, { "kind": "Workbook", 
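Review bot: The rewritten dependency criteria pair the `playbookVersionN` variables with the two Revoke-AADSignInSessions playbooks in the opposite order from the metadata this same patch removes: the deleted blocks bound `playbookVersion10` to `Revoke-AADSignInSessions-incident` and `playbookVersion11` to `Revoke-AADSignIn-Session-entityTrigger`, while the new criteria pin the entity trigger to `"version": "[variables('playbookVersion10')]"` and the incident trigger to `"version": "[variables('playbookVersion11')]"`. If the `variables` section (outside this hunk) was not regenerated in the new order, the package will advertise the wrong version for each of those two playbooks, so please confirm the variable definitions match the new pairing. The same hunk also drops the `DataConnector` criterion that depended on `_dataConnectorContentId1`, yet every analytic rule in this file still declares `"connectorId": "AzureActiveDirectory"` under `requiredDataConnectors`; if the connector is now intentionally shipped in a separate package, the solution description should state that, because none of the 70 rules can run until it is installed.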
@@ -12741,358 +13758,353 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentId": 
"[variables('analyticRuleObject14')._analyticRulecontentId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId17')]", - "version": "[variables('analyticRuleVersion17')]" + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId21')]", - "version": 
"[variables('analyticRuleVersion21')]" + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId22')]", - "version": "[variables('analyticRuleVersion22')]" + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId23')]", - "version": "[variables('analyticRuleVersion23')]" + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId24')]", - "version": "[variables('analyticRuleVersion24')]" + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId25')]", - "version": "[variables('analyticRuleVersion25')]" + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId26')]", - "version": "[variables('analyticRuleVersion26')]" + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId27')]", - "version": "[variables('analyticRuleVersion27')]" + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId28')]", - "version": "[variables('analyticRuleVersion28')]" + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId29')]", - "version": "[variables('analyticRuleVersion29')]" + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId30')]", - "version": "[variables('analyticRuleVersion30')]" + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId31')]", - "version": "[variables('analyticRuleVersion31')]" + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId32')]", - "version": "[variables('analyticRuleVersion32')]" + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId33')]", - "version": "[variables('analyticRuleVersion33')]" + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId34')]", - "version": "[variables('analyticRuleVersion34')]" + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" }, { 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId35')]", - "version": "[variables('analyticRuleVersion35')]" + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId38')]", - "version": "[variables('analyticRuleVersion38')]" + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId39')]", - "version": "[variables('analyticRuleVersion39')]" + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId40')]", - "version": "[variables('analyticRuleVersion40')]" + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId41')]", - "version": "[variables('analyticRuleVersion41')]" + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "version": 
"[variables('analyticRuleObject41').analyticRuleVersion41]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId42')]", - "version": "[variables('analyticRuleVersion42')]" + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId43')]", - "version": "[variables('analyticRuleVersion43')]" + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId44')]", - "version": "[variables('analyticRuleVersion44')]" + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId45')]", - "version": "[variables('analyticRuleVersion45')]" + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId46')]", - "version": "[variables('analyticRuleVersion46')]" + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId47')]", - "version": "[variables('analyticRuleVersion47')]" + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId48')]", - "version": "[variables('analyticRuleVersion48')]" + "contentId": 
"[variables('analyticRuleObject48')._analyticRulecontentId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId49')]", - "version": "[variables('analyticRuleVersion49')]" + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId50')]", - "version": "[variables('analyticRuleVersion50')]" + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId51')]", - "version": "[variables('analyticRuleVersion51')]" + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId52')]", - "version": "[variables('analyticRuleVersion52')]" + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId53')]", - "version": "[variables('analyticRuleVersion53')]" + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId54')]", - "version": "[variables('analyticRuleVersion54')]" + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId55')]", - "version": 
"[variables('analyticRuleVersion55')]" + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId56')]", - "version": "[variables('analyticRuleVersion56')]" + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId57')]", - "version": "[variables('analyticRuleVersion57')]" + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId58')]", - "version": "[variables('analyticRuleVersion58')]" + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId59')]", - "version": "[variables('analyticRuleVersion59')]" + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId60')]", - "version": "[variables('analyticRuleVersion60')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-alert-trigger')]", - "version": "[variables('playbookVersion1')]" + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" }, { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-incident-trigger')]", - "version": "[variables('playbookVersion2')]" + "kind": "AnalyticsRule", + "contentId": 
"[variables('analyticRuleObject61')._analyticRulecontentId61]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" }, { - "kind": "Playbook", - "contentId": "[variables('_Prompt-User-alert-trigger')]", - "version": "[variables('playbookVersion3')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" }, { - "kind": "Playbook", - "contentId": "[variables('_Prompt-User-incident-trigger')]", - "version": "[variables('playbookVersion4')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", + "version": "[variables('analyticRuleObject63').analyticRuleVersion63]" }, { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]", - "version": "[variables('playbookVersion5')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", + "version": "[variables('analyticRuleObject64').analyticRuleVersion64]" }, { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]", - "version": "[variables('playbookVersion6')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", + "version": "[variables('analyticRuleObject65').analyticRuleVersion65]" }, { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-entity-trigger')]", - "version": "[variables('playbookVersion7')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", + "version": "[variables('analyticRuleObject66').analyticRuleVersion66]" }, { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]", - "version": "[variables('playbookVersion8')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", + "version": 
"[variables('analyticRuleObject67').analyticRuleVersion67]" }, { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]", - "version": "[variables('playbookVersion9')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", + "version": "[variables('analyticRuleObject68').analyticRuleVersion68]" }, { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]", - "version": "[variables('playbookVersion10')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", + "version": "[variables('analyticRuleObject69').analyticRuleVersion69]" }, { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]", - "version": "[variables('playbookVersion11')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", + "version": "[variables('analyticRuleObject70').analyticRuleVersion70]" } ] }, From 22137e4c5cd1fd52a4af0bd2a27e6e3d930088d7 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 6 Nov 2023 06:49:50 +0530 Subject: [PATCH 07/17] update Package --- ...erAppSigninLocationIncrease-detection.yaml | 6 +- .../Microsoft Entra ID/Data/Solution_AAD.json | 22 +- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 87803 -> 94755 bytes .../Package/createUiDefinition.json | 388 +- .../Package/mainTemplate.json | 17016 ++++++++-------- Solutions/Microsoft Entra ID/ReleaseNotes.md | 1 + .../Images/Logos/MicrosoftEntraID_logo.svg | 9 + 7 files changed, 8331 insertions(+), 9111 deletions(-) create mode 100644 Workbooks/Images/Logos/MicrosoftEntraID_logo.svg diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml index 196d7fbbdc1..983d11b410e 100644 
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
@@ -1,8 +1,7 @@
 id: 7cb8f77d-c52f-4e46-b82f-3cf2e106224a
 name: Anomalous sign-in location by user account and authenticating application
 description: |
- 'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active
- Directory application and picks out the most anomalous change in location profile for a user within an
+ 'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
 individual application.
 severity: Medium
 requiredDataConnectors:
@@ -58,8 +57,7 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}
 alertDescriptionFormat: |
- This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active
- Directory application and picks out the most anomalous change in location profile for a user within an
+ This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
 individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations.
 version: 2.0.0
diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
index 6416d9b2d8d..b211157937f 100644
--- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
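Review bot: Both hunks reword the rule's `description` and `alertDescriptionFormat`, yet the `version: 2.0.0` context line at the end of the second hunk is left untouched. Analytic rule templates in this repository carry their own version, and the packaged template appears to be keyed off it (the mainTemplate hunks earlier in this patch read `analyticRuleVersionN`), so workspaces that already hold 2.0.0 presumably will not pick up the new wording; consider `version: 2.0.1`. The hunk counts (`-58,8 +57,7`) also account for one more line than is visible in this rendering of the `alertDescriptionFormat` block, so the line wrapping there should be re-checked in the file itself.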
@@ -1,7 +1,7 @@
 {
 "Name": "Microsoft Entra ID",
 "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
+ "Logo": "",
 "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
 "Data Connectors": [
 "Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.json"
@@ -11,11 +11,6 @@
 "Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json"
 ],
 "Analytic Rules": [
- "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml",
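Review bot: The removed and added `"Logo"` lines in the first hunk read as the same empty string `""` in this rendering, so the actual change cannot be reviewed here; if the value is an inline `<img>` reference to the new `Workbooks/Images/Logos/MicrosoftEntraID_logo.svg` listed in the diffstat, it was most likely stripped by the page, and the file itself should be checked to confirm the new path is spelled exactly as the created file. The second hunk's removal of the five duplicated `AccountCreatedandDeletedinShortTimeframe.yaml` entries is the right direction; a short comment is not possible in strict JSON, so the deduplication is best recorded in `ReleaseNotes.md`, which this patch already touches.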
@@ -46,14 +41,11 @@
 "Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
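Review bot: `NewOnmicrosoftDomainAdded.yaml` is inserted ahead of `NewAppOrServicePrincipalCredential.yaml`, which breaks the alphabetical order the rest of the `"Analytic Rules"` array keeps (`NewA` sorts before `NewO`); move the added line one entry down so it follows `"Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",`. Keeping the order stable matters beyond style: the mainTemplate hunks earlier in this patch suggest the generated `analyticRuleObjectN` variables are numbered from this list's position, so any later reorder presumably renumbers every rule after the moved entry.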
@@ -75,13 +67,13 @@
 "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml"
- ],
+ ],
 "Playbooks": [
 "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
 "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
@@ -96,7 +88,7 @@
 "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.6",
+ "Version": "3.0.7",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
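Review bot: On the new side of the first hunk, `"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml",` is now the last element of `Analytic Rules` and is followed directly by `],`, so the comma that was valid while `NewOnmicrosoftDomainAdded.yaml` came after it has become a trailing comma before the closing bracket, which strict RFC 8259 parsers reject. That context line needs to become a changed line without the comma: `"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"`. Whether the packaging tooling that reads this manifest happens to tolerate a trailing comma cannot be seen from here, so the file should not depend on it. The `- ],` / `+ ],` pair shows no visible difference in this view and is presumably a whitespace-only edit; harmless, but worth confirming it is not masking something else.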
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index c2b30500a11645649791dc3d682ea62430e5147d..0944f163483aefb760090fc8bdde6f06cd11d34a 100644 GIT binary patch literal 94755 zcmZ^~V~{3W&^6lDv^j0Nr)}G|ZQHhOPIph+wr$(C?b~zCd*k9eZ$$m5sEAd2=gO5U zGoELctOPI!G5`Po1b`x=vC7m?lr$bW007bp007$eQv-V=Jx3!YGeIL`Gix(PGaGAa za|avieXa{@Ot$zhxMmkTP8SOfS&7CwY)$9iH3^Y)BmJRSkgzj&zgx+}GA@m660AfR zFt@W0a4xdD+wNsy1p+J=Nte^R(a3XQ`M!g55KyqeYD@JI47>_qZIxYXiA>kh?po+|R=`v(CYK_E=F+Wdy z&*MolR*s_lC7wEi7Yxr*kN9Te2nAYo)83j-Os|ImO%_Bl)iWM@GuP2_bF>Qo!H0`>k zsz7XP(z&iHS3y-G&CXl9(n0T+BI|11fiJgek%-{0m>4i?*z~*{;x^Pjb!h<24BR2a z)lF9pPH_w+PAL98Tfil!e$I35)l3bIQ7&ru;(dOMb|<0OC28O#L*YvMMrEvLgoA*1 zkB!!Dcs*?=)ooM>_c5(t<|li&#yGOYG!vInDU$NGa&Al(^O z0Jf?Obwl(>Y`8`IbuFdv&H#$0ead`>HX%v`6Gy!2;rvO$B56RI%EXd%0JSkfdIZr1 z!o2nFO+%a6qh>fG?R#wX*h$8$K_Q!5rx zM88HI(0@1s<@eWapB!})BCU%s46VR$2AqI1IO!?Q--5;3!e&qw;gRPf;=KTVrHPP* z_$tC1E1UhfAsi`c@h_x<4+rG;W1$DXRVDu2i9#f@ZtGlpn+Y&Srts)-zF47dy^{d! zNk8t!J`|^;#Ow0>jKjqv_R?M$gtBi*QvzR6XuFk zyiay|avH@h&z{eP+TsvNX=wU0h@~T~JXCdh_Xrlw^?u8)o4S&~ z>@9jgOCXjq!(Ior-4KwH0j*I{qNsylVyU7wFYQ_JLduta2y)U_CV>!LoZp&zH#Rpf zuQVcxKRJ#y=7fnDf|!>V>qt!^5+Rc_(`F*c!dg}!(~wBw#cVjXgU{%vW7=cm>hN)K z&#}*iJmB&=KCA$mtz0Z(SDkNm(=lC(>1C-t^5s!PbUmr+rC(J4EVpN2gd=B)(pd_3xLbPEFJM|B5M9{tSockL(aey~GLu~zDhUVv zv=EeE9!6Nb(suWi)AW>g{jC^fk+d!?CE@OoJHvVq#+nfPyQP-clIyerMXHHvdJTUq zCh}QV`F^6{-43k62T1AKyC8z1d{I-5m=$Ys2XZq)+$P5&&lDtL!S)`jQFm$Io~B)pX|&2pT&Y_lK|=+wAH(#A&=? z%poiFk-z}Aa9Y*7yc_Uoxigzzc_#+XPI4;RHk5<_A0ItSo8p;&E`&svDTQ-@5oh?x z>UMPp#&hLL<*h*hqa-fuY{+5Pw-KVTUgA=~KbxO*5mqKrR{dY=<<;osQ5X78EvBQU zv?7G`G!ub9=wu_7wnCVC@bR_vQLIt6iKreq|h-J2(8hVLycJIxy9{pOcsv3TV z*$u<)qTjU{yxpK}D48BODtUS&MBeM)WihzG%ysyBP33H`{tyqr!2dNG=Fhr+TIJXl zd3P;?xv7F@bHHov?x6qMS_M83d(m#MPU+EH?bQ|M)ECt%GQB|$U)umm%?(OA*oc<{ z5}W}sy-70PV0yAZv2{wgg#|^PK&mX1cD+~e;xXVNb;wNU)2gQd%#j3SG;#ctBz)5# z>~|=FkYD!<;xrm2hSIW$|6pSri8iu(+Stw1(1C~qoHtz8W~8Id? 
z9<-ZN02S^GagAK%1xHiPGp8a4LVUZHP3}W3VbJ@--H)408C1FfSVUZrJ zyFmaU$e%g9I@8fGCmN$61>vaMK(rK0$Cr?=w+w7Pv zy*^q7)y@ph$0F;TA#BVu7h=7B46f))j|B{lLUEDDp^y))&lFKrr1q-kqBYXSe}G*z9|Ekx+ z3czC?=eK_NM6gY}1CchVmUSj!pzE=8GEuM69v!UTB$tIfhK8<*oh9=`jl_?%JbDEl5lV5^Om!uW4KPzAgh9rHcC`(e;7!64!0g+5GDXuPXg<{8`3VDU zAnN~T30f^&GK&N9EM0s1PSa0$jBlb^GgOf1L+(>ta+&Z^jJ=CJq)Z4J+Tc(wUyYmz z?M3P9cN~`Q%aqVAu6K=j8^Vc;*^b-nlLlnlHVZ;zmgWIMYBljWFF*1u+l9^KE=S?~ zd0^yEnQ6mLP2C254sKS@G~Y-`O-JwA@LXaX{!y9uR!zUwmb}2)QHQFPPwg=K%d|3z zIF@e1Qu*yRr?=<`_r`#bD!ikbOTb0^uvbomHbLj-t&q%zW+IN-`P2 zFe6H&mOFEadkzIND{oq8M2SN~cc$hWRlQN;c&x|YPiF*tP>yh}LH^6nJ7jYfR+M>X zMb3ip-7>j#&)q%YzzEVHSHA^#voyB(CI&z;)qP%u6D%2i-UXp^^yL>7wVgw=$P-n8 z$S@QR`UE^i_4SRc@o9(aF{@JfLIG^wixD8|h#M^d>#F=LWNl1z;-+)!=aEbhsrvud?C-h1&q)$nW$S3kky>TcJ_dS+W z3xYhPChLq?$y6l7!-1~hX*c8>P+O@e*&&SE!M9Nb`0UJ-g!gH>+PI*jA9sg1wX-h8 z;x@;xL?#b+7dY|*Bt@}EFcwc!LO0k6GY25}!E5*?LhDQTqnfw}fk^)@4?+;@yfC2^ zFIZ47-9@+qZGRrB>^%;8S*(P6{6;5VKdCkgtq6gehi%2E72d9+M1`ip*DtpL$M;8k z@sE#6Ti{c^Lc(lGM>**Jj~juWtF7oqT<+zF%k@nkc&_%LDpT^IJmT~hAT z!U#l&tb~qXRKCTCk2au-_pH^y|`UPzGe}Vvugis(j1w6!GZ@`MVhVEiR^Cpoa0%iLD ztU}gpCZ{y$<7LSSrBA>p(^#&HKPu}{L217_#H$86IhrFAWqUN%@*S#?I7&NGAtkjwYB3Tsmz^LO)E z_Q+fY2Vu9e`IV*?hS^5=ri;ocvG8+|9{QneQ)nPsl~*8erPYLVv08oflq>9JHN1%Y z`Y{#2@o|Qt&=m@bA*~L*sSyhvG0(U-?kGi;0VIHuH$cE92Z6Ka2gTQnp%pS{<(x6Q z@@wnI578#G++W^@mag{D5;%>%(K{AnX#QgPLhO84l=2yr6&J37mVz~%7(>otXq%FK z>ZIj#ebpeaZqz-Wh?2*tMU&e|H&iLxc3MLX=>(v#{tdznw;zCh5$WTy$n~dQ?vmQW zd{PpO$im_Il7bmTsIiQ{3!4a6RXPWYxYvq6H5dfU1S4*?Z4c$(KhbXkf@9_elU~%LmzGCeVs)8c< zhztlILB+rV!DBuq`x&xjO4Lg>F}F7$Y2%T08LOHgZV_CyA+Ocsb0eXgO)CW5yCev- z?p<|cSIUe-0#gEGZFh+!dNm;`9Q@n6==`At3?hn$u_(&9qkscJdYNyi&J7*TjTl6R z7;g;xlEymt1si1$GZ6CFHY7Klp6L1Jme@{^Y_rAI0}PALGj)r#MGAeao6FU7k)VZf zQcs7ATRDwWkNq3MZoa2op8|krLB8Y&(t^KJ}K#tUr&p6b}scb zQ^Q?-FMnK5G&=1y=f!}{5xZ6fE38nSn#9^N8{z`EVC%df=asv#-M-)^qeT^*3GsUB6su$ z)meIUcs(3Uw^cLILOJ+NEBWBKRRW* zgm^!G{;IfgdvX2_SG6A`_!-GH^$&L{zqJYV(Of&{)KUsP(vS_LCl@Nr;A~FZB`pCT+Yfek|bxn|7 z!{ji*-Xh0IqU0p}I8^e}wf+ak8Ag*`jmgVbZ 
zloIjS3Kse2sS*Q`v;f(7SkmeiC9Nfu!AHX6s6TiZ^#NNxm)S3%613FbSXpWwBq!z%=~eJqnE_%mVMSKSNve z;8-`)0MJ&6rWQKvURP+j`}*Zg&Vy3V8@JQv`=i;Ufa@^?HU9^~HZ30gbjWT5Y$wK? z6@?!&9IQmFKmlcWO(Lr;l181{9Z^j#Xf#XpzM@-e;!vN2U#zUAT;)UYpGG4CuG4k^ z*jD9koE=twCMU9o-P{uj`;Rcu5@61~+7Pi{jw!vLG<4u&K;hoTWwP+mbgK`pwurKC zrziMrE?<)Zhs^;SCtG}Y*3>hIs_v!XJuiHJY?Hv{G70PnLDWR*^AR@dgM57qjB+ec z)wNIqv4Z_bDN{4nF13U4gYfMQpLWe1oN#we%OiAyqU+7VDd`Lpv0uRnMoZTjevc3J zW0LVx81Tqwa%p&xY}A!Ga|dx9hivdsgHFQGu8kEGM^m~t*$G}tSVADhG(6igYoP?$ zCpkYp*0z?`6GzxCP%K^GyQm4+d$l@~!n75gPoTtlrX*fWxp~pduNoZ;J(N5wU-agR z=Qi0N8J#v(3YU85Z)yq+H_42%to)`$3_^--)SgT9sX>D{ok5+j)&Wh%ZdYaTb5R4e za{y`@`C^iNJPar7R2bFXOuGvC1J^o!pp)}Q=haKKZkl^pv-OLE@IvNd+C^|z%lM2Z zpnr+D5so=!@=M$7jU#zY%lJ5iFDR~x-9IL5K6SJ#;;3yZ9mf+%%-ttsnW+WG5*Y1mWYS z5ca0fq`fPzuthY__DEMvcZ4%%`ru=s@3rK5t6Tn9t3RP;AeKrq--F+E^FCdcZl#$q z7x_YfP2MOTq^!JVbbMJJYNIZW!7Oz{t0uVG!6!7uVpny0FNJD(p56HBdgw_JFm?9{ zT1?#15_IrUKh}kHc#Ac#dI*fp&LrMiXzH53Ny;c7GR+tW`wxzyaBPpyteKYr)ucaz z#hA%_DNOFK&ZBL#2X@}kE}sik?$FGN+j1~BxxWc9C9*C-vvh~sdx6_=F68>4!w{JX zwZ3QrnO%F)>7>z7Q{-FQntb4+!(!sP1zb;r;ZH~>Zkk#wnaniyoFbB_Bbc&1c~S6S zJZ>C^qXoIIw3RI@-~AOsY$-ud!DjsIfm75K-Gf=yNdA10fe%GdvOXrkJjmhcWS{?Z z)?m3mn#3G%>bY4h$sOZ-0dYOcnkehsyKW-0bVjhXeROiz1IL_zgA8{w;gBoKg{l|8DOXA+p2zJW zauv$&b{nr~ zum&{?rqk1E$2hO&TJbzi;DucQ@;!prH6L9Th}G5GG`TAl^{4Rt$7jitxcln7?t&1X z_5EUzts8epIT!FH4-xM`v!6K+8l}470{H&T!=Xj%U-fj|f9>`eGtNep#sK3Hb zBhTvkb1_Nb4HFL6s#|^?7>TlY$C*_C^OU;%#w9y{G|_Z038f|0nyXzd@wv{4q&|In zWS-raj2pnl@f{YdGe9BUm54XB*8_LVc=|#okWAH>2BBzs(wV`Z zv}LUPML|v9t+OD;wI$oC#=fFsaTwM0fZ{yrnf#mv%9)0bImO6^r}Q!pFcf=!@00-U zO0j2@*5gUv7q@J-DokA=Wd$hyWXbbpGS)#(KX-#hA4eJAyh8uvGWdOo%I=Mta{XJ5 zOz&Thl^;!3gpgm9oWMde*$cYWL=n8+NiS~}Wx?YTp zQzXQ^8Py`h%km%$!(tBXja_iIJnPU9)o+m0$=!D(F-yVyg8N(0W)$6o`71q>W8zv& z;l%MB?2Zrh>6~VUF*7ZaC@Ov!`U!yL%N&RCl}Vwa?ROA)DJC5i^OIJ5T2fnLk^oGb zaxoqVePs&{5W|T&U~!+i1T8$orVLmhP1~p%%`BlU?RF|W5U6-i)N|KyfyEeY5a1wc z-Xue_7D`=5bY{wEao5Uh;CSoj7HZ~YcUlbL;NKzJ&2PFVNmwER%gQ=ppcpV(aOS73 znJ(q1#52$j$3fZNZR)iM1$HOJk&PS%S5i2r1-?z675HWY 
zuZY28H}p}Qtu7zuL=-7-vjTiTh?|L;q|Vc!Bk-UvV2NtPS1(BYMqYe$XVqRhD_H)% zXLUB|XS-)${ISTYdnDFO%v`<2!;pRBH4O`1_DLRo{Y__a%+;L7&zCNVvdC8(tkolP z(qx^V3!T<$OLD1$8m6DBS!pyO9fapFePEaxXv3K;(AUMp%J$6ic-azK-P zIa9Pg_aSOZ3Q}loW>`oHnruFATv+6v1c0n?I-xp?p2XO(ybmnkWadAeD?AL?7sn@fW4xZBnq2Kn6Pn}?_UzIPh3^11M++?Co8B!)QQ-sHo6!6|tYt%N!G zZ<;s2N6!gorlPGmn@zm_L=*(w;m8<7;ybpb5JtW$kJ}OLecOG*^hjDT&-WBVrpBotL?x)gu1bY6TS54cOV;T9s~`MwvT zi5wJM5KMuP5k(@Oh-eaA{1)Zq<9c-t2dFsf-K(8l zWvaIrCK#D=r*EMV^4$vP3lqvFu%D=dgDXbelCI6{nE;Z7ks)ghr%tZrf=ri5-h67Rxn#yx))T6dVaz`u~ z`S4~_h|Q)Ax^{!}SMmC8M$_etj)#O74kB-ek=2|(`xFa|@Y8a{B6D$_R>S9QnX+g% zrgFv8kWKzl$qP|}E7UO~x(VtCqPLtm+)m?iy#JW{1F z<{ekPodH)uU)8a^(h?yK&`hmF*#c>>5!{I(cf*O??9s+I0Uo$8D*tJ^jbSY(`D{h; z5k*%7OE_ak70LA&(0l+LwDy9R4q&D$SVD4#r6U4{ZV#-tdmHxGP1wRX; zIHG3q|7gs*{mPm4Bxj6uA*&PGJqTa zq+=|AXXiTq0%Jm^6cfb_l=!ISk9OQ-j{OF<`2+Wi^DvjGoU*8L&j(6G#?fcFn-WBr zscnDtfTQr0WA4Edl+VR@e?lVL&Xja74faJ3rZr_#tfzG^1hqx)2E#A@5oOw6`KeU(Y-V_2mVz~4u3#I$%-w6p5zxKHi zq4`p4D>JOXW1;)xYlk`aMUuk~8IGY>6BDbp=UTgg$SaNDmGTg#kjP058}*QoD^(TZ z@HW*bY(uJ8^0gC=b#*ZOtW6UG?_>>kjTI5|V9U#^-_kIaPV3o&R?-H&kZ>;lV5^}2Fzs-6f~Vi`S+w=wgQu7lui$mi zwrh!wMg_k(c;Rw^Nazl`Y17c)J#_$Z6XQ==(_B_$5>?4%b8~VlaNkRcg#uF})kz&* zM{y17A^@H>Y|kjC*YOg>2`?vFu@R2?9Fp43Y3o!@KAXESb?7Q=XdnHtcfkj$YJ388 z3vX$wABY+=eQYpe<9GK!r*88uHMRuDUwEiPT?578@F>^v8*X)M3b&-^lxGXd*~r<- z0@5VTcI{CgG6=*7C8e$vI%{n8Df{uyv1ZxoTih@6CQyK_{PYd&D$EP)>CHEC1kBtn zUiHsVj5g~u*tCkTIqh^ba0r@X%(xyFh_K(f$&H~Wz4xIe+&CGA>E{VduzKm7`s6d2+^Lwb&sWESSnju6{e-ivHeNaeeJVr>1X^9UTAt2c2kR z2we-Y-(|SrI`Yc2Y&N;-a!}R)&v0ZGo07xoP+EilHcHLb-FPV&(!!48{#M2v=0&gX zQ!B5loTbwT{Ldx~U~MC3(`5$uU`}kGA{yr^UL(#j=M8;K#EqRBQUdwgoXo6J!oFM& zawiy?+zUQVPST>ocd}D9c%32tA(it@TqA#BdcMl*L2o~i0euUJ8T|+A`y)E5Qc(E_ z)d9d)Q6$@1CNFJiFf~wf-qDTY=kV4f`-W9LrNcR*0mPU@m|BVlvH^jZ8Jk~0xMW+i z5zWlR>6Sv#4*kje^Fh7(!8#c)wLO{Rl{|whe{%MLXK@rz1JpbjSSN?QCgUkr=R4Ot zUgL$~&VspTosPHcZq+^=drApkMS=x!sa^xQS2fLi*fFZqdiV)sFY(EO-pPFmCcRyq zEZ~Ce(T=YzAjLE41}S++QN^TX(s^zG&VT*p&`wTBGuP}9RWsoq(H|>AzayTdlU4hJ 
zjac&5JmO&>H&U4EZXsT;%4UpT7cOF$DZQr`A5PqOfM!KE;0BLqws-Pr9|m_!i5>9@(B@Nk)Cw8ZZ5Rk_wpWSZk=O;}nM=%6*#W{gI`^e8_K*{ZC_(Y=Sx zysLF)67~Y&-8-2+Ku#1rh(;=S6jOIB5<`S|9>?t_;_7COuD!Qrg|fV0{x)trn2oHT zA0uYCd}1ua$D!%!jN<_(6ky=6D}|jC^5UpSfaM!nus7P8@+Y=9VkxJklWqZwUQ8IO zz)nRcF&Sp->3;3}eDn`<3X*pFYJhHgW?Srd0q>8%{vPWw2QlwyO?0tc_CPr9CSAy>0Vk6SJf!SA#8&)+fvB$j`5%-_4c$NrMQr>GSal!HJ9`?pwohALrOyOJod&?8Z`$=Cr_0GtzdA3g zFb;%Mo;n~P)nl>87kPZ)jB>e&+LPslmyn=v6}N3_wY@K;N-(_T9=hQw_u!!*%>jdL`N3=i+- zHH$xnMwB~>869bANei?#iWpM`t<)BLz~M*d5L7d`B(DrEV=&dOZV8BtfyCz(Dcu=j zDwQz(qGT&tRlI&X=kae9dV4lFF8VZIS%f_lu5}!lVN8WUcs*B*_MMc!w-g84+=mWQ zuBT0oSM^@PiWT1JkbkNH?NizW&)w!(X1gSs3}!&=rw^QC%t^RraI@x` zc3_bmm~sW)R#{{$wltNB5Jwg_A!cv}WT1>+f$6rooUVk5~p#wuKIFGdX5E%#(y79{=pyIhwjp^VI8zL*qJ zZ&mnV=Idk4&By*mg#MLpI)&@0+Q&BiEJg*3`|IF&n5sw)ExGs*Q?)^GBxLJh#`(51 zQ`yL%(b@WT#fdIzB)#e3r|a%lG#_3oM_5r?ywfUiO6L3A25Cy6r^9mw*NIrs6tz3c z>>m3J+?Rjog?*7c;>QNPPe5$a=cbG>cD(1ur18aa?#jhIK3SIZ(tC{OR&TZ+P21xm z%R|-)PpcJw_&CczNT*k@^wHC6&?RH`_-D-;Yrj@XjGA53)`Qh`<}An0w4B)CjoSamYkUX zsLi3b01pEkvT%)m0Pm|lTg}hPR<8QfxJUKAr9eas)23mVH487*>$`yp7jaaOt)R58 z@#phq>Z@M8<9R8|2bX6R%}2e%wQFnZ;`9Dc>S^RG=5bMbDCWlbYxQ&MgSqoDBPPVE zjRhGgfL0{69rEVV_|60AY3pWhBWh!4$!E>V`s-kz>=D4*p>1mI6Qil^;jobn)-5W- z2X>8Tumi?<%kVnpFyK9|W2w}tEWaXmiZ0*bdC@TKpg5~DX{fpa%IENdSZsjfGL+4_`t8FW0t$A(T#_K)i z;_&nG0Ie!U@h)Z(b=tW7|grgP(5<*DtbcE$RKw-cs8s9wWX`Q^EFQ|(%e zY1db*Os{p<>p?~z-*nqk##@H(ZRPP4!bi~tSl39~$E|zAD}Lo-Q=3Iky&%G3p(ljg^G^nje^=6@Ce~(uoea0adQ*)G=9N7{ zh0UJS-NWVX=clz|_?jg*{5+%Aipq22iK?#n}1Ad=4M(=vMa%&dp7pJGe${6NIbFJey&Hk4g{Tjj}Qp z!re;kq(|YN{4$lNrn9cCp~^{}Ug>T$0Seg6rjZ1hxhztXQ(CT9>o&-zPl#!`i%suP zIK-2HH}P$fyD}A(9-RiCa(2KgcEAv3Fc%w_kJ228B`8r>m-gJMC$i5ONOorpxG9*6 ztPBIemh4qPLO7!~+-R?zJ?7}6TTg5*vTTxfgnJo=7Iso2R8=1bgX-*wcfOKro-rQO zc^>2~E#3rxA8Amw`pNauZf}2 z0N5lE2GEhYsGHZ{3X9;N3*cJ1Ueo&jT$B)%jy27*^p!C(30#^2o<2TEU%Q{lErcKB z=K&WnA_9vUs9)=F_i(L5M?`Ua3WC+rp=I5%kTZmYpi!vchwRKSY1y8JmPxEH9gk2b#RI|1HjlvorzPYP8W~*kuqpyQq)?Mv{D;@RqEU9 
zep#J7!3c%KfhP!h>VnNMNqn`QS!8jyig=emBFPqE->+aIaJ42BKp+iob_QfKAiBkuJ%yGY zEaVGZIU#y5#h3JjxI^s4inhh105KppkAy}=utNfwT~$R! zRPu8-PJ|ACxSJCBY46F}>q!!*M?nF9c=x@iBVcb{V72d5(AxALJ6eBLWP$5YBq93> z&`ADl2)3d-S;Tj|-rYNdU@Y9|>QqR*)NrW4fp>@iMlD*jWa7XKU$lB32M72aW<|H6 z1bIL=zPmqM_FqA&%z=u|l^Q+Fr)r&2}>7C|4EDWq> zBN&f>aLFZy46EVm*~u&>Vv`exfZ_y|5UWmw)tOBDAG(bHrHlD5UEetZMj&bKx5b>9 z3?6$TYE`Wu>)AYHj5-Ki_5^{8<^<`87AtqD;5_jV%ZAm$u0_n zf;VL}-(xuM+YV3!OLXcl!69FN3Q+;j5@j^v7VgloL!w9RCdlp<@+Xl364l|RL@$=q z_6!eF@$Zk&;0bcTw?OagvBeU+)ELhD`^!m3Lt0eC>|$61w~B{(NTUQrOhSYEmgr6- z&v7_zKvS^syr9DlY0k9hOn5Zi4ZvZohS8e!7Z6o{7i2~+6=HayYenY*sr5_ebXPUb z9MG2Mg1!Zr#3u5Cian~m)TKA))%JA(M|6T57P^bhTyMLTYNA%w8-Qtgv1h#HbT>VT z?GYm+5X7U9iFb7D!;{(G;zKM3aH9r>BgqHb2W54|ljDlbW!V&+>9rvAr6g}vC00yS zMkfL`YB|mm6n5})t1cBhf5tM?{KUWIP3=@_D?K3m8 zTSbxL9E@;G+_?qEk&F@|dQB_u{$#`fa|5D*`!`aze_A-uVkOs>>OsMr&rOs;>D$?lP;=(|3s?=RNRzAt}= zKXnwvzbF`KPiMc!mM{oQQ~&!PBn5Bw*h;`iF`ygZB#!7jF&HO_`8~p2+h++MKMu{G5^&b&Oh3-fBaW_b>N5# z!04@}p{QA0?)HzP7Qb3m#no(kkpwkoCpefGXW3&2sllSd4ER^$*#0;4qW@pC?IQ%p zK6CQxep(6wu{7JRw1r_i%dka4^JJYHfyibHym7FNwVKgGAx>rSIg%?N8gazz4EUlCjTEvxO36p*Z6!B zU0edt;_w*Q?++1EZJtAAxhP$>FY6e$B3K}AzprltWdaxbU8i+y9(aH2v}YwCv=zWm z+41owxAd>kU{SOT=%wTX`Fus@t5rNVFl2t-o={U!S_*as2>Oh_>jHqMO&px}7%KXX zqyF9XLm{fHKp;vMm-5cJQ_VPhKFpq|e8in6Hyl>_QD6m$B28Mc zwft41b__IF%kgb{{G@`>%kY~%>3?ilq7YTcBu0tVLyJl#lf4hg zK5>60;IK>~f?R+?ZC5CJT7m)Se~|`f0~x!=`8Q{m>W)+A==esvAVEY*IQ;g#%6h?^ zbIS6)mQZ~%a&`Z)<5Lj(0j-F|}l{5W@?PUw;I9uweAgY65#_ZMwH}jZ$cx7ms za+Cik!FghZe~_C!D+BUKQ9XjWqE5V;Eur-csBRZ1_+lCXBA4ot+vop!smcF%sRy21 zist!Wf^SGBsTala8*H-Uq$cL5k|T`$kj7MsX6b^7Ys_6|;Qvv@UxWI8s}WCNN&WhJ zzcN$jNgn&u%=Q>-I^NfdB>e#n!^{?ssRYp_cx+7H$>si=TmV@5oPW#)AdRN`Z{`0M zIs9f><(uVli0CFkZd))si#P1%*?(x2Vo}|*{R0Bm?MMgr_zyq;U&Oh1D znW}pkshCPc?^!eSUr?Ok=>?niK2Q zrrZzzWr?$HX+YkL6)6rMu{8uBeXB+)GJ(akeq6laLnpgn8_AGOqRgFg%{4|3%byv3JI3IzGA%tg*H&cSjCRl<^DD z=8h=g35fEGvrh^@b-KAc;{ESkM9%TCf5+t!Vq3o|0_CTNf0|G#LVzng;)yA=KDRq| zeZM$#m$LFdO7;z)I{fSE6uhYaG)!2$rfELD?;QJox4r@Ml%s1l0cs31M2#>iXDl`R 
z<|!dkf1GUf(EniT6!AMf*{t859PynX7AK<;zT`tS&ZbH?gREILJ#5(dgAcA;?Tq%ys#@lWtPhl9n-#Roa+Ba2RwZk zMuf7TSwZ^FR9N5DIUNlX5`@9Vr(~cIEJJX)9<>~L{cK+h`+qHd8XwW|y|N(aa8@1Z zPl<33Lo#JHmCD$-I0CFJz4R6`VeeiQ$(?h+zatd$w<~^+P{gbr@Ny}>-%08pS)tq# zxzsN}WlYt*+Yf>0&ocAIo-R5xq7NSoO+)D8>A?FhNB^#dx8c0w^RPJvkAtG(HdV|H zc@P7^ps5!5xGFJnYxyDyFaa)HHAbTU1zl7u^c^p$Nmcu6MMT4lbg?q_)(0K ziHVi`oyPvpal_rI-2yO2efXQSzpiyf=u*S^6Q`Mp?D-HMU=|t+pZQ7smWTgN)2(le z_2BR90LVIQPyN?0fec&z@4j+HIQBm;I2zU}-=zm3MHlyH?GLidjysruQWQy*fu3Vs zCmj0^xt#j5)l#v0-0q*B(0`AFsLSX>K!{ZJG@9dgZi|uunTo4s;=@1xm-_HR-RIe| zdXvu5sMYEWeDP9x-`&M`p;yR^npk;xga zOM7zQ5#p>&m2m%T%ZT`K*d~CX1xyUNAvftMAo7V*;t8?(x>zM(ZQg91EeM@B*^(Sw zc4T)i3OJ(=IFnvJb;YGFaPJ8d6(#4yB*@2fPemwe1S4k(qeXwrDFZWO55uLLrsUPW zmVYNOcs)2LhOyBVv#Yx;+EK0FL93g7sMb727>JU}SbW1>o7`buHu z2uB$|e^J|YHV>k{%%h|Lpe)raH zaY;0HL_c>#Vm{NxsD5$(MIBQkL{Y^8QPEu+;ZgOVkMeF^ zoO`722@}VPC#zJRvhN84XE1s`mSQp1|H#98Yi3mLh|uRw^;h}@hhW)|us)nv-2AU3rc$#cMYW2#q_kDV#rg>n zBl=hXV##;_a6ATuq=X~L=#}(}iz)+;^YhP5wB@5TwB>G-YVndtk+SABlN@B{k{W&14w!}0~ zsxZBG8WYiR$)z}$Cdct`J4C0fpQ>h@c1=XZcqGAySr+aa6eU!Ull!AR16qnsqdh_S zNun_!sjmMzS~f%(;$$$Wp}}8kclP18z*fVPxgo<49*$7ez{AoYDFpChVQ zrkX(bhT4YO41x>;xtLucr!Ju0!&Sh*q-)`%u`upwaR=>%4Vx+>aZkeTOQN zKA+S|lod84QA50s6+@jsj6MHMs-rt<3rwtT`U$t4M)ueKhZa3?s!7Ohp}+SidKL`p z6*9Cne#qo?zQfr7+eg&wG`zEWpe89(05#B{G55tymH2`t4UX`qB4di7-#gYgL5OB1 zlBF9xvXl(>TO9}e9yTv`4K=Zc+0!pPPP=#BdxciX=VzCj>&XmO)!hwC<|v)Z%UYI; zFeF}3QrV@(yEo3;)jr$au7S1=>8Dh&32Mg$*7h8--o?))R_M>-TL91-X9Xe}m14wz z3X3SwStHdro0FLM%$*Fq)UYFq*CL7sqdC_bg5RS;rQRcv#g(E^z-b7pR!)zRgo?&$ z`lX^bsFX2j9X3tI3ea^i8KhaVu^iag3h#QBW3HAvB@ai%%AwDfr0-{7c;=GdL4%2J+@`v5 z>tcTnzHe(sx~i59pR7Na^h0X;d(g3de`w^2nV`5xxt;>L`EzTNok5qLd?2is&5$_} z39bWRpDA)}U#FK1ot<~pA%!glFkX+0bNF92sin7?2OhkM0I%GV=AlT8bQuRv6 zJi1ErDdsXltGnrcYgfw=T9J8_O;4nd~_8<-tLjfDwR?)J+2D9@n(1oIHfzm_mMLi z`9s@!8S_4_>WQY;C-%yHmnHD%Dyp-%(C8~5l2c*R>uY0y;t+`Y`1>{J@Klyqtt3-Z9KRM&MmtPi5lk86Wf%@U!Nj#rS;C%JFM}Bo;-1fcWokLFG$nj<8 zy+84O@d7-udu~I|4X0ytPbLbxkWZ)dBXMrSog=rAUkjq_J0CHN#e2s`&3OI}@KLj! 
zyODd;TqXVAsvw=%Y;RnvaH^H7@_2O&aQvwNC6uLY}bl0}Ve z)O5KOw%9s7y814x&C73vMR#Y9ux%Dn`W3azBHO=5*e;9c28)_yf$ilZY?TTs#G=Nq z-?cuvHn7z+=2zcxAN=TQUO^#Q)c3ZV>ql6BE4^h=-EDU3kFDMn)tkB1uXYM}Y^|_} z7PM3nDjYE$VS6m3EUmJ0c)(f0^xAM_$)wX>=guY&UHIt1ww=BL!SjyE0mn2e*_=+m&gClBthn z260515AwQMQ8E(}wrHs?GN$~rjHx20!J6CLT?#Y8yx2T-Na?h;PZPbIX)M(~_1ZA} zO;h3)T62X_ZY46@0-Lzv*|Zx&E_-_F443}0 z1gcJQA}bd@A!~9hu69YUu#`XQB|P7sp_r7>gJ4l}?0naQ=eKWIe*Bm26DkiKHLrPJ zP_iGe-Un1)|5Iy*dA%=N=k3?`RAD*mdD%K%W&N(SZdYHgIf&T%d06>()P5bcU&o{I>nQQ($ZB2|Fd9^h1&eTF zOMi`W<z%i+LkehC|3xCpWj}&-vt0opTg*RT0~M$OX_e04`I4^w zyiO4=GHT1#SDdN}HzSY8c&)q#CA?U$cX>Rs@6d z^{9=%wkvf_>8+M)vs_9SZcDfQR6N9dRgunAEj}Y zeJ!hOF-v>$!Hlme)wj})w93l)0Haj>scn0OCb-0{HQQA7ZmdP_t5$pAO}NWsxF%NH z+6QB8(Y@#cGQ7wZ@&VahVC(mQ+}iKm9*jxL9oU2MXTOPhKo)KGLJ!4WwY|(kak;=Y z;D z8InqyQL{&cCa?zE94f7KLR-1^!V7MA_3m;J3baJWV?yWMuDzt!w- z!7+If!>13B5Jv(0*@f49*upP(kK>x={^K8$)=&DXzx54rAX_xi3?^>UB3*o)5Ixq3 zs$Bi`-^Q1st{1?NBIm>2VP1~?{hTlRd%c`5FAnqa zbdP#@9P|#3^XMIR_VaRed!6Gv)_eQiT#~Xh!?%O(i~YQBN~c{zuQ}s!`1x!e&%z1s z@NYB^7eBAF*Bcyx%`^T+)X#Ljlu-9oF9RL+)0Lz|M>rZik{>`zb$M&C8*fB%MBE&4mr2lbltE4pM}-N(QmIXNNy zet%1hc>G(Wrh79N=2Ms)9hm81f9?AtvNH?$JscP8i|77y-^Qtu{v&t(IKwr_9~gc7 zUz1eH*`)dA!N(x{9N?b~#@Fty)FKMTlrjYG$>HJ*){_~qKE(guY2a!lGm6x(M!+Hh zUsz&X37bm2op>lxiem>I)z}~+Q4`J{16b=$2viXbmz6KuFjK*~M{%`Kj18zoqMTY$m`aqto&DpLrqB-}sGAT`(KcUCb9g zWv50=M@#Z53MW#&``Ou)%HDe>*d6#S_GkPRNVVL1g~@*2&+g~>y26KI$2mB5I)lB| zp?kd7+8=pdYv2yNR(Jns@5SEmpxYTPG8E510&hbcEDtjrALjrQ!wX-1#o6lR7}v3H z_*+gFAU^mrj1=x+zqms)d}~+@L)rXAqfjI&8iXQEW(+1DQbVvFaAgB--|Y>0`v-&8 zfp-9FpEo#c9ghyWt$}mgJ3M&Nbq4!K3k*1DJQzmxaC?y9#v8wAu(2dXLye`#3^egt z9cK6|W^NAgc0K0IV~%n@yC1WRQ-3^;S6+rX0+X{=_Vl*bEIz%Z#&j~y#@>wCPM(mQ z4JQ?CF&7t$x18>&bcx4nXdH)5k2-sLBXW^H@YznMBAk zvw)GfGB5nVh-2?qO%eKv{I4MpLlqQmRp)SAnuFw!9i&IkwsL`e$y%xLVf(e``tu3Q z0o!*ViunI<$lAVcpf8h7UQ8~s(_um$jdqfsCuDm&*#dNvKO0TSz9~mXuJneA_(32l z!9Jr><=@G~`RKJ`>J&uYM;=Won#T1;4$9F9>0mul$OIX|bV0t#DFT|piDutWx23!U zdf#BO^rq^|+sN^QZ)(Fg5{~lQtL1!l?$uUF@uP{i(zZIec>sf(>?B3fQLMH}zObmN 
zcuD{I(Zf=@>L=OmC&pHP;Fi}J(JDe^7JnEjt2FC2j7vpIV|?|eZA{JbNg*^Wx#APv z%1F9wW{sh}`%EK6y)gUAQ3admQ#hVa*h*Bqu4y_d`vuPXf?m9@d~fW&F`kuJ0!bp1 z=+(t|#?m=ISI|9!Im{LQopACG^Ziz$_1yU~S{fXCV_Atz38& z%qIgcdPNDaoG{$+ukI0i4O3jp{fFxf{fWbRX5xJDC-ccGYOfOp=l-ofqsq7B8?}WR z`9mj|$eG2N9ec*gf8+0dqT>zTQYFi`)HaBU z9qfSiH@O2^?S|z!o?q6qT}*8czNROsZ`(-6@HSl--$`LlJJabo>umGBih2_nHdhkB z#^!8hR^yVTa*1UU=telV?_`$BroK=%vx{Vwca^EsmLzSlfs7dPDeIupQtbShN^Uxa zYHgShXtE~BHft=vGID_p7KNX0*wnaFygSb8#YZ#xlBzb%&HQu(s`+?Yby3+?s<3)7 zSD*w{;*u9OOciC<*dnytV!l$M*-?aY8g%8m@*a+<@q#XqjX@@yXc+dTB+jq)w#poO~*}yv*ns8(n8$2>hF^+1~tzsZ1fXJmbIvnV6riw1k+nIokaGyaGFHc zG94F8j7cJ}Dq>QF1a2TmFdxJ4Ku^H}$>Y9h@Q< zWTj70dm5H3W~9B1&PYY7p2w}9S#oG$b=EhK9`n4u$gG!EZ>>Oilm_n~_0e8s)#@Of zW0;URHs@O>2=jx?sj~b`yqFe9J6%4x-Z83-Ds)zk%4wOtD^u;2cV#8@M!L%uRUj}b zC5nwzs57L5b2iv-TOLe$3q4!0(jwV$@SX&*o6T*u8&!81dAbQ!?pm}HtKHbFNCifhyb1~7fx|3q7O1!w#;Vb2TBo# zNykPi2q2o&at+NGgnJ$G^Ah1x<~r3XbQ`3lawk8UO$OBUXLs`fb?TGuSi7gw>DV7q z;cW@Wx7Oc;_)q6>-0^Y zkPLa$uB`S95xakio-dn7@v}D`b8y!VN%=Q?;W+AefLG{ z@NjRm=Q^F?V0ggrc$-or>uH@m=e%kV9X0-o$phFvhz>Scq2#?*2apAEoIHi;o5kS;iVn{FEV=8 zBj6>Ot{(w2NenP+W{y_H41#tg!Nc|j2gBihuhV+rz+$_90O!$x(|gf!4)%|`ouh-p zqvQPrmfh3oG*(yKUUO~XQ?8Og_ZhPogGCH*cAo6WGWG_lEl4_PQM8eC%1qP|{d0cw z5kt@|S|sa&Dp5&jlQClNLzEVjzvV-f{OPd=Dp8|x9d^6k5Dstdq0?#YJBOo|(;W<3 zhXZe~yYF~=ht49wfzVbC`|&dJM*f$Fl5%G4r->-F<-@V}jT$|o>7???YJ6brYzK&z zwrGTCNi#zv^S$~Qk%p~P+A&CbKHzq#lnokhqbr*M4rVZ3fJc^IwhlLQ=2V1@QKiAR zl5y5#eh%Dps4rKT$1t=;N28qh~V{Niy9$$$?aWYGOYcMNp*-)9!`tW1*krk~z2D1yG+=eYbJS|6O zzf_m-;3N6P!NK8+(Z1I@cHI5e{^9VTb=-x&I-b`Z^oB1+dyccfNKQp0S=XqoBoC|T zbnG(Jo1q?#zWRX1nODi>EAWe%a28%71mCZpT}(ALPMNiEGKn_JE>ud*C?(z!i%-QY zr#_9!nJ6v^L8eXHDTkIO86X`TtkMF#c`#`x^On&*S?FAuVSNbgP1r%NbP7o#Usswy zFzHXxJig1?EWa0@RxN)`bF8C@>OdvsQ<$T6k5?v}K}z)Sq-H0Md?)!UM_3{ZA{;GwO(~Lc7P{EJtcGp*DxH#5O}5O? 
ziM<^q_X%zw=!`n2R~@nGG?n0>(>Zv-5?umCM62d84?_@Ace19IzPsNkPOlXJ`-H~(?7Map{CqVE_7(B zehF8_ZOOd*w3bTombdDfh%OOGR890f#u3$IdK(T#!fF5qPx7H!L{Y=P%7z&?ek(mq zCwp8|=uj>!$>;1wIVDv|!i;<0pEk6SUM6U0rY?^!aOgrofF6I~&`ME-a@*ir(>{La zLHb0MZw&O0gNW?@$cEzo`0xMw|4nYr#{Tdl&I}GgDZ_JvgWk+|B0y^?bR)$n$c_B* z7!S0gd4#57H)bQEL-^lWIK8irctuA%UVwIdW4i(UCEE{d|HdL}Z0oq?CJ%%%>NJk{ zNW@9kTCqK3U*AUWyjyGytpa!^-_1@2(QL%o?Yz7&5#ceXGZPX<4Aa0X2r|lc^^by@RB{;>atex7}YwegQ z(k^^>TR}`5Q31hAeh8e@`3rC8FlLkul8VHlc5qYev}U>^nk;OL-kABZb;Pc~iHDVg z89fWRquY{&q%S#BKdc0%YO=5xrn6fKOs?e8CS6E;iCKQjx?{*nK9{1KJIWG?cB0!G zI8yH9@|hA+UGfYvqy&7Hd)9OWr6e{JNv;{BS+`rtEierkxru#5)dZ?>&e(?d!!}<$ zilR1QGS0t}EM21y+pkvE-)D=fRzWM%DIO@wRcw-rSwYg(!@P5QfgQyjA;2&RNHL%CA4v-K%Q z*B2taK$&SMFf}jzyEX?c*LYzh?P507eCq7Ds7w{{*2!lLhT+h|CR=9^`3DafFTcGH zr@wlisQob4iDSd*(eMtBWcObd#*%-rGF^4d?P>WMO_B)CAHJsN-*4Bd3VD+{?q-2j zy9vvfu%bMr(tH_?{UM7ct|ZS*)@Yv7AYrU9a-!r>Kcv*>*=X1Fz(xDKk4@VziJfUs z#(!^Wcxy$vPJ!vsi}m8NSjM3fMb7=r*b8oFcRQNIH>j=~>nOX2)*zD%LuYgDbH5{R z#*bPh6g6F~r!VKI*3;W$sP*)g8EQR!Wj%emIO_`$#L1tAIFWO|)ny1&-NW*6cr=yC zpsvNJo-ppI-Y%tORIdx>vnnRQlkc1GGfb+mJnl4LTUBJnh2KtZ!$b{2XJVDkKa$?0 zDZb7^KbWOH?~?AMLEV|Cod)%0(z4&#WQWtkeCC<5yT#e>X!bie8Pm)~NnM)Mb?##p z1&cVh;dVwTgljx8_;)1=4<=Al@xqHU8V@QakN@$1{vZF}|NFnuzy8~Q*`{S{hKUWe z0OXr#ky!W8Jr2pbKY!T%8Alu$!jPlss>~DhlW~vuWY=H4LT|OovIP`k z>B%8;z&~ml5BM0A^}Q3_dNWGo%o~r-l{T`{-oUJoDb7}(V4|1IDJvzbOh@aWD<`sb z5Lafum69)*FxOp9Y?jkyO3^3cl@jMu_DX4{=h>B#&Y1?5A!(TDS4uyQ<~9P<5qz6w38HMJ^5N(e-4H!rnQjGt}B1n+&zK$1=mC)b^BQz<(c5+f#DuBAc_Gv31;AoP8z2P;@|U5Y2{%wGHbh zAoB;rVAL<`b;nzQJza&m>ueX?f0#}Re7}v=R>?QG19qf|OsW+4QeY%nXai-ov*S{| z!s{--mocDfiOe~;x+rV#_GmBsTvrPiB)NFJ(6J)vi*~acFzLbalhE0%a@4HsR#7n_ z81L{*Sm!2%{KbgB3&=0;T*!AuUHTywO#Prz-u`4Ptibe>6_ia-R!D6Px+KBW zV9HRgWYGAmtU=esb8S#sg}2(EbWH}OPcyzgFGxYQEOY z*P40T49`L{U)y17S!+AY+77d}!>sKvAJPs}YCrAN@dc{H?XPJa*0=3O*7wJdC{0ps zXGKbUQAmm>=vUQ4vU;w~EOafGIW!m2jHTzQ%rSidv(O4gpq0%#s~c`EXp*_Gv8Anf zW4;-sErrA z3d4Wjgw%j5d1>?HbKu9`WIDUgYuZLmq4@;yJ9IDNX|8&jo_u0T?tJmp`~H{6324aY 
zC>-ls#atq7FMwHW=(%d{_(SKqQAAz}Shi4{NgSM%urjY-ohCiOub3jr%e+PrPZ|C9 zUNoWi%>Nd9*@8@8mn{)C=bxP6eYPOm92q^MQWs^S2Sh8B|hfe2VuH$ zKsgTXH`Q}r@ix2o=(q3{1gkv*uKIQW+4%bQvrFU7&j%JHS#}Q16r50dI2etHPK}kIdR40W-B7%{$MDG0c6kN#Ys!{*`^tY=dlf z*f4j%dc#!6Bn61tJjKgeeyN0GX#erw{tJ1f?!#@Kg$w0a;(z?t{|hUNo8Qyb?YQwN zC>x7NHVSzx6qCm^|Kq>^*Z+sq8}Xc{jDEcluQ%c)+icqnbW>wV+h?Z3@X9>fyW4uk zMiPxT^iFuA*Tid(WgW{pH(cPOgv0=AXC1DoL)u+I%6) z`2u_HGE?)Fdp@kwdw}9&%NvWcp}d5tIAg{H%^k1j|zNyYzhcm7<7nl|XeXK0m-Br{!E2+IzkWC5e-YO`noxHyaf<|dOSP5k*L5CJna- z+Iu4ig#mLbI8Bxa8-Ikfc8Zfo&$MYmxuvj8wMk!>oV>Hru6i*jDwkA3+@hc=<0kfI z+PI*42Hh-PQ6Z$QrZYDE62a8AnyE70qp{lwi9Eh1=e82J$=6RD=t7i9EW_y_b` zC??WEBHLsVMjm=P6englQ(pCO7XY;2DB>kH{RuLNd_PN zLi>}54&^Bf0*cAeH_Ijq4#;A68Rixt{U8d*e2Gd}QxTTB7`*e)ah}?sqeX3h<@&;R zYjQGJv6?Q^k^PM2M{{xYl2KGLB`l-B`psw`Z%OdFNGntxKj5gk1^4?XoI`H`?U1?y zTuJ#e8gB1BbF-BNbv+NI<6B}6mS<*9WJd-`!RGCkJI&|iD|Mc?%$Rkex8l^` zOmA6W)~VhyW7fIeHe<%g-Zo>#+1@_mLM0lU@9i@#)Ex$Ae7lSWr+oX2i}s`Lq;H*3 zchT}j8>CFGS1R0Y$eD)YWp2h^Qsf_ex^(roI&@=&|Ih=R@~gX_{?$pg zVD#vv{KNxQ@{^vEl&^UDNhdx~f5J&c<>9E8N_(VarAGysmhS)4ANNvpdq?S?=~8>g zN~y3}PCn8taQf$d`X^;kHg2-aL$?_=owC&xEp)0ImHiiN8p3FXxdg4u-b`!}KVYCA zMw}pZs)|&~!nis}ef#<(Ej39{A6fv-$8@)%%}~^l z+DE<9G;FTb&8A(PKq?LXP=*R@T4L;{^$pVX4bqj%iOpKjWlAXzqqqd|pVn}LbY@Lh zDRsJVtdycTyyFrC)9cboN#|(Ummz6b85gE+cWloK4tZcSEqZo`_3uZ=Y&sd|9*o7g zIC~nd&%Zh6-&HD*MYrf`Wd6Ro@|YO3$I`5!f(E(5{=4#SJ5eFWa^vmzbg>0VoyWtVCyd+5}>$*45}Ord(eAdMGBr zdReTO#q_c$)xz1SQPU6SC8!m}wW7FI6xWL4O(=>hZ(1L2r~2UA##$p>PPWzvTWM-* zjc~0It~J7sOCxM?B2QGrlrk(>@4X4^;AS2MRD+Z;oX-8g8@Fiij8l44Joh8mQ^G2o z942Xbe-{t$yop2e-OXmx_~q{Itv|b)4`3%U*?lcmvt7l_ymi5sv)12WIU9uG$9Q)z z4hOpv2gYKw%Sh6-4nMY;BkVU=>w~T4|NK7@?GZYJt(Ro0+wK^XutoO5#WWv2IgyW` zYP_>8*VA{NNV46yHj)_fZ3vPOEwrVl`<8z3O(XPGPfztCNKrOa`)#u9Uu2j4T?|m; zyHMj@*kU-i70PnEGfKjF8()-U~}nxHe^9Lp{)a=hX;?T*u!L5E3X$9@gN`Uj^yEdiN*AGA!8qfsDi3@RdLIa9?`jU?!#`aYd#ZOwo=%-Tt7i zu_wPcut^pBGx%c`ipWJw#UcyEgDSsE9{1@*_|iUsmNH2jzPB$ z1{q3@(J9cQqlM#N0V`TCQ)xY;JekdJG09$KsJjVY=6%8EnX=D1>i8MD> 
zkeOz{pAKxbBLDUlw*Kr3SL?*>AE-JD_r~$LH-&S)7vP5DgdLjNZwGkL{cz2aow3FR zn#F1P7`T`?w_Yr|+>nk>D<{47e!KGnp~r_4+1yu3_rOO!gTC|NU+DHr=&SO%AP`*^DV+vw3es<};BZmj-&rVRkWy$|h$M zi+q~OErZR<=7F!Ua0TmcUNb3^TQcZ=hTW7yF3xi@1eBeEevmcbO#C@H?ZR#$Clj7M zF^||@@VxC*-d)@3yUN^<+Xifkq+Pak`X*0EU~Izr=sS?=gDHVwy%$e<{3Yv=xg?rH zi26C75e*f_$5d&2ELkzlS(Z%6`8SU<)9Y(Px9P9+O_lmn$*ceRl7@ z*XryW_wLD_U8#w~6`$|sV~_1+y4#Jm`c@QrHT8zrk6opOw#2s2*txVCEs-SEw0vHT z-v;T~aO(pFXs|lT5o;$({@k{0Jvd0@oJkM@DL9k}nPB4%>EsPMrPHsIn&q88^mE7Q zkm}yg;N&p#T-fEFdt+eM^@A%|{b#7a7$N^RLO1P|OG%p&*0(4Q_8;2P2_I>aS`st58b4V1=1?0laqf9e$S8fms4#_?{2%G*M--o zbJw3y?V&{b($)Y!BAC6CrrAgm%Qb=;nw5=%n{6W8zw zEp~SPyuI_mX^lFqE?w+G+m@gB$glc@;BMs)0o|Qr1XRJbt?81_P4RMc~hT zhkl}T48)pAZfRCfNW!1;R7MV%O@T2tbV6H^^@eKcK=Xr4+@wV*15q0Q=v3uRwP~if zYbIsEcaBpfCS{p-N_wR-kW%@jq|rqxBV<_XOk^S^L(0fv0#!1)*tl$@QyYdC)QOKR zCaE$8Rn>ukj~pD82T1840g;(tbmpz?X2rpPk8B4KuPXBB;zZ}sQqk%MG~!Z*EzLj) z`k5N%<;ZI*r?h1DQ>YBQ*=G+{s2wyu*y+R#(r%M<$0qiRY%y4Hgv;DZjBrU~!4Yn5 zm}X8(Hj{Q*&7e;;ps7WgsTwvDel2GSnZ96_NZO!mmMEH~%rjE{9Hew2N?JT~CevII zmY3nl4rZ`Vwhy-dyxr_HSOjp`|6R>TBmawS#xBj6g9g$u@JehQaFcTRzWbN_q?dHK z&~#m+rf(~Ty(wnVC z1*Vcbxtvv$Rn|@Kxe9`x+|1HxB(cE`%r21?T2ACxPrF@QS`TRbRc)=otu>?u5|vW< zCL872ybHIxN>h$3UaKohyT-LD4;Z(qKt;fOSv4O?w05a(Fs96bFUsqcqh{q~Ym_}n zSEK9|QTDP~RsC7RwU%)0;aVVQ|W?orY(#lt3bWGyR`L68=1AQCz^L0e#SR( zVgtbNcSmI(T40wlkMkHe6~9L)mv~=Z%De49^ic`ZrC#e>^J&oS?e(`%4?Je!Ap~1D z$QG)_Wyb4<8G0^;yMWhnxLJ^T$K3B|5^&%G6T@_IPj)iZ zSK*UZZGbskcMel(9~uR}NfzEJ{Q@OZ|( zYmM%6L<#nCr*ysgl<0Fo3ErdD{ zgXN*MK7MlPkiy)*OLPFZ}NyHY1hHF90Vu)=xLRNtR zEZ%iJS7_l`eSpo^v_*J*;3Kc7scquBa6X2`+anR2huRqEa^y!7<{d|gLzQ_8LqSwC z%<1j^_U>2YVeH+);eUcH>bMg>@Z%ZPK?2b`=aU~sz|s4Vx$ng@v^4m9cTXMl=w{si zU4RSd#y4kOBl)AyjNlvt$g--ye{V-4Y`?w3gC+}%(?nJ;g4sNPKV#1;glD z%M3mA3BFE*Eu*i-hXj;c(^~{RU6GC9*&5GFhc=? 
z|D+CZu{|Q{`>FuCm4pUAMDt|PggLMa^@?>IdgF=M4f=0-CY9Bi;FJK z5aE1AV>0#44$-F}7HfCa?OxW^WDzKJ6Cu{KuUc%Ru;n%?PPBmfIF{g^n*GM=@pchH6XExCXr zzYY4I(lojUmdODur-k%%?T_9)Yavvrw@z<8yhg$3LQKD@Rm;%&l&+r)xVi^d=s^O5sgKMhtDQ?4=Wg+4`?akM~-Wsl}Dec1`C1nN!Eu$=xe9G z8lNw~=g**laNVv7(R($du01uRZhGt+%rNU$Xu29tf3|qKt_{6#_cn{C?-`dDdpzAx zfu-^EYHCul7ChZjP0h*HczTkq#?xy&J)5soNYy-R!P9MLm4)&2g;bRbAnAD(ktDSG z*dXauX|7-%71W+OlD=Ppr0>^Ay1yzU{Yu^vdg;V5@aSGmBj^76M$~ly-J?4~sAw+Kgt0lj(ag!tn34UIUM z@<~%umIQDOLcG*e@N$|$(!}-47>zZJvAy=-OyRP)ka*+lEkpkQ#=vZHssVDeJbAS{ z14zz&1lNW$ewFYUzw6zl?dOjSq2`q9Ny#7ZDoV9M8vlP5O2kM*jhn^>GO(K#;CDnO1^&G8X1HQ#ceyrGH_JB3d$cyW zh+`P33~o|hNRi_EKaZ;V?6H~md!5($X%%!P7fGodC~3Nl0yOEB%bf1np)^*Gl-+K} zmY(<6P@g(vU-}$jefoc%P=S8TgCovnp@MzmL}w2b7%H$dR8Z~wN7e!rSf0N**%~TH z($!Ew4Habbl?thvXDv{H?X0peRIsQfVga-uuP%~=RwWy>peoH3Or?U_Q%4I9O3;FX z8ZGcwf)=3n3drLmJRJd#@4~V7`gSrqolfBpJMrmB@|Va7X5Tk%EhW5saMa9if9Nk>7Wo z&~ayyE1UxQ5L&=c|dSRwP6IlehAMz2-Mkw+2cMMuOqL4X zkqG!AJAT`1lV8T+0P1q8`m)6hbYjC+K&LzMF$g~gVhNr)INH(2%g4*r=gxQx%kzLT z$bA8`E#-_OsQNwiDxmIP(%-ZLkoL*i)l}`<<<6ZMpoF!py^JlR)9$_1Y)I}_ln$e?;jZGXEw=t{I zXW^0vgDb}67M)^{ZC;Uqn3!N5ZRpbU?5C)?0xus40m{Nf%wSA51zhNLQ9Hm$wPQi{&gZW97&-1b! 
znd{WT4TJtv+?PtCfM%aK3aSm9TjgRp_;rIv$ejv}syUfS68)`k?D7U`iYw|q^!rfJ zeti88+s(qpP4Zqh41R1xZT{-i)vjyce!JW02=6tHgRvs@oo?|hi{?Dq0Ml?ZbDnqH zl~Oo88B_7MAkR5Yf!S{VfXz-rqZ7Le+@3OvpIZ5weE3GCf z>lzt6Vxf|YuG14=>6FyWg-<%C)#PQ!W;1^ovYDr_Y(nJ&>sTgrNn>du@}Yxs$Bg<& zr&b@9j$~Y6jrsLOtfV+YayVRgkvVn7%~xN=Sg!O8YNX`5S|zncE}I_>S!}0BL)I#@ zq#=9ZM5$yeU2IH~4g3*jG9`nFUQ%l$oV#_?#>+nz4yR-n$;xAGsxQb4qh#N3Hu*D5 z8q{f6%~aq&tmW)pt2>rr{+q@7lI&+bY%`katmZ|eQol;b{ALaK3!2W;lMp=pW+UIj}g%e!OW_sR{KYCrRh zm@z$7Kl4kW&H7m?vvQE%OH?4oGitDGTeyvxQ|I_aPKi%DmVA1)Hdm2ntl|P+QNFyV z<7l2t;45paTsl>`dU8<%45LPWRhzXfYu2VCkQeU3X3g3Tj0>N=S(~8(OPjS-gC@yZ z%-SrWVNSL-YfIAAW^J`uTQ*;*kg9psV%BCmt1N8RwpwU&0b{qk8cGscMQx1Ts?uD+ z1S_aLbz`@~5@WZ++StusiLqM{PMmQ#kEt)&bb3W2Oba)%ivVwUh`p8z6&T{1@7v~0 zmr9=T@LHq$9BtkXbC&?U`jqIivUy|o!-gQvCJVEeyTA)OB@72YX4Yo>6En5)oZ+1* zziNVo(BIS_evC0*Ff|FAgfaTp@?lDbcTR9i{e49}an&68F!q=^9xYe6&j)=N&8`m< z_#Caxl7fsoaeYmeg^C)=A_w9wdOAD)Fbwn?s{Z|ZxL!<4F{M$LjHi^UD z-i4n@j1xAEvrp5=8H@Na_l@TXdAE{PO?-Eb$lM~WWY;!b^USLssbHn|f4S67O zJd5ytOcUW@MEM(?~^c#X(P3xQre9V&ahX3obUw4_o8S?V9q+NcFt*cH5@byE)d z+*w{S)Am#u5-VWYG*WWQQMf6cq7^Tk@V6mo#FSl zBauMb3gNZJJ6djPI@9Su8Cd2OkE5F;*I*ZxnAcI%DHV=)hmAHLfsU(Ti1!%$1S>C` zjJyW+BS@tOeGRkjWE#fajU$rp=xjGtNpF%?7j_y*X5`PdMVxAGWRR&bULgTO7>;&a zdL2Tle#%Fv6^4X>&ysCZURn{;2T?WU+c*qvmEKC|{>a9IW=*oAj$7G^YG>ri1;s># z1kwIb`hgAKWV9)EU1{KRt4Xv@?r({PR7VTGzoLsezEz?J;Jwm_9^z}&Or=sMECW+1v`-P{;PXC$~>ElO7Wja4oCav}J!zJ{7U8s_xaFt9bDU#sAZt}qqY zI(1y0Czq{?L&#eSlrzdB?kRqW!a0i6l?c3n5AJ$l<}?1ylQ z2`79B&n-()f6~gPA#Tf}=v8IBq_?mRM$kj~wPT6piTD-0`DyF|wutO?L)-r=jh>e${tc@TCtWkEqAdOfnm{&6^+D2MO(@4~h@y zX10yYE`qFR%-X1@tToNg6R*~_hZpYQX7TDn<1Wx1uQpU*X}r3cT9K>;ueMa{aKd=k<|`FaHP2e`YTH?5alCpRy72{I>%59e5?Xz2VC$+hS1`{CYEK=uJ}QB& zk80T3UkPk&2o)Tk(IbEh+kI(P?eYWR_YGU?QpqzOU2AloBW!(?yAtTtr$nC%Y^{WO z*Df}nu))IPr?6wQ%g@L%xP~iMFMb{#idY;DUb^iHTH%O>8KD7CaK&?7y1KFJa(PLF zUrR2Q!>fg(nNh@kY&NvY}=l;ZQHhOThq2}+nly-+qR8q+x>d( zy|k~;B_uT6(* zcr;QgKS3KD)6d9Jj-*(t-ZgKF{X1wP-1RH#R%+d>(p!Z2do_qcTXeifqpxf5vct^$8i9h!N) 
zQ=%B=`LUm!zN7Y72evYym3lH$do(kGK=If**YVMTQ^k`s5I}ze{YpEZUp z(X3Bm$1Z>iWM8<=#PEBP`!8i#exw0YF#2n5GSR`0ru!o(@!U>xh@Clh|Bm31GVw(& z_CIzlNo>MvLq`yeEHiFej7toS{PTG-)(US67(uz*s2vlI8<Sl;F(As-n8~`2CBE*gGCAU_&+BD!lN#7W@n%H@H+K#EcxyG%Ln;~ET}Gf%Em#|> z_a;&YC>8hC&$z|(wl?!R^lWV9xj=0D*LTl2K|KFD-Z%X@;bG#jGTa?QPE?%v%dYUGv&62`x|wKmvPJh)NA7( zLA|tm6RSt{+EDzS7+ZdE`5~w+R$g5HM^IaS2X7MN!D7I8?p2B4EAQIxo*2nMoD$wcZ@mT9$@Hc|BEQ|PeNCZl?u6V zUbNW^op-+*;3jv}6;pXD%FA*nkQu|l{9}fGypRR~#w>C#fqWCBAc4rT`viblVJN|0 z*E8Kj`?PS#9(QWjIUfx|O}Dw%UN4;XSBMzt;Jw`COlMPsfE%`NJ)U6+I~=(m^p?+a z+Bq=UWlT4FH^Ox(Fv?Hi+(Jf{4Y_x>ep|RYX=)*_WNBB?NJ$~EyboSdg z9t#>$FA$B(pO?7N3B$MtvPPGrLim`wpMc+J zUkg0i3Mxp1FggMYyQXjZd@4L&_Vb$f*w<}w;6-gFoI|>{yB(R`>^paM2v4DM;kAEZXD*a|^V|*6U8n-V zwh+=q>0=dh-V&O6j#uxpDhGJabdK7O4}JCSs}lrz!p@A0CG@A;cFtf&7QIkIq$`>^ zO~kZ;Hy-C&i$XO-m4+Dra+*(%_BQ$4L}RJ<&h9!6hoh6?i-fb0Mm+{)W(x?3nb0g@vXs1LV8ZfV-*KifowKSDEP6hM26}iab;5 zKr6|C%HpAT-j}@Z!#tF{k}PLdj~?bxW0qaX)o!I@jU2`}7+2#zfI(5mjIJnFC$JJY zphnTkvW^}mIkRN07Coqcl?+y%YCvV4c2U(pkJbuzu>usPtug%JxqMi{)jvFUvf>}l zJ&ch;Xgk1+zgG(#%`UM`>Rhxve#`0O&_Qw^KKLiUf}F%SntA?5eg!;1j#Z49C_VzhywX!|HdWHVN%8g z_a1!^%8^->!NCA%Nsv-)b0XrMmGqRjD+=3Q$VDVA)$L5PZJgF^tBd8xS`vI@i-`?@Ys7ZY6a8!U}AA$!bij2dME(<;ZshFIxb{0!i_pgmhV>o%tM5nL%) z?ZD--A?|a@Gy5>)x)Q%IO~}1_oQkWM0XiLyRz}%32(_~^+kWl``0HK4FjHo4<~%gA z{;agZSFt@Wuk~1Nc9}@3rQ+2T%vE|AxNL4OyDtrl!g$yby(rU*xtpD#_p3%z=Df=G zNhRAU@ogOM0!iyP>u*fj2-5YgMi2epRBGE1HXSH=wo+y*Z%-Q|0p5JjW@<#ST4=RL zxEVLiBzXsB9($LrKvZhT_Sa{-EoUmFf)yyPM{k&u^okE^EKwcQQ59C}w3`Q0{jDRz zk5jnAEI*(Hy(I%GrV@0xN!kAgv_xh8sW8~Y9G?0gXwldH0WHb&HYh5`Kmazn$;6OV zrmO%q|H=Uh|H=WoE?guKHZ4j*tzYB#n^I}I*$hmuBY)Ym@P*mP-Y&b)yq?KzM6unc zlaLk1XAnn0*TUwlUpu$9&s8-b3;ZiF@x(W^$WoYO#FahVu`u?kF3x-QJFJy`B$u zZ}L2)p*0q@kNe!!91f3rdr7=q_R}JRkb|w-3`beaq;;uoQ*xcR!B4odnO4$7S znop+|F#5XL9js!?+iO2)hQAI|ui!$)AT8ffOUggik$Mlfc!%O7+4=r=aVNl&gwvqVic6@;L$*MkFa;C$TZn*B%sVllY`fVudlStgd zKr9E!lCmmdp^EZ(XXN{4foH%)7SVb~!I*btP9Yf!35P0=TS}QM5d=dbt@WIb 
zI21(Q3~7BN4e?Eqb+h#p9O)VuSs3ajcGk0x2r=Ao_wseu{0H!sJH;5{4-JntvEP)n`PU=2`9AgHTT4qI>^4&>|MkyBe0bE4*h zJX6gLzm+9pU*PMUFcV@oXBlU{6|TK~RM{4p*)^MJRkGw_YieoK8jwZx&H#>urof+ES&%CWjR%%b!jT?<5dkd&83W%u*|QU6ts6;IM9~Hdh0+d08F1 zS)*5;sD(EnM3)9jDf(Pljj;^MLvCBUP|LJ>u4;^Qf^V7D4Xx}3YK4jH!T=e$w$CZ8gAk3)r^MI z3}Vj)N6uSmASdqa!Ef|4dzh?NhG=OVPh-Ep3YLOEsm-q_j<3A6 zTkawVxRsa9!sqYJV7%T7`n#;O{Rg7e#Xg1XeNRO+#29rfbqy1BISx@n6&S|ZuwAv8 zaQPDlit69ING+`2Aiv_}5L2sLt6#Uc?<2PPGdhWdwJ)&c*;h(}W2>z}@x1Ek2qoNe)DG-E~;WBrfx`*8kTeB&nqALN=Q&uOJD4rtoYC$56C)|`|dw>8!rYGsc zoexW`sTL17<`;&IAO1bc$=P@7tqe>myY-TG$oy(aQ0I_$IBJ=q-nM9ZZ+xgGQ?MmB zDP}iKGqhg;=#>H`MCYt$A3*2Ig%ec!nvo(&tP8bsj9bk8Jc~e)9Mff3Mjvl)Oq~1+ zrO1dOQ5J*Cx%FNqgo}@|XQx$kEth88=AQ(TqtScMbm~Q?o(e0_Vk9-=Y0V0<6MoAt zVqfJqkHx9$s{-sU1?=AL0g3{R1$NgyoLmGHXI4IN$FD201g!xdXIAmGA7q73C!q%H z&Jve8rAGP3GUpM%eVJ*ZpMP60qg#Z&v$LGoJX4j33Z{l}DS5IaU^{W-#=`_%w`Ta} zBiX>sDJeVud*f)$HD>87fDBCSTC?zjx~^UKtFf95faG1fmXk!fIdlO>Gc$xJqz^Hq zZ)`$oi1Kh$i}o1~9s-Bw@D4`hkLxUh(FHchSn0trGSOGD0o!0de|Ngrjvt`uytKMh zq!HYu)>ze#LCLL9^@WM16UcnHB3@S#XRI||UZt0Mip>fysFgDj?=GKiiK$-vk~RZt zAu$sFDDx$v>3Abd4pyX>IPIgV=uVi7RO*P9znRafyY35?qcR;bb)OpeS zmRDEh{=XAt<#~9~z`-!?LH+QBHj%{RSViHGN6)(e(dogrq+Byq{ubZ%)UjpQ^XU?d zo=f*_D`(LOlWwcn*5nB($5r6eZ)w|kI^zwHf?MJMLekAIz^?v<5piK)=ty9XNB;b= ze3-sP0NaH$#^Cy~V|igK6-UhJcd-)Ut1n|@{&rk|-RltC#?5Dzp&u$Oq6ozn6Jal= zAiCsDKe$90V346m)J+Sm z0#)^7j_vlS#uC=f99I6fOa7q20HMiDyNc4Uw3w3`zCd*`JpR$IwAn*KwiQev(TOEY zGq7~ct4Of?SOY%HlBa+L#vQA&1+qT@5VnY6+mc z2MNHL_sdNbIAXZrMp66j?Cw{ui38h-D_rF{5Cz!Qc9ZC<22h3Pt5VlCK+**hi0awr z0QCbcC@wL*WY>2Rmy*#r^_XHi`XV?Sn{K8yNUna^D>_ryOJexR{-yVUXA}-bP-~6= z9w^|UKF3DTu;D%%(7luoMvjCn*70^aF{H{E5b)r=eCpN2Rjrat19Ft)8P#2<*mjmSnn;oPXrz1 z=oMklXQXTw=hq9aq1A7=I*V3Vek3WnDuGtW$L+k@n`33%3#S6rBgx*%4!KmMh~xrI z6Y_1TS);K^1XmIk-~r^1Ek38<v?y&?Ss+YqF3noB{|#W2{Y-23P#%iG&KA*?a!_A zH2AXKvrNt>g>TE}>+v5z5W=66ICvGb6dH}7ybm3U0$3)}`!2i54@1+jV*MQW?25}F zRbK}1aH7}c?P4Z#o-gk=rY#?945ydR>VU0qLf%ZU9hl&g0t z0mzj$VP`XqN|xYY4QXB>ZuTn!x~t&@?I{q@r_y7;VYn(HtxVP**>!&fv_#NM(zQn! 
z>PZrEu8b2nLU^66=@f;XuKH&q$8}Zb5RaUKAa{xIvn^3dV?ILzE1qN(@+hdg{8UO( zMC++k04nIDr(D~ql;a!ieJu4;a1u6g_1J|DAtAaD4JB&-a-NK<_F8f%$Ldh|$_}C}WR9))ARTtFc6p6M-_l~YThl$K7q=hsg zd&686%TVmN*SYvB!qj&t7x?8b-5ySre&$}MVA)Oj;Qn=@Vuq`XDyOhh$ttPG5ZYv! zBq_=i3dRia6cMnSAmTqo@C&8=W+{N@V3}`d!)0!9Z7Q(JmKaOglMuw)KPt$|4qrQPvx>?1zBapD-b5)gphcXlM6EsgIwil3En) zeL|SFYZk>{79}}G+S|BYU}4Yy&Ry7JehrC6%E>|zEHdZ_fm2pJgpyHx=j79CfY1qy zZr^~-6uH1cyMZ!A{7LM#s0s=lGRsD&29fl3{Y@Ie3DvBTrBj6ejUp!PNR6P!$@*H2 zK`4}`$W@6$75X~!*>ejMGKKVWNmC7h>#+?9?4&gb>_r!(FUkwzBy)}GzilN%`blpJ z*}(!A-p_2k=MLn<>wW(+`?@st&+_g8EMGq}WE#MU-yo%U7F~YlpbXQymv;*gN?48X zhF8Exx^kJ2k1ZDmmdMUtY4=;G13ah$qww?#9c(f*gPr}nv?wqGs0z!5h>Rak7(A4? zI+C3f($VWrU&-s%>7r6C-tJ{R+>lTfMrBq5J>j0;t2yb_{3rw)+n+)M4@8u zBl72Q$6L17M8B4z>9kAV*t4#D&YJ`)O=?)MjSiaQj#@=L8(A;C> z_m+zz;y4I;+?8uT{+$72>FTuwYk6w)rR#ZMmeOHJi>u%U4wqlI7ol|so&Yvo(apoCV=$WxNf(< zMdbNTn*DS;nUB_I$323xW2=-Z*)i|626Zbekujnae;z3?&mrf*BVK-MoC5M|BGy19 zPjzz5q9#4PCuw|FGv4~P5nuShDCjn1Ua$SEN%Zi0gcz7K%|XeML_)A$qw$w{N?5Qi zkrK@r55_uavqopIWeQw*v4z;$WG=Z(Q&K{LlGH2DhzeFEcpg0>Mx1#edaD6Z zWANeR;sC_-GPnt>c$J{{QIDumYXUXdR#w6v7lNp96Qag{T?ipo41^6i8mO#>hp;njBtxWY9yV1WF3Ow$6cstub{JoIiR$f3xXv-eJwlqZ_)g>p4kp))9kc(N^i zeBbDpmsbhTjkV~jD;I-c&%}1TdorZF>-piCVrj+E;wo6pBE6cR#|a#uP_-ysb1=5y zc!fD%Cv=MiHqz=|#TZ@A+k|@M9IY~X)EU4XdM;p>jW4tx*l~8m=Y!HkK3_mq1lFOe zQkBP$i2hQ%4=p}JS#cu=V-R$3NKY*ppH9eJG!e`8!@+QX!pQs${$+1i-pcfUpkIc*iU4X;V z26Ynx`%n}_j<35^e=ng|dhuYO2ojv=p$A)$FOw?k`T6M;7uU*Kfa4!De+Uu2hFK#q}5e7FbA-AQ#JmW`CPEot{J#$IYtc{qZuMRXnDC*_wiXj1e}-{9 z$_y&(luVgB^EWyI2V=M)3jd&T=n-IiM2T8GF8`ovU@zo~pLjwwn6M>3@qcxuzktG( zW+|`$gkU@qgmL1!$w)VX73nC%ia#%N{O@Ii2j+Vn9u8|=7Uz`XX+ z&Q`k~ceu0*pexan=&D)9XOL*!<9n!2Vfn|F?Z%3C6BZ-JLK!5Y4}ypeeMd!^Xli>N zv1snD$LJK;bB8}^j>QG}D7Ncw42BRSAq&068B#Pr4c4~0AWmtL>LVHhW<4!0)oafY zYmt0JpL4!Y4{(|QW{DrlkJIFB4VASA4;k-*hI7@3Ee!F$Ij^;X&@}vd`|{v#Fh#TGZlx@Z1^BcwnZ1jUQo?Yc{Yu%nlLei3 z$TCE|(IPDGVL{ zYjr0jq9|uZJNhi;;<+Xd{xirbizpnW{j2ol=2>zTc@aOTC6-cE`7Z7;FQPeuRkl?W 
z<%f=zs~1N69~~_>=V`D8P^ql;&<1gutgr`yw?t_H!l6>q8Ed3E<#C_AZG~~-t`-pU zJ;)>CGFUM;ivJTa=jK(V;FDs0VE^Ti|D%;?6-L8Hu+{^9q#1~24`Aw5LcK1%7)I0a zig?9Gd&O`q{(D&d*O})2e0w`2)33zRZSH32rNBMGqW$wj;_lK48+nU51FzfFR(aK4 zG?^dLqE}hEOz^i4?YD|mmR&R*>6xWh-7s3ie~W{-UUMF%Yxv#f`HtEk>XQ|gK!BDk z%|NLCX72Sfb7%d!6$(I9&umQf2R3l(?jv@w%V~3(I&L#bd5WVG2>SW;%#}##AAH5q z`+^Tph&~d#lUo`pLY?`5?&ZfNhN(%Es#)f{}(vN1a{ZBIhTca7k?_dEtv&9Xp?82H5QGpq``UfHd zVz)j(h5n@oFg!d|FR#w4=r-zQy8|EqeOR`i&tJha9!vPO0o24b? zd&8JE+K`$mKcgifSVIlk150)XLjBS0xZo`4SRq&)!@>1Ho8~`qoSl&f4!j2Zrg??g z&%9fI<~D2tvY&CW^#{Zq0&b(lCw@lW_%s$<9Cfc;>`jda${;1vKUvF zD&4X5vJQXRaVSNkFg~CO#3OTC{bS+VDWDnUCt>MxC-j5y)G&c=*x!FO1}gk?jn$sY zGJo1GY4;It3H1Hi2W>5Or>#`r1FwEL_Zst3(Z6OIAB420VB^AXKY=Qpy8xHeT~Y2A4eQ0c>;}s z7R+cuj+zn2x{?vcKj?M{q?6xg33BpE$o|%c5gUaiYUeQw+6ok4^z#RVkR1|Y(SQ#y zs#x6(vH~HKP$Obz2}t~(9*ocaPY;HeCiF-Xxk>NLAQq2MC7|*u{?UV_|Dy++J&oU_ zcVXtxM07Z$^+CXfA?7^J+>Eo9$G=_+2d4){7Ey@8|xOh^^ctr=w9<_w? zc`2Ct1sd;<=vqr#2digO^;2q0Ls8lNc116bG8|%~z^)iT48EO`+^cHzL=ma3P6I)r zY@x>?d~58G@)30>R>n<7TQPG|1J(dh7`O%hEr|VbxTR#6D20mRWn7cPKM^@_mw8N1;RQo1JH@6~m#Psx(QNjdQhjK< z`3%{A$N0Ch?1BZ(%HvwhcyC?lB+3*}8v)&UEHPqL^KVXQk!RaN*KL|k8-2A4!`Q=P zey^bhaW;@}D`wSj*9au?PPhL2X{YF9Wy;}n*~JSN&aiMvnX(M#J~oSTkn2T!)mPm4 zKLm?jcFBp%08r$xKgvwuJjZbwtP@KbuvPRBjmvIBNt&vTfi6$snrUs87y z86wqy$F`}^J`S>C=l)6Rdo0*F|BI>Ky?-%f_fnqJ8OeX>-Xzs)U6r7U;BHb*m2L>y zMFt;#ohoqn&LVtO14Q`!3f=Dg(y&q^JJYrM#T7d2T=z@J>ia+N_4f0_UH4~gdTQf8 zSQME&054W0h!+u8Pcy5FzeQSh~u2?Vo-(CmuQmb*I4Oj;tB zHPC|>RP491h#ptvlH{AFL=E@PspH8H%z9OSYLXwC5_0%brjkqk_@1V4V!ij0Uzq4q zGJ*M~zB1oN3|m>2?QDNq^87ukvE(+g;1=Su-`B7ja2xKn?@$Dsq5t6s+=crVNtNI; zwM!5`93dzE$1NL$IrG15s2(>kKODh;yHMV?0YW@}!~uxRJWI!<)4Ko5pKY>U@ zlkf4FlyK&JY{MY5d;w}qe0|3N%oDdG*%Ei#%ryXcH&J;x;^cJS5>hd`I77KhA{EyX zh@zX>%sIVgqIN08;bXJ_YB{zNYLemn6ufa9NE8g0!48htVRz|%?BH4c{)z&x#GSXBKug_Z0qXhpA;i)Ap7N6R^F4fYr-RFbijC+x-J194b z;)tY=usS6FE&c0aAIWLaNB<%I*MJ5AP^BIhfECx%W!P5d5_ zgl2GJTMRW@#*syY?U<1cYH(|yrHC$i-_v12UKUa699S295AV`hOL$;pt(e3;?wsIX-8783n*_<~ 
zQm;vZ-}LolO5;Ks6Nfrq2&)Md<<@71GOU3Z4+2FnHKSVUHH4?Zn^3odibS^&x;z~! ze@SveboUAMN#Jl+8+|{^Z4-V>?ok*XFzByuD#;S!vVp9h-xpobjvMUttRHIh+dL>% z@FY^*p2u#MIArOMSH}A@veVrvMyZiV6q#7z%JB&}Ge;j!H64Hm_z;qRXl1Dvnz-sD z^6agc`MKfSi|{!{zCRpqe<8e+(k$^em8f8fTW^yvTjB;yms+JS%+1dZXCUEE9$0a= zdK&@_<~X-#`U4nP4eW!2MTl)!vw(!v-vl6N|H4;p&j3*Pg@5;IN?Dd;_A@@8Vqya{ zs9ie9Js4I{Ob!(|SD-i;Hm;azC|A^JCKt7uD-yL@6OP!&7>0PQ?Nt2c=!6xFN5omq z2`=>)PM4jef02)4xrQnB!cQhKO=#03fVbJA)c(&2pO<$@dW1bSbV!s}0iLeRjkR^a96JtbVe9Zz0K zfO~>Xs^`K!e2+Y%5OjD_k3h&AR<~bxR9Vt5dm#J%2FR>+q`w?KBc53juX_Rt4_U3o zE&Fu&pD^Cyw*uKx`S3yj|!iat}@-w zBL4*9mqSE)(2p3BJS_Ei`3~x5)%Nqk^-`&@?nma|ZACpwij&#oXB1VRcQ=${CskM_ zsK}$hfdwzYgnWT!8{ss>kZmD~&7G{|(cN6|^GbEuZHJBHG;{^1wc=|FTJ3E-Vki7= zaXfQ~QEm}Qz<)jaB~1`D_G;DPe#q+E@%4E#WBT@P6TZW>;j8;Q$uVDA!slRXtc2$I z8wwbbiTp)oQ@eRvZ<;^rv}~~}n$={6Wz@Z#SCbkFJeKk~e9te5om$i3&W9S4KzXOK zSm73fMGCw<&ysm3m}YeH9XjLL2}6_Wp#R}~Go?DyK(V;zs<{kDep~GM36%zpFNO>b zMAvns$kuK~j`-akfQz2n(V${XRcGk`z@`Rk~cNh#xnxrPu1w=U5RO<@PK~(}!`=$rOdZq8xe<2q{;uXvmE%#r%a2{%DUKHpRZ z-dF&FUsMnO&Ih0LF!4%8etqDB9gba?kC*ec1|Eh=%b10r%2NTm);F)-T&V7Mny%o} zy}k9vE!?RSg&nRZCADe~+VEUlsJunFdRkCW7<(aF80g8BVU{BXxa1Zo-VetFc{nC5 zOk5w|+?={XU9cDXZO@op3RDMwO@hYJaWtn%-XVmA(7-0Jw8yqNURsN|CJ)2Zb@?vg zk`ey=A>kvjcxM9c5$}cwssIP|u5~JG1HnXa-M~q|f^T2ZVqyNPvL`rKlD&XqXxw<$ z7ONGOB2oTZeF1sz?+BqAK}-ysDHrD(M?H3CUB-dM2leo+^7(@?v0O#(kfwqsM}b!n zdSz28(U%gF`q9iUxZV3(2jg_YtN*&yUItcmJ`+=Z`sdlh5asX{so8C@-veDN>;7)^K4L+p0eF1>f zK?}obNXG*b2>5efZC27@|MzLT7V<$bEh-Pb1BD^XZdF528}$R8I$bvR{#}-6!|jj}| zsZIy@K#60<{$8H5Qulc5etoZ4i67%kSbw;QuK!V-Y; zPeesVn4Di0G{Y&KxFeDfpHgFT^3g%5Io14GL5#R!&ff#w%u@2 z75;t;fl^H;5lIoB(O#HYgkLY!q}W5%e%30s)b`BRfmWlWdyO1wiJTG-B87ws4ub#L zvKv$iZHUN02=}Z0q&s;;*30JZmk7a#JDzaLG9j~uCIT^Pz`Vy)nC7RzF#$2o3(1Qk0|a;7U%GJ%ru!|IqU6pwxU2C4U} zy|vK(>iTu5zw2G`ip1~ILJg4-c_%ShY%-PKWL#U=+^vzH{u4b!I8TVETARygwdj(; z*7YoP#Hsn@6~;{J&)`%p2#@eDS@mS)Wx#JU0ePO6xZ~oA9ia()EUmP@Id%XvR*J#Z z@0|4SD_0GhoI3d<#WQ|CXLmax$Z&r~^fcYy!CS@j-*G@4b1>%Q@iK_*^|r67?UJvq 
z*RqS{?_)4&!HVTyaP%N(J0kzUl|p$(=p~o%15Xc#%Dn8CYuLUPiqWvdJLbN!~I?fTSjyYJZSeu`sg70 zo8aNsg?B%&F8e{>qAUk6{67dY=EhE~%QOjxU-!4)Ew8NqP@CX{)eG@gw+HWFiw*k6 zuo|O}rgSF|IS7MwM(?O9ddJvF5GajaPAu8vHxO{h>yNixd=l?jlg6}_9FAy@IcycR zMVWwme8mcwM6=uJCCC)f|J*2TUik=ultt>WlC;qkdGAO$bx7b2!(^*npfsL1NzTBP znb248g+vpI@Z|HP_>=4%Zc?V~Tw|g%z|Zz~9emCA>(c{~i}>OS^z;pG`)TGrZ)*_| zu1LwDSP7*jf+_{Tn^qup+k$HOU_kw+WuMNZfvF5_YOXq>@B% zE(dO&eB&&Telon8*6XLMmuTT}_a`t00(Xm#m5S)xI*|IllEeE6;0g|=ltoCtMB zlD?;wHJ>w@29nIx+@%rDbQ{EOXR5I0H8s*< zP5bRqa3&yj!7?bt0^~$1%9ZAHL5jphkEC zf>a>Ce$>9sd?IV*X2~Nsfzw_EgBRX)dv!Pt-SY|Ux^S1;@_l`v z2V!qz!VHPc11;|vQgz4U71^tb4a4^Rb#8f(3?v5|{>spV{~D20OK&gmOC`CDpQ*M8 z$9lbhBpf!`+N=2zbv>Yub@tu%s*cu@c1e}BMcb-~Mlv(Qio&cm$);jkT?WLRFo9Gy zH%V!3Nzh0U(K4I1gz>6f2g#L2TmY_3gJ`b~A2h8| z*Xdg8FDIYf1}{4``L$6=gHadJ=sgZ@QdQ`86<~M9Yjca-p$FsQ-%L@pR46#qaSFX$ zOx%*(I~>zB2DQ`n8sOLyyk&^%J4D_4O&GbT9Q3`WYF-rtT`eqBF*mB5vbrVw&L2z| zyow)Ycavd*55JdxaAJ8S%6Aex@2xn0nqXjHE9|@Q3Kp6)&Q_s zh}jF90=U}^Ug2FGp!F;0onc-ag$}!d1w}!&xzI}JPSdbSY-oAsKkJ-2&0eunqvRav z=xaxX7&?ki>9zOrqc_T?(|t7GjqU9LO1?~*h!)yhudVs5EF@^xjZW;|q*3PjrqKg~ z44dMu4zv=>3(C3#TmHcAt=}xBu6gW85Xqz}e^;2$_G@7L&Ha{dmZnt;mjwI1RbHdT z?5bj~wWdZfo9HnAgkodmUAbQ^D)TM!+dC?t%6<8zr`i_#G60YdlUC1kQ6XU%yT=)M zx&MKYbRHS0zmEw+6wMnXgpE+l5<&OWnHf^@;3>QDRKcga(Os|Sy!#6CF{@3be39*_@=`;~ z5al9s-ey|QxFH}0RBhgtWB@EQ?;N$hGv+i|wEU^=#S}YY#?Skm+QC;+;@7Min7=@h z(k?P^`QfU$$3tjNZIGB}skRbz*hU^7Q)7=X+zEy01Uz~CD8_`aI)a~-7#72(t2(E5 zO5Jh!pNlC}+nL875cKC$Kul=}cYK6CK~$h_Ne+P5 zJn#2{bFMfVbX4`o4n9umsyW|P1iLK7RPAnN(g>A21Ov%bK4VcU=jV9?>Q`yh-Zn%fd zr7TcJESM@#ZB;*ri&SOY^J?@`))UO3W1%{JL!V=mW|F8AQGD9XKy%A$b!~?WV*vd4 zBvyg>1v^TQ)g@C&B%Z0zpV%FzPRp`uYx#uJZ?GE0CG(zo+IA3fG-;>e=m}9*LTop1 z%C@Z;^KE-1vH@ca$+JCTd2El$3ZQN$C)EP^O)k z=!f7xx5l2?M7c7x5RR@nQJ6VSIRld}1XEW?ruHC%}pAn~4&%MUn!;U+)j!pq$X>nj7Mu zD|iT%-15wc%mr&cRLRP^-afeJXw$gxp7mRu_p_hMx-piv*d0rKEe#FHblQCG!s|bL zUgwky+)YR@?oY^>ri4KbC+MTYXty_6rGqU4mDd8?Tse4D=?pGix)DxN7AT_cbVic& z-|M^*!qP&^Jr6QvS+aSRZ{5h>o@sC+!Gp-Em5HiCZ1Ex$V6=`1aX 
z++FjV=3{(jU7w7q2tgN`)&ju=)gGzidP!KSUi_;Z5m6ZjgGp+F)|cSumvHY$cDLfs z6rXi6Oe8Q#5iFk;EPmXOa;%D;*P~0UGrcuPI#esxcRwX#VQhlAC%Y+8WxKuPcCgZ; zSF|y`>TQ1Oj6xQ$dKIVf=P2vD#XUTh3`lC@t^>)LBas!e*IYfdHvGQC>yH{H{_7@BH}}#Mb1;4R06`A+~qwoN#_M`nV^Ut*}&jNlaMk z$FYOdd)P_FXqQ_emPc3bB4n4Fxa`rM+}BYJkFhy^Sa5;vLN1PnqhuU0VGysZ?*rkC z!}g&gV~^n!}pZ6?LI-@3R#L?OUN1WXa9=*d1i}= zLEmT6S}bU=J{sDB_2Ix2C1QXlkHc2<7Q_sVc}|+6E^}60d6q$CwJk?Uf0Gyte{Ka| zM{L*vaK7zDPK0hL#|jLu^7)<`OwnfxL0@I)LXC%(J!W1dqAA;<3(li(=7n=r&L*q- z)^8LGiA5$(wlP@=#e20lNtpRyjv8!l56-qP*Qn%C2B%?$^P|%zz7f7T(vV<=1jgt* zdy18?-p?m`)`+=i$oA$Ww&H1f?Td6*ugK^p>5Pk%SPzl0~&#Gh%$8DW}n zaiuxR(0`1T;(RIRn9Gd>s!lDfge6+1wK?R%wU2VoWE>V70TD7C6edit{6DJRF}Tuj z=^CEcwkMb*6Wg|J+qN^YlZkEHwryu(+vdA-o^!sc@5ip%wd?+~@9L|s)oZQp9#%jY zMvSZflDlLI-kV#d_eNIHTCA94Olm8woU90p`1{Lol1eF!tY z^)F?_u~PU56)dTtOEmvQKa&O7$+iSuS++l`LFEF~-gs*VfCbd&G&usU(#!8buVwIb zcaw-Jj!wX!bJ|M8K%VS&vzfnbwP45!~zXiMU%$ zo6&4Rk&|JR`3(eaRX7Jpzkz_}ol5eMrZ>jG=ReWxF!K~-QR@n2qtfS?&m=L;tZWNt zQJdf)#;8~CNC*4=P9*aV#a{Bok^C)a{e~hR^z)PfInAJ|q{~(rEkT^I6vzpUiKMgy zwRmLHIOOFhYO@;P2jEb3z}Bxrw%OH#!EJHNi6a4j#|X$t(oC7^yLvt1C93Y!(v7r( zr^(uP3c9qeH4UBmHyzUUYKG=3ij0``CoR%m3o$RpsoV^c9od7{26)h}xrNR_F;8aW zt3icF3$hSq^J>zI(rhvk`q^%v|@h+2x%fQrRKMREH7Dwg7A3Bp+o!Dt*NX;x#EpCnh@0G$@Y6>(Lh3w_}uY*1Y*2NApxk zcow0mB%^K7l7~z_yGfVUmB0mSJ;K9&9qT=^5<+Sp6zIOUOSsjB8Qm{}X%=Y|hc*wY zsK7CzjpzNjDY?Up*<@oF^w`j1QESo7-9^Aqrr;h0A4qm<>G!pf!-W>5WUq8uGG`g- z+NrR0U-t8;7`K*3J{19Oc9<*uIIw1;(VSK!ngV!6XofNKA)X7!`<7rZcB-i(QAfO@ z2M{Vk^)D%fb^5y79(yDwOQPW*MB6A_#kOLh=*6tl(Hz5XVllSPm?o_q93vzKz~X26HeA{#hmb`uJ{a)h@s?8EF}1(p+^2M z5iiOCOK2vw{syXt-#Oy{h_I-7SDUpN5zOU&!lgusWZ#R9Jy@~JPoLx|u? 
z*i$}G)}+VA@Hmur!z0=CHVdRK8&c1LF#DEE)wc=*y7HUl^jn2tCIQ|qBPN52uLn&g zV3x&{P6(VabK9vC>Kw~UX3_+9(ssmIeuDC=GDJ`+DBE0iWt7OoBcT z9&Qs!o;Y0vO`9s<=ac~yj#6W@?)F(e>(mSiIl#ndI1I2}5anRn$KyY2o93PYzb*ZZ zl~MqWF_z-`0Hfjw4wO>Z(zB;^jzUQD!#g!UHIywa z0Y6SKw5A81D1sOw`PjRoEp_GCJwcarwqNtW|2AMpKaAI33ic96a*=u*a!2oaH07_3k}q~~PIoEm zp&O0Gm=%;?h`d2;KV!Jr_6pspfcM|yNLxD}C_g&o#20FH?M4w;{4iaXKZA3`>ZUv1 zOf65`X&%3`-gf5nJ=ZjuN9RbY4>~9Y3!%#F&FAJdLu6G$OmYE(lTLa|Igh2y0#cPp zYghc%c^oeI$jpQv{JXAq2ircMf!K|qmeQSwI=!uq?PN~r|0PtKm$}I5ss@K5#ayi; zE?Z4`2`Y{b!xgRQ#8;0R%pR#84#Q@qMAe_Qj}#{12%7pPv;$jid>y4+z@0P-`}%O1 zWJW5Bc6ue!PSgayxNtf>TY9cXm2ze_vlVuJuvA;TRjg~bPH~v#Oz%K zzIYx+1dw2%n@Sw;ZhJHMX<@@aQUP!gzbfVa-4y|XveP;w14f!--Xz(ldh-=J&jnRw zrTFZy(U`?QA|`1=vB|Y>t0AgtNfFKMCqGznB{%5t-4O7{bKC2zHZ5PUAu(zH%_pqT zbVF}PU}Qp2Ko9yof$Z)4zQ*h#xFg=5%JdrJ^sCTw;O~!s_f;N=Ig#;EOogM~DJ_3H zA8b!-tJk64868b`%ABP^@PXEDOCGg_zm@3318oMn2a;%Cn~{vi_`1(Q*mvgj64K{t z#{}8DpdXd1OQj9eRJe(wczdD7nFdDKriNc~_xR}8{7W~g{jMW|8GgVyIJ9G7POP|n zjU6v;XBb|8X12YWp&b$NTnbC2Heo$yNhj}AHXT5a<9Za@x6TK#2?6qj-hc&x1M(B{ zO0)z9`;rKEO+Z^lgxFiDi2bA)G8FN!A7||a6IhF7$A4{WF%ROnULaA7|L3MI%k=c7 zAVdwSj9@v`bc*klAs1QFpjFWCnF>L|nPW(}Jr*Gdh8M@;c^edLb2kPV(FyrR=RjVt zbZ39Ra-;MDB&{NIj#*fgFK?UvKo2u)d^N;G`##XaJ8)`64oGS~DfyQ*Id7EUvK~rb z>yjkBk~)|0NC7NL=8Ydvl8LNB9!FxfaPdaCa9hYqaTe6r6&E&&_I_)h zXd5&Q`+*!LzEL-d#f7h;^;AtFU$U{2OHiQl3#`o^NtnP~VLTEqk-Q8Jj*M|SLR89Q zPQ~Z?l4KlU%+oYfGF`}wrASSE60bhL$21bL<(J5Md#!AQF5U(y-On@BkNsqC}@zu}S;_@DJ93}&Qb**G+2A;76T!4JOgYoK3 z*g4(jCoPCtARiRkaQDl6zWjII)ej+FlLLV!0zNPrWpeLDh$Z#E5({Yt2PE95 z@!z)6gFdbnSA1(=&%ZFfb_7$>)>x7JZ=JYq`s95SfeuLiwX={^{~GI7wYr%E@b;EL zw~k%}jad9hK7I&D*J6_>hqFTBYRhC?nNzg%yQ~wCPOXtEZ%~9UbiN-c-0Q+=ybmPO z!@-xtRQAn4A~7Mwj|PY`VFodRI5}T#*oPi9YI!*%aOx9q%*w9YGJTtPD%POXdAc5# zcKhJX`g3j2FHEx9%4Dc(xU`?GYU6|sz%#>K-9^Ee&{+~>3|#C~!$2PVM_GF}b-5*^ z!MsP>{Hl`>GgbC<0}1b^#Ho=Jce9{P31Pb7WY-a$wsT!a+!l#SK}dQ~E9n8vkdnZZ zr4aLteNv~+hfLbLhFKxO@pd?~xL_vIee0APv+gVlZ7zk%p8DblY1gAIg<8P=HDm0Q z15#q)&?w#H`v#M~?(n*Yil8JSu-lBX$@!IzgLYcCmTw%YNIYpCK9?KX^HMzLzhMQ= 
zoJ<-#YH(1Zv zgpJ#B{!)slwbw(T9R;$?X7|6~hM)li_mE$C_RUnlGkT+-e!YmJ1Yy^AaHo6+_svFj z(DUVTsBI0&z>^WvD?nT(+aCk;OojMJODEJ@f35xPNSe9wsg3fqmXIl>}81i>O{E&%wy8NNB}x z%GVc=k)vHh1u~X`UG3geqD$Rz?R&1gp@F0!=;4j0lpwC^Lykq1MsxQ-rP%5nTP$Vc zsy)y(yyL)Cr=E*~zr6W$^QF%EvJEh3`NAw8yu&NuK-_OG6D|nO@%eM#pN*RvBb-a{ zJ=XV%zy3c-8Lq}QU2U(xJ>r1%E#Ph$r6Uim?^kRdPT{7NmT>kR|@QS>)NwW?e4*W;Atr-r80rN zC#@{aGcRXr4s;Uj^=Y?b@=W0mw?yN@W)tSbI;|``MV1c_yBlte&f6E92CcbO)ctNW zx1bj`paMEFmf^Uk`mg7ttr4yJ!>Tx=tIb`__L>2+qgjBm9CRM+)wSn+PgQQTR=MG2 zneV5nBex{$CsH>ekqcAZtz$ZZb}WU%4*mHo^0K%&!PGw*K09Cu3OgZXTau?mRhiLrT z=IU!srZ1(yVo*wuHYFyUX;f<2e|O>I@o8;N;WC21}sr9M!P zjmjz2Tx6=$012kbFkPi46wEm;m?v9VRyZup1;opQq9R3NAhXN2L(uoOW>pUp_=jMH zotyCl-o;*>KSnW`;Zo37d3}fE!rlx4VKJ!Ino`fknEK1t-bw{4y|P?r@ZPPxox zBYElJB8cd;A2L3(4s(mcv)G52D4Vh11LDOk@ywj?S$#vFJqM=1@NZ&dhNiF7w&5gn zE+K3|kxi**#Zd=?>1wyYZt_dY+CQq@wU}chzfvQHAHci*_6_)YUd`PItCtp%Yk4+0 zdcCWIi(3faSB8(B^2+)okZ>nnwN(qo*GZw@$xo)Kr7-K`TkqvwqSTWHN zqIyyae9!vD8qzTV1OdCrG(Zu!Bs7`!zap@P6i@^Psi8=6lx2s=$S?2-d(o|_hs($V zaArjX0B4?{Lew9lLNI3%sX=G%?(R*Frn@F*P`}e>k?cLiCU@Au2bKCbgyU)9#4X1O z+RItpe&2*JcI12?RJKQ%)1`mPaC|vE{Y4WG*2A2jklip$f$#NOck2n{aoYy`%mQ6X zaUEcOD#roU4}jjn^nW1FTRcTe-glx8Z+y_w45d0h`!$u|sVL#Lj+PNc1Q77l-rtKu zNvcjtXPm)_+^s*+c)8LUAw{(X5Gq^^L_tAgxsQ85UpQaO=^$avg9|WkDaM38_DIgk zX>Nt$AZuq2UJow#Ya6d1>=GW?{IxTy6G9z?s{h;kaI$M!5#Yk!xA<}FKg0RN6KYU0 zI~*!4pw%!0DbKskjhr0Fa@uRl(_O`nAxY|GHup*>KA6ZXTU|vAe+|@1_WaR&M8|RB zSW{-YKjKuJ*0__0G=x zjsB01j}4o%R0e4pp1LOmvgp%s1^yGoQW2-I~*WlGo_lN!|MJzyL%&PzMNBG@2AUT&`$o-NZy^_^| zrNRh|Q?{3=jY5CNbcTzIwPFmsR=lAGb-O;yb}iIL5AAOpu2hZ&HSGF>E3>d2d5k;{ z*=m75Jz52W9?n*-4C}Klwl9BqAARRIya)V2wK))NBzg^M;J@uHW8c*Y4rPy-W0ZDC_;yqYI~7>a4BEY*P#d@oeo70KjaPxw-XfO{R^TF{LZbDomJL!zwXvTtM9$k9_l+t zI613l6q#XbyXXR6tV4B$Wnl$zHI|E@>AurvKO$N;&Z>o8Xx-MOfE}D*i4!xdd_Us< zG-b@Z24i)|;FKplBYcv)5@BdYI&2l_uo8f#Yy!}fAH@b{sYrH9M2P&2e0`!zNCMnfjRYYUCYLGl%rYl`eTQpg5G(l;4pm0D_RJs0TdGYdq^YpF(veU$L zjs>#QNUQv*Xt;A)OfvLlZMgG*$NjFpujMJ-YkxO@JbjvliOXA8rHa;L4>))b!<1Pj 
zb&G%YjAau52M<^E#KNuveE5F{Z`;j$ybh7=vjC#@?&qoSMox`wKC1-b={Iymmvo=T zli#wQ=38+6$DD^x1tLG(?(K~DFMN&M!6e}?Ni}hnOl5O5N-N-nGH3A+Wa)%dR{}lQ zV#w*{>Ap9l*rL-^3$9e*4`f3O=>q-brA_FDOyQ-?&;_5Qy+T?7KiQjh(D!~%C0O(A zLu^W5CvJq-D?gD(v2(nsHrrEZM|oX$}OT-!plR;*=COF zy;YpY+@ChUQ=P}`B8nn(m5UTDkd-uCvDREJzhwfq#6br<%q?U>nMmj!MW-ZTIF0mn5i9q=;dnDT(m6QgR!rB;^6OXPkg3x_GW)JgUEO zEb7$sW;fpR(?U250WZQZ1`m9|Ri~Yce`&Bone#UxJ1TRGn(q6}_S~70naP9@G>p{n z_ZiR=24?S|t~{yX_Htbxyz4*tjq3?Cu6RZxMPvZI0u6Tb9oeCh?K`S*;DQeZkHH5F z3=fBH4ttRj;S(N%RZ^y8d9yG}m;%{tWCvzN-1Xy;XwHRLF~&7fnwNnyzpyfQsMJrl z1vOJ0%-AKRA(L7`#SaZo81v_>9RddLeCZInaNUP!6WFWr2(9$5b6=CH#J7c>uDThE z`qHcXaw_t>D}Vu3>zw1O$Py3Gr_Iqp*MlHn?C-5)1D%3o;6p(f)iRO3scHS;PoX%^ zg7{Rg4P7^^0T0*m>Zhby4z770Q9BxA?{lT^h@Dy$< z-Dv%(1h=E`WFZD!{u3{u3L?Y2oiNR+DE`1z4wUf?zJ3(n7AxItiwj%Jjl|3*D7YyY zmrBwXC~Vdb$2Xboi2q~GLZyO}4G-|-kQh>Ij|a6teBBHgW%Kh3X?^OW|D}j_;PkKS zJCzhQXj|?49})5Uz@8Yte-6zt&?eqtAz~3Rn%d2`HHLXRgof^hLtC@txz%G;A%#WKT%)w#Q0YO^K5UJ zbRFbNq*fYUsklu#*K#OBR(GElBecwkE>e3oo~28l0Nuwg<)G^CM*g^pRXc#m3hT!C z;W=WnjbU1qV>)Ryrc_Z<@3`s{u;qSX@6*jNQeyS@EPmDy1Z8!3%Xm4@hf}p@j8^Zz zxAY%Ion1gQUs0T-WveD>Vb?WzZ$=-QoJ-5>9IOE~FxfI%H_wWNOx3s#5OnXuXrqK` zw$?J)@_*BFTKpM+M6HcK3)fw~%h1JW6v|}6funHt(FR=N6W=WAbhWEVrta0k(Q2Sy6~8fIbCeo=;hcYhs>{i+26*44j9bP$ZTrPkJa<{Y4;Ud5qqQm~?V5fhdSmACnj>e)A9BFYXcVr0O`E(Wu( zt#`ii3!}J=G2zg3bOq-9;=)6TRWY1}EC)+p&v8u2R? 
zn@dtfCBmLzU&N1CS%+n|)xSAhzETQZNz&4R;XSpWP(#q&nlFQiLxOB{JLNIqt%>uj ze%P#!YlWvr1A!%O$wlMk<}eR9N}V@4*sKMwX1)Jdr)}U2;&>So$y#a}X(Gu+0Y-@h z#LdFBFU20?e1Bisf}(Yq#oWo!wg2ad=uYY6&fVy5@{L+Ey-zIJ)X}8JQevmU(XxR2 z;I&bNLPaA-XU-ms#(8mu=wMrRwv6n}rZSdrjlcCOO9av$RX%W*h7!=hI~!*Enr5dg zya!E8yaCVQPl|uGh@e^{Y`v(?0lgx{Qp!SUyJ=D=3fQ4l-cRPGS+wXE<&q9d998(0 zJRDTyFYd&vY0S0X{!0VCe+`Ogr;mB|*2W2x_bX$f^K=hrWsk}b^9;q4qRjVQboVw{ ze|J~6Q3S6zml9in?`;5wV8(NBUa<-LxbqyU2~kV%3czx9F3))Wj|lPru$<`rn;4wN z*$|<$7Rmk-QHP1ZyOfgJ;r5BQS=@--oG_tVm4459SbSa=2{jeaW9Chs-?~4lPxH!J zIv$?^2H%c-<}E2m`d(YBsS8EU=~TCiG+Vc2-z`R$B9!vXbjKp)sVG^^2?5d&^t;#aoHCMl4pyll0d( zBsZUgE54H{xn{@&WpGo^VAyqdRc+VUGXEwWPFwZ|PR5UPEGQ9WNC7NB70^+NUqt;T z3mOnTw95vW%M9IU=rvVBV_m}fICb{A2eE~Kb=6&R)f$t&dTG_5vDQxKv0}wUWx#$O zJk0CnSy4%ra@rrq%HUfX24l93`gPV5;$Gr9MgL|QiQZ-0T9No0Me|1^K{Vnm(`A+V zm4mvC!f33b9x2?4@^kT=ahLiZA%SYvYL;hWfm~K>iUZmjO{n421Tr$)XT=iiRLlxc z6JEx81aK`16;tHhLn5))_$?n#F8pB>UF8A!Uttw1&ysa<4WxNLHkBnz%06>)rS;{% zfW~jOZ%{c;Q`#)+38Sj!2pK*HUjs%wWCFIscnvZ+mEQ7rSce?q)1Q9WUd2w@E5OYE zIlRW+a^smJ&Ku|!kGHj`w1ag#s4;0Qp(YUal%lz2}e{D-4U#*d9Llzic;+{cTD%SIa~;&lGE`pxkjs8 zN}!&;zEK4Bsg|L-iM$U(?GnXaYb4=r*kERdryXi2Gc^%9x@N}x`}G2%jdYyTKa`F} z)rMr6!cyQ3c*XT-l>NL zEt}}F97fRMm_DJc+EtT0f`Qq3L4Dlsx`Zp9 zU}T6e6<+7b?}0xXeFb87X~V+xF4Tt04CxN??RBmsWW1sZ^Js69vSeAYf8oki4>>jl zEzQ;9w;ricXKH)4r7iZY%-3lwm|TvUQLFexG#U(v+>NFs`LbachU{(i{YX4mso*vZ z`J~2Vkoa6!h)!Gb<2~S{(vF~XQj^Fx3*B#`ZlPA!>gXFOo(Y`Ju;E$agD7g6N(vu~9VqEb zE!@z)pqd)fqN_TGSRcVBI0t5K()bMB&|>f*nFK)UlI0x2^dn|nO|B?=@>a_JJ1OR| zPX2ZZJ}iz#z3?P0-#2W$HPa}g$^5gnR(o&g+-*kIoHX}by;3G@;jvad zIh}ueZQ%az-*H^iS*xSkYv^3~-NRLUE?g;hv?F3Dky)pj)P|}^alrki_!yvGd=ByO z+p{K8@eyVvD8jLyvJRV+$WwCE3dV#r2w5sFVYc$>OTD8WeoIv{NW^?)cum#_BZX9t;TY5nLMs2|4 zi34K|%fo`LrXSLA>BtPU-iu|q&%H2oz5F4$ySQth;T^<0q-xEF4(Q4|_=E23ZIRxx zMU>9$M6jC4i#aQtHhg0ZxVIB z1?-LKByRN>qV|gSRr3geaOnlGM#tjglm3z4tngu{HzI<~VyQzJ5wXJ%+#@2pf*) zX?}EeP%|=>Feyhl63#@h%>)cN7qgAw4-<@1N^E-MD$w1!D7`tq@;hy3??C^!l+)Q_ 
z%RlJE=TWr&=mR*+tbl7vJCM~SB)lF@0n{dCrBDNmUzdRaPk#1piRIyAq{Pvk)x=*HkIFOW?{VOjX;9*v|kXxran}ogs*i%3z(5Z zgo?rte59A=N+m^0oG$B{-r=STd}LoP-gyXSAgp*qJ)#_rtn&hhcqkt`95H0ZliQUk zOAg`{YI6JJSR)p0%2QXE3bKv;`03%=N4cZdBtKSV^khXbeMdkwVn`dC5C#ThajfIF z%uw|MI=_>P?%=6{#-&55k8h;zpj36qjuLB?syW`F8im*xW)R4NGCMmncea6$8MI!` z1 z(Kg%gD7-zV{m#=*Kc$DcB7xOE!lr-0YZbhtyz#eXOQ8yXs@XJ+6$mxFDzjn1>Yzyx zqO4bHFlP7{QY1;U)$6S8w_0?*f}xTNGwP~m2-E)4O6651>BPNDysDEwK>SyeLE1GU znmypFSP!e8d$l85^a1Cq(;we$?18{UwtWO)`(C^96Eh~!cXP4ri%85Y2C0={ z4i3t?n1f^5rTI0_OF|5*20DHZ6R8)C%?TSw~X7li3WB93rsnjtnhE9#CjF2 zZkMTR83wBiU~f^#0L>0$i^pByE^(rJ75hf}Dr_F8($|K~uxVh->2kPM!w}P~vUY2A z=CnWA(UN8Xl?4vcy}#bjo0DsL!qDX%>o(p)>6wzYT}kY?&_UEeP+Ty)Gsd9L*-f?Rmdd$~`JVI13a0T+?^IPBW$DU>LDEsA zNDccWynGl?ssl-pbwofUW``*Ni2Wr2fY`my?a;l?Yl>pP#&cq{UoY+c_<+*#X0(d~ zqutYp*1kRWK^YZ&jVJ!~8_~1(xh9hNjEnxskc1^g zx!Yq4k4JxVJK{ywhqgbin)bLPiA8MAu#YUt*p^|h;M_@|kf0Ehc67H2&6n=L4HOL3 zc8)hAA@q z@oqhG@U;+T&}2r2!g)yp0dgflif2UD#&EsIng*XTbYjV6)Cq%cQpB~L<@j#s2c~{( zzf605^%mPQ@?V_YKr3?6{ZiD^n_!MwRvEknT*jDs8V8INeJpXsJ7Tzl3;Z4A13eWY z(lYEai&kLYiKoyWt{~S-B^uPE@;~sgmM5qT)CAZ(nMlduq$Bie4Q}eHU3_>fhFT-} zb{Y~zj_fHOVIV&{C=jHFN0BuEY%_y+7Dj*k%H?pecXqdRv|-Lc0;UZq1Vnm60!C4Q z{<*}&PH;?mYx1hr$}gJO1_$>!)joFSlHkLrlmK0IZE++ck7SozV$QMqd#*|0I(dk4 zL6gpizgjy(E%g8C_mXi|1}WAQmHe=L(|D6SvMgX*cPjotuBQ_M%wVgW4J<6DMzigL zWYokXwti<%Rik6$Et~sKudiaL-nMw2hH|=khk36!c-aboCMq7!+v&Gbr_+Fi4wt!o zmU-y;oXoU4DSilj+szP_-)~LJfkMZ!x&UB;uV8NRhddnO!GG;$Kk@)fiOnA~^J1~P z95LZZMYovQF$MB(Dyp^?Kt+khMw{e{i86fuJ}l@sr2 zbl#Is6)}uKxjKDEo!Cjq%KLZixD2hZtA}h+&vrSsC-H8V?z{+!JqATWDa2ar3qACe z;Sg%~L`xk0v>#m&52nUTi@^Bz!Andjn!U@h-_@jcSsHKmW zlc!ln@M<1_#`lXrA5`+fI^3>69v*6YdxH%mawn|Fj~=Yosvc9dYKr%;y=9w2wkb&# z_fLya$IdC;@H(a_oLvXvA3^imczvvI7?~GrPOb|#zd$$XlrqF{eVC8!rH1K6*9~$5 za~#$iLVPx+0OVBzm^N^oyUR+X3HL1b$f*rk)eDhW1x{dbP557I1;Ud6NGSn;OBQ|t zgc+4t#1B{`U4kF(n^MmMxIyqNRxGFgU_Y)gFCbFESU~p0)4Q)q=@ z9o6+&l@pY~5}t~LkK1<+#4dSoG0Z;u9y=fxfUbFcuJz1#*6%X(ga}i7;$Qq82I&mb zz1!-G>PTCXl_GF53CF@8Q{wdK>k_@f&(zw9GQ!W0n;-IN#JB5Dw-bT)q@5;_gG20k 
z9eWkx#6Eb4g5_O}tbl+;aG4{sK`+JOgqxVt z3@>}fResk}RU^(!?8)4XcqD>;X$Ehg>x}!how|-d1Jz`fEW3M@s~5eP14)KWFOBI$ zL$)5n-ObXVdSjDQPnu&qX>ka=$hq&I&`HF?n+=DPTPbAQJPtUa6B?fUn9fmi8Xe5N zDM{5$Bo`OYu*@DjyZ7VC#Tkl^su(yS7t9-y^Svbj2W6;%v4p*nnT^eVSmM6>_ zQOD5GdX!CR1Rt;{`dXldRCB_>55`qXwY`ikjRRFM?TQ{~lo9B+OoGEZac5#?0$UZ- z9cp#d1B(C=HiUX38dqGHCtu0=KX5<-BTB5t7Vu}*OhTe=R-t1EEJk6q0s~^5bL$3& zwsa>@cTeVB0izwMmF`RCl@1`K6>;kjcHJB~d&PaO);G*$zYU&~_U5Lw7wNA_FQ%di zMK?593yf~qX!4FZ;C-XBT2Rb7Was;(<4T4z590^M(c>_^jC#uhbn)w4qP9eNPBBvU`#RNKF< z3oExwIIQI}dgM-|=KKT;Qkm;uvK7v(Klw*c!+AZk_hcBB)xRP3xtZC)$g$u=iPV{eaO17 zCm2d|P|Y$>9c4AujA^v1@cgp~a+C{s2OL?II$Pqgqmltib^_d+Iz@9iE9w<){ctzT|ym z>n1~8R;DH=j1XT0OXU?+#FBDKGq`__-ODAgBg*2Brp*B9o9X-Cn=8npCX=(lO+fL& zACR1JOZe2(HIzqajm^jxYVI0>;$Nk|4EUD|g3}gyB${_M37IQ$%v&FfdxsL@o2fj& zpGK%!v6d)IxOS4Ln_xXbKs^3Q2D*w)FLzse`!afZXw6_?Hxn_ol?PZNm!Kiz>cS1zF$fH26DoS%6iit}om zOJVC{joHu^|Lc6rQk+d4EInSx2-kDZ2w%Q2I`59iv6p`R|5YxpXOK& z-ft{Wa0-v=`cI`*f@&N1B9>*lPq;L|CN?!cq^Q zp-dHg3g&cG)W^qhOj$|yeL2iSP$hoB=~)^aZC++Y`6Hi-2t0Lp8~yP zafg&3yr=Auu5g<61T+sgDIQprp;ruj|Hg+wRkV~3&)7Wp?7GPfle<;1Xog$VEJvf# z8n3r?h=ns8o{Q<+5eRdb9)f&v>}U&vPVDFLd3{3N6-r@?X@vI$Kf{zDF()K#C}K+= zqj9*MyS43Q?z<9Bcm^0~U4NF*E3wh79@_2ewAXhgf3{I(;Wzwi=R95BD31dFq!GHs z$omOooX5`R6y|3B&V;1Zt|MS(UEmLo z*l7ModV=6{MtXtO5Ql<^;p-V*w;PZ*09&~m0?zQ#nsZDxE@Byrn!;HlDNTe-@*SR*rPvyD^08M_lGb*ckwo>%{+YD)-%tk&}5gGLuA^)T|D0T-;CZnmgde+#KA{MYvgd?Yh*yu zm{DSO~5U}(eA z0185>I_xny+EGDc7OKsOd`#F?Q3eo9mH>ju(`NCJ%4X4JvJyIJxU$TU5~DmTL+9Ur z(wvetM!NHVx+dhxn68+3usdo*dsapu*N84JWMKZ~-SHvjV+zfhj&@0?tEgkVmM#aN z)<_)RKc8o`?uzjo=psRgDO69nT_4ynoWI%+JxQ@XY9H(3E2-x~eWm8aV4G$1Uq|w2 z66{D0lQT$iwL#A^3SwklM5-f36JKoOm+ECG`@`mQW`h_7T5~;PUBQ8iNq;cqJN2sd z&5a62+Ck;NKVF*w*^qlbA@V~*t<41>c-o;N%*_<;eCqtU)XP3^{go2)_?H^sjo99k_9uwLdp#7KElI1obZCUt^{A^R~Oo>K70#^OyhWxAB+vDs+$(i=@?SeF5hqH-qFNV_>?M}nZ0t1q@fJ|qU_GWcHfX9*f`HRXnCb3 zde%H^1Ul+XTUk+HfyU9(%R?cXJtrneiX`fxyz|hg0s^sN15;WTT z?pHE*5gPlF``i83{t#Wvd+#9Qo)oIK z-D4cZyf9hyzct}?8mBNZJMvOX9|Ujah|U{+dV6T++<@6xQAwkX6ARU`gjO&&T~h{K 
zP_I}fH&XT;MQm9x%8c`}s}>R(MnM|bbI>lVUTiQp*Lw@{V$J-kvgbULaw&I2^xj=t z4u_aoIOLsH48Dke)CV1zA1}4qzoI_>G+Jl+^w9r7Smqz7*2q!Re73puI(&LF(+gDH zGNYpO?_?PyvM+OZEy`E#NeFR&pB(nB_eoza7_j^MQc%`v``>A(DYO=kj5YH z6E6hXW(I6Iaw8zpmX*T)*OYb*y-yEtYLUe#4*;)Pj2IfQR}?J$9_=R(Jda!2avA;w=t zw6EHlo5R`PfTTYmFqHt!JsNk~fb=ZBUrLI=h#nND9%#id=0ngTSJoB|r@%r#rS>o*9`wZ{gUc=nXUdK-XS<^0$Pb>duJ2`i0y&?4}&mBc!le6Wq;m0i_GeXGz z-7@ds5fGapxXMFOZyQzAx8lF;OE;ZB0(b#@oc8ng5N@$^sOk#%j`HXPfwZCf2Xoup&iwr$(!*mgQ*#kOsmf3Exa z-hZjK8e7$@g&Jedfn(oKDnIAnN@$;~mKi|K@OzQq|D?_<@pw;mO3*UyDA1_PK{Ct9 zR&7BZl-s%H9n5lEk5NKvndM|drfg)xC}(k2@axqn_T5U<(40dID={;@qX3qYKc;_Ufi;8W&UFr)5EZCs`F`If5=U zmXPn)n>MQuEZ$tBfGwhEo;R@eiu2F&VgoRS=R=LM2GeJ}t=(*r@}}CUvk5^8#g1-L za7b}Cpx8OB_+#FMe@b{f?2KTLY_&qG`QlI0*CEVMNL%NqFNf)ZZi)%vqaiGOGiTZZ zVP8n?HQMYcBC+=E-r5ib1_y2Om7Iw%VIgtixivc*5k=s|3l7%e7``FP5V&!vtI}Fg zI?XOVv{lY6l||gJ`eOai@|X;08~@Sr3!Gt}G0EEQ*#1|E4Wgwz!~5^B%diyCghxat zc9w{*EhmIGHh~oNKeYVR9rfzyYJ14ltJ%UQRy1V(so>D8@xzt`i;yE`G+wj@G|i3| z<}45|3S`7|M5E{^a$T*_ANpm;xk>awVRnW=idxaqoETHnKVsAImBksH%2xcPvv{m} zHEzuInoobR_hPQa8k?B5L`v+vN#8Eenz&*il<#h>=h=uk^l;Jee5m8+Zz3^(cN|KuyiM#HA-t;61-i$NwoGC`_THk2cy8-3CZLZ>#51U}O5K+E)8~*Wk33dNu?$ZeR==o9 zve24qwsUzO;wsB;(P$Q2&tg~)$|}+p(rVC}2Q$)XxoSu!b;%O6)fsDiwTinH_`!;2 zCDw)^wnSQ9nL(*!esVBuJ(2cwTJV##bYu)*%WQ%vH6^c$Y(3uH8PXNU8b9qn`lqa;R=BlZKD3^K zpR#DCcNgO41XLD;_JYdj;1_Hu9>ta55{Tyk^fjoH@4p_RibkH@ zu4Wp1L=O<3*~o;!BO$Z8&zrz+I$1M0hQHlkNE`=p^E@SfEK6}=eu*0*&R{`Tvp01L zi}LpnL01RDt}NIRg+Pq7Nh%`&O3m3wm@_5-E}WOY-Y}rwtAxBz8Dh+LU3HTmEG~$h zO$yo~1RsZu-|2`jID>iLKh-`|k!;$f_JTr(uLdy6tk~d!cWReK~K~WeZjeJ zwta6xzNJb>U#@Xq5NlCBNOD4ZYa?d9mqyRE1Q{H&qMgzDwwP^iz$%8?0F9C5!XkVb z?tSUzFx2VE3@F(F{$wP&=_h7W(0E&%w`cu@H!{R&x%(G+2Z;*#x&2YXM?O}vFAS-- z6zH)L%JvsN2Z}&b_s+URX;iev=`u!8yA1%+=mhp1f~vWt{BR?gj1{<&R?zL{CgA-T zE__i`g;KH98&4oM#lQBt>*(nDrL>nuN4(b-G3TC`xvwtI83t{&7 zis~z-jdoEMH^I=Gz-l}^opTf+IwmGqc>GCK5cyRa77+L8r)^gO~ zW43b^W3FQx_p_za&JVtgYU5j;B2yLCsf0i@?R1fIF8G~^X1l_lC`i&?9b_3SZU?Z^ z*qp;td%wcB@n)$f|?F#cunF~X_13(20PbwQYO{?uc?N53^*Y^ 
zW6t4guX=p$4y0)Tq?DQWzgH!B^MVCD^er5DI@SuxbrdmMh1R;u&IQGPJ2T0@Ai(G; zn%Y=lL=SzHRl4}}`Tvy7#-Z=Te)kSDs#`zcIW~q|0wDY|!WJ0G21Ri7>_FdHpzb2g zksaZE_0%FzRJLpYyd}!bZ5{;P_<0D6f9*P&1DPDA2E07C98T-fmOCWY;&jglYIjBP3a=hIEtM+dmx*xun#Ks-4!?Vz)4U&se@|^TDGr z*a>dztIpCwXo~GUP+j1I4{g4rA`VUoch_FDM@;*E^BYlpeIylt**CD+g#N&lMxMmL z7!U8)Pjcx0mRyU`9)%WaFQo9S2WD~q(oUzn7-aU=nc|HovKq;PpR!tEtO{Ept_!)lnFVmZDmR%~W3K1uI|7KTueon39V-K72P z{NJ*(KpFXuLFM0*Wbl^Yoy>y5xka>`%z~u=D(`S0zn0ykyN74{Q^$tKE0;0$wjQiy<#W(zmnN=vIgDA1^c!UORKakkp zKk|uif5VIk98MO1qVq!(S5Lh_!{t2?oVSy<;`X*;`(9DFfj}5Bd*5#v<5zo;_(3N z3#wUY>L{T(Z46Us3jxHzxLrKyePOI0zjdGrTpW~W6YVKqp`_{#`>0HE~yRx*Gr+t-F#9|FR-%!3&y8>FHyhmry$4nUK^nOflFZVdPA99Tdn!p(vUIUY) zMXoWbLJhcZykS>rAS=gB4Eno!TWVXKeM0Z3B4=l{3P0Kn=Og}6@bM%c=B2NXlg(=jX>s$Uu=+KQwEy|z(cPB%yLb(F%JfARxXd)F$sk+mjXj&Q~;kIvF z6|OdJ(0aToHO9j$25Bd@1G6#m=pp3h$vAW=(sqLWijf`Ed^12F9;3$#HP54NZClCP zs(E96?iiJBm*Rn#&3$21;m>Ph!X379W(xYKYz*BZ%{z<2fYK{YyJuOEie-bLFP2J- zHsR*mAnf=bI2_a)MA?AK&$Vt_pQj<5h}Fzw#FU@h7T0eQ4nq-AqKrXO&gl40r@mWkz%1&3_x1u4zy%oZ?4^&L6>^FnJsaZbel#T2Y+^pJm&Vbl}E=oo^ zc!CyjUW9SgzTpLoDDkxeZ}?cVR7T$Zi->EcI@ST{xVdrYJs*!c?u=MA)Z8j3xmY#WUOLHq z&;^y7qu&ODrt7%UJZN72vh+E%pokAgT0@D!`<(3=xhrMf^SM$4+H8d;_Ka}&Mz56A;pzBi6q zzO!r4t21a!@&%pmQVO)l?ASAAx0qTMWxKrp@BUeRiMjqi{fXx65}46Xh$K5{;9vtu zAcKLqB!-7sK~WzPHIg(V*sMRyQG8Z|ouFMtar6X4Bf2JhmzeV02z9mO_<0kcPq!y6 zuTO=$#P58oNfQv}>{-b%dZtdUY9c&K=;QGfkzC6AE5y@2=oX%Co6{o7Lth+OIFe9s zBV68a#J!|O-Sj058-hY)m^(KVJhN}d-4S_Pnc{aZs`rTnWuM1KE9uR)I7Q)w!Y^PM zE9lAH-L|GCZvCuQ-Z6Le`d4da;ydvHkRr24>4bOi$loVD%$nsC_q#kEMhqmHZMCwL zr9}c|@K?6X+Ue0(K{?I4SSOiI%?>3*;u3NGZq3A)r_n*wk$I*9w(284g*RVt(Rrf` z_lU9_l^0VX0sY$I67lj1YFeO{?oOkjgB-^rH%h)@2UP+j9=zno4r`fHwM&vW?Hq0&aostVAv&pBgwT0LHQDCa6h$)?~PCUuN+E3hUBavQB zw#~5g`l}#`vL8s5zsW_TdR?H3qtDVZE2^bpO5cDpn$K0HtTKeQ)!p(70N*&XZ`8kA zpN>(AZ_PFD;@H=(EKclAjWk(Sx0(q*BpA_H)MYEnY~7I@ZNr+nPckL4Oepx`JIayp z7O%DQ&D)7>-lVx?oGp|R2X4i{66~c6URsLT(q`>ANiZ>%m_xC;@Xw0{qB&y|wJ0Zq zw{y}J)7>s-99ci7`AS&l0wI85m 
z9mYViQC6%hFe)xAyRJ?k&)DDeV;kT9_1?v90AJQv3tpyWNir|H&MV+Ww52%KFYr zUY&scc6lC;(Vat3S!1DBI`Shk&m6h4AUNvdCEylho;2F-2&oXd|1S@aDKRAC(SnmH zp`kAdRbxRwqa$};Wxhi$6#DC;b#ZTPh*d1?T z&mC_8FHRqThsdMkfeC*@@%Q=d_Olb!w=vdj1GdyX9fq26^M7$mY68e1j{mutRnZVP z8Cg6oRI-RpPxn;%1-g8E`rqm}0vr=z@h9}(6ieFDPINL9SVUDq*YFCxnXc9M;znK` zqoIf0uF~ZXH1rS|8Zm*0zMTu6>?>LzDh-r-#?=DL|Ui z{Yaojm#pG!`5|I;C3yKJp=7o;YI4xWO8nBex$_rpp}-Iv=hp1;0g4-6xQOGe9IYpbJ$Hn(#;;- zr9TI&;z6^zRSZJ@Q~%Qz?Qsie!P6GerILUxS0Sa;n1(D=#s9yp1KOe=$`^*Vh@^oX zk-n(xS7fh2QzaUG(GMb`{y&eVFoM~vFoKn)WF4I5XsLao>_(pgsv!2bR}Nz~u;E#5 zwqDqO41O*wwqJshUxt8gp-pazE^FPfA_}h=grD z{Qkm!=f`UKIbu*i?>|9*kwe&CMT-St2d;F9-FZ0t2^rVT=S{oQSw8W5r3^bd4)hW} zTH7 z6a#}3S!*K7Q3@>WkA}|yJB@$-C}AzhmSbk=xUcSFQlQ>Ib6k#F@ z9zi`MAo3^5u<_50sI)Z?354WFZvc987}07>xb}M{nle$YzV__{ zDW6E=XQ_f<;vFqtNSvz=l?K9j5THk>EWy|iuo>+V{g(C5Sk9&KZp?+y4&9FYRUw`} z%AgN&z>jo|Qi{FIYt>P56Lrp{kSwSu0U-V;2~EtZ9En4U3C8Ipde`e`yYn}E&mmR* zZ}|i(^G8+^5~WuB17*+WlRIB5rGO6*xbx>~pVwzkZz`hde)`DF08jb*EJ zEFJ|kj(PM6^Hw5GEUQuBJpYOX;pHU)n=gj@@ zs_=bDpF&|v^CLY#2u6!r=Vee(Vb{^$W0$PXcl_4X5b);Jtt-OU9NX{w&d%w>3i6ON zAS+{WrDOBjOWSLFj@DL0p~Rkfiw=n{-}`*0Id8C}(bVr%QZt6N;=<|lt``?^Kv~nLVWSjRct8@L6<3e?fS8jWg|IF=q^J}WR z>Vdov%0%;i^>ilaQ4k=xv2}~^{;pHIdfRzAW7+b@Z#Xr?qQ&UGU_Ik0Al9 ze%VZHa{Kh+0{;==ZL-D<$c1<1oE`D`my5v!f|mp@q*rHHcRX6Ig58l~XV12U+xz6@ zlfVPn3FCvsh}9L|!{%rA@@fABiqqKR9`XLfd|<%Ug=g4$_co|OXZ}~0P1$Y$V&ks) zHov)-t=o6+vBAPZ-3MA{A+ME)a%GYCVlR&?=%F2sqQIBI|`QX;Bh z>+#C~eZyw1)gz=x4a`DUqw#X^1Og={rkIuqezpEKbo%rUZhp`eH ziNIHe{#VhW0|&vvY~(D+|CpDLN(=FOeLu}q_Fq>F$ua8vxpkCe$Xl0rZce?e>PZVF z*3!qA_FrE{FZDcD(i!hRNp%<$1{wC)AYux#{S6EmDw68|AvgUMP{s9&@pWVU89&O@ zex*}O6jizY|Hlf(*Zlz7?NaKMz*@(B?yB4gY$itX6byF6ep)) zQv0X-LDl*a&2w}Ah5Ei-czs+PI-+?$C1Fl2v9K#n{a;m!hUVBvOpyQO3hJ6yGCsOx z)dT1K8L<0wAwQ$+Ia&8ok#2d(ro%l@4MT(&rQ8E=fdZ}3-~)AcysBvhYSZ-%hX#NO z4VnE49wwA7V8)t$6trB%#zmRZ9a#L{X$Ig>m zm2>Z;>H6b(40DB}I9|kvW7z!&fjVvGTxsoZVDkc%ulr0I>5|xauAtT~N!%0tSM=^V 
zu(f99tBrYKmXtvC#>jrR2>*+pOBBr^x1*M(Q#$SeMARW&baL4W;iv&)E>+n`w4!1~udI1iAQkZfs^Yd2A+^5b8gqKzptu45UVwJnqEo%B+W4_6+y; z?1=J3sL@&UWGGvQbjoNAW+n2OjeNonVi?G+DugW=W|p+>9H}CVIxAJG16na<<+0z# z!;2>t;g>|Q{fFHxn);%Sf@+aAc@}ZF7H%wOtQ7h5pE-zfg#m=nJWB8Of_7N3O5I^; z=8A4nWuhl%cz9=6XrOx1U|}=?7JP8g?|#E1PSMDlQkr{GtNDg_jE6%0JUHipB`cCXc`?$Mg@MpGdOZGiQ_6M3^D_l@I$6b!*4WfDIMvHR%I46 z1JQ0|c+<$&LV5T@!QB>#fVKNNxe1fMaYo^0FKk4HhcPSo59-4l20~2CK%0EqB~EEk zBrXUlP#eH{YRMr;tjh+1`&X`X5R&$$;gkEm%*9R|)8E@$tz4}(Rz6>}Wlvc#{8p<8 z#*{X#ty&}U>l-%8cG)dXtpIoPh?Yk&3>Pu#^49gwbxcS^6tY_`BI*oR|I?=Ca83jS zgsFWenbv%y;@M2yCo7G>3C_+jA zoVMf}Y}JsPihVr7`z)-c*7QwEFeHe>k#iIuU*M&D&ROFQ`F1$w9NkMQK}YXtLTa0! z88O7p(hOX^CmIb^PNL%g!F$1^@z(jpXa=yL{T+gl(@AGV?+%8|aqT2(`jP^I-9Jrg zXPPDmj)Dy4$xqq*-f6=?Gmtr0zuOgDu4!Gw=zpJ@v|GROcUKu(a2-0PtQL1|Q-772 zrZxU;iJ$)6?kE-@%6Vj&F+q3e&Wua`hw6ba(e<9BlcMB=$P_-A&aU(2!kD7J=iC9I z&!4QliSeuTV68^9BpZ`hgvJ=gNB*b4?HD3+{v55~sQf{XIkEM#Wcgnu-cJ)aoZRfz zIWgwsnRv&)Nk32zk5);@ocTgxNImz$4(k+49ltC^L6hf=AZez zrcBmePXQ@>|T5ArN z5tmP5MEEe&NJ6-pZnvPQ-u($=~dTSa8($iFa^q#p$VS?Pq4raFJKM!oANt5n0hH|e3dpqUn$FRAP zeaiKkQ&L5i89(g>+%h%_Llg|aE+5Epq+|S$GN2-_q@K%bFj^^({LX%ZW(xRU;nTSg zeuEZTU*WUHC<>~8RmV36p3YcGS>~^dcVbnl-^p}H1eLGMZ^R9==d0c(AnMI=Lx>5a zoBsQRPS`+lY($$?yRrp(EAj#JklD#xcksLG6cGB(-40LNz`eZfnvAE%CVeuoUr9re zNkeoH$&YNYR&59j8OThR#{vNlrIqf`z*C=4YbQ}|uI*Ns58;1(Z$?&6^u~j2_rPC7 zSje4V%&Lxt=gZQV>@2=Bfi?6j*~fuvDa%@rY*L`oY|>Z!Y@vVn z1gHBPZ9u_bhB0&p05eod3TkF3gHMmA8GJvxbG+x>AIxVrI+~VN%lDOQrp_>LU-5Y? 
zdo`rV`PZcAOqO9skW^%hV%F|7&^9EtFd z9oN=LA^6y*!1UaI{8gUpaIHAylf{&+YG3$oESrY-d-~WX(`4J9tvr!#WZ!6&yEM5Q z#^iZ-e?D5pF)wz*pz1(MywOqM+p=Ngc|P~=BR@R2s^300>`(*uCTdfI8d+GEcX{)d zHAHUZ9dLE0vxnDtM~4;8uMjPZBqgt6zs|KjBHEI1tzLC>Qo4DLWf!YZy_-MdpANDJ zRwXzz3|6n}W{c8r=YLM5pIBn|>;Kr0XY~)T@F;6~ePORd4pw}rk30Hebm|v0 z3>=v7#F}Qy*TodlUFc;17ZNl)>g@Ww-9{*BarCFPS4eCNSZR6t2D?wJ468LdGkG{) z>S8K4mW~U8y9Jb7fuP4QoUpW>Gu&L1$CB`GfHxVLUoh-cUXtTFUrBrQ6a+bGwtYE(MGE*J@4Q{Krn;_{IbVN zZ#iTl+TYe4$%}L?o!&6Zmko9-gx^ZD^i3831!b*eQ~;`cs(*o_ni1>Q0Rnm0Uw!bD zK8DGcZqv!8yGshs3Q|Ui$QiUo{6Kbf%$&(g2adodMX_Zwb+Hc`6xdXCLjk3>gQ`MO zRK4eW6=g80lh>YaIkw!#lQ$uxBZ9*Vcns*G`yr=}Z}XDPYF=QS=ef_ZDwDfV1?Bp* zN%Va&npl-@Gjnf3%|F3w(iPj_lVRJv7Kk4o==(-NkEseKUfq{M)^P(jPZ_JL24U-U%}ieLfnz zd6e}e=duLcp;suwIk0r7vinhE3GR?2B-jmw1fJ;7S`&aCTMb8A@*srIZTR_XAQVFa zKNMRVj1?r(#)1d;=q!eCA3=-FQ#8B=W1NH5n1)WFrvwTkpC1K z*zwd@#4GALRN_WMy(GuOGADu7im2lkk@Npcz86BHd@hUYX_myxLBXe8Qr-iGZ z4WsaS992b!I^^Tmz!7@>w%^V z%aH3iVz?38TcQ$t^YtcAdm;IK+9x=W^k~&t$04RW)`y!9gS1ocdfkYhQet);b!rrE ztGEnJ|K0)wnd}i5E$T1>8K|Q|)ZZ*v0#0%85~Z9eEhoFbMJ)0e31R^6GHE2brN~-W zkKS;DV5oz6w+6tU7a0V%z9Xf71P}(!J~Rag>mm6kzt+evim`^aqP-?f{PLC>Dvw-O zOVR%vdt#gkTj8?cihv6IJ=*9E31_!kSJj@D{3)QSHQ5iF_u^vONjp()n5i8O^%8U?{S2J`k^6{6T!{i%tJvo}TF@`!<>2ETEb{Iiu`EA^K!(j%(>7lpb3q+A}gH)mHT+=HnG8W_31$LC0 zol;A$Y!2*xw~3Z$|0PoZYfedO?;B6oEpt37lOU==yDFb;-LRvs?{Dfjj_fR+9Wzn2 z&Rv6_B!HFC&O;D3fBI|?cFqeHR}i*N5r=in8cj=EdSA4zqzzrUsa~2NjOoL$=|jUF z>K|V%jzYxdH`Rjl zMiOmt#BA>w;2}(;o@<)XRcX$>)Ki_+Z^y}Ae{-ZEMw(uCm^SM(UU%iA-v9OU_J+wS zpO&pTkezrdWQmYbLdkRp-JjGi$Qt)TTyP0I>)|H(Ht=Gg!^WPG4fs@8PlhCm^e6PDlB`P0fhZk9A zgTtR^I=f>tPQJTCQ`ev2Fa6u?YcSX^}U?t)bO zrTPXc5%&0V<{Qvu>i2qZlJ#>kuhVvsoT1yCe@~!(CeDem>hNUi+Fq=C$f@IoJ1d-H zfGnnIgrZhr2hMuW2hypq-o)lD+hmMX#UUdSGdfs0GKt~Y)D`jtO+>cha%-9DElmG# z|22PH6T$)8m!-X>;%uX-&M~z=M3U0&HIq6xHCwYi>C6&w>;phO7*a?S-*t6CKK&U? 
zmdVuk7w176(&Vha_Eb{b*&HKdgDb|=45AGYAUZ6Pz?^*3=Cs-toDFC=s5ly~#jwXl zJtBpZb{9Ao5`RU2xeX?aqCsUn}7_4@~FlmRTCVV+CajnwY}mAvp2TGf53cIK%y zEG<(ePVU4~N_Duh5~tPlrS#HKoXN=NW|8PdwmVDI`56pJ5dnHs8N;*I5MRld=j5!l z-p|X{nKkl*wLJ`Gyq$iya$6joeD=d+&9S*AV`&R1D%|be%7_dpG`SaFii;Hd9^YY( z)x~^jZkERY{ZX?#>j53nO5Bs|Kj7M$8`zo3#s_N<{3X)=PV_#IY8iTQQDc$(46UU@ z^01L-zBcU5`p#GMztOl^9X-gGDCke)yWeSZ1g0hc7e6CL<{;kq+jU5)R8 zU+#$!xX0k1b4kygeuQYwOx=%Nim;7mXi2epDh0gJxFq8+zaXS<=C-r|Opg!Y#g1tF zkwe4rb{twib|rqnZp|Ta-hZQ}EA}|`($vlfv2VAcq}7MzdzYk18EBl18AAzk?=}B) z9aZzpi)*Sr%*Np`nC#Iw!-r%EL^0x+B)fyZeH#9S7v9FC%+)3qkIug%V0axz81(Q3 zs7!y=Rdu}Q8@5x$$XE5-q@t=2j%O@Ny$f`8__qZ|Wt|v#_Z1tAxMHN_XBoA}Q6|A6 zZ`#*OvoHwp0#PWfGJQJbYS(cZJ3JP6#AkZe=~~ZxMoImPEMct-Gvoftm6RE+EiKpb znMkR3r9u_8YiubDJ!W|ZFyYtTy3^`jq3r#JpOf#};l!K3ZOtPn9#90DZ@KFxwb85iKfVTbXRQ%Cdmk2tFXEO zzGWG!CIK`1HESyw(eFA(FZL1qHG0)LRYLy$>{%X%?j2DmkLbT6UrRF7#pVEmh zIgGP3;@rWUsJZgW3L+rt59GhaopiEBdFkgmicCwF ztH1WjaM+K5hyNOGWD`f2kg=a1aB@*GNks?OaP6HW%;;R^nMJY#H zC4HbGXmm4ds|eO6x1zxT&L4#V6I@Z!b2pb~(h{PuW7zheHsbcl!a)O5P6imwo!$D( zsV4>E!ILEY{4j^-Z63-rm;_{3cza?&ESRWEyr*;L4$g5o=C>FA>*=JFNcjYJoX43D zr{1*v91z*D)M%1Zc|u0^B(bD;u0d@LUZL~i;`{C8I&0VHE?H<5reKXK?DLyDehytf z?uzP>W(3t>q+CgT+n}Ug?YT))8#N>+Z|8W$IG?-+5`Y`>#*4fQVbi7Uh%m7q!q5E` zW4@7~3%6Zdedem!)s#^3&E93M9$EW-4=p_BV23s!ixVVrh`NE(5ZL1D`ZUDEDzKx- zh@h`dx@{LZ?B|<|Iy8wU zV6n|~Ec6^lOQ5YF!ZE}2*`=W%utl+ALcsTPI57vtjecwWi$hrN?rovHWSw2f!R^ZXx-M`iOx2rgGiC>8$hJ7agBc zG)z!?ch5A`o?t0x;G@`(V$5uJ&|+9m@JQ&4Gknf!yqJQLtt{+F@1l*s=UqWJi&KUCKcM zw09dEsV$~R)g`EFVy>#+J8A2IY=5w%1r*K9!DCxZ+agd}4@F4syH+63*9#gQq6&(2 z1@R)PmTZ-6fU(Bf>fjMa?i7j%$DEak<0+7ma)wJ%k#J4bEz1wx*|F;^&w~`QgbHEl zPnc1LDS(z?HC{xIn3jkQ{14)rGvNG-<-x=i`H1+AUqSlsDUfqvW1d+Elru^Q?oUGy zn008&=g^jIo+2=g8>8E$8EL_6Y012_6MlLdGryKX8!fWeArcMkxs;%sS)*)W*6Z(i zltuZ=1alT*WWbimUU#|D^+cW~-nhhwI%}2GQ3CzHrjXSr*;+|5y@*vx?c(>AHD;B~ z>`H4|gu3MEp$m-+=Z-l+zd0{CyZK^pU%hg2DYa5;uBw*IzHXuLCGL?PgE*Nv(9oMw z%GVFcttT?{!cth0VEW1Z#I9X|R|D+XQ)2;LyAvIQZ+DLM@$Ziu0$k>Adao#PfZ7NB 
zIGjTErhEntOA7yhvsn|Oz<2UAWGJVk*eK5bUEn=Sd4Dk z?S%o-osIV>DHArYoa8?c?M^$QybkA$x+$!xJZfU4BWaIFr^eL3)DlY?x)u&_n6`N4 zypb8Xh$f?QkE@y}esmTvz8L!VDl?}sfs^Cyi;|GQb^<$-or_ZcdxiY>>d&e0$Dlkn zrpwyIYXEJS!P3M5ewRPymhP?yl^OTgo6x~vSL zLUO?4I7#>(2$fQ({+0&m0)3?i0Y;4AcvcxLPE6$hN6B(%ewCL28M#RkWyQkYXrdkU zG}Kt4^DwxvV09tMbg^JG`zjae9d*q4V^U8rymNmeeETZi7$Y4cTreUlW9BM6RR5}+ zjBJe!(0eqz>^2`N;652Hdl-oDUwif)>Z*(;2`Z6qd;wKj%7yWeHImRoOIQrsC2wGT zNG5mbO`d#tY^sGs5<#N}6MMPvj5Ca?K+qrH(2Dp)K!%s{Q^n$@jvQe`*l1+fWNJFV zgKL^PpdYBY+V_am{_1K;%2=+6LA4L~LRB&*|60zu{M9?9g@o}C(;tJ;gsL8g_@9Vv z5jCIlj8@vl>!*ia8o}#rPw#MnsuG^{$T06ZpO^mK+rD?7A0*SE+6JC&IAm?w<#cTm z~y4IP#cKvr_X_X2h`Vf$`B6I5-uUiKRx{c4IL`=86XuoLea zg7`OgPuUs`{Cwe#gtyY~W*i@=s+k%{-7Uou)c;WgxQ@UUuU8W?V=yxIb~JjJM-!}$ zqXikL>fRf;w<8K@X=i^RIm5>g1hxuRlRjnGe8Y0rg$Du-A3D?QNavD~h&`-k37_n7wvzVqUZ}Pv`7!?Zr(0_#RyABM93cF3Yfl$sPu6_3 zpKiT@7NaW{aqe1w#wu+_beRWk?}FaZY_fAU)?_&d!fWdCs_%^}(RxZ-4Y5W-)Hq#C zUg{|E&$u79GKmRJv&}apO0|~G<;~j>Rq@oMC7~v&L+b}JHmkq!2?%biU{ZhhV$uCP^k#%~?oH_-=3YFdr`Zzp>N`)!h9WvZRg0 z^KW!zi$iN?;F8|Hcdj;~xc0=Gfuw6{L|dwNzIH$I;E;ATA6n3_%M;$CLuJuQbiA4^ zS+Ql@pzVMZ?A&d5>M`9>jZ3HS_a*Z#B-ODW31fuJV%`P<-uJrWX8e}J^CW9 zX6?75x!y3xG;9SThM(?lyqar%i0^JN{pcCp5Zl^O2TcAVHrP%4){{eks2#H+>r7c5)F5PE3d)ipmm z>Gs`G*S!jM%u&Dq^ypacj`pNnec?OU2bVm1p@k%kMET=o@M!_Mq7ECa@!&mU4O7Bc ziuoh%ELjYMG?PAA=-ho1F`U6)ot+0ms>Y5gv?3=4{h!DH3#ON{13VM#EA?%@n2-f%RfwX(z>{K zFRq}K`o|i0V|^+IQ&a*I{u#4K>$4CKt4F!439PSgP{bolbZXV0ro7nODr|LW3@-%k zuxB`i<5Bxl-z^Kg`gRrh2`3MYaOud^wm)+KHL|b_jcGFU#{;4Wmkz?$4kd8Ee;#VhlM=vkN+K(qsA1|r2cm|E_&e#<9UQl*{jgt;%G<&y>Fh4Nu;mYuLh`>#l zJ-8JQUn2Dt;00{Pp9d^uPXqjy+flChCVlSHx}q1%9##Spd9+vLK2!i6_g3a{ zIll;L`KLjCAF&%K><0MffDQMcYFc*GS-P8*$H>2ZXg$7^79dy~w$6Cq<0%gjW%ncl zwvpqJr}_gXppT=3ZJwRX-}Tu739*&wsH!A(XBEBkWp?ogy0f+6cZ~Vo{Ce?wh?q8 zK?lz-cMvylbjJ~=N$u@hDgKueZVNJ9T8QiVtArRsV2($G=<($(s&YjNK9PSS|k)SZA^?Qe^R zC(ru739k}yB*l$wYaIBVN0URi89pB@EzdA17S6dj^4{u-xWD_3bo;=`Cej)Q%LZV*D;i%zGyTJdq^Q3D>@9Yt!bGg{v!c|$GAS!PN*}umu~PC zGhNHvsyoA-10hzZJjhUn38bqR(0gX???W)(KV1zpi>b3kwCaOU(Z_uPuWAh#qqFtt 
zNL;mmN@y$Qpp7i9zu}#M;5MLoTgtvhh5%iEBh?05*jNt&KN2%v}G`tZ9tm!4i$MDU=*=l18!}Y}stNx0~T@!J7=uUwa7IBaT!aeHK9+oV)soR&l`? z$^Y$A{xof`lNfoeTL=7Hv8%X?Qr0wY4>+bhwlqFX!7_;AP2R0F=H!$6hm!OIw*8_@p@<8`Uq# zq=qC`!xfdlriyt<9mr!7DJ&k)Pu)P5PTl7eTO|pa&+L}=Pd!q$#u9Y&+z80SCae+M zU(IX{$POB)HucYKCN1S4mQ}snx|vrN@J_Q_$wFW+dan-W2%;h$GC%hhiW+MM>~g&( z9GJ2TklSRR&TS?FW*u#J3D8-j^d_*&5MwpL47#3xf4ioVo4PNM6TE)SS{wrOr-6Sv z3>_Uj)IKVL7?)9Il-}SENX7^Ju0kKSfg~4-T&D;6WYz0SZ#t;^iznnWvLh*7(O`4V z)XEJT)1VOmb5oD-qW*CKd7`e>5`#|)%#&&YKT{9P!yz<6BY4)ShRB0qge3vsr^=wr zAHh)8sjZFX9X~veJFTgU90;#I?3;cF*7#IhrZFTXZdDXYSX^GU@$T^_iK=+(V|4g= zU*b=)u2KO{)evXS3>x|WEA13liMjf&~dWK#(B8 z-3jjQ?u32$`)jLq_t$Q1?M%(|yzV}?&)nBjb8q+UZsyrlckIQU*rLHB3>@t#4pO%< zZD5T|eLpYsSNlA+fZZDxu6Kh&k z+}nu2MEj;W)358GJeYRO{9@^%ILa_x)4o(h z$c7ag4qx%F|Lm^K0(p#OS0aQRmW^1p*$@c~t4+HrxBpIv)-!feb}SyltkmbHUpOi5 z*?{+tJ5L8K?YfOrlgr`n#3RdhqZkq4rv~eL*oP?fXB>~R56*>t{t0I$`w)>KJDXc% ziW-eftCp4U)t;{%o2YyfR#I&T8&C!+uBwsKQkW?uaSfr*?c~P7-ks0)Vq)OSALp^U z85(6P{jU}8R!tO$bu>X>aYVzVY#98~4qQqi*AGMwy;Mu1>9n)_{FSS)scnIl8(;N* zz%cL2KF}BZM17DGoX|=;rtZl*Hd2^DX0>Ev`xZat2EShvjqN;En^UT?*b!J+B|_{u zSbtqm&folVTFM5`yshAFxHkwGcKybmv$o~k2Uem?PAnQUFS5(?<5$o`>#?aH#a|R0 z(TB^}A3QR>Q$qijGpq+>^>sdhSH2mD~3|7%gJaJU(7Iv(M2T zOF8{FCHVBpBv*2TyW?U1k*(%%A;9nXF6M8997$4+Hj^=mh~Do4ys4P`L#KK86(*`k zR9ZWDBKo-$?e|1{!Q_wrX^Ro(BM_3mY{|RCgZ0LxaDlAml7ylQ?|n{>TqeXUGx~I_Ha%)QtB^Kz#mdH^NRgzi+A80( zn!MUM(x;<08hH3_Yx?b19w+mLL?jB+9u6&&;min6Ce5EuWabP!YmYyY7N-JZcmzPDB5jMLUd~dZO ztFRiw&%(K=bY#s}&I8WPkJ6dtXN>gUynZMCQBIPLvG~waro6hiavw34YcQrd@zRLNvjfxL!Ac47PfP7v+g!@% zB-5(=l1n{l_1#l}oryEEA9`QbXGEW^s85ljsb3MIxD{=XtYPf?q22HJNHKoRju?iK zvZK-CJDH4JlbTcmY7vFab2VadDJ@;OiN$1|eo%vjE05&Jbc$C$M=ztnfEuYU$yk%BGCRLU6#Z+s+^4~Et0cnQ=@5C~ci`VKHW9a;_j2&<%k%O< zBj3-%f(WKO8MO?0X%${?k>Z|#3Hx5Pb(*(g` z*)>;%{T0oPVb-Z2pX=Mv>VZ0y@80FYc#|g-R)!MP<;OPL0Yf=x%`73;g~@(XozKYn zllUbk`ZZ_&tM#I?k_k1=U$?Zs|i!(^2!eir$+C)mjcQk(JYr7A%^ti4zHepAjc5VvE*?E ziw{bqIF~TmFoTziOrnig)*d#aRGe4sg87c6+eBXP-cycPi^w`6T2IK7DlDfyI8I81 
zpEebz;*wZpgvM=gVA+uX`z*Opt^ZQm+a*7`Pu2CqIIYKdpSPm4|4CrfI(70eI=%VR zo;_4gm-qsO=+z4oY59T|;b7Yfxrd@cP|N4870kHLblb^$!z1EQ+h?0*E2(gi0{EU@ z>J?Aco~Z#o1*;mvK7*R|DdZfohKn7xl=1P+aUSRfK73KI=_FSo%*!$6~|K`$I9ouA!!4Q{k8$QzIS+!>8(c+q(x!;`+a4&+;= zzr7kjm^5L}Z9T9zWkTebi-4GoRmR2XoE)i>4+oux$vyI-eZvXA=u2rOQeew4MCHd) zU<;@IBdDTeD29KjVRQ~`gG|*UExm4J?BaeZ2X+{A`VW6GPgZ21?bA>pRUjj>Ts(j7IxRKDuI9 z36>SBXL2Dg57F7_efRZPGQMw`O!tzm@qGP3rC$tQ1XhSgCYD>>1X@Z4!?MW(&y)xa zL@QxHE!r1!es^Fc)=#lws%$ajgK@7#!Lf5f))qZAADP(n#p z60kfH&!Pu~`-RWMAVJ5?!@EH89EhbW3CUT3j*Ec!QVqbqHUaGGVd^gydX-V? zfPI}cfBjnlmYZejI;Y{=6vS{c>XBR{>NWkO_9@31l9zsmZ9^nI!r4ujX-oyy9bhjX zD3gqZ%1$3e>)sR2^6JsyR|jTy88sEo_W~9P-~TDlwrW1%Hf?kRE8)#?&^vr5b1%`L zG2W*mFGz-S;}oe@DoS3BnARJ)tY$aziyv7! z*Cf%H#!gBezT39pe+<($TZ2EhReHVW-9bLxmz(v+rH(bM_(f zF#SQB6Cs`*OP~{Nc{x06kD`aXP!Ha>331QYyz3D*8(F%mqA!ue0}s}hj$VP6twC*L zZHv4slqh?v-JXGc*DjnZ=x`#75=p*jm zpp6X;g1jG~nR^aER_a{LR%^49xyxmiY0D@Szq@`?$H}~z=IKiqOZU&&EgkHU7}7^C zp4y6^`teY7Nf~6WUe^e=Qwsb+qBw)|5coS1|?z|ps7n!810=@eS z`|g{7%*KAOT@Ib{0(PFRd7Vlo*Nukaxck=$ z_FoIWEc0<@$J2S*@tIWgzZ+!|u;G=^jqepI+uJ|^1&O~|rh9NFNtrWh0+LG3IaILo zR7Y)(Ujmt)N2NtI#SBXHl)B9>kbk$kb!U12Gsl~1aNlUEIg3Jb zE57NGZ}fDC$dz4-++INEc=Ek40z)c3y%tRZl6yQq20?DNYVvY6!`05gedrK`BU;o$|ebCK(v)UC|O}Jpvj%e<8!n1*vhytBEqtDSCZR)Cv7TswGOR& zs=z&}#BLf&txM+|{W97Ydy&q>fVsenZ3@SJPupfcdq%L?{x@UzsCIK#4~$oKw!J~| zi%O*(SRC(`z~ z5VkO1&c1Z#Dpw~nPR7LD*J)%m!ah|LDd>_UJ}NqbU>Z^kPQ1D!40g4|bfK{1u%njK zIgJ$hX(b4uUhaF|(+sO6+17lX4@coqkuo3qfpxmq7|8ntX6}k6oOXSjK7E$9S-3~B zPtK@1xvK$BqQSG}-2;rCNe;{oV;S0tbdczis=wWAo?iKq*-g(P(JTvu&GfoQx1kY( zwx_&vYZK4Reg8S5E0YutzyA8zf4N%O_2t_EetfoVRgt8hrx_8{y6^XxGX*-@}rpuSN-@+vJ{ z<-d93u8ZLdK759A`sE6~|2J!kIZu5EogWcujd75gkT9B@bgQ*xqg*3%lUV)1Z;5Wj ztFVTSt9hqC>TAz0vhgYml+`uF=f6Fi-?(~L#MdX=y8m9JNl z3JTMj{w0ccmre7O>)3MAv4o=&`8NYw2EwhOPyo+N84q&#;kmYJ(_3F12G~gdVq*(} zQVtM}UtxpEd-*d;O0=;<#**WwV_ptJ7Y|EaiB4^FSd5V1S5g&0PbZJ~lmtmVEvMaj z^Ewv2GQzc_1PuY>W6U_H)HVLeS6r|uZ}pI7ndP9X$f)^2bRwuU&+p(xg~rIgj$Y5z z3kpmJ=TI*>{$%dngwPNCWLjn26RTfY$uTyvQkK 
zzXi%qg-&(+OF|48_$NSiST4r$)B`pMe#t17lJcx@NuoziLolD+*CY- z{O5iG?0tqCZ*HK1B^mz-MykCgbqi%8T1X-l!+-eWjwdTKLa%ug%NzusJHb41>n<5Vj8*F{Hu^0K%#)85 zpTAgl#f(Pa)flXF^;y<&HZ-@#B&TK@U$#&y{+WE;G5v5NOjN|l$mcl7f=0UMcO*kJN&shJ4F!YdREirphRZB)*Op5C&8@8!c&<7Qh9!*N8`S$&8~{S~y4z<9#|>YTs1C=SS6wka-$3<|&iGF?Z7KsM33bdc$t0?^=v6 zm#_-e$2ZiO1?)%R%K1wT3+JJG@$O+1`vTd+M|~pO#lA?%CqZqI^-LXhnJS*AwAW@4 z-5(KU@;IEd4+JB?27->`66ywra5<#N-5FOB^Cs~3v%AQzyv`6rJ(fRp$M{Y2m(OnQ*Vj1Kl>`Ezm8@S{ zeM^aCPJ2iPn8*Kl<3D*krUL%`95AX+2nJ(5y|1R3BTj@(qgDgC)nn@b4W@c^uq=BFkt@Wdp2&^8`JbN4%GZ7)j@ts&AGYmoH_A6X9-Pi z$pL50w**yA{Y%U*g*#X{wFa|(KUC@{jLR5q2`l{v)qOuKu%I6zOvw`S8!-$VP~@J7^gYaB0^rrki5yP)Zw({@99hFj(Trl{@Lbn4Y65 z1urL8g%e;^-Gp()(Umg#&1Es)yV1-Jn71S110P5UJ5Ab$zrI z5~1@CC2!W@wn*Q`I{s{ljTeoBls{E+5cM!MtGm)mTo=Fa~^i^?$zn>TZT!-WDC6-Rcfw(T%v~2<oI6ACFcB{OLp6U+2!Wl?Wh~}7C=2IjRpi|O7`e2b-PYNB! zOmmG_A3qd<$eK`T$dQv&v zM0xr#eQ{6QlTk-?WVnpHmf6jy1Ih%cX{mYL|Kl!ut8Ugt<5*W|-98t4f(@K}8ed)} z6m;i;g#S-Sl~2YU_8k1R&6T6fR2a%v9M6%E?Rr66(VvIRFhF!S^v`GHp%4lWyQXpFDBKw^mLx~4r0y6h(&9ArHc+{zn!zW{%H3K_oet5 zE3p$@+Sd(ZhO_8YQcTb-5%PYs2+6u-V(R8NIl&Z15LD&+9wxcJ^DXf5WBYIr@8}}p zbTBbY<_26!P^dJ$Vf||XrhPSJX=qm#@w_$e#{z;tZ|GK^IviIgR5+)wP z7r|U7f2Y~sRRWT+r&_58XlA#A^&t-b#=uYZY;(+DdZR_!IP7;y*q5UeDNx)szYaJc zVOs0J86~hR_3VF`P}~*AW}uLq(GiM-l+Fq1fWZWR&5X0Mdh~#Jf`@!5iT@GEJe*sG zIAS60wDjlzIsPU)D`iT+p*q5BhGQ6I)_FLe0M(&LhmVge{4;5?T9JXNNKjUZu`(@+ z@%$bvF^ieFDL1A9&ZFAky9=~tG?5ik5?aP;d5^KS-6$?H0Q=5=2+}JK5rV2I5 z3|oX5E$P;t;T-kP?1uNWFqYp?t#dy1ImQ>AvzQGr-s0wV2-u+@kzjeN8cdHPbLzkX z()G^CmW`<@LERw|kku8}G~wX^_qdIDn>gjXx;plum@fJUi!Ln@I!C|~6di<2nP+3G zc-pFE-dWp5?M;Rh!|%2<>a3$syA5;Kw4e;VgurogV^LcuO5SgJGn??HzJhB+lfj0O zhRl|xp`|=3xq)-;3gG4+rh;~o#(Poc0^nTV7N-4|U%(n6aTcV`md0yMsx9HkhCeq$ z-_Q&6rB-%!HQB8p3vq*gYgfDzKRHe1tkziW_;OG^#Vqm9{~^rV3N3s130K47{{0m{ zFiiP~XG(r{uFMiR0F0P*TVP3*R@$I4ay4{C5KNx`yW%~)mH~T4ye{n+ zA-t|4g6lf6{oGwv8*1p5>o*n@n*3tWTG5`}7a!ptf3x}N@tfGD*A%&$#K&R z?wVU$X+5KP)9{ZcO4VOQ=lMUM@UnXJ^wht6LXLAhU~iHRJ-wLguOq3T_ym~5WKA}J zNoLEy=y=pZ)D4I!FzTajxfa5^8ug=%m1x!x)=CRuMC?S2Bt=3= 
zzg$w3Pz$d?9Tzp`ijIE{zs96<9GKfsO__?d`Hf-XTeIoVW&R2Z$hwMD&x&y6l52#> zpcN+&Zs2P(!6`a(Z>r!}EWkaPL7=;k)^ZVB+RYw8#-^h_wD3-%(b}|JrCQal;jix` zf3Yd2U$DzA8%SJwN*Jmj&DI?CI_WenV8S?Kk`aptoPc8qnT@4|pid&}gH+H3p^4TE z$aud^E2A$&%ITml%BH=erX6BhW>MTZy_`3pf>%cVgy~ErG4XkCftXJ`i{}IKLF7BJ zI;5sBl0@%)TeMOTS>mDEFB3dyzg`b_dDbz{pm^{FW~(>;;vPkpH0(oUlW8=JAFRC6 z53O>d)dE7Y20c6MnHc(FAxp|gczL1?D$@HW_=iXznI6j1LeLDC1& z1vY3bGVuQdcB@&9Kl%!9y@oA;h@pnwP5^`N00!DQOa`d>rn>$MM7((xgn&FycTVdQ z)%rC1AGAotteZyso7hwQl7OmNH8@ANkS9CBKWf$S2-#|O&E>oxY3?iYPZa^=$2l!- zM0mj3EuFvRaCm%fPep-R z-`LzHQb()PghF%U7`){`tMI=C@qfp?Hn?3$>QKmKU2+#c=aQ!bkNhr6gh_vo7F zVoSKLw@A|-M)Sck#(`79pIKr2U3<(dvJ<5V(A9T?^9x@&o5Fy_$C~o#O>9-#wZ6J1 zc?1(b*_P>yJb&4h--LRZA`96n)sBO|lF~FsrRLV^kNaq|>QVPgzKI`jvW9VG*yW;* zGo_VFpMldb8<@2FZH1)ybB%YyV${KT}xF;3ry_kw@qxP|Uh>!EwLOk;QqD@2Kha$H60QHhN+poHZXSYEUpb^;a ziQX_=zE7@yD|({gxFMsA7GYRc&K1${6mc@KsrDB;JV|-h?26a!=kD+ajeBDU?qUIQ zMLkiKtKT1gGx?A4eDHCjMmPTv3u55c$*~L=zFSq(V#0D`OK=?zK9uSF!7|G^Zr)>3 zp48QpK-Uabj%->JAzkn2-t&KU1CLgnEcBRlYs+SL`1ebNI2q-!J>0o3H7jcjx_Sz- zI&t5hVXb-D)Fq}A9`A@vF?;x=26?V()VI?}PUTAcnR4qucMP22|AnN~oy=+x7h1q! z*srC2^|NsILoZ~{CabzHT0xGTX9hT3Y$z8T@{M9iU`$H5l%xzLy3b@p$%wVQn27Cg zZucqE@NQMHq)Qpq-=};k>wr+@hoF9_-fH`E8MVJW3YWP)3N= zCmgRjjt*;=pWYiAi&2v`iC@?b?8}98oF}sos;O@~+amN^EmtZ1##}MYv&89w7<-te ze!;x2Pvw|`{{%h!bk!rH7*tH`R990q-U^T{Q|rJ zaS5N{nlu^uz>?utDWi^fNlqr8jYVpHbXyk8WP^=kmihDs8y_q-WyQXomRji?*EpZN zx1X&RuH$^sPMxw^Bjy3GEEoMXo%|Sqi9p=8)A|~yV$i`&n$_$|QNr(6jWG1jsoj%>)fpy@PO9-u8k#&`*Az@410N9crg*)C6TT6frGelAyykvz7e8 z?XwMA;d}{aTIPpyjwSLyP=8JN44rdjp$1AA9a_ z3lwpyrB20z#iSr3D*Fb&p}FlQZ}^tINeJ(P5-8ev&pVfc0aM69;o%73pJP!(yHa@k z;k~Wa6+DqemsL+XXxH~6@wU)cOFCL4u!6@X~O+LuQXEOp<8Ld z*P`8=mEYs>tjV`>Tynf(Z+}L!kTfh`qN>}geTKsD)3;U|hme{=yZoj{lv21T$GzRA zI6eSdBd!@HyYXw5S`hdzb>>w&&ZmpUeWR3m8dd9g%Pns~cP#HxI^?AK8miUoY)JN! 
zqEGj=G4irTs|+tiE&26k`?hVZ?9kl((cr^E18 ztHnMS|7P<2fk}}V`fVtwhv_8Mc7b#(yzn%-&uo+!86krIg7sv?lNcFLB;7AY#zT0M z7%(Xfpt!aR@_{R^*MfX^)5(e0(111T$%$Jai4qI6A-+kEg?}vxm^1=_Mg$128bxA( zC1f{Rx%k|@W7);YWwGI7w(~JW6{o+uSWI<3wv19|xPRm%%8+aj<65*g#u$fRO&Eu_ zytJQG5Fx^cg^2M{LxOcAh`5ud;NdA8CQ%t2jB#h+$95pWVk$&#AJqV8qZpTtgE7WD z0G)@oba9weFa)4Y0JJGs#~gqz!owE=&~gB}3_zQJohtySD^V6rvkBLbgLMKB-2=QV zha46ZT!{#&n@#wrn+qk&=YgxNS=;}jOvjaoH+dx-9zdW10@7B(#{h(wE0M?lRqX!} znn}~F3NSKHSdju+l>!*e0vrgan^gfui2#%*c|{6nbrxvVoFfY00Bp5v{a=)&tw;fk z5&=f;0HgmWvHufPkXzm{0+94EbjJhus;868EhIpzXsAic|CIEx0mxQx737w2i~tCu zjRDzQKrQkX55); z^0fv(6Hr#j4t_?4Nn~4qaHL6XE;shOHYqsbRR*-lbGH65fwYiE=#dQ(1^K7+y5p7{ zmYMV0IN8Jra2D|59WKrfsPBL{1`KRXs3)35-n||{_`b27n@EJ?a%8pr?Bw{r3Q0|YUWAi@0#!7lf-wIR n`rn0U0HPgCY#h}s9GvX|QU3{tga20x8hC~QX_N~T@c!Qbi1aVH literal 87803 zcmZ^~V{~O(*EJg3b}F`$idC^~+qP}nwrxA9*tTs{cvH`L-gdwH-Sht0tF_tIntP5u z`sjVEx#yOZ00uz;004jh02MM&S=;4m>7@VwxI_d5K>r>!us70kG*U7XG%_}`Hghzy zv8FY5u(7`MdUII+xpZ>5@%!IL#5D6<{~&6l(p}pYdgKxGn}iq!^j|3T$bVja7-=%y?gY;!jmm^~+Nmfb6* zVt!DD7}=NY70M3Cqc^})Y@DT!-wrJ)A*CR{JnaX(&krT1mKt(Vd~Ex4jndX%_k4+^ zoP}KXpyN-GmCNc=n&{^a(&00CC4~*9il^zcY+f9StjNtXIlBv&pjI!=%)j46k1END zuk=|`i_`oT(;rOpswKKp6e|$S6E5FbH;2NK`H&aCe19*UMrC_-8>gitC!5(mqZ{bC2o*`Xho-C94bEa)*c zWq_!6=BQoq?kvF%amY|0mw1>N14O@eNr&vrxSJ==y|?SPG)WV-{tl=cXgc1lq4Scm z%s*t$PdAS`+Ei+W`r#-<;O&$to+f_!kc82eE`wjl5d~~mTEx%8Cb8A z2#h`HRQ=qpS}H@bh{8h?c0Q1J2n0+%&@h5?WLvJgv-df$JZ_sFjND@|cO3H_K%yC% zaDGNdSL@u6cLl_JI=rd|AZvc-IiSXwFsFTTyFsO0J5TOjeA>adS^?O1pR)4933?CV8 z%!zeydn%n!=H#%~T6sP0Dd;17>>8^n_K|M~eYF@Y-OUsH`XR!!v)HPtx^n(G?fuzj z`CF|zox^uz+qx(9>HYx1&?0YsSVFzz7*g8%9A{{bTukmgqOTGx9uVTUJh>)xEJNRY zmR5Ui6Lf+64k9I72-q+hne^2cBdJv3inP*CTC#Q68LMkYJ2%d(%`BZ3teX$A&}n-} zX-Q^te2p6IOjcV2lvMj)IRe#`ZSzEA)c+teh8s9yrbwUdoj3TZY>P}WQgmb|8f z?*Um?Bs^P)Pi?rj7d1dh!Y}@-w2u}Tb+ymBJ^Z2V77}vS;CL(2;w(jWd|xc)>w8lH zK05TBbj{waEABIhFBn~mi14({9OxR%35PB|J^%t=Yl6~(Cb6BjKui$1N)1^%h{IJn zG${a&tY0t*s>691tqr#5$YP7io<7I6lRO#WZK7N?guc;0Zo4)))%IZPNh>HKZ! 
z-+c>y)KF?vZMvRV2DpQ)O$!#WQ~WmIQ}ztUfVB{Yn229eLu2AQNu+>;vf|a-Iqdi{vHdx9#1>D>sH1wuv*HM@3)#0mu*bzX z_4RSCLU`=`HfmP&#K|}P!Hemh4j^CkqZFHdP)-4s>=%}>w#ySgvK<&2S79-u-|7$p zxzey+2^)JA9VGWJITiYRXWKz4&~TD>ACPN*!-}{JJ8ZPl@L%Xl8{`p&T*|q$v$&q% zQdhjeC)<-cU1A!~M|<)lQhp4(C?1{>0=F43o8T;>G>V#M;$09h%UNv6Q^3tXI2 zexgR7TmAyZ7L*te?=69Rbd$ZI7c%_vxrFx;LP%s@>lVuj+EbA+H?pW@rS1tv5euFc zL7sl+lZXKj(63M<+5QFb5%ZzRRop3HwwGS`7t`s20GfF@9Sw9-jP~xMWI*L_KG#sm zGS#8Yh>I+&F#JLMhjGD={WBcu^+kt7ube6d`Y0p z?C%Oc-gd!Ozwh^@gf_ivbux6(fS7T~U`++IZ4f=eILy=Uk94m4xOK1n2;93Bc2vKT zO`RI6p%->yCnkPp5NCV|7+@EUs7))t8hm7X;xB(lhZUkJr*;@A|Eg4Ea5zvz6@?9A zRDw!urj*o1UE(o=wb(wvc&0ebV6b)(16V0~y{s00c9DMo zo|~=e-9nx=1$1QO!L9rCcGoa_p?PNFSfZgimsCB-ev@t!{fVG9X}d3GmIYdPvEZ&V zOIq9uaPK+cpOk$PavZ8HEM8uHBu97-Ch0=tz_KHGcjdl%y;v|_P8)p zcWmveq@Zeg5U+fvwoxTlp12&oLFCYv4+yYYQ^X2+QVN0$1D@UmT~?YL(BXo+`fio8 znDFWlz_G;{o3lxYaXnqvwTJ3>>LryU0c&vP zuCg#gE=IR4g&1&|B+qyHHIG+AR`&ez8bu1NckKfd&m? z(CV(Wc473{#&=oMc=y%lU6u#;i>j@NEa2X;v)yD*aS=ze#q+;I2rATTZ}Fn>q0s*J zb+S{Gl%E-n!`@?>YMA!)2tSo_D>o+@39-dqI6FrG-dXMKjgteumiHG6T7)0&N*|8Z zr+>1B%lSwsHaVVB@bQy_5aCe%^iv|Z+_LuIV6?ZNxq47U?vk*N>6r&u;|Sq<0A}zk z4>!}NA6Dz6G;H3v{|eBa*km~)K%w##JwAx5>+e|d28TklkA!X^Aai1a^CikbxGxBD;x@Ib@uM5j@`DC_%qd5^o0ez?BQBPGgEF&j?zF zF+C_)KMcken0ty{c+Wobz+VN`tJ}AZ%AB(UCghJjM{$RmS8Q|G5Q_-x$-hZhd+-yK41KXLK<-BI_}<_**QuLkejfb=d3yON zKx0>r9>fHbJ5o2q@^gE~m)37Tw_xC!NSbDh(Kx@?l(XL;eU4}ee6%d3QTkNC^FRSH z=7Sb#oYfSg0kO$dZeC^KMxCR5V|vW#lBb%EKah&zbK&BuEQ zgh>nIAoA&}f0XT$)YXpY(irTe6VmtJSCOI=qd`$~g#c0mO<{4?H$}RhVAKg}FgY9e zVNqp02*}46L{k*ntkJPsY}^70_)Lkq`f^Kl;_fc(@uSh;xcgMc zfFG#kX1Gk-IE9_+nxldeb}Au`Jd~#@Er^M1)8|JNx&`qu6xWdFbEi+^Jl9;&0$lGS z4oo$8akKF3jsNseDh&-q9O5CpEenqoJgEyd@C#T#N-MO6Lb)=qHAzIzTx$E{=yssk zqJAdq7+mx%nOabOxb!7o5t;J1OlC!;*PM<*u9Pn8;)wVU**I%qC0MW-=0#?@sCf$P z+V=drU#@Ae>0!c@F4_5qeAJMkSrHS*lAvVy%`-wDS~xLaVxiDC2xKK%v*?)>e*IGS zC2^^{vxB8OYM(f#fUQ%|gzH>w3xXM34BlXyqI?hblHweEILIL}IIulbnYmXONdh)J??u)WwQxQsgx>v>2Yz#UW+6Nz5J! 
z-QoQZF^2Ws9xrYjDXOJ_Bk8X_5zE3Z(^#A}M2I)^WU{LlzM0J@)|q3|}=p?L~+$)V0CiwA=+u!!n`=pDn`%Jop7;PJqQa9RZj3rL8gi?B^#gP;#^6*#V zghFC|o!5M}x0=$X`8Lls3)_pn*ag%40EZZHZWvL;1tSIXo1?PB@L|Q&BIV0(+wQJV zzwRV(fUQ25p}d=>+Ct7X{T##kiC42Uh$VcX9~Ov^Kis^DL~9kNqB?e)cWp(z!6FRhbr+wU z?%kgxFD?W1Adf;KF2=*ieU%59PV)x9tj20Euh2x~Xkax$fZF_s%I^?hoho;TSbMEh z9^CgT>pSd`eQ*1|_dsksZSnEn#nxNFQMX@i1Uy@RkLq>T6K_2M@kK)kp^z(JgO4Kq zxR?<($+iy>`{=kczp7z63Q%&N`|6^UStN)BtGeux6+i_pqgj9vQGNrMY*S#C-E%ai zaS5jW6X{PDE7nTX0k$C2cc?B4-#E+-2P_F>MX<^|`RGfz4vNG%%K2kpR1xEM>Q3(? zJBCNiekwdDvGTw;d9TA%OE3#2qLAeUm44U zI#UDss_y0YTZi6-c1dru^g=trY(~hl(ZZ^WC}iH#`BW;y#cR-`Y)~=bsi4a&0o%bM zKwgD|$(Rf2{j~i~b$ip6!^(@Dh@?eN;P<{i=P4bCQw)Lg!3?pK#(Fvq$aN?t5KHTl zfmE#fmi>@HNugtx*W2zfu%)I=TV!-n91b(t(h=qX_PgpN=y4&Yrjqbo>@7^d>Fr^L#2+-lgu2(5R$9 zZaHa-!SCyk187B%g=qAOu)E7fXRa&R!F8DicN079$GiCG6?CJnz(nmfj}wdJ3u6+w#qoBZJX1Sm)N}M*`3L z&L0jW)-B2jcyzxTWO_1|+8TH&Kh(wwh#x(+)&rFseZF$P*#ShpyX$T^_V)rFxe8lm zW!xhMDILW#GW-@aL=}$JuM8)dZjbPN!`a~`QD(I-^V)r)_xXJ|UKy5&2c-JOLbBT} zo8BvHUt8-`1rU1N20#)rMNS)>(91qzQVNZv^newNfR4wd^?3m3c}Lta7=HGtERu^2 zqkz3ok|~dKq|E`N?N87E#iWkAQjiX#U$sJZv2K`#q~P7gtf-$EajffN!;6DVr_fcd z+pP#eWQRXlD?&D6MC;+|6j|5>5Qd%;yGmB%dS6c$t@QJ|d8ni~@EZ)Mw*bxuHTKH{ zLQhjMp1VymJpfH8f?aZ&1>sQ}4ti2Y^3pYrY`|o9s=YdU`qK00K1GzB1%ER2j=iCq zUabMQ;O!Ccc^GhdEwJe7IJ!m&Y=?*t-t`q$1G@XHmucKJ7p5IGLlU_#(2j@If7=Sm zHrz3y<5_joxHw^$$pO%zLl$H5xV^_bnoFozJXRodKOd9|4)KRi4@8=*rHXGI1!Lm8 zUGu=pw`6mv-~f#%v!G`_##iLXPaayDPQASm127YfcU2W+zKWowh%g(<31{&}1q zB2~(`hMer*^in`dF`mE)@FbTmnZQ_&&~VE}MKti_SwrWAaIabZE46rr5wd!0zuk0g zqKYGJdRsleh-Q561WM8|g9WIcj**wTIOwEI9gB`f=kDlW;gCjyJ&(RyA?4?tUM)hN zRnu@TySN`nICpXFoN|$<-5vlX5@jlqxj>v&UpM|z?$@RN9?BrEMrxk1BY=x0FF8sC zB&CUvP;stSOl1&3^A3%G7DRRAYVWULK-+>qW{ej^?|2MCDM3?e4b_DJo|g{!wp9BF z5{_gyS)Y!nt9>rq(*#G|^a|vjOSf_z(jW@2?=m4jrr z;dHL`afQYzT$_Z(pzh!O=>!;dLq)*AqbtnA>wrygs-QPV{!$p+zzL(eLXv2?~ z1tDQHRxdf298Xfh(I3akhaM~1Yy(u5u(&vU?fZ_EsC_20_jTeNzz5An80$||T$&0m zKmvK!dGyz+rkQ6s>ylCvyNaOtS*?SgzP&o)X1%0h?Wqz~49{36F9}%f&h;28pg6Kg 
z16L*+5C-Y7k9>i*4HC>1>z2qV&~u4Nl;MM(2g4zXDSdTKYoEQ^sfr+&7qN>3P7zHg zeC!2;fO_(YEm7Bu%5S^r`e;XtWyj|ot9uoSE+JD3Sx&98EO{YCXwFCHeTdYE<@%g~ z3jf%pmZ>A@&HP(?+z})>6qk4?}q2uwDfCOq$3elFg2pw zUUbr$Gt&IxSHqLD2zk7^reMOO`r3A|MFLQBn+u-w+9%l*c_WDg1>~;t1_aJ@O_uvxB+<%_^{@4cE_E^w%J>%Z< zh*`p{Z~r^x_waMpbrU+gr$@I7)Eh+OI%AE733BD*U3-eJA)WE>zD1@CqfBd%>GHI* zRTG=(`6F+A zG!B7}tV9K(x3$KFMlcxIimgKi$jFj+ln=~3dBB*n1j7SAfeq|R={bjm(iMvFgL>L- zoXxWh9U!s2puF1N15auOlRYqtuyrv!3UXGpl|X;wa9iFouQ?s`+w$P3*w$5|NIT!VQf;=O<7Ww(M=OGf1CeRKlW2hIQMX#Wrwa4B}jIKubHd^x#K$HshsrWzVOIdD+}b`qNy#|^t|omeIK_j+ z^dbP|T=>*JuI0v)kk>Di4B_?-5k_~mzX^OE9h*GupG_yq{p=cQGyqsW zh!Yv6ceOKupQD}*XuFT|^SCLkgBkAkbM_b**+03jt_*n&ocZQ6(nW`f5{|haU2hb} zM&Jv&N@Sc1MBtyZ1!dq5^-#tG0!m`Caq#eXur@YUpQb0f)+5e@ue>6_F22~G|d*%4ER?=N<_+2vJqyyz#3}ZB7lrlolcxg4fjj(|B+JJC0|9RYjQk z5|q12K8Q`#=Ve|vNHqj%Ry$C(x6(6?jkYfQz{bNkqJisA>DtkWMK}Z!;1iZ6I_*O8 zwiAQN1s9C&KC!#Ysu0g*v-1w0ekh(Z9rXS*Id#>bF}`n>$-7c@9QXwqD%#hYo4=AV zY7pF*qzs_y&$-Y-ghjrAIX%c`cmO1^Qze**!>uP{p%b63=mthgQ#w~uSn-E+!oZ*6 z59oQS9(DNF2bwQElQ^cBRaXkB;Niy+Rfl?C=ok+CZ;WB4u ztYGGWlM1pn0Im8|uu^_RVRlilM^Hucp$<*>o9x9_3Q>eJP3cG~uFmGj9MmKLRL)~` zp_9wT%#O9l?De)B_7fj*M0f#vxE!JzH5F2G?D^0;zFNPEv!^u4!SQ`wjr1%*ladZh zm8*BfLjsh=_L9`~K-Rp(yve4B`n(|%;r-ZAQhwaY{*Y@2AAO%TiQnL5GB)ze?IH)- zMi@N+y(rpb4m0BA4^v&z<{L8;|M;BRYM!88Qp2_ull@r-hn&oV~`>hu@rrDHfdSs&Xt4|Ii46u?QwRng@VW1GLoTv(EsLzD_Q0 z1@m?qF$~7`+9}b`KhvOLo5B3JWi)qX0D_g$)3Pehhyp1F{kf=zpWP(kYRWeSA_R`rgd#e=$F5#6(4Ht8YQnh2rP#1wjnX#oW`)5@w zydj20$?(xAVv0o?iJM`ZI)?Nj|rS)7B!18A>rV0zI+ER>{hEdKU zla%---;L+PH%8j(VO*1wN}@2e@yC-3QLoxNN{E|FkVU|S|FI8(M~8Q3^a?M)ANRDE z>anO{M;Flos)4$?CX3f>M!Z}r0 zPL2G&ZIhV;c$ozvTBc*NC21hVlRRe|<<~?zBMxH9JE4f+uyh_AK z!%o~l0Dk@1ylG9=2luFL(=$f>e!QlDoMEMm%aXO9NW>?9q8#zJtMZr6L<((dDf zM*zK9hT^u@E`)=lL9gXAG_~ndl08+eA52ZE>}ly;w<`1g*|QGc6PJ5OYBbzRaXerv zyDzMP>Vw-tgP{aA%7J`|>GZAA zN>EJsVDO1<;Yc~e1`GcgHPtfyqNNpY6x; z=aoY$w>kX{RU|O4$Qaq@JU$cd0DLym`yL_Bj>>Vz#nG*)5%Hq-!iWh}8^PA9xenSH z4e|;{MBj!SK?`YTXh%W;JpH}ZJ(^UnSN_9g{@8ga(c&qpp9#_fy%wsX5mYump->55 
zzZ#MX2Nnb3&&BC!RIQ8*rsaY-hSJP79Ab)dl?)C`3p;kaX7o)Y**AScm?XY@11bxk zX34Yj%0Oh4?{{+h9`$5NlM-GhEIGht55p2WAd3n?Cm^ac$vnljyjUn*YB}us0-&JF z=7tniib_7i%Ssr(wFoV@+c5iP`Sngz%jUwy63qqm>=>OC(4c{?JF_yy3&Fz z*g@gn7TOZQwyvEy)~=8OcdeurDRnlNL*;Z@J0uQ!7QT7?@dL<{mbu$#PSvM1v?%Fb>y}Zm#}Ge$M1OJHu!s!yghh@qw;zBS^MXZy3?Upn?v^wOe{MKXAZRXDrH5&l>OSs#YO2a*F`K+Qpa6o1|IDUEMe9oG<>2zk z5)XI{iA<_8Iw9IPC9lXmEw29^oLWm@uZsA=m^iNq6i;-{^Q4h_gBV+Qr>J`8DcXAg zY^?uLSYvxj?*Rtdu7>nx`k9MHti(hhE8A-$JBF}*z2eYxC!c3eCOd(GGv*x6?$U67}Jv7I*q ztgrAj0kIdLg#Cd;^X3=Ek|(Rr;=UX#ApA2|QUf3@o39qaR{ceF8CcCFFo9^x-LH=T zNQgS1EuMP7K2NBw3yGKHpGNmh23ciT0Dy>=u=2Wa$6{&a7Gy54Pg(-p-qPc-SL29R zV1^ci>2-i3Kn8lFG{S3jSy6mCmS>uFiBSo<6l(E%Oj>$f1RA&xR(^GqM!QG>t**De7q+y;_|JhZ?qVTlNAPUMX}Djd_Ef4XP8SmLwl8vg3}*@ zR)b>nfNPb-`4^$1#R@B<$mp!r+`$SO^2;Jiwo#i{#wet4`*>!QN_5_pU=ASnZ|ID( zSg-&{&>3r#STo?sxB2NOe@}opR<}gv^mXqG5ww(2R zcy49E@eufjgEIGyM|WK&kuc>q6VTcD|?~DY|z0GStLJC~~dX z+0^%Ry~sPNB;v`NHOvKI_LAiofT+XKqa>oWu3=v8tJ2VX1KYK3pT|eZ2lF#vnv}2Q zLGHcie5tnKzG8c%YPf#`e|;C(ThZNcti}6~o6q#~bMt!p!$DwrAd3g^)rcX$Ev>e86XY4%hu35~b93F{4Q;dF&)vl5 zF(sc#v=9CVT6Tt(L8S{#mqliWDZ@R!Xxs9MH$y|p$;EXZ@7Mk;h1vG)vBdj)4LJn2 zk90f3RQthKUC#CFobx5g=@;^6WKW&SI4AE9P@kvFUignw`S~W>Ce@d|yHl@sTufLi z|0g?{c6hNO3!i57z3fIKW(=z{aP_qXmwO{!3zZa+)-w~1z#!ZeR}5F*(;vp&26U^g ztE?{_hu^R5c>P8@lQsq2V?l;Satmqnc{>5W9tgVp z!Hsv&V}^gtbu4}VYf{MX8PJ6t_T5AMy#$)3%oYXqjp<{1diFDMJ)qLU4wPj16tpZerd$;p4rJ|dD|GI4{Kh4rnY|U5F{6}{sG%2*1~g{ z)8Qbio8ag-@nbEJP$kK+iPv8RJ55Pzj_=NCu;SQ*xYVDWsGA!I`AtuILvu9!{5mvr zNJjwW=n?E+6wUhQ32io^=*pDo_n2Qr+p0P7+R*D+aCLIpkN8pm%$4AqWKz~3ql3>GW0<#_s@EL4k}IL z*;RJ-%ghpkR^chin`C&E`VDLRaA@lk1UKbVV`l4COlqZkG4B=!}nKv!Q z>nVz@B)E@|;bNc3V*Dn8O6iL3$lyM#QVoVB=ny=8`Dr@y?BXy_b)L|+h8xZt?(wM5 zKTJBx6S>B?0qHw^cNNO^rDKP(4GeHB1UTl+u>zA^43O-@mNX-&k2nU(c9EqskB-anEo%0rvF760hr%kag?tI^uWEc0xPK8wB z?1c~gvil~s+n8GqAT4pN-E6laV*RLAjS;6l|-%U;q3W~fraqhfwsR#-!mUYor5GBC|zEaqWF zU3)SR{1oAC#Wkwz2D|K_jv-}aIO=ufIG8gnp=0uG6K5+y-50kXYqMJp2#B0lV0>FHy>1 zwivQk7Ivbb#Kr!|W$_`90(*u4&4NhFiGt!M 
zqax5ttGHs}Oz=D)(O%ig@>#BW8w!VY_E=dQ=$35=Uyk<;t;C~Rx+KdwcT*smM8lFC z#S54xm@53Gr4X}_FwZ9|Ae$(4h0|rFAo8w=jfLZ7BN&+8S*nQ@k$;t*4{lrp%epbJ z3dv8<#p8m?^r%nHM2u}SjA5>>>|RW}rLA+H7uEH#uG&jW(@K&88|*|&Zk|LJx3f5U zysijE^WZ&58MG@sW6NS)RrtKVEF)SmwE1__wN!l;Uq`mwnZXa zHM?;(Boea#w?MW<%9R=JSND?&b6Uw896m~ccB7lGRukwTO?94>GHVehz7BA9A*^-b z>o|wl4#?fqhP{01ZCqbZbgs~cc;@fmgk;pn!(EuU0+8$o`2Ir5 zbSwPEjs)8l+?gwmJR5NSjsdJS+~G!xrCC}Uc3W_6<|gph8HTrZ7CV~FW?|sXX7B{F z9!{s(QM6fWrA~}kXM)WDGZ!*IBb>D$DIn>NbC47k$&OqKBhzJ&*{jlEXAy==ET={Z ziRia#gVoZKf~$pvs@cIsvi(~=7tLj6vi&PZOBta?4ODH=LM_o}-L*}zchnGPy#(L+ zD~>u<*m+u0am+OqzDCaKyiJBwXR|Typ5=^uITd`DH_?`1YaRTk;pQvp$vg{=u3Ouk zaMKn_OGwd<*sH$pxLQf!F8fIVOE#VKGqH-bW)cg{QikIdImp^|qf$__qT8=pZB{t! zwM1GX^ZeWoX?c@1wb?^E*P3qbFg*09|HZjT{{RSze^8?nvL9S?7mfTy+I-e)6P> zpF!kl?)cVx+P-<(NTui#1@>+k`?-tKNhgABiH3x-0VIQMDvgQBC#I%YS|h^(IP1yQtE$&&lGNBfI8ni>fLQP% zdl{O**{q^pwoqFs=deGaA)&1Ou3?!=BJp4vg%;SiO#yeLqS0{Stz1mmlX;vr8SqSO z%4NV3%C=1>gl)M~ z(O9Bp9cP^4u2O*~%s%p}WQ2(n@MCU8J&p`7IP@_$eCgo+K{4{b7({)es10B3FoJ2o z_RR=x500NAUitfxA_tWx=gk(;w`zLN!^j=yFcWdH{@6F8|Eyip{-3pb+UK&1Db%VR zCom!BXjZXAq2fA+EUnbvawDs~RARuAzP57Wo(lKGOfyzON6iSPI?wvbe6N7(T3?5U zeTAABiB5ed;cp_-jhFr$Ob{PeEur;=!@UVG*M=B)?WA*0n3?9rh$!o{Xs$B^Z}R)l zpF&f#LgwJ)`mljsPm+PB2Z4aL^pSz5B{*sZs%5+w_fw>z2_?jFJHv>K{B8?-eAHIK z#}p7@jopvF;74yOsQw$q*gs)-{vTnCDcEMoOkMPSKkg*F-#wob`FOQ}d7`|`pE`e| zJ8NnfDGcmj-u@TEzY+XpV#0qh{2M^F|M~apDQJnV`T`EzMmNLNSr=lrv%2Xo+KjGj zo>QsdBa{mMf$W)dzuX&Z0FZbfP03A8%z_MoKFT z;2MXc7qKI)^fUuk|M$g{a?wSj;y%S~y0{y7Z3w(%vt!9Tg!#dE(WkEgn_Q$@FC)p@ z0`su{!+#mLfA}v0$4usCq5cgW&R^)VB*}uAuB0F3QUv{;CU};X$wXa(=PB%{o@i8H z2Il|wZ$HA2?rSWyN*Abz!0|f6P}Ol64vt2B_Pa_oFwuSNXkJIvn8*6Jyoo8;)=ZHt zOL*Eh#c@}fZvQG~7pjgP31_zox5+HX);lZS#C95aYGuWJ5JcIq=p_R`#g8UyqRaVP zKfdxbH)DQBiFvxJhBE&%jU8fTsoB$p*fxWs0V6IVN<W z9ql^i7eJn^Dmc*Nzy-3lX(RKn^ZgaGjPE4=6|(>tI7TuzsOtN%$GzwLb8f846GzLa z3%nz`c^m{yXkaRi>hrU!)|la7PQ3gvRnfkGg@I8WWTIfU;(HP>TPQqB$-j4{7yYF> zR>@zoHw*TCqqKz}-8T?L(F&NO+3@WQIhy<5zL2w#Oy2sPOzb`i*G7iFT(?O6TW1!T 
z-+G_0js&{==fM42r(#%(cfdUDC*^OtJ?*0uY@t2v*Yk8MrpQd3`cNjqt$+0?Bd;V$ z$=5cqUi=QGSTXmLv6lGO$b^O+H~UIc8_P(M{p=!m$&Lz*fw;UFYA#g|!_>xu( zGl`&1Q~GEE@L!SWIvn%+$9caeAf^kjz>jFyai^!@z?z`q2ySxL(Mk4ybk`myo9B9(M7wkX`%kbi^`HKJuuO5|{$@8#wHFl%Ue zJ~fJoHSA~@)1lA(o!I|BI};oOJCwe&5YN@Nb|S9q$cPam4CmLF8Xu{+ewM&?l+9BI zmY`k3Nq>gZb z+F;)lqJGi%X2EurDrp!{mO63HG>&@e7=20J?Lu0r!8m=1K9uzy%Ri;D?qL7_#xHi> z_rZ~)*#lj?Q(DS`+v>bLH+hN?Gyh8zKjUSM-5F;jHP>&EB{tOm?Vrln{@P0UE0kg2 zz2E%(AD8$TBvbkF<{qfNkj~0mWqF|RGBeYMe;mWuEhw;%8V=A~PQ~ia(CmS{5dTkk zVmp(V{-EUcHIZ0|4TE0FiziyQzOx8=nC3qC;fqMS(DG*}iJ$VS4`1L_vf3$m?SsdH*XJVT;+vL)a4Z(UE;f>ps-Qv_SWhFbh8(qzb~UUlaz6g- z(w+$x{r{cf{+}|i`gVY$#9K;WivO(O?Lc+*)bK>t80&nr7H9KpuP^!)xGz_nwWaIoFAU^GQe*=*7a&T5<)>yiZ9n%hyzV0+ai)o^Rk3Fo24@a7O zD6JL3#YCR}S7`nPf~CgqEaY$_g#@{Od^dfUE*;Ucm#gkACXr6i4m~`-_UpDBVwvnk z0cC{E#MtHIO`lcwp(x}%)DHP zmk9qC@4LyJB4ZW(_C8j2&Zw!8Q^_A?3Al=_8W$kMr+Lf}N36z1G`P+XT z{X?tu?+GXV>AwQLE6W1jSO~nJ`!re$`9LwsZQucVlZ zPgZ?6*RzFHk5iq^rLq))v18 z8pf&?TbwvAUz`q>&M2~^4=N0w46 ztj3nvxandOyd`*(_S9N%MrTWxTPJJV)Q!y-5{Jvl7OB=IO-jVg`Mtx_WGW8N?~ix(`%?$&)Um|h1)V=ETQ#FX!^z=QG%q~v2EM7 zZQHhO+qP|+cWmFWZQQXvZ+5?Zf2y*xt1F@-I;#_PPBB!Y7p|U&NhWG2!-X0YXidbj$Rok#}4ugW{cUXC?G)bDmZ+%PxzqDTlPU+ry(jbQ% zwAP@F_>&gut0j-ul|$pFiTWu*GJ$!a|KuyuW!C7sDR%<(cBhHTp25bva?C)mL>#%V zLQizQ`xFl}x$e6K_}_0SO|gq2s#m?dRaedC%Wt+dvY!59Yk%!wFQ@*bHm}LH`N2}2 zq%u@V^}@9s9)a;^9#eh`$STEqP*jK)(6_2KNWi!j%ii3aIQc%>^@8j9Cu{yKK7IoC zblqU)Jo0||+~#7r3&oZ!cW2ZHk-wk4T8qy!r!DQGetfl_d-}(sZY&31f5XUXd^^t0 z=K4xvOUjI~d2i<+DpJcqwG2IOWuP!?wsd6h9na3^tzW+(L#hs6$j7x8qS22@+|IY! 
zhg;;q{s?!K%i8BJ?HNs~UVH#_-SXQ$#$b~oD_ zvCFYEsiZU5-P?eP)EFZ2Z?MR8N%0u(@+=clW+05KwvZYQ^gcWyXL0vN`+2%P zP50@)I_sQpAhGWn(ed%U$=h>90y*Y3f4S`B`tZ$aN|qwn%fM+pvN87pQN^Uqtu+BE6eCFKhhdBHWj5*I`=r?glsk4 zr+)V!&uERuXzy*G4Rd&DZIyVia`WI)ReqB;eFsfr4t`K*4LWBh8Zn!E_uy|4Y<5-` z{j0X2R&CYKK=s%JAGLZ*xSzyjtULUAP;t`&A#q9Bafeg8?+ zzgwkLrzq@zAJ%xwJ?lG!T1W|~WwJ3j+l7?W&u{fKp0c0eB{P><*T`Ke`D%zKD{hFE zb=SDv*}9|-n)~C(qvu9UgWrQ+J>l|^-2JRqm-^e&-vP>63KNe-uzAiQ85f~pBez1U zrKtQoki1T9a(>+O9sJ|wI|1hLrxk$a*I22*a@U~EAYhsO2PP6?p&{s?E}{LtaSvzN z=q(xzc_QO&HropBAF2vr5*{&g9*9PUQ@!r2PJ9B4*5rP=om_VIb?BcdKRCi}Qn7C( z2<|q%nh_(QBTmOW5*O!EK*;jva`Q|M|<6l5UpyAs4hg`&97I$)s->cpI_RlJ{ z*}w9(OEXV`+rbzAfcT@<{7#jcQgMExQchS(>)g?%w5HDi9&(+91U^OOA~!iFs6j0kQtk7-<3pq(lZ~4+ZmR$kEO$pURb+x1A)Y@!exNQO_pZ2tZQDZQ+E`q>u)u)s;T%qK1BUV9t3 zz!?*Ca-er#L<6vp>+eL_Lq@_Rd^~Eex{p!cjs)>5Y1@Vh-=Fuzq8`wO%5 z<_T6eg8VTTMez=7MB`jPZRsSZiLErd#+%CmGzb??!+bTjquau)X3VDVi zFDUdnXW*O*(hr2ueO7^tUG4%Uk#nzVsczJ_KzK+B$~`p@v8h+x{%n*!^%%5ycdIyw0H{WY|M`Cs5 z75+O~1mY3Ot{Ac**Dp`=%EW$5TSO21ZcNDw@|C}knRwO0+7JWo>KRLkf12yu^|$YI zTR9`UN55Q(yUu$_{tWY?cz}bB(^gKI(C}AzAhhxKdmGi7wUsu5IjvSh1=a94Q4@b3 z%_5#b0`YRk6;VucjGb89Mp1&;y37DXv1<;r9RnoH)Tv=Mn$qWT@#}61@lXZ%gZ4!X zH5$$z9yC0DfhPFlkAOQ*IVLMh?K*N*${z)lI^z09?Ae6e%^;qu)BB`R#z{rMX^$Hn zJ$6$H2rii9IBm&wB*2)&u*jydG~-@gcx4vPed$66?j^Ws#l#V7l%*?ZN7oFv0Uuf= zlM5nkHUMwbPKxN|o0T>oCW&pzR&yc{&*#}Wf%vIDY2wWT!nj4uYG6|zxLI0H8ibPx zavcTWlCdIPhKt?uBhNtq#j!OH9Xobpcyg9ZtWh`~W3{Y9;45)i;=!j7HQ_DG_+Pr z`@P|Or$XE&g4+%T%MS!?p;wL`C*FaJ3>ixo7w!guBZcNgi3LH@0K}AZr_6o=v|C53 z^JDt31eJ5XVD-VFncOt{b#mCX?YXC*ie}1lx6`3`fp~3*I;ju#u~;QWD%z)pUAR)0PhGcTxE`4*3?e{Pi+J!b6YW5 zphz>L6!_P4&uKdm>^KCTzM|#quDXwqeL8q%0wmpUF#Kf+dmD@<@edX9SsXnLM|*81 zSz<*q$Ysdl*ol_#eRfS&8kGKrdgl7%)vIP zZ8pK)<#e9xjaNe%(8@osAv1^YxX8v zWA`U3HDC5wg=aiI8;(gC4rvF|PSex|(y3paK=tePrcix4gXrZ`h(Pu8YNE&MO8=*c zm!^8XpO%N}%~9jFdA-llPU>I(5YUurN%38tX19Sus=C~(FC- zR7npgUP`H1MOl;bp0*;)t@q%NCS;O;u=_9K8kYc@J$Rcs+6+eCxq1%jVjz-zYReib zK|^W!6m|c3;sv)MHKeY~AH&ddL_H9i+F{=<2)Z7cCI=if?KGm+2=)fV9K%VfO-OqU 
zLA}G$7to_Hc@%Mne`ldAV_;6XM^r(o@?rsa=L_YTp=R{C#&c%4J;Zw%ag2$376()$0SC2=etU)QM zoz}l0$#(D+H8?J;X_^^9v7!AU)54}TRbtQn_9C(VOhWWLDc$k`<$~)2q6$pmVvipY_Qq%I;)xxd6{yda z&5}(0Vl}qt<-cSr_5$#Xi>Iw`e~KaM7-}1XmAaf`pJqKMtJ(m|w)&s3DvoUe-R^9% z3-Qiv<@*EUlf)xU;4hSeh+*qfyn7{>fb;}ttoJK`CCddOK8g`D^kXeik(%fTFyZQ=l~|1{-6N75pP(63g}^k0uk5~*HQu8y8$O;Yl9J- z3Rui%AqC_Vk!1lBpg$D=jI)9Y_(1?1U7pm@c1lo)BFypxxw|~T6-!)V^0_BWZSejT zPR+js9Gi_W<+G299}V2h1pDqWn^k^woP6n{pTJgw;ps-I{geS<$2%1#VGMWa)()ao z&p3RWzr=Um>LHOM^R0>Hqyrk&!uRgx5Q4nCGg5`jy{x8@#ASH) zfD>0Wj8{%fl(DA0yjyesd^H@C#^}}#!Hri}C5)pUb`0gHLl{Fn=n%q@S0N1L_>aLR zl>SfiYp}z2zXt30AA|iJ%2)?^g)lJ-WvpWuLmlI2=Z_O}x3&z5Stf*8Pf>{rGU?I1 z{Rf#Kj<~WeAM9?pFS^@={T+4yKN`oFz|E4crZeZ?XcMF7z!@OXX*G6y9~1mFG!df% zmKxwa9{qmj%tO=)tOUyX&u@%`;4(-hmGv&DLh{!ZDS=qjQ-Uv|T?^^0H;!Z_phF*8 zTEB`}%fq_kMJb}JWprb2xup%HpYkm@U?{*L8V-AppBRnT-8jG>{@<5|-w2L$W-Z7U zDyGJWsXS|vY>6mn**Z|?Fk$E`eyV!J53SH=J^q-N#&OFDoT+Segah%X(|tSbLa<@x zqSRh@eHn-e?<;4nGcn0F3Idm{jGn88c(h{He}V+FMt6xPDpldYa_ZYhx1e(69Zh6` z+?AQY3iZ2wwf%*21vkJm3B4+|O1iZ7`v#MZ{%l6jstKKU8bw4A+fuJN)sW z{<_5^C_G#ZWAEQ>Z|z|eOOLo40w`90Y#^U<2r8R_A*@&8y{sDGLOppi{%s*x71mi= zX1>go5Y`uK!4Bx1nzh3{vc4sIqgCJmWveBG4%l4^gc+DEYTAp$Wbc_Tf*q-xKRLEo zx^kqk(ZUTZlKIa}fMK+;)e;Tm&KTM(p7e8UwzQC}u+=ux?XcC-M0d*mpA#9hXD{rv z^TTXtedx5fQ9Dp?|4G|e#?WPH{7=u|n6BOleYI9si+%X6u4A1KZ`kf0Jefo3W%=p4 zio3U*jXZX>Biqh}emk9IcPd#@34KCLp-)q|f!nB7t*zAAY|%VsB?#&76AZs_e|-zU zEUf0V-o3i}$p1XJ@%WiKRRL7%a?aZ=$aW9;OBgY`*MM-EMpgQA%vBJi=5Ws*sb*d-T;YiXE{4+kw+`xyQ; z7^L-Q2oU=7i9EwQp`o;5g%jFBEN}{e9}UmKG4W7dueh7OWrB7nj82BEFJNN#@IQtW z1}2~}I#oUe{o}lT_}0M0&T^4YjET{~$^9a9YN>ORy^~6dfW}1HP{^LfGA1(eFVUrP zk{>}-aPfF>>r^{3SfRpnv=t;sPWv6+v6mmWQRawf|2n#TN2x%dDzJpKmneoQI~h>n z^Jm0AF8}`SuCsv-j?>!lS<{EKx(2t)YJ&;P`in`q3CcX<)?0K;N?Fifjq2gLOhj>e zaRJ(}(G8F?WKCwTD%598J78g4F$z}s$h*8{u+0nfqfZVor*H!mjcBK zu(Gm;HA+0Jph$SH^abcAhrQww<-HSYCn3EenO(@icrTjLCeow(FD8Wroa;3e{pL=! 
zjp>HYs50rQ3JZ>x3cx?Hrt~F)*5l%^w>Ofl1)|4GR)cl+K}~zcn0LIl3Qq`E!kPYi zR**qQ{|PMY1P%}aJ-EMLqcy~G3tkwJp>3jrWZ$7MPcp{+*|TPTXEXNB zcMbv;b`X~lB2hP7kiFXI1`|5iny}|3JFrS#`)jxWh(IeSz)eifdd3{iQy0m>CzJcio5c5hG5l{D6 zUvdL-6nXv3quV5Fj*@~G4Dmbc>AroUl492~)J^5$BHaQB7AZ6nsR_xX)vTfuCqyD} zAeARF_V_txTu4n)*mV~U?hN!Moz|?a6|vhvEi9w~SPEr2@q``2QmSI*T#LQ>ps&Oe z?5_cXrS4Ng*^oQrq_Ve*WZ+=Q3jvqh77-``3A(~Y0w9PhoN4TclE!%*jrKS-tGj#9 zIYUKnzgXh=GbVT(9&!9)mMqJ?U1ukGqUqxF%ZY%L%mg<_-#e!FCoEq96f<5?VI-)C zL1eR+01$Xg4M;_4dW%lH$IWhs31GcH~ z0=0kdX9kGk`wEXlQ$y@9byQUy!@KJ=$H)+0y2P;o}u9n-f}w z&|Z*RS~P8N9SIW|e7wx^#g+c$utWm&2L5?~K0cq7^vEyJ7-qyB{}4=Q7P;rl_wt1Y z%cgm;ljlvjdybp2r98L_Cka;Mmz5?B3-(^>x2?Q?c~TtPbI7}_tpUA@-Du9{2-E@^ zbCzaaLt&>?!@jUNRTyuk$9AvzHtj4^9BWb51B6^+L~sQZHAXGG!>mBe3Ld=t%F&qu z1VP^=9Tz<)x+hB1Ap%O9`AdgzejI4=LCWv!#qA+|DC!Yv(Vot!+UpWavC=uMi$YM= ziGL^fb@(seUrIf^2p-6)?ul$=K3dd9WHJx2Tq0y| zkN3fz)GX06m)a9GzOMU|mUey!aQj5>U{ZHyt=cqucQfByY1bc;VrOhoo|#^Uui3mg z@~V4GA8++Mx^^^kYj2=#hQyC(*f>z^`SMfW$&uxsv~Gu55@*k5anuo9^zPhI9LZ_) zEX)A?!CCOhZtPFe9#f~I=kcX=RP%u7#vFh}78Zg$GjlRJ>iExXq{x`zNJkRzCmCOV zvBrT}P<2&tG0}i`vz9oHx~00ln2j2d8?hiaq8=@&aXM9Licqd67-)uIV@Osdy}pW% zx@C{6#lU*XVgN@4R%~VOhpKK1x3pNdoD=xnISZE*(DbIQVoRukl^3O z{s+v#O$*UWpciyf40sUSv?H#?k#EZ!f2rU~iEnra&FNhrq>&ArV8(LR$5abeBtbuD zQ2-E>y7d0a+R&~7wMV3 z9c+s&w?SxifR8-$uA=Utir~jJ#D;qupA|jk0JFkC#wBX^4dLL2)+Zmyo^Le(_p10a zZJadFdb@_IQ1CmIv;=s}W%kgV@_4U`0?DEl@H%@Wz3<~*FX`h*ZQut~Ui2JFZ~frQ zaZAmuFY13J)z@CAU3PWN{SPvKs9p8_kCQHy*Irqhp8wtY)u64I%*g(ZyBd2@9q-MW z`^@~TN$^E&x)~t&xW-ysDt`lEp{-6RMI|6&(*gC$inF3GD2Eblxwj9eC_?QnMi42S zdKWGHrUaS)Wuir}g$=SGR+1?USNq#)$yqcf-02U+`#3izoQ=Q-OQ8tGsX`b&881Z` zZimi^VwYVZ3>(^Bf*=f7+Xljj(p&A*qTt~hiZc0Q9qFMiQ7B-lC6}uvQTQPU6}y+o zG3Sp97Q|jm7LGnoSsEaU+ECGu1B6yfS@R#6;?{~V45xM#2fHhY!bVAeSaq$$+TtsK z4wcT*)H77N%0UwJi$X^!RCvd3Q9B>iDD`l%sQfKS_O=Wm#Lt*Ybk}F@9^MtF!9}@8iz!N1 ztE(gRv3SEAiRl2=W+tG6fH2P&tbz_cwnK$fGGMcYu2&d9iz*2KwKc5RiJS#Vh|`4B z8TTi%TnCs7dYCj&=(_<3Ukz2I=Ghfa=#TI?7~@He*-hn{Y$pI&BZhg@x2PlH)BL%> 
zYDbe++Il5Y`i-%4Q{%ICBIJ86|0etf{czP#63EAco*p4p>Pyara%A!LaWY+_ctR#rl z=9mRWM_T@XYv&U*mxDWRu1Qn8+QD!~_8y4KQ^MMvKr(Iyv)8y=<9y$#k^3wv97sm8 z_>NB@kB)#!oZZ${7Iz*2#N>rX})n?3PV740IN*=r4XD21<3c=qCf*_Mvo&3rWZ=*In$uEf68 z8jsXDBy!EMe$i^5kKQ+7m6<0{7eDA}9tmFnA0blPgln@5xRf!uj)l`6b{$tc;GzxQ zr!sxn^OFs7!qS zTFN$yW71~m6`hauGQQ+aB)gCva!{iE?VKEGLR9kb)$O=*jJ#ayMTPm#f}>21y*5~f z${%s{dUIj|Ojb)GY#_6xHoyKoOsIx%_9$JTXNaUYwh~RlYH*oqg8n?&VYB`0`=N2` z-iV%2>TU3s2)86EiI|hSeGF5her@mJc&njZ-QCfL&40NGGtwyML{ zSyR-<#y=>THOEWDju7p+Rwa*-ux!2U$+15R25Vs2VTRO&2qLVc3UVT{EZ{?A7lH!~ zmQZ1}unaaTp(g^Cj0SBQ zAuX48W8AZy#PJ;)S_ZSaKYGMrw6u-Rxx*DkkGSy+kVf+@K9`WOjuRlc1a{MrEK3{C z{(9pOJ0L=|njg?FJK5eIVb2R=)Zszi@uRc}m;j8600lM+SIo%Wz1_w*5E4K+3Q%u`PUmv>X$V&a6hNkgyiiHLJJ`Tv`i- z)UDxkX|0zQE2rM~qXRXt(QaTj12vH88wWL&Ijl*GBmdh&nal3iTp^p+4$7)wlmKZ} zQ&hHM4w1#nJoJlON9`L>8OgN64YdI##Ly_kYGOY%kt<}S9s8v#KSf0-s%IjlV;44? z;Hw)CdrT+*azQzW0@guT*}yuKO2Md;+4UnAwgFJKe!*1sn7q&UG89XYf?B~svMk8y z5_o*7rz3S(BAtFGfw2PzDkxQ@w@qmEiCV}E;VcSSxSyZIeShd1nIuuF){z3C( zg&`v$tY8O6+*s6pnsGp2L5~MUQ7K)dyu{y^vcr5a2hZSltqc>`R#&^(<{Fh(hD-za zQiEDFf3b{Ta6*XKR*v2z&KFXPUIy;IE(Ze%xUNp{_pr4e%9(2r6a;(=NYep)TUuTx zPLQ9OAaaZZ*FPjg_pGe${xt3F{MS7lisw`cjyY~6rShWGew;An+iV4rFb;5}>bw+G zS)vJ3!Sz`_*`*V_A-nxIDgn5JhQ&#$kfd$VEfAQh(M=#vsuJZ)?ACSVZ&4VpnPTiZ z3GAg(sl~D&!!KrZe2A_#-VKqslj6V@_)e$@)MTIl3n0h}0mRA}ph7mkqY~KHN`;Pv z7#_t05q6D>X1vHsv#XH6{;=Acmb{(EUMP|-h4>H1ckIW}n(!&^xA_HEF+Q;ZM-U`< z{Stse4$w(ezMk4Ug#jJtv?@Os=rpJn8R)cVH06I3r2(B(0i9Mz)5En?0d%r}E+hW5 z0UAmGx{mQs1=4^nlmT^HDDdC~)*Yq+bxLsFD#}1i!b>8~0J=qZC<5ta0Ds`13ZgAn zH}0jy&XjJo6g+5w^JRj8gI1|>ck!#}Ln(nxO;=6KW_QDNa3y1MRKv5MJh|mvL0ogpM6A&(MKWSgD{Mt^iCU z(KH53C^Kr3&V~Nd)BI9M8Z-pjWWJh2?0A>Aeeh^Jv4yyxh3zBw?VGRcZFf?rkNC(v#9V}Mp`vQq}AAt=# zxIP_GBd-gwH*az2VG}AwKJd=b+6FeJo@~N^d5>`;1m_i_mWUV`3y`pwHZXA9!cvlf zNy}VUfJsXeEhXlYHGF{pSOM(Zlex(Tqamh^(%r-!PG^+t9yEUrN1=HXPAN1%t@BY^ zOt9G31|Kr^6E_B^36KdZ_p}!k9zaR!i^DzetBW$qq?V^fSdrKty8vL7uxefj3OIK2 znXS&}qx+GvpJncwqQB)2mp6!vwm#A|FuX1ldadRX^}TwykLb4*J&-n6CL8E4=8`s@ 
z?~!!A(PBAwUtApsZazt2&0^xyq!#nGaLeRKIoFiIr&_Va!ccQKXEg2~*BUL?qAZ38 zP*Aj*^8fyDwz_DSQED4Fw^hBElylWvDjIu1Jh!NC)=(K;a3IlWyV%<8&_Fskxea{; zK{v$c4DC5Vh}Btt0|z1~14?ZSK^sZ{(op)53^IQk+Oq%1NkAG^l6h7rB}$%A;lPzF8%!lil$)GYl!5gGzwWXG>94!2B&nPr1rAz?!u`bR z*Y<-BRE0u-Rfpu|6OdDU`i-M%{6?We#z2SMTZJ(SxX*-&eSl+)4~4nb-AuSI+kHj1 z6TpFPeofzFY4Uf$Mv+Aa)FW99dRL{*`BYT)SsnB&g}x(fuo1EV86ecum!tfEgLE(F z_k(^csc#B#?RStf20dK@$XNvc;UxQ-f43|~ia3^E`QO)DN2z7?(WF33SY1p_b;K6Kdr z2Go_opMHn(V2?Hk5U%We@U81;QQqSEmG1p`d71ggZ-3S?bKzq#5~b_!HnSy??llqF z|4+}g(flVpM>QYlN{lFJ)vz&Gp*#--y@%XUD$0pvy_aqWaT2ex=Kil6}LW*7ybA;FFg zG%>8kM+8t1oY13jJ6_>^ILk49eW#}o_qa|Q7C>>0v@j@8)VNTjjjq6ar!9*!Wk&*Q zpitJJ-Q?jrqEcm|Zp}&^0uDe^O<7|x5j6{`-?P*%=;HSdM7LITX(;kLnH64dVd$HS zQ{4M%3IZsRILojki1b0@og7QK*z0kkkdDb5nx0NOhHz*l+#5jn(>hUjKogp!BYa-& zMQC_<7?x78MHTWw!!`tJDpi=H^xN4EXVl#h6Hml=fz4-ikH$1n8H`~-nI^-czQ0L6B66jT6-?FGkig>ATdi`4FZw*TW{W6`cd?{D2% z1&-x2N$C z4*KMIe)a%0rgy4k$F>InR9D!q2WYf9{wKH%>`dq|kV6jqdlbRPLz>lzY9cq+I>U?{X>F(A-6^~$=Z#D7;eF>90Y4XPEM_a&5sS^9uEJ_Glgs?#!CtPw^)gJG+Go|QW zn^SAicYVVIo%q~2m|CB@03|M!i&^AEy*OFxSU22d0>RjN(1;u)a}RV zLVRb#$Xl!G5gu4Io?D%GFuWMv03Y~92PDW8SmD8>c0|a^osgIyX>Q$!=j$IY<2P{l`$j2q$-L$l+t_y(7Z_ko@?^)A+rmFE+461kb|L+Bjw zq8TBqcQKlFz$_!(1GrWHc!w!HjJl$PUKuUc)`yLnDdX%T@#OA*44Ey#;Bm)DGvjgK zypRpOQ9wTD89WU-7o?h)3+5SJAU{&0kG^}m`eKF-^TA3oTfD=GE*ir~Z)J)5|D<(l zaPT0#q9hK{nuxdp}3@YnluJ2XT2H`l-<`fzO zHoZS6o;Ume4FgKeHQXM)6@knt(E&9$E|-ucYS5oRl%kUsmXRecAWIIYD##Olwcti~ zYVrh?|CKKwNuEF!((gf%paAFEj@H!U@lCr_alpMu>w5)NtRMP{)5lTv3P^z-zR_jg6>~+lEp74)9=`-b5UMD z70!C!ii-c6qbio4LG2}--%*{c>R{dwEl0VB;TDQ ziO;HwW+AEyQ7VSESe1TBtpZh3Csa{emIxJs3n4;O3#iJ1Pzg|VXIf7nN%?8d@ZTcq z=e6QrJumDv53`&SAB6?qLh&cL_{l~73Lf9!T}fp4Cx;{}c8PgHSmwt{%hN$ZPZLP3sgcR2H2$~tef#-A>j{25*)%^HWk%yAl5_Qv zV)hK)%wjwyF1Zz1)Zh}P2EKf-zl4%s8t(8nx1?n`JPIdHHKZ{ekb**2vENz*^Y{#m zhQ6`1u;1WnIuy%RF*eF6gh6d6n{W-2BY|8-dy0%`$dHQ~NiP_cOfJ@kH$g4L-2GBf z*zT^Cp>SD;q%T9vS64X|I&f;+4N-{GtlkIpX)>D+#+nFuNVv{nT?F%ycgXQ30PQ3w zy3&zfD$a(QbfYD)x@6KqYH)}l@XMElzQ*)$QWt_VE^%fZyk^bP^W$Ka2hP;yzLQ 
z`!|sIiyQu*#((b5`FeQYW2_St=Y^zciW}+d6Y3Ym#zw@Ni{Cf-&FBv+_4WZti>1*C zu!>F>ppeViS;!ZA?f%47Yg<_TYvaB6XKc+R5M0SC8YYSj@RS6Td$v%2`9@o$FHYP( zP8C`o;TMkyXs%VF}Jnv zVb;m!rTBI5Vm$CNDsd}pPf%s38Khs6NBL^Xg0RdOR%QWW=1*f~Ki4YK3e(Ju2D{w? zW0)*ypR@ZuI*#;}w%+3Iv3mP8|MO~tO850)F~q;fh4@xzH=7evF5F|UX}mpHT_2Cz zTn+!xf$D7)5572nbtHZrra8$Bn&RG<^~)P2C3c?vqhYvGHsfM}O_$~QlF=Kukms8lW)buDsS1d{Q0%@ z!$JPTV|d8LAAgz%L$fH(^X%a2A0Hp%PjrRZd3#W}7=3dG$yu2cLsk|Cw*0 z?2X36i2|L)KF{Cxjg@@5S?sQJZq#)tOXQ7aJx-s2o4X5uEQa2^Uav^*(KlhQ;$mni zk($1nj>EW0i$WL>3F+%xLRs3g8q?7A>Rgj7s^249_&)oo;`%aKWqd0qxt!s{}7ULZMG7@)X(vZF7{V|f44g4$7P`+j#3nm;LzB$pTy{AFD`r7y z`4X=G`}85InDg?CD2Ob!@sC{gWHhjhdmoA?+N?y_(1US}6+5v=i);x%`(2FAYZ$AX zn|Uqr+YO&x%vxSV)t|xD(&Z!r$K>a;Z8lDWKC^0<`?3dSr=DeAK+CS75{Ykg{U)v( zITn9CD?T*3i8A9ro?N_g{CtaCxhf!xbAEZb1GO<+u)$6Ml z3Gy;j6svk*k?2urG`Cm~nk)+rh~7Wqhsf$4*AY59@5)DNU~H_T{h z7KvZ?Yz;kcr304t_)XPG*z$qh%+}gAcC6%RM~5xalOyY_h{)1yDocyI zyTl98iC>hOFXUUQyAPA-;7S<~rJDDF%!fPjNI#ONd!LRSBf;d$VdUiFZ}^I@D_wd*C?lxgZEWH-(uWIo|3p}oK6 zNK6e*?Uf1mdqnPu*(_&~zQ=x)hL|OzS^1;cy#0~BCunfpb@OH5X+ml4j}3ip*L}$Z zHTZKw63Iqgw)AM|G|im+Q?36hiJViyS?)y3%NguHEllj9HKFnhqCMD8JHNcD4Ly z8LVtz%rw`5)QpmU$2tiRdSZxL9XqL4DRk70?xxl&FB_tgh_JNoS#2yrN$INZx7gO`$g{H* zFS-)#oB~tV!b?v>Djk`ZpDg`+uo4009#@rbr{1~G->mqas##v-Q_L|G6X=mfiGND1 zyg#4v$Nl-pxi;KedRD*P`?xLASTEQ-fjeM%*z1qUvrI38>8T3UO<`N$Rc}1GXmQbV}tM~A!ccI<6t~J1Fds2s+ zqD^n)hlK^}bTw|1vhcbv$Cmt0_h(>py25$py{?(L@@N8^K2xV(Itl53Lzr|zGFQpq zr%a=m>C9J|!^L<%PdcU9HVxS|H`8}`aP`gyP1xKGg`_vL5v?OX0=n*S+%O3a$QgC` z_`IEY8TxtFCt1wtt>Ye8ENoJZ*kJ&P)z*+{nqttAQ zd~`b`;;gS-1KAr&5PhhUiZaO}fC^{SnWyncz(uI55Gw0#{~%O!$Tsh_*}6i*bGpBx z4d|$e{%%=&O)`#L+N>0*VtQ)X+T5M70n_l|@sU>V z2;}zbH4HgPce~YFYI;SJyIH;Z!<(+M=!de$8jCQq;4(@P7Asnp$PmVndmS~RPZnRQ zMh3Z{S6srUMLQ7jl;&OyDSIHT)cBWPX-4E(8<+Uv^h~j~MB9z;> zQ!sz`UIF@|sgs(42qd254uHd{UPQD*4@#~Sq#Vh<97B$DM>(sq129X9Q2F+}ykozw zFr2(#X~kYbFY~8|z4-iE-eQNcYx0j{F1FGE&8NdhY})xvq?9yGDXE|E4YEi`XgW(Z z)_yf1RDJ_ZK64n^+X*f;8X)_dpzL~tRsFRjl1sN@j#DCthfz+Z`L;bv6*Z4!+BuQt 
zl6}(WvATsA{+v%_dPkO4#pPRAfN-PPL^#rPpunu~o6~}_t)%2HFK~{$w zq)i!KIhdB}L4+p_1#6j5)>Qk`Cze&UNh9)oG4^**KL9WfDnYsd!5 zs;J!w6(&DmMIk}Iy1=JA_kfYeCAw1hp7RaF)#w)e#*AwVJqrc>BZva~wyn@MMvtXG z0|wT+LqKSTX{PXY+g2hU#$y@p>NOW~c^`d6HjUJjnF71X1dxc1q=|t`h=yIf%g|ix zjJTEiYiN6^(rr2$)qGQ&$Anhevt8%jL2#CLBxI6ML+}5;9aS1$N8=MEh z$_f}#;9H9U38I$*v>4J5YO4VSBcBp<7!oj3VEDrB4%i5U!d@dx8(SI(NEN8DBtxAR zLz;?Cy8#2G61oS&P#G9-!0UzVdz^8muCK}A(8|T3_31F1_@C|eQ8D*5e3-F+1k<`S zX!~&ja%-wI*r95fd-39KnN%jJ8U$}esu=`tNu)Lj2eU>o2yiTDS4w!?A#|A5m#y*@ zp>w+@0Yv^*+&L0x%+>}N;{)kz?gs9zQ+P72n;9JM20>n7ro}t`dfV#wXMW{t4@Xm?a8rQNmE7(lko%x_RPBw~L_L7z@u< zNTTrzh6*Y$#F}6}^h2LPW8;(P!HLCc2NDIiz%QSa6JilSJ`2cYur;i>a^Z)D?nN)+ zafRB#)>ZLcYV!CQWy{X8t3q{MWY&$&#$w~dV|G#V8$%X0vT<*psiR+IO7{7lO3kB%RxMP)tADXwEX-%@Gil_d zOz7q1=&0F)rjr5XCpYw7l(9?`H7|k`$|_(8+L$ZN&ACiglB<*RYWed`Lfqb=INUgs z8rt{a(ZlLCUyVvg$=8|!Kq%S=tG2Jp+4SoAxfq8KdEIO&S6c9UnhS>QU*{5WJ1YjK z7?z2ABKTp`B=k^E3K4b@FdTG08Z$w?#oJpS)Ms4sWT}3hxBd1o^#hl2i?XHY`)T)y z_a@9dQvGA;rb<%k!!<&#ze|2XC=gVN6VU61By!H6@7s3%!%#iLv`F&HRAA7zmJ6$v zh24g()l=wP{a%9tRX}+28b%_(Is*w8{g-aE>xfUsR2XSC@WRS%K`QWI^NA+Z613En zbICfS&J@~$Zurw!N>uhaOE_X;s|i|aN`h905}?Z5wKW3YAH2>D3oNpl34d!a0D)c2 zs7noU6H5pwa_=10C0dQCJcE~wF!K`fivh(2^12C!)fM=yjpSg*D8Ud~+ zs(l>*@;l#-1^B2}l8*OK)vBN_nKfPYin05B{mw1&L9@sr@*S4|4D%krIk)8h`ZGg0 z*Pm~?R2|*}@YOGd@F_y+#Z^%y-F~+ai+Ukj%r59`fZueYsmOoq^OiRFhgcH?->=W^ zRtyga_~(Iayy;_5f6xBh_5JK_%rs}7c9SO!tU#nDdI!ro#ZANph)5-x$P)!^^=HqF zhr0cNlE_$t<&Urk`1xV>zbmNoP*v})2p)WjwFDla&*YnX3*FaqiSnD$)q_B`u^7CA z%OX^s1wlXQTCY;;o$^a|Mj7Y*E|jr|4`n&|SsbZEfK;)Afhs;^#m<|ad)!un8HW*z zgM_GcR<7lwXpWL9gDd%@P4Qa?EnuFRUOFA*!=?|Bx=8Z=9ujA}5k%iaca{#+WYCHI zQWN%9mM+Wkw^$C-J-R{mX(H+0^IWe!l#J|&4U>#|I3f(f z;{{UPXdhO-uN7NyF{c#=O{sY|2k+qel(9j_lZX}xPaLetekO7*YrInmQH4n!Fo|ln zN4aav!ZWJ@znJ;dJjT#hS#mdJwFB;+$lBseqc_Z+a}wvt6v}G}qxfaL{kwUh*M;&g z%GuA;PC}E0(gVv;Y1NF%y{G(zFgx4Rl?~T2pc?gwNsAmHgb8EZC>KP1IKVnD&1MqJF=`fA1&^02t4^61-pJBBb0q5K zaT2U!Khf(cBd=u^^8*>6b2QRLv+v1ldK63=SgfWd*J?7y)o$Msh5yIdI|Wx3c3q=M z$F^)d>GZsyghy~Y~r!Q5lbXUrq6J=&&D 
zZ(PS%dneD|M`**+vLRe;57%H=jjMaF0>~H*6^9d&BhKdK7FKBT*Qs!L78;x6i|<>0 zn+e-G?-4n(5ZD0R)j{`E=K%fs&!y1of?=yAeN?%OH8I1?LynxgyXX6kN+|af_NxWx ziYF@m;XTT67|AJy&$MI4$!lqQ{knt&sqph5?uBflGb7*8w3&(2#dydRT*Hr)AFp1V z`B#?*iw-wnylwbj@4F_!M=cW_`@e>A5q(cet^;Zd{q!uVTh!Yc3xC z8$v8fW?UhBnhCpKmE019p8~RJbC2*<7#w1bsO=}4KtoaP`I^=bD@7vAiY&&(6;FfTu z9-6%d0xLDTM42r-h&`pn8XT#{2L-<))QeQ_Uo#&v%ZsPQr<}GFT8ZKfS;;c!M~D*@ zB?X?9=Q^a)JC#vuHcu{isC5UT(kCa+ShUr-8~IG!7|Au+f_#&#A8EBgy{AV7*Rknr z{`b>%JqRDu2iKhl&z?H=KAo})~i&fTL@1xVGhva9? z&^B3yH0tV8%u`rUr&hwYW+#bmp0gnyZJu)zePdhm3hLc(0TAWL;<)iMBMnBe z`laoJIc7na_|5EAId&|*g#4+SMf+@sauiI@d$lw=RFfD(`#wk}sv@{{At4EYqX!;+ zJ%2#MREB@w?q3j>+uSIOGXz1@s}TD{jcWaYceA`~$XwR|h9^_~Dc(*h{CtC4q8&I$ zJ6!)~vO>DT`t)=hp*ZhxR5ayuq9CsSFw_@>s?!!sd4lqCLW$=2>MF+s!NSekdN>;; z6k2T**$Jjp$tYZp3zLRMZj1HyZ@8vX@m+u)n*}0X1s@EDv1j(2HLiuV8DP&-0r_c! zmjtuuoS!ei(KK9UHk%c#4whK{cOD%y5udy}3mR70FVDd*j~ZTSNS}J5vwpIIQyML# zY>!bHw>W%&HNdzI#kKD@rP!fjT1`T6~>omA3^Q zy*+6JcMTbx8VQsdZ;OhcwarBQXss_fBSgUlo3PE~q(Do)Kra?d9kNnPgs2hW7bXae z1_mD$8b+JXAc-%wx}lHv?eRx4N2Kuqv7O)+1bjhDUc;X;Sxx@s5`Fx_JecS^b><2y zGf+$KPUDZ*frf}qYtdXEeZG{;Dg9x|gt|3p)rOM_t5(S;xeZ#rmy**Z#x9z89@tmd zSIv&&ww^&4&ilRT(#^RNV6D@XjHq6ixle;vLX9;Pfs#G&v1>QaFu>H*R`E4}k)$Qn zE5h?zNNF^_xuiFxsuhW{pH;8t`vgsIB1yf;wfEFRlpg5z~E33Qtty zmgO6NA#GF37vr0>yEQ`UvgU<7`>?QepMZc|XU8JQLBl5#C&r&wS@R6r7w3flk?nTG zzoME#@dC`RyLe-$ZmHLwZrm2Jl@|Pb+}OJ$Fo6zj}9B6DW#qOQz>cirf8L@&(%ZK#eE{(T1 zaOmd-Re_Hjl}`8@b!fM5M(r+$65#9eHWm{xdTtgN>?s^hB5(p zxDF|23lqU*2Y7{1-N!nWJa94o#_yNwZ{>IXiV)kTh0&B3g73?3;smnsYY|6mSDEcs zyI*sNTDL2#@+4v+r=Xt2MpvVitntaI(+pIKA5_ zp`lehx9T>Zl;*d?A?KP9XJ8ds6 zHqkq8Ag-2~h+N=FO@it)iA{SEO)8^pa22K4+qqj(O3ih6-0V0M%Q_2#X4X+_Z&Ql1 zK)=Zb1m$UYafsM4Ya9I|9zy>fkQ`JgDWJGZWY~)TgHbAXe`56P?Y*b>;{@bqnn`DLZR{3jt>G4Amcbo1@|9-R~oAg~Ybq(YO3nfvI^jO`ik(_LWm4lRVx6D6`UHxT4mskoX>N zlmG=%)6_alOOnxSZCZ6>+~H^p+@zG2qWR+A#|iS>p6l{T!N(V1p;ySO6~CVTj-d4? ztUv`p-;LhOEfNGxu3APEf#whPghTaz2`-s`3u6zxHFH=Q%2hLX5h~SW^C6-V6QmI? 
zYBT>J5SaURg%^=}+QkeRdAbcXc^r^#571OM;bj_m-ISvz-0h;RY>pVj^JfArr;|{a z6X@8}{n{bDg`tW6Hc5CDh{IueBV9gfFsQC9HrC!*Sh6}YyySEUP~sy?@%?1$kjv~G zBiC1z{`-Lo*L5Gwozzf;hPLO=dqnPwG2aoT*zDQ~l)tuFIx6v~$O`wsHN;(_;_$jJ zr8;*S!+>t4;PQdN!5q`2UROS;udCKjo}p3y)hSwV6VvF}0trq_&)0d%kNRKH+WtSH^)L5hA{ORrctk$&2tLg7U$Q3tOeb=g-zGMCT_D}k)~HoE z1-DHMikfiq+xY)W05b*ihxA2`&lvuiYjrp-uzLYqW`%acgYHtjV_wyReXcN6^vRN7yvM@}c4M(mu$F7sSx zAC!@UJxb{3r(LpNHB=(15VWbYX<@f;-Qm9|S-6xW_5>h~UOV;diVl+474n7rH6Iq=Bc^g5PHMVBSjoqRDMu*uh zAy#{}TnE#0d%Wv+zGV{AZg4&u8Ri^FnlLfeTs^1OFvt+wgws`p#ApAg#Qpebqud&FbX)2w#dpEl3eR!48lFyAUWwKju zM*A;B1S~O64J$n9KfzU>QfFJZ(^1Cx+M=Kyk|v_|{|Nxeh}u6-RMuDoYBh6w%R9-T zK;_;tdu7L|Y_rlOJ6ISG)+$@pk+)Ea~0IimZ3UUb-4wFLRY`!rGcJ z^kTY69tmQjAgk6&U|%PK#5iOF^e+sZ*A0fi;Op2w-dv|CMMr-Bzas3C5e~u~j`h*@ z+qNf*@Siyf_OiiAVjHc~;6zRsz=lr(pGwY$o?#cO%GeDc*#}l-u##G$-OJR6H->$j$omM%t6-Th+IS zi@iGXLa%xi#W$%J)hvuU?D77;lIAGt)}VQWPRSaX^R11f>yD9w5K zQ?!61m}1O9*R&bp8xv|u74jRy_Fbw|9jy>Uk?AQ49nf_f7#V*1kPyhopJNP_K@x_! zOs1Pm<~5X}KY6B6?SZo5jh=$YCQ!dCewi9zG00@=73YQg*n7a3a>(+jyFZ{(`x`4Q z*tWb4~XJ zZ8>{VW*!<%k{9M3L)PJ{5EmYeNngfU&?eFOVY9V2|J5 zXApNh)z1tyErPbPspMweKOf@mN;xSdxJ{qTH=9XHZ0!bpdxTw&6_S}uy2ezr`K76b z>Qwo*6 z_AQCi0x=OrDXhrpKL(ew|M0rb(OYi3?}xzL^hHb z)H~H|lPw@?5r?OQz=W(#=IB5AhG|un>*QnMmz_`5-0F9e28U2#eaKiTHJcid2-4Lt zSst)Na6~utt0gT$8X`0-Mj(v3cZLO_Pf0-P!~zAq-gMU;b1o%&E6=%}-GlcW5G*Wt z!eYP~+HfC6W#?~R75)qD17suBLe!H3T*JFQ}at){il*y-8j-1_UQ`#~FnJ6MAs(d02I0RWWg!AhA{uA}QaH^DWLpwSC%uXvI}z{?vH z>5wy6F3co_#<@8X(aA8kx77~Wwik!(D-3iQ7jTK&Q}<}DO3?GZ$O6duDA{iSAi)yf z|6ygCE|e8dp=iq`lEmHS7xwuqEURd1d9Zpzu?|`IXRg6>`=!dhOP8;>fyB51Xkp(9 zY=AAwF#8a95;ukLU8)+c1N81a%;a|Yy2JSlZ-%>nHF*o*4CP3oP zj+Th*wddfSo1Sj`7%tWizMxb~7)V&dv2&XrPRE_rO;zfX%q~7(gk3mBk8L3?X~W7c z-UpKmEA$FV6ko}emHZMooVjKJaz*i;B@Qp_)oBL?h60JTh7 z)Diyq-Jg-Kmt7vsGSpL{+(c|U91&@L3n6LIcg~a1@k=3U#TD4^F)MDkqfhP1}plqry)d7$lX*O-lhP~J~CR;J#};K0qP zfsD6>6!jizFOOQJdKI)z>~M92U(BapP!n}!2WlDV_MVIYFdUQk)pWpaEE$h&Q665g zK+c;2tB1Y%k#k>zB4Lg`j;O12@(m3QLpzUbC?O2(_1he6uC#D8-g@eMv=UK!yftvt 
zQcu+r9Z&a0nK~zFU9Gwz<#%!w`?qgg9dg)hEN1c`Fv??dE6s`-eQf>(E1d=x999df z*@MH?8Qhc;R)eMu1gY2RdAeAEN>YsGYb%-8#<(N4^6G|Td-DmU#~+dS0wx^Wsth## zq(Z2I;m>ya1h~+N0oRpuwx7;1ZI($LF6&oo#7M(PNHOc$me4_MWgAW7+7U46OKYU%mkJFdH|pocM*|MT3qTFaJCeNOC9`47PVMPOe^cUWOR zuBKbttKQh6-)!od+Gxt0vpuU$VqUNw(uQG)5v`(jt#VkQcD3f&X!<>84|%0A_a~m* z<9{G&ve;-!{?8?s&6`ak#F5k*|DgmbsIBOK#m0Z1;eS%1@k5Em|Bez;8MXfbXsauOCW2|F@L9{SPE~i>;Or{}TzP+Yb^y`Ba4epD(BH z2T8#H776(OM6%p!88WWDUfRK~;FR-z9|5*%e}HT`h;dO#7q9on{-rgmNhpt!fM3z{ zQrSxcRte$aZd%8JAPkQCY3NO0FDQ%GjQxx8@#tk>5+)@buypj5$q7lhf0NlgsC?eO zHa}wRNmRiuphVz`RC(m+HBi*8W>FN;)i>B0>?^u!(G2T)6q;n$euq)gh>GK(Ju`DU zzf{ersfAi|Ir%N#4W*>}@jbJ(&e0M@a$fMABj@*c^*OXgGM2o}=g8ah$T?OyLyn@F znc3ActVFL-Xk|mHC?e^?+Th6lerW>)3h9qrhB1=7D>?O#6lkvs#|R+j>WI6sz=JTb zeHUb(GB?<_NLW7ZU$f2R`wK2)b4s^*R%gC#&8)s6>Xz~B;zGwdR{~vM_ax)Z1C zvmZgUwXVXn4}&jy-L@(7<>d3USC5`<=4=PW(^Xp|YfHRAK;5BGHBgMt>bysqc_r@S?0 zc~S2h3ho3!zh{OwQ{<}Uz&?QydphLius3HIyl#f>-3;RjtQ*le8JwhX4oRKB_LWpv z?frgMtPc_61`Yx6Ane#hieLNOI5w8}o!la>qiCDwaI+M!1e?Aw%-|7%hbBtDx;7th(+}S}yiG}yTTttJ*GBNl^1%Y{ zi(KaOWP|-kD&a9k9(mP~k}~+$H~)hNr*8+uyNoD#Gr7wnFLo5k3mcq&8KtCjQ{LS& zW!MO%tE)XPbw70{psEstZp#n7X4@Zpu=xfIBbz*h=2!BL1$6G%xl6#V_$JPf?#@kq z^t{nNyWUOlt+W3(-q2?24Ewfj^Ud3kNI;QYu1N&9x0#)WfjQ^i@5=p<2M-_JoXH68j5r2gx<`*ngh3wx_76aKi*38C7Dq&NLBB~Ido4wdRSb< zE{@94#s6B?+%C$r!3WWq$K; z(*SErQ&Q7l(E6S+G_{3#R%DLjt3>C8GUX~U`}`7OlHlzR0^0*~LUk8|9MU4`W7CW@ z8I({_z70w1T5SVQy<(fw*SSNbjX>uLAk`0F2w7W%=-$zh2CB|6_tI z?euQO+r|IfdO-y{W+`Dt#j+;$-eB2 zUq{JH(@`8ozD;Bkh;K4j5LPYRA(o4V=^FjXA-smgh(X^Mq4O)0hc~O+#Fhby(5A0! 
z5G0y-yPRM|7tyen8IrzNMV70T5A#`Ux0ZlXm9ssP(kPt0_Z}wDXKX$^KA0176%K0z zr7Zy);sg~jtaeX(mH?YUKz+LJVZQzm|JO#K2v-4A+nD~O2)6`d_3qf<~Faic*L zcykj!lrh)fNOWE@r0#di5Far3?v8_v!MaRy&*tj-{*^)7^wGs;3ncsyl7{KrJl%J9 zaj6@ZDP7k=Bw>L9?;7q5!n!)n2ZJj9{UK@_SG|RkK?CejwIc2*Ov!TY1*eXeC&uW9;O&Y<&%OfHo z&KW}lG4z2Oc~k3#aXbjUk4U@_^1W)56Z>MHT})Vp`!Ppvq$$~XZV#jVSo*hP{klSr z%y=~Tp4N-CmDE?IipxZCXrOjs)h8H8+S{-@f~m!X-0MC9u3H^{A<(xo6>9ruT*|yO z@gJ!e^w&Hg(P=o7dztpTl7E!w_t*RkOt#$_b3p1qxGsBaW!V0j%76DMb$(wOA5+g@ zte%F;iJI ze)Xfe0pt^mb=Y-*jL*dwTRqy6_HEU*-ysZ{U{3Oey7@0e@uruvLRezHl&u`HBRV|@ z$2V}!@-I_prsL-nj1N$8H)F~coP%XtGDr`M#Yc_XDnOaxJ3dzA&$5SJj!{jwlU;5C7fCO zBVOVN^WF%cG(-Dn-r}`m@3jQIZhE#J-hGO(Dyh^8;I{Siu+ybfw(Im|02_g3;9zD5Kh@SO+dw7ACPB%ML`h`SX(W#IWUYWw$!kh}=Li zts*_(r=F5%(|f}A@=F2m$%72Sene!FS_2Kt6K3S-yYp|U3*Ncauv273czp^lqF2G6snV+s8r%=W|-|(S&3SbKw-eZssocA{^%BFT|EI-6IDw)cHg;bUYmqa(7hd|kk;~R9VtMzhK zPiwwk%ekB#ls9#8&~q4y<$OPvAB!w^-knW7H9b6_62k%WUTs;~B{MoBh>ReI^(%2U zA@c&G8j@N;pIUprRkfaUXK&+3IYBtrYaGwbC!;-r)vq^dzA3-D-M-o%xQ=)eP0?u7 zbJDPeFCNQ{c^X!xUQGnLHnycEJ>9BEzC5Bn=3-UZoTovl&D*QOQ2gM5PctbAte&R= zlECnWn}`{-kADmkY3&40w5uE?3HxV`nHX?nm^x~h^jNKrXQA1K08oSTVj1EL9YBk}Z@UQi{^GgV10sI9~eiv^nVZ>7-XeKf)YK5ExXQ zaGI7m5bCgE8c;(RA_(hJ=vxQVOE7DaR&tk<1-CH^nZ_C(3al~y{E160cWx{!dix_% zrkvsa?_VO^M?5+;m3}^J$#Sri?k24JYfaf+;TG}h{Y&Ormh~&&BDpU}kpO(NM-f$b zv*^@xO`BGM())JimyTj5op!=h3jDrzfqBl7foEG`7R&Ud0k9PJY}v7$5VISm0H~d z3=|2eapWM)x!KxO-8nza87M+=%3?2qhA2aM$VH?h+UDrQB--YQ^~5A;X=DRwE(J<- zT0n>fPj5MxX_{KNaV?5oB&ix0tBNHea@pRfQDn?af%oR^mXoZda`z^Fk6bFI@*YwN zrBGlZWXpA|><-Lve)5tssH)*8vr)Ef{<@NdBB}&0N*`q%Q*Yi+>n@bB(LJZ3Z;(zl z2)gqMFQ$bqKSNg}Ji7S45HTMoc$0x@xR-2enNW64N?Dxpe9L`~&V6b;Z%<+sM&N?e zG#a0tZ?=F2(Fg!q#V0D6>LHINEB_?THGUDsk-)nT=UMgsTdbuaTbX0*w1-gzb}0Hf zsKxLXVcJN|)(`@%2%U_=ewlP}nOZ9Jvx5R5>7Zjt7elDX$;4Z*=Ql|JNVC$(6;QWeCnUb7Ag_wPpl-vqowe1mg`I%_}>I)e@LgW-VOq-EkUsdsLtvIq}F|KCKqb7t+ZR5XMG!(CJA&<^)-nX+x4%bJZOhU|7nch&<17Vv!g9sd>99 zGB-10I&L^-xR-n3jQs>=Yi;fEOA?*!&dDR$^J2y*uU@xEuZg2^QN5#IQED1&zIt8m 
zw24iR5%|;zNgnjZH)IOfZ#A1+cClV2rI0XH&^T(5bkrghqNy-+T@ofVLd^z^IfhF= z0R3Sw+W-NO6(kp9AWJxISH{SNowbA^jwu_C$E+=*D)>$vJ(e!Jhw`}Na5T|KC?q|U z;VzjR|M%nJlFdK`{Xbx>S<7YU^ZqLgr@u!k(n0u-XhlO27|ye=6m#zd zi0<$@U_~jIyZcS9;I}Osmkto=?vyrujxiYmHLzy;)xHvrG>p6YXge6~ z3#EX+tnZnfReIqPR)Hfc!a-#EbOQ*SX302wB;_t(^C)SZmRc>!xS|e}7ch6Y$$afRWx;n9ecw+EN?D=uVOyC!;(pUT*RS^d6 zAjQ82hHnB@sdLimw0g3CPew+rdZ(zqc@zi%{^Enw)$RG#aRYnZkD--Q!|cO3z3w?q z0l8AjZQ1ta*v{CQM&oT0!{;xkY%pJcqfV#_u+XR)c(Aqhtf}&@f(z#S-G-iPmHs{Z z@sp7_m=YzwfXtT@XX&iX4+`1>vhy+q_w&ct@zJn8CP|S zYUPv1GMvUzVKRz#4TPSU7zpYc{%J_e7Coy!B_!#k_i|hh9pA+5$yn1qX3t3;6p44o zD+it>J6oAo;;1*dL|4*RmJ(f3>(eig>&P$8ACF+Fm2;KQ}jQiHHsWK(LOYv06JfHMhD!Ncv10|YzZ1{9` zjabd>zQ)C9E4l-IHIvjs(@N580Xh;k;8PuWBYzuwm}<;H-w^FeSW4u;<~ATZBs$;t z@B;|n$~FY$+U@S@4#Hj_W4V7)ED<53zjJ@`W9Ai%AC5xk#dV^0`dF$izfFinT7;^t!J)-=>UT?e$PrrG$9UeJSH(+(Bas+KLy4OVF8Y+0 zUz#Dw6Na=JkOkky84e_h!Y)r-$mZn|w#eb$C=dG(=uiJh@mUZo2JnS?@zWuKJRvB^ zJH#BhqH8EJimM{aR#)9)990+_6RdE7jjeQ1kCt8BK2M*S$biq@fG0~K<vp(Z`g-8zB`6k>3vUTM^n8tqo& zf;{gKpdzO4a7cDo?>Q#-(vxHypaZa_P}X~q^Eq2GUIaIzs(#z-cDKs#b&c1n{~GA5 z5~|D6{PG0&2x`$|$!HjP#A?k73*LDb*n_~~$W{kPMlBNG1pD1)ti>*3~O**b!O9&i`be(xQE1Mrzyf?1c zMkiv?tBO|7nZj~sGz&CF@ll_2HV~dz;q>7&vuexUhC7>kY_pQ#2)??^|g5a0W$hD+`SAn)|Q2!rwHjUnMmRj4lU< z+OyY=#a3!|rR8KlA!%6Rrz#(A}o7Bhy2t^a({sIeBq2A`%ht~!k z7U@DE^+5+d*HcDoY@8Gm<1`2l$x4rG@{qGgBfh>9^aXzYwC}zP=|H@K?}Q>o--qOm zc@iB@LArGvyJ-Q+JLkFPk4$(%V_r~S!SUeG&)GrRGbG9uys%bBv`_RpLs%ySXQD^u z76wY;Fnh0CH_;n<>u@9r!PHK;~};n;4{PfFjpe z0+8<4{OTsP-<*hdSjd1ze)%Q%fP&Qg?K&Fa-Ko+D2Ej8_)%U4o(}C3AF}@jJp6K?_ zi|AV7r&AtyXjY$|@RRiRf{vhkTjG!}ZjO+S^^teas_DKtAIs|_yBcS&g?r8JmCe=F zdwARE=;vy7%(v*{fwmmoqfFFB?W*A#;GZKp1H^6|S==?ww9C@`lS+2F)>iif@^m)? z-wR1SV+8O~p#YbX6sw)kgMmo>&yU@NaV8sry^t7_cHGU^Bt4K{8Kj?ob>~(7>Y70? 
zBk*xm8s-Sco6&jM&_L~hZnZhpsM1|F7$bi8>jS5_vt z&o`Q=6`Bf2Op227)984NtN+j19Z(Id*vtV#weBdssu)|p@@f=JzvOj_p7^V|_Q#dzb1P_tO1gHzaUK2^4zkV>Bzy4<*-B$x{7QFe`&2WZ(!U!&h2{yp17hVchXFf*2Dk23xc5hW>Q;=^ z*q!@E24=nrZSHOUZ1=^mP*Sccj)26T)w&^0P-KD{2ue&(`@ z%NZxT)b>~<0c-xNr=oNw&(Al6?a{+5w!da9DQEufM$R!RY+EMutM)`eb!2q*Obnj< zf=*;TE9v~z6Hl>f$El+1joQ?6QYH+ zvt4gMmj7ANcvgV)HgmvguXz4CV*#Cml`7WEq%Ehi_D2{vq2zn!_@4wBRvytOGB@`e zVV?W6Ic)1HMJi9wEX3?H;Ce~7#mL)kP}mAPi9U!LY0DTBYFxDp4vD8$-7?F)IAD-u zmd7{UbkYhA3oju_V68bK1^2ZdV?e6qUq*#kMcOVo*6~@8lC~ys*!#?xl*psg*_^as z+>4P|K#L5p&W_)W#6^%q--qAK>AMl2gb(oyPZUf ziJRf42U{sNgHur!({Y0CjA>%*<6s_YswFy|e;%&O9bCuXJ zZ+sAd*%%}OEI$mR!Qmgk;Vsx1JC9CS&ppg*%Yclx*kFg-?0ZK19^OHKV=Ce*j2atq z!WT&KUD3RK(af)cDPgYr1;oP`e~UVXgQJp;Tl_MGC%!7={Kt3{mfCjy^doKN-(5#T zCE*UYz6(w+h#VlEqVcg|I2^sduMN^YZrL%qj^7#M6TnO}lRN_L507@*rRy=OJ1d%( z$cU%&@=%NS-nUupl7dQr=NV?SBj=(vt@@jJcL7?#q0YC6IKzAcPn|LQGKK; zoYQL8?&?`TudAd*{rm{JsNt9cUF1^|3#6s8YNDi@d-eo<+KmPm0|N+^PF#-d@r&D~ zfUb-ZFUy7Nt`3*0t|f})?vu_?#iIx^52`4Ctn`MLP_9Y4+ zU5*-cY-`4-T`v`~?r_JZ`Sa_=F#DjF{an^uV@I(8p@lBxae@q9ht9g6)u-V0S-~9T z9cG@~3PdfHU15f`8+%PyL`|^q+zcg}eb)>{E|6V8*?SUiz+Fen7=KuJRS&gIzlYy2 z-=;uHA;Ypal{0lHmD4UV3=9heK)$cgyTgXDRVPO!Lv?S%w6Yiai5mUI->pwiXQxjf zNyVe)I6WxPW&%)CnjS0@U&@$=U?h*nB}4J+*o?jni0W*)-RJcN^Uo@tMF14pjhpw{ z$Y*NsAycG@VOlEUOG&awEbSjGNAz#E%5jk?4~l8&`0N<`@glQMmk8gTNYOYF48QBO z|HuHsCnpSHf0w>Q{=h2$@O%x?p(bi^o*+PpA-QBhwGYR5zkqPB%lu*>YwU!uwYZ6s zq0}@H3H9`XFGnPyK2HVXLJHmQf$0R5A;Vw>zR8>XekY;Kj{O}IE&cIsuhlBtM!O_3 zY!to|intVu%j>%Kp8t|Dsv1?=PPf`fP0pi2`JN-1qinXyeVbNS@Fd*A@zb4$sZ3_l z)zYc3Z_S##Is%^qdtq0nX*Y6q0-5P6;ddm`rA1L{0GqL`IZT%j&yVM^Sse$I{?v0) z&ys-eozi@+9{8(Gy%Q>IgGf_=Y0llhOY#{h#C)1VV-DHe!I;_+rXF(;BD%BlCW72m z8d;E8ul$$dt?%M)tn|tyKPB9ZlOU1=%Qzf%jrUxDz3oEGNUc?BCmV-b70`!_R|fe+ zyH$l;K<#Gi!2H#t;Xls9j)M@CbUm()HT+R-!p*aWVc#8?s@w;}D%bISEMKelKbuvx zhAaY9s})1TCf92QS^Zy25twNU)M*nPnc4?zkqX}JOp3K2oNCZ!wLykF)fL)j^qRO- ztxth|)bdN<57W?%8c1@6>c)VjWXOuNC!|IMUg}DhTEfczEeCJ~pdQIWUG(X$s 
z5^m*@UK7QyivQ$U{TBCXhera74+vZa#>8O+?I~U|r`S66$rvhp>ZKOeah0R|BIV2S=lGD~iwnbcZ2bh0jI4&%V z!)emB7ZvxKE%HV@C0bh4DJJZmw1E9~rmFlZ4`wpaQTqkA5YpCEG@_>*F{=hGJ;DP3 z%ie!U`E_E(Ecus<|4Iz#P_nk!AH}&zrf{~^XBG!)M5QgxS*EXMaS@|FUacGL4x^O%Ok|Q~WI_~~ zV+_;pX7)Ygmr9muYpDt6-R@;C=g!$;y<)@AX6!Uv86h-lH1pSbYyx_&axanNEV>=~tI}iqWnSiV#`|I{VF28P(?rg4U}Y7+K>(r<6>efJ>`D zRBH}!wUY(vYDaMc%osz=BcBYWsGrPuLm12og$z17%C&b7WQLhX{E3P#jYpWr3T=V_ z4d2Lw`sKUPT2K%pOtQ8i^D%a%JK_T}??@$(914MqEU{<8KSaTO`n!6FFR4#efWFya zg-9{3Hk#1EhMWqm0C*hX1zyYrvJX(^`I66q=Ihkqfm^0YUGnl`+(a z+g#?r`ZU_sUcP9j8PqXnuNx@wGm-_MN>>}^a(ismL-`-Q(f6skf*Smofd)QzG0UoG z*>Q6)yn~va@m*C5JbX|?&8*) zT~LF!Cw@|>c~l_LiU9=-?*tr>>~t?B^l`qeRt_E#(`vMo6h}P$+~d>~rR*77Hy3xU z=OSPM2BNv*c?~&ec;?1^sb4{7RXK-*Zi+DKF4JC~A-p)8OtNCPzhkY&t!4}?i@hXY zbX_`XnOr8ET5mEchL)tIpfsTI(Nr7A?5hJRR>5l-t5s&A>#?<}^5LW!&+XVkD!8;R z!*(o`f7JQbwNCa{ccA9_K1$k)QvP0*mbs$RDK?;g(WbywBk+2fsCpTCkbMoDcU;!U zC9h zfq9gcTE*>s5r=yM+^_m+txd!wXi#FQW-f-{u7j3w_b;_YQn`L=8h9I?7j0x=&j)lUIe4(J|g8# zev}Cq61$duN^Ql4FkIJVyNC@hjm>{zoMz*l)`sZ6PnS5V^dMj)Yx>N=Tx)k`YVAsd zUNYf6%7R?$ZaCkNhY(a68nA{tYg;5;TD?6PfH!a@KsbllKk+@k@o!t8wa`OAjHW^FP*q5|w<*x#BB=ZuRgj5u^WY7fdmc&$GL+I>1Y60*jL}r!C`}V|gaO zl3Gh{Gl`_*nvmm<9gjAxeKE|g0onT9WHoCE zhCG_vox6Ru;mbwi-Vndy-Sd2cZ?nf#8Ise+rRl9@&0W2fP6qCSr9m|V(@sj4nkMPM zvE&gG6RtT=f{sYrO$Ji*OPBr#z+K)+9{zfp8P^aS03`(oz+{+%E z6yhSO_tW_W1>O>dk;jr9A{Z)0AW5{3{}&Zb-Dre7rL6)oA;u$6(v2i?5SN0sdv`i~ z+#HjKSlpYmhH4F@orpb?>;BGeV)i-FwE_VzQocAUbONMNyy^q3e->s`o6F$bt=X=XcIFx(kQ3 zd^GFFw_6aG4?5m_4p}p}sBF_}eXD;ZtX1ZSlXF>RPOu0$bI3#;LJ{$l-Ld9MV=e64 zoo#UA9G%UXQiSYoUfg>O9Cp8uOa1HW8l=nLHaU>$2yU{6+Sb!i8veBptB=Y$9oo`P z3n5dmNrSFOI+b<0Q4c8AEVgMvN|Q67Q=BMNSBJ4-(OJ^i+CNWoIDdIa3grPBxi`;O`YAcdAwl4OL{#$FD(_nCiR=O zNAxP(SH0fOuEhNt@A;oj-&a;%3LKkeD>?naCNUE%q6MFO1XTyC0pz*KN6vq1jwQj<_{bMH0)BI;^sin*>a&@bl3fq6%NT7$mpEW#l#di5agIO+`?<# zCd|++JSxS+H1Zb$&*Dt8IEL)L3004--RJYOc}I#Z{KHRO)51A!9qhhCpbx?Gq=RL@n`6o0X-+(l!|L zE)R<5r^Yjwy)h-dFts!#vBC*cAp1kUnDO-`(O|@PXilOE9FpGYq;}Gs2sowGt7ng- 
zPiPFB!X^1Ai>%Gp+moy&5F-`MHF5N6A%q>l2xs>iJ&vq!k=iW47MLpI4R6&DO3|!twhrsyO z*v+*dM{-RmLlmo|)vPm?Mq&W`nVryAlv0ZyB5- zmyW0QbVWxz-mQZvjh6%S6z5v!SpUn(KJ}X5=Uz6M>$x=@TN1tmpnLN^l69@SE4KZPg=; zEl-XllKF;{%A;wvbM=}0%Y;WAzlZ%ix`g+5VgQZg^n3@FJ<{Vb!tTX_vtK9rZ93wc zMG0W3)cTGBELE3Ee>nKpIiCnW02DK+0N}cF$9>E-M3br^Fhua99Y>&w&GbTt3u8?E zZN23lIatU}679gV!3<;d1-+gcu0v11CoK)L@~xWYuToi7xi*_WxeGgA$1{1N@DD?Iq7?k_Jnz_BxCBy(*7vvtB8Tb#zXJe` z)Pg1oMLnW{VPa`Eq5&I~qUc+c#ZsOK5``1hEV^Jsd3o%MV!o%W?A^AoX@R1GTnPZ6 z0`!57C)s+#+{|`_d60;`Fno?(1p=h>e+Zdeic(whSjV7TBvw2ThN18g29F+*zKSRi z=P_Xo`qBvDyc^<%{_Z~kab9$l2o?U3iuea5!x<_b^~o3gk3(zl00jZV?~V%x*f42M z9V0JStNtCd(=?=%)KA-pEw$K4>2tbp>1CkL#-MmL?#$LIGF0O?TmA1}I}Q=w1Ep0| zi7Q4ZB8THV<09&Bs89?`06!Fg?X{R<6QFc6|AyXyl;(k9vYVNqI=u_<>4slq7{B2? zWW;M?dMZoo-(VA`cNF2#zB;%4FiWWQG}@r!`YNv5*O$_!m;L95G&O{(4Z%AoB6KQ&XR}oFp`d z2jy1c?<=}=Bqg`s5OdcIp^jx8MV*WtDF$ee%N4b6)Q2uD_}>BRr}Et$k=m_#Zq8%%F)(tIDJQT27yB5HsI`FYj{blR@d^9uk_eOg2mN}30hvu27aS4*TS<`l&v9EboSa#0cQU?2I z9R(ORPM_xny%0RPE1!qXDL(HbK^P|R%V3Bv(E-6p@;VXr2h z1AqB_#1Qf`k^@`xv;N|iYG$jkqzdef)_ZfVw}%?p;do2g@isw;h47Ph^zZJozGeav z2puR0JbLlBpND+VpxiJsf*WX&_pANFXeL zNDPVrpY@~_NpEEG4SD^c_f*3WoHK4)4fK^`4vovT`%8{%r}YIg>H2Iap&*f=6)VkW5+ z%SgqXq~VNa-Eo9Mb^;zs&yWY9h{GR>oDdNtXNpLAR{EkfLD|rd%My4CFj}-&NwFc& z`#Jc2DsuHp?|GZPg2!C;7h z(tfVRIu1~aBX^uT9R}dNKeefP~vU2vZECrzTVhi<&a;HTmD=!?3@Zdg*S zac1JzPC)QvW!6?8rUPOwjv@6bHb%b1naVNx>u?hx2#oo|FCUCbi{%LYXcKOeeSat+ z>A$1B-r@B^f4QxGYI0By%APJo|2|Q&Y17~BTV)78Ss_6SUt_VbowCi17-@=YpC17J zY}3cY5bRqbiISb(EoASC4S@_tl=~J+_*jJf(+u`n;aotpuuo4>2;RSRaxhlI zLcpeSvI5aBLSXP$D9sB?=mOD!RCadvp}L{0ME*^k#)nP?ASPTg?s2&1gPjYPVo%^- zT(=s*!-WQv=urvj+Jm)M_#%Hqkk=~Jrvj9H{^`*<#4#CefK$NqcQ>a%(Z0E%fN1tC zlGq=%*JwkGyC7`-XCh27u13OQHUo?`5UfzeQ(vSSD6uk&NR$h1oS{A{Br#7?CMnei zX2$3rVPz&nafLQGaMPTX$ngt6_y^7zQ6RoRljP5Da7ip^Nij(e=bfSxT%Qa-RHMiE z8x-dy$uw>)XWso%ogm^WexhAxK^!tlW(dol(65zIqyg1GaAoGCcR@XWYUtf1C6)VP z<_Tt;hgSkK(v>bxFn-O~EnUek6IK#M4F_eA7&^)aGOsu{jPy;7jLa*u9E(nY*e{Sl z(|CUR(q5Zjn?0%EKDMF5cEGk1-N#Tyd%-H(7y+2UJ#!qC*_UXEHcy6Of0LBr$uLB# 
z$jN8$I}sCk5^Z>YC`{@kKw6jtnM3G@S){Yl5?UnX{;^oUs<5=LgMXqJH3g<7_Q<}IB_jV)5P&koEBxE9YEZDWs@FxeRWWlS zmBZ$mS9s42O=%0?;P>TKhNHZ>7`|N~4NPdZ)tU)}0kyTQ<7majwH3RZz5iLQU5jd% zlXu-0&4g?ZiGC|14W^RVh&VJXf~%q}xAp_87e2cuA{@K&ZBb15r+$YzzRYKL4TCW3 z2JQhH)v(<)H%>q+`oylh!OOs9u^;#*9K)Y?K-C~m9@uk;kK$hTW&m=Ef|7kX;hkoT z9piUun+(b~<_Kbi{b(nS_xitBSNpgV?J+nv6}EH89*p?EHs^gbr=NsBA5Bi`2qq|0 z16CEVC;2tWhAq|#1LOaM?HfD5r{K3@Xt$CUv7wy9&?KJq$5^u_!*Y*(M;Ue}y&irC zvRk=lQW+P{ZS2XI(pG35^5IMhmEc@h9j4B?6aVa`9>A1X%mqG{L?pwk_0=}#dFYJ9DbwJBJyjExNa3?V&j{CO@;L4v88(WU6bmSAPH8Rg)~q4Cqt{D z>Wy~eb<)pY!^Vdb0t*RAE!2MWz` z2xpHUOH&&sk=v0dZGp2zstaGjz7^9+r3Q7R;)ykI){9w-S+;JGuJldd0_3Q|r% zlocEke{ekgH#A37gUb2x!j}NtI3EHzA2Mo=QBh-n=!Gw#NJ2`qd`5@t*xXI}-u%eH z>br;Rjpc0$+~D6Uc^n^hQZ+=O-q5}KYFP0oc|ReCb(Gu1So@vEK8Ij}4hTq*8|+!8 z3f@Y+BDgyO5A;UA0j$vOZ*-cl0g1a3x`F{ZV3n=p_KhDG7gKWLEQ`)ezeZ>{f7C+azw4Sq1LJBUy!={=FK zukSZm1879V(oFm)H{d6VbwC)T4gxst45OX;0;-{;OP@~|R$Vm$2ha$TuSIHufv~e4 zongADDbdf|%AT=ge;s0y(zRnH);<4Yo@Y%kh>kTDkiZRFXcRgGlxq=w`w`!pfH&pc zKIad4=FXjNgU;OA7ZF+CX;|3~H4o5VYt?m=d21n`xVw;IV{`|eVi7q4KdL>sv#pUo z5yKExiGoe)OgKOTVOn&|X4r1-$g71kj(E@s;KjfOizhz zDz?m(1aQ02HwN_uVXlN@y&ey9Qh*eIOjo`MKDNt(J)AxwM=Bn&2ADp8pfm13EV~=# zhK$IFr{52{GGSb=EzxK$Tc#C*U!NuJ^~gR4o&(nw2*wgj@C5VfsAk6P-!3rkztaJ? 
z>D2r2=TLjv3@U+mHr?Ti_aJo%xs&|I=0&dlKnJ~#x81{lAg5IXuC=G>3d=+a?6?xV z?I>W#i+mW;5MMf!>iG<-0a*tMwjJ4Vq>9BQYg{JNE4P;ga>Rid0WkknE6(qO!9Eea#W?o#GoQ`sPBitn|i5 zbJk&$?`2Df!+so>_OxMC*4yG6-Qz{si9(63kP;p29dTgCi59?;eAs<177 z3EWzgORo@_$n@2!4L_1hx%zEz$LceNCQQop3TBX18|CEbxaP5B(}q*%B5o$jk{}$x zawI6(tE{^yw=yO(r7TXzH&~0?HF2Egmw(CnGG~P7Do#`m|H>OOt6~3y>bOq1(7#)L zj^54Er!}6YfT@KAq<{_~`MRaeN!=_g2_oyU1#vtP`9{$p7Hw>~Q(YMOI#SvGna-!O z{mgwXmXl?Vv&@Xy4e*$z9zfY&N%ht6EvZhr+^Gy!V7ZTKGH??!n=h(X88DiuCLO*8 zjmd#XuC$@cw=vW7kfs*R^4&>W#-1Yk9IS@E+UohT>%Mxw5&z3P9w{j9_ochls*stF z{3o<9@$+V6HyPpVO|2Ppajk6ir%1SNf2!4hc}$=}SfD~JSHa{1Gc`=dTJzG>DF(zD z2v!lvLZd`YaG(MvBG3YLzUYM32jutB1L)Bi|NB4q8o3O(oLL8c+=yl*QRcx67gWjKTUpVWBP$QzF_TZ~YY==;_t zhlAv!LtzR`0|YrDB6nnBNlJoKn5YgC-3Y7uMgBm8QG=}70Z@is+6Nnm7g9_B&Rf!4 zc58^8nxl%Z^@iiMhA$a?pC_g+H-G%gNwBLAE-FV%&pS*8WHsTKwI<1^^=uP*v%VAj z!xsetW;cK_cX`S!Pv=|mQ4AGYF~2X=OW%5Qk4;NV*I)adPrrL{+Be^t{;RAk{%ZDe z(VHUDo|``yo^I40-z!PO<)1UI*P6Vp4h6&zl20~{{^1? z^rxds)OCRVa!^P>-k$gB^=UnBSz5?rMJVB09bB$jXog=*ec*QlMYHM*adaJ8P9~+q z-R+8HfNZEO=?2>#={^X0?G0bK&JN*^B2GxaP#WDCDPWNp4DO%r! 
zS(jlx-_SB241R$uZ=aV5RrGluU0&k~8CFZA))6u$oT!lBxD#$UN~5ophN#cFC-w_} zwop|kuzIoNL?}oP2n{blEh!oFPv-hNimjb&;nQB=^522VS0!&{8v|&Y9cgY%aoJh`3%2Vjf z_79J#ZoA_@<0%#8e%3t}_V4tBGx3M947_(nMGgNLsaN4=7>*jQt0a_*N3Rwc@>Mh_0(Oo*f&<01l6h<%0ogz-%CC;tKet zDPcld{2(Jw*Hh(@Q}%WY+cv0$x-89wIzn+m?L=-YN@_8S_qbGsy;J2YiuutAdMZd8 z^GQn+o`ZHDb6HChk#AlwZ@yxef|Q)Z#D-(nzi}%7d#g-_Li@O& zaW1a%*$*0AON93!!mWzd-%&K{&8H_hCs)pPcb`rnN77zn*)G_?;|fvw|>0q?OT>ZoTFK4DZ3lZwIh~M??YN$ ze(w$;NHLWhat>9Ke&$H~Hp|E}c?^hwrYsM%OPdT{ zqZmgn+8WLxsBL6N5o7!iPhW$*BzU(j8tbNS3{lWrWP8C2IE@2 zL<1r3$E1lulo}kJmX#@Bt$z<6xE^s2M-?tjAE_{ty*@cj4O8AK-DBO-q)Q`Zp{~-V zf5+@=BJ9(|xj2c!#R7slVf&3z@lQ9?_=+(B=3_9Mg;HMCn~wseqWUpLX+V{a1d}yF z$>$=%ow9fjTg3^hH~#~Sq$?O%lDmT$wRB}6LBY3{*bL9SQnW4!e!ui)3d_~uEfx4J zy7Eo4V&RN*H5)wqE^5e8|)NqD4S=rs6)Da^C_uxWC7U$0{ z*goNb7)Mz$_l#-I26j@^P94@$T+8(QxNb{{&I0{?g)R!w*nV;macso#+Kh1idtsOy zD`@q|(*hW2`L;jdix;gO(g~x$CUKI%g#(Moi|AuCH(cXyy?9V0$Yd+LQ#6=`V8`cKKt7*hH+p8GV}#NE04;kuQz_1o zfkWONAu^Cx=sr=9epG{+^t*e$N5{5v;CtK{UxCIVFsGQ`r+bDnSGbI&7-P9@^%;}z z*-YpOhkXx|0FwzZ2w#V9`NuLNXYTQj?>i>y^dRWFe7vskZ827fQEdu!M%*#!D~!OP z$p{)~KvIEbw9Xg5xC0a-6`~>o4TjIYLR^7f_#mO&uq0*^OfecYu>upk{l4XoDdU#w zIj{0Kp6DqY*>L`wm)rTUr}Kxfr;;Q7h8+2=o)?x_wc8_(ud5P%_|w6$aJW`4tkQb| zam?qO5NTgDB=)bzQ>#7IhG<#^9cB1r0ENAh?rAR=myZP4TDt3Oa9ScT~(+d18=w`hs_)I%uqLrM7viTK0 zs*WaKm)1vzisDIqwC)oo%dVTFIy2xx{&lVXu73)Mo873+&xC|#iw~*0V-KqT%bC)z zGKbPe?ADrvpk8%-E+0@Q?0yxwUi`Os^>K}0U-I0Zuiv3AbZ!CoX#Ioa=e}k*-tU6t zpUnD7ypaI9C;;EsfOyq8V=x8&A-u313bLZZ&xE_t#+Ay5`L)cX@$Sb#o3D4fS-S; z(XX27RD!&J$Ji_V7>Rj>NVyJk^ORB)l7XCw6xar4I!AiUcl}w=^XAw~+^d2TOFtl} z0*f;9U7Rm6FKZSvEo-hn#Bv_s3;NS7$~o`C=3C>rZguE+nOxbya*_(M>+9DXtQD`U zWe`YE2lIOPy|(t4oOn}=fLhohEukY6?X7JUB_KjSuB8Td1>8#l@Flq`Tm2^J!qd)j zQ%}0SXuw}%*Fp~ZNTYSltb$(TlN^{`NLG0uiNzcE}Gy8l5~$Spdz z+tpK;)>(M01o%!`%8@6jUo6Rql=|@^&$$AIj^Z=L(9jmX+z_%ciei9V zse73_rm8UYlE|($j}qI%4$lIfvTt=r1-+a*<`Q=>o$L8Gk=2;xo{SWnrkHxqXh7)+Dt=E1QQM^ix6T{-h7qqzj6;OM~U*p3=Vmy1GaOt&KLS9hu{9 
zjqZp=N5!Shdh*0qH~Z_#r@H6PU~5sxZB6=Q^y#e^d4&Bed7%4X8h)VL)xg_x^x%rz;&S}85bj$*!Cfk9t8bXArv7wEk(FBYh8Z>1u+OYLniAEJ!EP+-a zX}I>DqJyecl*f7oEOJ#f-~B8#6;|{(((^@W`j_6EZVi%uISr=xL>S)A6b=^{6yt@PxlUky^rTfb&`c? zF_Ag_EM$x67CAN@-N0sBtBpfSLr)(u`irV2#AZJ_@Vm<&(Rxe)1UE&1QY6k+s;)KU zaF~M}5}Y5gop=34Hqb9pn|Z;;Q>B4zmks}d_MXJtZ{`kVdY%Z;2m(FvpppTg!`j#G zo(i5>bn|o0qWIh_n%c#Xzm{qDPmiOwfchM}%b@*SVTAq-z5IJ*Oh~85+SyYETAOST zYC7*r7Id(D`f($+1-8lydu33~mc3K#^tnA9oN=@E>AVfs97zk@Kh>ePyV&yv1oLfd4R&PXCWg)_uwjK}x z$kkVW@HOidTiY3{^D=dvxjGKZ2ACNfB(2_Al?w@V^sJ z@)XHvJ7b>pw$o+1#2Mx|Nx!iVrH*JL4w|Y54Igc!S6BF6j_Q82?L3m)q|jljz?>Hh_4L%TY9wkjMoXhChOZ9)gXY#hrX< zgCK{g5_p!X^fk(iA^xVA%XwYx_stEbD>sL+EgD(~3wl)IeZaknUm{i)~i8Nk1`471IAJ6yaMsZWg79IW+YP<~vf* zm%*5-GWN8Y;b#=r;hlG}<$Xoj*%uh52s#41CmGpC@Ai*X@pR0+W74b>#k@fgF+oWKFb{{Nbf8vSM&q<}%qlnc`j|@&S6$ZF>hKd|x z(nyEsmDQUZCrK3sAsrJ2NsLL3P_PxxmfS^grToNf-p~nr^hn(A-z>uAoh;$0ki$&o z7ae11%BX^6P17b;)yd{c_GA4e2KP#w&GXBq_1;+qyFa}o-PL1Qk;ApIEx`eG)5tIt zGcD?`SH%v);{do5o~d+C;18FGo}rKYAtB*iQxj!MTIQ@%GFnVi&on=3wI+lTtF2gG`x>M5&JiM z!WN9@<4z2a(Bo&2dS5P?$NkG|)^b6_DTHnSeqsbqaSAI;;?j8(#+LfhStO9hRNn)P zkBk9w>1-01OMIU)9r%9@SkbdJa9+O0@8M8zzLC^xTg!&&6Huv1bngTZS zIHIJAXR`lu+yA-u|Nnt)tMflq9AUHm_dn5l{xpu8o1Wia;esl&`O7Rp7^L#a33cLZ z825k7MbL_e@03Xb=+dPMYQ+-Q;z3!8+J#yy{VNJ=QVvW|WBIE`48mM}9d-SYqA!%? zzu>><(oaDz-Y7w@^MBpcE(KNA243VtSi==`->Nf2%=16A6JYPW93K3ug1aXd*uwv7 zES7)334#*+vMHyhm?cab{`2H+M}WPn7Y{U(EY+-Zp#6*h8ww%- z@y?7}=)Kmw*UcTY!2MGcw~*}xlon_m2mjvEe_c)(bZ^NdL0b`PK1xDQs11~F8Kgm& zTLlKuqN+iI8d;(QSAi85u}Clyk-k4r+=)&4elIF-IP9F2Ycsmy+&nJ#D6k(O_h5ld zMd^%gwKV=ksz{y+p`CBz>Q}nLIY-8tZN7fiH?HPz@jF6x&lgUtL~PTCCRkRytFZ?? 
zBFWFC{eau?!-h(qhROIFO$^4dL;#Cqz}fI$77b5GGyHe|hF;039C|2uO=F@Iv}mrp z<-!I&9`;=06|UqB7L%1l0}S7WhV{BLJ<5)1_LfVU^jMuIonQkta&GZl?KlDTH0~B0 z%PGY}JxbF{-|aAC{Ln)QXCUSDkgkZpa>{Sx_u=us6MkBfNiL*iDJ}!b^e~IR1x~%( z@J_w|h;QI($YVqf~R{QzP;VgNGs!%PVW*O(JCVIeoE5QEj#>Du+A@!j)&E~9C4uN zhsTi)PqEhzm^!VyI^3px82){gr{nqILW`+gjVTS8(p;-gf0KDX9r<_RbV#xSy2dqN z3r~E{<@`arROJdV?QZOO z1Am0e&Nn8xL@6OHeA~Y@WFAH_g9j8d;($dGkG;=Qv>rHYO&SsM!#pV+un-#9dB&6t zPS~m8g4QMD?>6Rd-px&}r(f2YG0*W^9<6M-M^6?pFb=fgG5Vq@OiAGkCpZh@?UJ2g z3Fyr|T^lPW7L*Rt!GkrfXAcxBYHJ}v+!8k{!DnTlL_Vbs^1_`q@?tX3M_9?M2=7-f zpN~NdKZKr1J-Kjx8mlHJa~3X3ch*fi)&h0ye!9KU8!#1{kaJoEF|AJEe(u!zqQB%! zz35(5II35>+R4ba2U884oSezm?h`a|_QbW8q|@@0E7;VLRvOe$IYJ^<@Xq#nA+et* z4b&Vv-yf#H3BdeCAa;f zcQE$g2WHFfR2s?RB8z96`U$9Hkcg!^cBCD$pbCJSo=-hKHp@A&wCAf+-Op8KoHgmq zkEwPqrIz*>b)48#7~b9M{OTxsPmBC27x{f_Z?8li$#9vN+}OvPi& zg3a3P)0}(fa7l-&hKmMM!@fC(3z2>+JosX~yCl|KEN0cdUvsZi3crT&mN~XmP3cWY z!c?Ujm!+USRp5Y~v38Okl{aX;XPkGRJ-yhdnFO9*p>)54H+V=qAUMP~rRU*+Jw(E}0`}3!%Bs zw*2SzQ5v#V3Z`<{o#ebKq<&vI81*i3KBQ1>@aOV{uRwr~1x}Kd_AAakc4A07e??vq z$#Le|H{ed}^lCqcTaaT3KD!k3)dKw)*DI8#kG2rlyoSbWK+N^>($4i-K@U6JVF zjApe)HUJG?PXh^_Juof7!iP`#+-l}IQq2J<+ptH7cQy0;J#hG6T0;H}OXc1j$fc>S z+VZoUZ*SMX6=Td-p8f6-Z0pq&*t$F6b~n{F0JsaVAwQ?+*6f*}8Be!dprFsy!@Ttb zw$q36b+2@%0q5rWFQvagnUR<+`la0tYq$|>5N2eA-?uPyiq|tawG8rz1AeC?9D4e# zx(S^>1rUM->b7ZLKsM{Ot8kjp-L5p2q9By6evMwnj-(tF^!92&U@$^J-G{v3j8e$i zby2;`g8cc7jEo-u!8`*RTtARvfxoeq_<}2FhWyA2$l3PNVuqufQ`S}4oeFL><}iqB z%PU&wAALjXrT0k=Gw@FtVG}&(yV+s>kfh+%2Bgbt)qzt_%O~bo(Ad~^Q(kVU&k7=a zT%}12V<83V^@Gk&Wp$33|4h_-{rwkP?P?*z&jY_7!@yb{|8<@msStW^^!9!9)Clsq@cTljRR(0fqcrtrVbTz8 z9|u>|9uFh`(8}!YTu<;d$+)}P@PU;zt@3Vo^bmO>{}3$Kgu|{9M9U**lT(lEzwr=|=WT}4%UfgxYw9e&YqV;$OVae2mKQ6_GT&?+smZh= z%MO8;iot;w$@Zy8#zWJ->|boUumyXYx@;Qm)VR_ivE}a(c`dc<;OZ{gn#d! 
zbYhdmfIY%@r#g+c7JxmgUZ!ya{dcwif4My|Lyl`8S<)u?p4Y#YH7YAr5~7i>k`%MH z(rS_f9Fv+RjA8UA{0{?mKolu6j!*zaDB|)3r`@2CucurcD8W>>QsxG0em?4rqT}NR zq@&xvOq7+gG!6Bj26a|@AecRM>EIRy+yWu9tNb+;-&{Xt(T|9?+r|Qpd#fsTWC^%X zka9u1e(uurc+Vc#!yep2wID{~CpYVr#N@i55WWVATkQg2Jd}66w!kfIbC~WpP*Ese zar5<^xFO`rDX+Eaij~1GzvdjE|5olbI{g)5S z$8QkmRSK2ZY5fqB!|Jo1(=PR~_9zANkO0Q^Zyi!X>ATQ&*g>&IE*5rw4h?vI1>;>Q zg9ZLRiJgG5u+HCc>_Ec{`eU0>*(Y0`d4}`@DgRl}{(GFJteG5=`$Ng&;zWO`>bfI~ zA#AKkjVw?MM4I9zPkidSHja2JyDn&;%h-d88E#q68~IIvU+pI{*?-Y$f`GId>RM}f z@62W@H;0O)SmJEcd`wR4eYv^EX7Rr+%UTU;4uY4#6#Fg!yM}-*&A@CjC->0Xt%9nN zCr`Xy0|Rvg*4nxN81W_i7z3mETawesdTk)spa$(TwK!}Zc^(J9x?q&_N_LIOG6O1J z_9IboqZ<4<{2J7MZwInGPf0T=X*a#(Wu2unCemDHG5PmlNQ(;p2z<@=%!%>;8~-6- z(ZH`%Ab6H8c+3SB%0Z z89oLun8eCg>jX(RrX@y0%9{QiXsU{<0r%kpcVfML-M`?@am{es%an-_Diz2G&dOBa zNKUj}7dZ3iA)@J>_(!hT4-MDvS~cQ+Hn_*r5kN!mctXfZDBhZPI|9(9?e2mN1nIQx z!@})Sq1I-y*p`?z34}E&OpS%dH+{7?J+zmj2+Y!qbaSF2O9%}FH^cll0!Z^Wwcz9N z@@lAjcSUjnF@5|3ea&!x>=FOIZr<;en}2)f5%Cmwvvr<-0tv{ee+}@8XPMqg8$-Jw zEfIkW7#ZtQ^JYE7sytE?ARVp|O5EC^G4#8T^*=gX5gXlfF#x$C&&DM(xK=%9Md2Sy zVwTN-{e0Sp{hY^aAb%n>Hm6!%zo*NG5dDD!x1`{yE~ndsJE-lfQ0AhBE6cD)r|ya| zX$r*qG6D_PW6)8~cvKEI0N|+54gEcSbR->$?A?ys1_Y>-E~KH|o4y;^he{$x^t4w9 zenD@~e7!~hhTQE{8*c$M#1Oe@C>}y60o@DhfSu(& zZsK`I#4C0s^g#bDE%1Q+LYjTfg@GX);7=R}g;u)}^g&5RtApO*Mf7VJ^*tS`Z(#wJ zc`jz{HK+}w{a}Jo>q%mjHv}1#S&!1DQP;yFaj8t_c%Rd z(V&yRB(|P@jD$!nfdd(Py*%r-t}(IA+TI;m1%Gb>+-GjPK0fxk3W9=yx-uT`$bEg@ z2RFwFwbx(C5*uxTs?vAAU1uw%8SQ@1%AWeBNos#<3Pcjp{DT?YsR!v2Iz~nmBnRq> z79+7>2L|U555c<)cMRJ{Y{&~4j!+*D$IAZ9egEV8MKoz%9-Anh01+pL6?_p zb~xzJGggaB&{vTnY$HSFOxJrpHi&!JOb=7AAGJXPF7yB#qq8YHei}nSth1+{*{cix z4};3Rj#RaSx>;T5{wW`U3!8H!F5N;#Brf_F$I-G!nXpW`mVi9OW5wU|ACSM5fs>G! 
z+?nR6T2Q81qgqf%W1J=L0VoejYysW(-*4Rpg2$Z z=rZqncM8XQC7na-oPAW zmX^!>SK2s42P}-te*QP6WOq<#7*XMHgJXx$xR zbmv;3&isa-5bQ?F8}A`&RY3W}{!U2AZQ4QP3I}8z8dCEuWG|vXj{j0W>{mBCSsKUN z)^^i^XCYPuWa{H@-7SwPb@ZFq=zU>Ce^PTyAJTfBsRn&yykKng@Wgj1BdPN$Ff^MB zF5c!P*A)|4d3vRqAT-s zfH@gD`&BR7HialH_LLB>bNRg)X1gR!$F#49i|YFK9E-xeE#y%^uTt^HkNs2-^BORz-l?;yw5%pOaA_~jem=x#3 znvGGv&}p1_t~oimFQ(Qk&D~rBq%HPLT zj%`pc>0+v~@kbtE>OGKS>m|`2cByW;k9*qr4lI|`#;Bg=Cju_0ijY#+;rWDhR);=a zX6~hfinE~CUX2!uCsA$fVk1?FSLJf?G@5{zq4DAaU3^7fIjvTZXa`b-n?}<>c@B)4 zuBtCxpeldyq6^W_4jUv4EME=c?dpHP;RPPZx_AS~B^k5>W8dB60e@8kY*9F26<4RP ziXR>Um&ckZ!1ejjYj2I=t!&)yv_2>OLFaLv?T?>Sl59=YQBH+p?2Y42v zYJlNh2{uB5!XKlmP$mpKui4gsWDHd`NcWmucqy$6EP&L6{0Fzul$yinAy(w(qv|!D zX+XxP0?Ww18d+2>rEMiZ|4E40k~F9ak!-k5H%}--g-qEr za_eZUt+15v_N&I|93yx9U1t zlQTft^NCI|aB*;uPv7`JOsU%Z>Zk20vL=bR5eE!_` zS{gTf6Bri@G%{hp1K>y<{6&Se2naRq?~xEgzwn}tmXyD0K-`wuh^9l&Qse&w(~mhL z&iB-~YKxxK~KE-g$EiJR> z>P^Tg-D@duRnR@AvuDRZ7CwuM@+vG;01vdVFy@rVUsl{V8*JP0Okf2aE30eout5cT`!Oku1v6)Tik(BG6rkr3JVw_C&oVo5U zgOyHvLB;S=U5x70tD|ARW?(4ChDJQ*mq){kvpSZAyTbJGBoNu|gsC51S}Z(A_+xD* z!Qex-&2wvv7yr~^8z%26To2UT#*4T16RaGJ(|I_PZ9GHxGZhCcD?bpYqv=a$B2oQB z%^Swm=7OV%KWtH+nqbY*juFxZb+|u8=j=3+mXKl~H$3g>)QdZ$(=X8LC$)RS8=@>DkwK=AB~2&o zUUc+BGnDw*=)i7`ZdI&P3eghFjk(6g>wptAw}v6vTl&cPQG2zrYGVfD@A_- zP9GtgJ)9b2efRfnedsAv6Ucmj$Xotsgwh=t8xOSru z3(a|Egg$Ulk1;=ukbJQ7a2~L_;j`6|n=`iSp4Qi!9uoHK^;~SJ*gKZNY;W8sX%Xg$ zrro-#aAy|UHzv-)>YaimmC|Bzxvgn?;LZ#uY>3I}uzv)vOVwCLU^1rKXKP6>r^T<{ zIAVm;5vj`1Yy>u7U?lw>OxMXyr;xYT zax=KWV@#_^p0rdxPcrl4VO><>h>~8Rn{R6;+74S?;UpXi;vlG?k8G)`_*IXJ(U|lg zZrwH06Y9!@i645fVSyoT5vET+Fb!I}`-wr&Tp1Gh9Y-JDn?vd^^%ACHap(7WJjc2N z5qxWSL~A``wS)_+x;!0CQ6GDUT1f<<0q?i2%s;iz#)j(Zpq%G>D6CUZ1fg7sZ5npKy zHf+|b6^KdicF?;)ksml}8dz-8Aw$lFH#!=f6k$VTH@?!l*sk9RT9)f}u~cqJCHj|h z)Xud>R?s6vUjRk+Prq`QaxCI}+V3irNvwR@gUr{5d~JNz1eu3p;kS>#o+ppf!IkNX zbU}JbI@}n3<_u(x$-+Ftew3!pPX(qX{F_J`Z8(o+(kN&oSjk=1~Ri@4po3z zu~A%AKRom;k1!D$m5H^>fz#^3zW?#si>HxvM?-CqZWuj%B)#dQ>CJGq-aig$*TEl2 zhOnKKZBZWGbZ-Tz<;(N}nT`W3A9quvN$93zW}g6 
zPruLLyPbjzM)3fahCSSc-8=3s+K=Ne%p0*gcx0TQtWs5YNdl2Xx2N=xaH{eMgH_-v zHHlIou@*y}go`1x660!V2|ktS$V*0;?w*~n&Ymy4AMrvj;RgARyqI?5Bp6A9G2Gb| zH{>kq_x8m-&-34oqb^+8q&3E2e#b5Ljo&%0qwfZOMWQGu^JsO~-=) zNb+w1^OD=^f%kROfO7uYU^f%ZcSBYj+_!?SLySu(qgIgXOui4fTMTu8hf?s0yg6SL z`yd^y2Huz88h8I@t_7nj1Yq>zhalNh7qgN5D~2UUHE|L~FdBuKF)lD_N*n5qee!OC z(L)eKjL%=(^S#MtemWcNwstRyA2u5eOS2sGLaPlrQElr5rbbregDm>?@CF(v-+$=` zAcXqloUp$nsMy;UpQYS0aRku&!4LsQ!-dQ0(qwTck}Id6L|U+`=nu7*`MUuW68n1d zYJ*=Q40xlVO8yLQCebKY^7QmIzY1L={eqpq>gQ(lexJ9B-5E#tE)k}^@o&FPPDaT% zP#tNiCyA;!_)AiebQEF(e5zEN+4hGW+7jyY?{Eh9CucZOCp2A~4XJU}9wNToEvMo$#r{(PHd!enwf@az;Jkvul)d-32_=+XT>+QQ8W#8)nu&> zylrA5y>RrZQPcriWgH2&KuS zc@MX?*xSs<5j`Ghby#p8;K2aLPf`2k^_S|@4{V!)ux1bZp}ekimgA=^PK_y8vZQpJ zEL+^B-bm9F&fJR0-e@x^=Iwj(7UdH`92AdlZse_`@GV51-Rji3icB$3$h>)`82dSE zqe1v|K?9dcQ~lP(@^%TRWgd$HTwOH1(=sJ6DYVh-IpeyoaAC@(41Vf)BO^=j1IIGp z8B;f7J}6qnZGa-CP0c&;;Q-agAX3pt~5Bi=Ie-#nhOg;dh9SnlUO&b2*xeAC*zDyC9>&Hh_g074?kit6@}B z1TsXsj#1$l6^>EyL>LuS)yLe7iupj7dH5A&Ls3+S-TM5Bx{WSHX|4gkVs93|V$bm_ zmcXxYi4iO9J}Fy!YtF3LE7#_GYs##6G3gOqYDAYB@!6+FoZpl`(~|!UGA+IsL;iDg z4s|IUo#7jQUYgFe>7``ihXNq>6;oBL$ zo#Fe57{05jk0ltsSCzi8YzWFWy;tAhUANJtD9bf4c<;|Lc<(!d_ksrRkMPEEI)oP{ zJ~Qyeo5C|+vYp%9bW)`D*WAv%U#`6O*VN8!P2PxveYB90Adq=miO1E3%JRhGE-Xfh zkldB!Lf5HEx0)8eTD)C5T;r0)^210t&USBI*o$F!y~K+%n)T z>M0koJ4867Zlc2$g1{&xNULTKXh0RJTA1dMpxh1Paf-nj;{+aLA6k>4u~(%0LZd&o zK$5i=?|eYs_0C1sm!A?$fR)}+hhe9pu7DBU1T;3`@*#&c@Fwgo=nu(JvOA*Af52DY z9TB>dk5qVGhSJ=Mb4yb=9N$1cq4_LB8uUKyvsMN#+=50L-;k>4g-H-hf~|{(2>bl> zl517~CQvQwtAnn5X-Ndpnm&}UY4Iad_m%YcEW}@Ka4AmMq0e1dE`t#TPF1dwuxECe zhp>{K>*v15}Lt*G0`@DCK)&A)t6ge2_7XlTs9!LBWMvGLlk;s zG~jL-!iPOOWWF~M5)1nz_}cA{eRS?2FHpnR6FTveC)S*px(tmN+%2px$2ufycvCcm zV-?fWWS;-8ajK>ZMy@*Nu@uU}E`5&Op7pIx zY|?y^%6d^vOS2~$ac5TujG3A2O7oY>x`vx;8CqtKoU5F)3eHx#KNWXP%v`om)D3qd zZNi$C4$@|fqdx9cDV*9qpQ1!a1TgvX4W?eiy{L3U8p9!pMqni%) zB*1f+42nYUSoSL)>s03+fC#6j^ zvlLbmD20Y{wN<4g0>`hSaliknM1)M7wQkQ)1S@qcUvOr>^2H0?di67GpbTJqWeHup 
zY;|S+IQ3;yU&SdK*3P^P$7vdfdh`YSS0!bL=6nZ#GVO2p^H;d?*WB#E&Jiw(uY-|z zK`<_r&7fJX{Uw+vYD9~iCQAqsbWbN66xyPgBZYY5rU!IRXJ^{OroR9G_P+hOZ6jIt z_xu%zc28N{B`AVVDI2*~er0t|68l*8-FquasXzjhuqFW(L0Z=F=KSrqyJrR%3}#3` zphQ`MYd1E5dG$Pc8uNYAy(ado)J2)=o-ZR%YYbM#V6pg~>C@ND(6i{%63iIr#uyDr zrcM)^2Jcs|`EsLe;Tlw9%#2X>36-@3`OWP`%tHFo)*#8uwKhEEwa`+|YH|4*wuN_e z!Eg#>ix39ayc0_L;yrwjMCiQ%W3?xOuR>}*?RWg60LJrtPgv~m%uCy@+g243@Vjvf zGU#e5CJJuZmuOzX2FE2LakAa~Z|+(m+w!bIl2k+POk#hz&z>}$cAG4a9nWUN{a~e4 zCiRwaP)}`6DMdL>QK7tyRkUqd(QqTJXg7g+x56yy*32U1&m)Kc>~shET0c1LLCs34 z)|Q%;Wcag%n7{HCbr*g0avH5X2_AZIomNx1YATls*dbtbuT-vnMJkt0fXY;^a&X?= zP`L_1sl42p%2iXjYAV+Qp>h>fAGf7)6#zJIL*FtrJ7rq+%hR{Y7P=J$`3UG+gH80U zK~3MPNZ&g1-Psf!-JQLC=f*L#&O4hg+?%IN;8LfZSX6^YPT(4tRrcU96S(O7ku!_p zgu_K)O_8V}Ji}`Yd9ivdSU#4&SVW7sWqr8vZ-}sjQ1HmN#_lQ>D6?2&7A-Q)U20mR z6{9p!QW1EVm1oUxoQWEPhy<~lK4U!MOFV~dorjuc5h^`J6j%yi%$XfCcZt1k`Co!e zP~*4>?^iLGoK(D=E%K8C*?wAxdzA(^*i0|XYo++F^srS zv_g*0zQ*f!>Zh`4Z5S8waGTVU>0Ab8p5Xv+FTXR@k*|PuUx%JZlINwcB)Y5ON#Ex$ zUgH=@IR%EA$-%%LDP_*#Ep{d5aKoGZ+{=KtqQn@_IEAA{AriSDlSN63l=1PL# z(z~P!o1&vs&%^6n_9|`AItZ4#2+0lZ0_~8gA6_o6(ynUYa&x5AzqNmte#v}^f*0$t zfZN`!7kSHuU)G~hx$w&d(CTp@Vc*0Z`^VyJ_9gTdo;7dZ->l=bYk;d#TWWyI@Tc}S zTVpjFzRmI5^j@(V9nfC}tI-Ki8LKJx<$gCpZlSI^ahVz!y4r5?rnp?7DdZHLw`I;)d-aVzChEsLh&3aexOx2qQ%n z_A`tB$HV`!qVe$SvpdC;Qi6&CKW#uWa}OOQ)Ld|YG#VYi5`+Oc z5C&4r68%S~&CaRdAIVYGfzTQ7kd(*)3s4rVVmghT&&3Ho>%r3yL;uCTowT)e1G{|7 zDu5U9j_2dFR<&&b9TH>yK|+U|VgY{hacYymx|yJL?A8?%3x~u2934~0Ss5#$3!`r* ziMT0NBpzXKL+Nb-HY5S?2y0-SxB(YoiPqsFhB&8LxGC4>=lL!++-%9V@}6VU77RsO z9&xx=SH3mY@Qq*%bzr_N2vuVxHCFOau#y@IxKk)V{gA^CnR|r-hPv&d1QehXpfVIt z?lbRhpn!s(*u2~t3aFug8VYzIP(V@jaa$)<$>*1f*kY`YMWj>8?i{&FG>D6N239Vhi2r!gswJ zcIiX(LyJQ3F=w>#Z36PG^==z8z%sV!zKcDMJiJlRZ@2qH%cjF+(QFhjX%k+vNnRwL zVUwZ5+cwah-Yf{AtLWrV^g6rlgISAul>-y{q289E;mv~{nOhIX+%MhMhJTMk0wUD~`ar{W zD}u;)iw@uTn-1r(EF*rCzLNYk=CAh13G)|CzK4~(pKWEIP-INSQPX}y3C@KlU~8d`@?0adp?D!ihEj9C!yd~$HZod5+Oal*H 
zQQs8kIW$G`7t+LKstwnuHWuI9FcP`xlQ`T&+sgr6Nvi&ZDh#N6sqs$9Pnftw;9O*6IDG2i=@@3tp!YS)=<5asK@R-UT{q@s3`^yono+Up>q33 zB{2$>wiTKLa|SFp5?YW)_R6|75(UP2*475Ej=n`_tM$Fcn#`acPUGS1y^$@Q{6od_Uxiy)gCNtDzh6h4sD5^egOJ>;8A^mOG4JOf2BEn&Lc0<`h zx1vNJ0lVR76T9K4W;bkw-SA?uTKaDykj$pfwRfOo-RV;%HK<{f_Sai7TuI6+~IKH$n+hLk!G zV6@Us+nxm>R&@>i5?!~fS1f$16|)ep@eh{MPReUqoxbHk&oaD+5eV*uIZy;!f0666 z#210ww-sS@7XDVc_elZLXgHFd$p@b8^pnWBEbt^Ec?$}Vi#hQT)xdMY+xPSma`vvW zS(UM717~^s@KglumDBu_C4sWqGgcOiau7mM*1}(r0b@;8A-n1NjDs%En9+mo2JtQ} zVd54+11?^gov)T_ZcfUS0>X6vo5&g1{1`S*3Z%!1#P>SXox-hApje8|%V#V_X2Zyv zot||C8Z4HfxfpXWAMbpgY<(0ku zvc!{27F-gBIY!Qjsm?>ySTw9L`m-?9g>iHSRCC9M41~XO&H=_8rEP8(uaR%NChg% zKtfpg8fn4;YqI&@q-ovc(^Yt7RpJ1SRNjZa6B}8dtQveZH+F`updNVPgJ$y6$qT81 zNv_K|H6TCPk25o~xrxZKp2I>2E;1nVL*C5b(HghNmec12(2HaYvX9v?WS{X7%03h$ zr9MqN9^T-b$#u4NNR**gCy$tALc8R5E4Keglb*$*jzzT6S>Sn7B7V9;4agf8bGZxi z$NzE>P4=;mFY=RJUQ@U*+ZBs|*^%+}tIgA}Y|G(7zxQVtn0tl57rb)8VqgFXKZ!v} zqt%j351F#yUc1_n&{oLn`p-yEXx)%;dYOfT8Wlb`$1D1%lq@tTRo9 zUM^Wd1A}GR?GD7+kSZ1T^W_`y)p3l!_Q4v7R@g0@)P~;M1VtRiomcxN5&xAKA*^*2 z@0*pIEw`~@9mqfRt1j96lW9QHgMSUNt;2#(Imi>Z@?uFFC53>eyyoUTKZY-@#C#<0 z?2MQ$^d7AxR*S}gd!|!1x@(ux%5FInj~rwuO{dZ)0WBC0=9fL$H~*#2FIm#1@gpPfmCkQiR&>l zy+o^6`a9tA)SldH#*>oc!7!dwJIqQ+eq0HsmIg6e$nss64r;Y@u7xm)}0QY0%z4ZW^>}a?@7GO?CWT z!;IrO<%!0X?xW%~k=%Oat%|N+>E9ryNpjTUqiPGs1WwJBfFb-A>$;F3G8Y4Jf@u_e z67;8p=9KmAp7;PrK%=>Hz<0_xry${)Vs}Oe=R9c*%rn z$}Vm|y?%ljXT#LN*%aOgH&t=d^1sXxe@HU22E>AVp){b)Yh`~8sVVH2(`J8lseNts zt371R93IiTA!~d8kUi|Mzk2Xjx83ftzuN3Che>(#dxL?2Kf}PS<`(=9_gc1q(j`Gk zkH~pLz9tI--HVIQlUG>0&-f>0tHl3-?YuG&)lLF8wcjnn-CC=RK!h z*8h$Gr;(sBU0o0drt%%GVS|p9#=nDq>s5pN~V(q9*m~4OvZ8LDt^|~M{1FJ51`9kdA8OoQ&B}~fk zuo9974A3>-c*TGquR0l}Cd;*?4Up~Gv`rylAhioPFYV69k>k|m_@ODEWHp_N*GLFk zF7QBj1Fy3A?BCCtYK@HB3EyG5cVp&NLmsi}Ew$?7<3BI(+o;8U%8ks*evB;)Vy05_Dzl;KEKMq<{7iT2YEZmW>BdN# za{U}ke&^;N|0U0^e3jYRr;43@3;(}ZH+S)Ue*V&HnKa3`n(%JJ92WXcqLFD-eult@ zEzotK*)5h-zs^IJa2O_esXA8MscV>KbmL=f>vD4~O_!-9>39rsl1&G`=J4}^KCZA17?Y|y 
zj%=6`PkYUVgiVZ7UcG1)p1@>1;aNXTqmeu1bU1_U5lnO*rBt$GrhSbJW11K5%QWJP zV3MKsZY++q6vwktGc)~^ZKgz}EZRz?G=p`+hSMm(^R=Upm_ga^Ywm$}E)vtX`z0fA z;h{k~FKx@82B22)IL&(VPP$-?esLwUPCnh3!e{F=Vs{R@1q*N9W3cb_iPCC!K51 z*6HTrbS|v`Rq0$MA-y}Ha}|YCdAT*6tEO|+bgqX%=PIl|ZcFFd66$vgj+ariqzpyE zA{?*Mg>FTOJ_3%Hvx(#7)Euv>94~fG@!`r3@jT_?RWO;HzPmVs_Tp!d8{*;SQ)Yds zb5N`>=aI9%9J7vh9zW~r8rFm5W@55rkMt-4Q-q8sH{={+SSUQkR>-(Zp(l7tP8-pf zSR6I77+6s#xIW15qU@go7ivu}C_^dx7z8Vg#bwQ0*y)03l?2s-zf%g(vDi_r=Rp&s$WVpiK4n~Rp^Gkd@|n3%PS3K<-vS3`5yYR)#?iumxmre( z39)LBu5#iLeQk+!ujHotXZ)Tgu3qK_H?|5PI-+KLJd_|0+w;@=!KJ!g*_6bYFF?oS8-SDhgye0(VLj>}Wa|!A)dmhCB zo+-sm98MM<4#6Kbp@QVHJ!G|$Kh~Sz3)R5~^953RhzW)aI+zT2Fuj05`#g|?L9oR5 zlx0XTb@ur!9nzog{Q&L#t^GUyXVWqzaW*IEY);bsy`gPrZ*xOiX+v9vDq5_e4W$>w zpG@=|R`t&~%Q(cUP)T%tZbW-iUk5VWD2hy&3@J>fLX1gCLT-ZClX7vHqvf1*=N5*q zv96dBo!eLs7@{`N`zFyW#_v@}A?O`Mn_Q0P_B}?jd5gT%G>pw%EoC)KP7-*h#I#{~ z46{ZQSYXn~SX{1G*r-?>h|;toTbdNlMO_I$=7e+;v_5@iYcd{7T06~?3jTeJFjq_) zU3LZN$Y63OBmF^n+Gy$)F(y%G0?mve3j=Z8R%NFBaHW26HB(G!Z&>UC@sVpdI~ zYk#4k#yv~`aW~FPU>_h0irY=r$cJ8oxr-1tOgNbSH_?hgx}Z;D-|7&vfw%%q7J2nL zi2c-CCRl0HDN(i2pd|u-95tc*8GgnP_l`*GXyIU8tqq~SMUITtwEjYqoZr%i?hrpOs`tyJ@7TAc~-mla3Nm+M`O>Xm({#vfz0XqKqO-MqE) z(aLzAy@Xl3h^A}uB|*cCGa=7x6PhH=(lG5JyNY8c5vG;MaJgxES8?nNLF@8+d&$ss z#p2La2}HNONOX#@@B$`@@=)HkK=ZyApMp?>vP}MJYD{XIC`CM1zbxhGbJ?VLPGHqR z=W5!DRnu1PR;XPBo!hnyvK3aT`I`#58`6*#h|LDo+bXX}TOSLj_w7-R9=#*73IwP} zN16X!=ySD6Gcq$UP*OMMN*wkfXbx0a){~Okm?Ge)x6xA zR9BPgYEs<;A=MRCAGeMQSslW^4WZ5?R?2;I$`k6!7P=J$`kg${zfD42XA_~WQxobc z6YAnQBj}u*yuv6QzQ@i{KhD7p^q(@7PMv*XZFL?wm9Asf?43tSr6VU?4C6#^5it=W z;$&%9D_RW94^^mRbpMN14n-~*`_i>t{(#^T^z%go3>KS2dOdNc=yz;I*J@#s!#9l^ zj{U?tShSjYECi8Y`k^lrbPtB7Z)xi!hbZVyEwoNn%V-|peO=PuI7n$LSH!$?t#}zt z{ZKrGG5_Q*n}|_G3nW;f%g;Cc!_1-wgO?%x8XU?oA3Y z0h2)l1!pl0$5AAU>9~rdzmt_0EQu75KsU*T!0>*g?69hMCo=}#?6Zv*0dBZo2C>Z? 
zXMd7EI*u`NF9MnOttFwUSjVfRa7>&)QNKhUMSy<O;c9WDA+)(kO+nvdJTgk~Lr+ zoDylUh+|EiD264=f$v(L?A!^3csY$$o=nzJ#d$mRIE{h|h^F5Ep^%_TvS0mcIa%mm zQ?jkL^)!CT7wb~j%$LbZ7I7J~E!H&IkmXKV&&Ki8Yq7EYuvo<`;-W^B2jU?zt%G(i9MseQ#T5bfVP`wMBe%Z zI*`a!L^9){v-|}MM~xr8xS^p#uoz4uM$?zJI2*mE5#{_E)RX*%?LpFZm0hyO)-xUj z@5DRbV~x#dfbS{AKfw@#{>J@=HTR!BxiO`ko;W zzWt2Wo@YcndD`S8>kY+KebDDwry;Wp$8PLfU%zG+_aA?dlY2%kCUf@d*Nm2g1X$76 zuX?ixUQ2c*Iqm1|D|(OyhBW%qbH(`(I}76|(}vSD3doC|4#6gsEO96dJ~1txYL|y) zTB|XcMd`;=I*SUNooU8!OXJ6ft~9P&b7M+zV^oj>5Bcwv8`G)CjnN5EnHy6M0=XM* zOhNdGms@jVYHm!;jd>v4n4;?A_S~2hI4}tJFW&Xni~oS%Vv6GuR`X)iMf}Od>pdX5wZ0o$Ry}Hiq;x@6Ti*Aq6Ua6 z@K_;rSVblAWZWASMtgwWFPTP^2G1VY`8}d#%j?LVuuuGKFe9k@B@>H|Lge6wx;Eq2 zD}0Q5*4Ul9qhQJ+am800g0dFy+0wN981!=Bk|%ve%AtNakxR!$;{l5QWe$bgAe_+GJ9c`62NoPy zu;x=APh4W(-*%`x7wfQjY{{Tlm^{gTk*5itVRTrP?fEVE+Rj0uQiz9bwG3lERF zFdol{#mIAd_(DVK(FO0w6e^*_kn<9c8PEI$*<_5_g5YHW&B$K3UP6(V7&U~_NfYIl zMDxqZHS{9=ES58=tfDIyJuLBVE=@>6dd0rDS-*jn#5*B@?*+f4GDS(c+Ry(eK9D35 zf>M}F7SI;MLeUW4N%)8`l@)jmauXnpzgz%0V%kSR7qFM$0n)zE2O^hI%garw3prK;;K#F6@YSK!||m!5iQA zV(D~=>Ei!VHC1aIe?H&)ovFiprd^KD_vmS(ktg)9kulJEG_xj6prL}XNqs^qto6=c z%mRXrW6ccWX)!>MJnT~O64PgW-bFCm|NFD^y=Tp&7%7D`)mQKrf*WIS8PXPI1rugpWGxXF zW92}(?0_0w7U2?N<_HGc^=7bKZ3{MF{%>#PTOMrnmlRbw-Ro)J^9fCGWBTZs-bkz? zYW(Rub&XP(4i$(@jV#A0`!dgeO7k^x?MRb8AYv9ZjXeBZ`b5aeGz^3Z*vBMC!+vZ3 z-umS8Jrc9oln*D9HZ75lcu>BE?EX+;{HW8cDX+$6t^@Oa(XvC`ROD*Pn?W)1;-of z7agJYM82&2ZVD|GZi?83p~)onNWRbT^fD<}>Ov^+y$_OneE&0c-kRblD|W%ZL6yc} zl%PvBc~vAUUoI0pagmoLDXF?D$o1xmI7Q#&x}Y7ZlbSZ9J79d^3&@be^QZnLNi$D! zu`P{;=pNS;3lS%iXgAK^1`I))^3lE%g4$bWndhb)bW z+l8jirjk9Uy2*oFPMzP?1|%<U!6fR>kAGsSAASj`lBAWX5M>SGH`vC>HEZFplQc~Xj3w>)pG zY@u7xoR5Gv*4xAz>(#umt?|ax^RY30griU#BYVmWGIb(~W!8J-46>eCyZ0V5gN&2M zkjBLrGL~2k+%M4?22x4SuMLJ-Yqmg2q8}4+7K!YmE6z%~c7x>wY|j^oxGWSP z4_d?y3odvMS;u(1owB{~ml}8^!;3jy2g|A9$5?V6PEsUDF(CL-lMZF`P^`nD*hVI! 
z=uOVXN?HlxumDg}+8oBr8cyG*jFS@&cVs-3k7lFmZ2ZoeHv zf8_f@0-R5#!DpYZ+co9NI6UmYAHZN^NH{gEnMvEs6x1}^A-Y#w7dP`JMKiCln{*-I zBHcR0gKX@*M8?9%wgF*Qq3sXD_AfQIolCX@Y}*90?X5KzzhOvRds+=5eh#MorT;n} zyVEsC;dd1138Oh_>-$!bcVy?3L*I?c?kR!a+vql~;-6BtmF5iO_Q*O$mB?V~s5_ii zHNRpP{0jAu91n@_m0!`T$gj`|P?=v*?g;&E_!R}=3tn!`uc-MIHNWD4@GFX{k1g;k z${|L#Ay=4$NqG>x^5lxLg>FS{ekV`wZ5u+8KKrTPnHz+Pf)G{&4~iiCOR(hZQhQV6 zb*FJe!5O?r_5!T=Ch)`6j4OqpH8ipKc6y}xz-QXv&3A*`&lUI)_?+_d<-#I3&FToKA#3Sw~1W~%awa?@;{Rot<E2t0^suD-(Q6RMID-~{^x&gjxlPHbw=6>6$b^j`4!AN*o7C&TNt(} zg`*lG`ql>Zl7ijY3?yOV@#PnPHcBU(L2y`lW|91lA&pCdpzupoq_ER z{jS~X4?tuWTG|w_5HQMcb4s#U<`#-LS(MjwsFU3b(wvPXlyXZM`8YajN(+VK2C=V;=?r0~XS ziDy@^Uf;ngTZ)cJT}4>=Dx8kfIh^zkZGU{^+r7@D4W>%FYx{2RXfhhOlkPw?`phDC zOp^H4%b5rJf1D|?)AbG~gOO)D{-|yD#^a9dwhzbla5U+6`s2ZHH1=4DRFL)J)Fgh_ z>GqGt!-+lehS0WQe{3HPVCuq{9gdH>!+!73=Ou;j){A-6o(!D!XkvHT1L#SZztE?S zXLpAacQEms5v(k}rd)3^vrfn>lVPBpo_E;s{V^2QgXur+KnsUHtcIh3J8XOIXfX7d z&!}`*ep>EZNp@c$JzwL=Le1^)+|mq}M#$6xy#oz7^v${! zRC1$HkZe@Pn|m;9qf#L8ZD~U#0QN%7PYuy;hxU}^Dd{;+cxDwZ(aoSf0cgK*^x4<7 z@(y@TPIq8>)jk}4gA}N8JRU{YKPW#Wy6xmC(TmECWMo{mgYYtMq_f!yXLbsw)zmuo_x5YED#DP86Pca-M?y^5g|{(I?+y zMw;(oy>4A! 
z1>-B`@kY?3u7VhYWx+C}tOWRx^MN>_G?fp7+<}RR(ENuLOd^;2h9Y&y;P=J(z`Ia-fuKC9zb5DYCtCO|2bU; z{_4U{_80%vfxkNKcDHE_+wER2>rX<5XbK8Y?p-$P8o&5_R=Bu`T^zD_3P1{RN$eL5AB=Gf9ugOY|c)0%izl<|yoC2e|Z3w_tTa)l_lJ?Y?xHfu#8Ete5TOc(tHwm&5KsBq#CMQ zCn*8^CUKiq(ga<8YKiVevL&VOrV;VwP*D(5k+_S|wM7FVXp6AZSoH8k6}wMei-L`nUlCGG>Wu z)(Zr4-n(9~ikS@&1e1N~A#-Z>5189%biroVPN;Kh$ALnn<)$gNITj~0U_bbH zrB`|&8j(IZ4L`#o3oc0!g18ZWkvA=+BBdUC;p53ps#{@D3^_DYInzjWIHks_b3u_t z&Y2Tb&3pPzD=43>+IQ)6lKUGbh9qM;v0lG8c`rV+p;Tp2{MFO|>3&D1gy-sKJ0^@l z5z-exCMg~)S@$0+tR^|$DarA^S%TYUId1qk|2BonsrX7_6e?}&GRQVprRHxc=njad z#Y!wl94%DXH%tM2aBRVvBB;+$Qv@G5MNoxx5!Sp{ilB}PUxp&66QD9hupH=nHx$8w zfIBa@rU=#)!I~oYKq!Jm)yHiqf)$YZ+YkXw;-s9tL3tuz*+RFXIKPu8__s*}9Bv{4 z4r?Od7KnhZ=lR|;V&2j(eUFZ)pELnbop@qd4IeoHaA;QM!$(R0WS(7+amT~WUHRzQ zh1h-=gAUgQZZJp?;-TV_umT`IkvnTSV6&f|2GzNX-4=Rwr9bD z|L7iL_r5#*#iDcnn4Fbi=er>+sK)u;?}8SUwx2aWTb+cw(P+k0Tbc*aKP_4L0rfsCyk#;T1Xm$yTw%Lq;rxKj;c=?8S!*t-9#(P z1FHeUqB5Q&+wv)VdBS~X#86P&P0-vFDsto_e{qtq88Q7YXEr2h8Qdz$Q>{uxV|$(HnKlh2iAb~-fEq1F<~3_4fV z16rQ4y1aEwZI~p;X)Em?sq{QkN-Ipkf_cP1RYE;MOe21VB9;`wPRel=!)r{lmJWO zMmX}Z{Aq9*K+n>lzMEtXqibvA<6-}0@EOXNN@s3CS_ml6C4Z`fqEbMsa`~ zp)!9Eo-&%)(&SgeBBwYK!d}dAO{)c^WW3UB0@$SstO`!VFR`*AXZKgxzhCpI{hlZa zncBqtQyHg{yx<_0Az2tXu7joLK=2C6fcrd3)Mj*_a6N(VV*^zDC%LSfgZ+6ZHzQ{t zUsBUZ3&?`P#mNIH?m92S7~r8-^sIq7rwnNOa06#R_B@g23Sg2P!f$PY_>;zRFH52j z9xN-SSu+b@hLXNuz9iU<|9HhcEis=&uw?(67A2`-iJZtjoa0yY6azA6Z^dPdeGzKxFU8V^RCM1~b=4G#{JEuqlx9 zdB_|7noSWL!SU30(X*TEdhI+^o0yNU2;!a0=j*5o*^r28{%FBHN95@ntmu@l!G1SO z(Fzz_;QvJ{igdcl1Y<;3Au*=|q>&gS*yWJtMO-+>A)qo8UI4UPp#o5v)X&BlP7>TT zj&q@*K&029XLyHGM`; z5U-&!+@>`p&}#Sq`};HW4npv>gv}QOs(F4Vmp^HizILhAh6W@lHb+NFO1Y!xNSi$e zpre%<9;q7tpi>i;?!rLW}*>3}An?y*l=fm=VcG*I= zqAVW)pnbFn&_1dG?TUalEUC9)qBdVeh(Dhof#fOU+3LI#tLo^HjTNVTZcD!sr__Xw58$ zG0+T8XU*IjYvEtwdC!7_>YeUm%G3#l_PCy=DX+dZ|&c64Pm1x=g0U;=X=t;WW%1^ zJfuB2Gg^j=(|l|)pxH-SHPAdf-B7T!^F5WFdo)yQ8^DQ#gcM!OG$pr)aY>yRMH$Jp zKI4*c8^gF8M=>r%B6QMCxlN*!M1#p?CNpwr>bQpF(lkuO7%?+)7l!X`t?!?6{y5({ zd#|b-YA*a9=?m}R5e!*zIeRB 
zru+VzAGs-Ra^`0}20E7P4Go(n>3V52U-mb<>%x>|HzqP(?0!5+odCRaNQKE)1uEN*8Rx9gk;q`$f88M`pW!ioBf{RJS=~2o!OqrIJ;X;xA;XvP}Hx$~iT|dodM#qL425sC`JfhtH+}nwOh*uCQ2t(7BX8P`)DsE{nYU0gg~_*3>i8_o^FH z@qApKgELy1Ad>YHxr}oYJLIcr^$OMo^%19^700Z@l8^VX_QMy;r@47LmaId^QwVe1n9Cy6ZN8Y@L`3q*-kf-4hkEHo>Jfc0E zCZ*d+c@#SK{6fJ^zr#y}B;BOSoH-&g+af=E?%8!~#kncL>T0WWHJyLqX`eN0t*^F6 zt~aHfuyfT!^saJ`-`iWq1Y;!oNoG`;zkAKm#pooB!4OlHth9Txc>I6DBcy(Cn=HF@ zk~<#!VgAzeP%Ot`Sh+Jn$W(h-?OL`OuOFnnHax$YgqOEzFttus{yy|%;Ev!M`x8Ab z=4OdnM_#Hy#lHFLY>nTZwpAXh|W3<9Pv{!EY z@OK0PdD605)py;^tD&vHJYg-dXf)7F9;X#<=rk78s03Q}GG}dO3u;aj+BEZm)bg%) z`M6hu)~EE0ERJJib$HH__4v z9qWB%U!?{LHAzkFWwlC11BK&m2$^yu1}qvcf6qT(gubhr-lOWLc}nqs#{=C<+Ocyc zG4c3-DDjA^oUdZ6uFoUEkQW|HQ^Lw~D#2q=%-qK(9O3ifEzJ37DnH0D)s zH9WL0Kzy!j?3f>sY#1m)vJ-EQY$%~MuXwZs4p*t4otH)3bxRq2=9G&Pk0f>P=$1OU zDo{yw2zTujNJ87kH}7X|g!UWfs_f_!ODfg&oY?grGg56Z>4wqd&}*SaN(S+q{=?b0 z%OiPM%9FL-9lB-F`dKvJUkeM8IDJ9MRq5HM4T;^y7QN8(yrvGM55wHxfULd$>(za0 z5D&{bEOW0_R^#UUkJaD0vbk{siPXAlv{d2G>^ak^wr0NRPhs6%jz2}q?rX(3)jGWFzh;KyY)%)EceLx@zqToEe?yVt=hePN1@|P2y?(-UM6KJ&*g)i zg~rmAH{bV%#Too~^O7e22r8Y3RujBM%Rh~)@VS~_kodE*kJ-!06-Pr-*563a>`PB8 z%CVas{4HhL5+5vP5G_&}5}GRqyQ+uI^G{tm+{vA|e`l7gEajh$SHg#uLQQ3UryOPF zEi&W-ZW?yh3d7*(3kE74a|k$6y4aS56ttzZITP6>-Se!68dK*>49>7_&-k(q>1Nlv ze#kAWx)@_(8Dru!#-HHudG74;^XxFi7qLKD#rbBPGkRwI@R6c~(^%x?Nux zZLb#GuAhVM6!3MLL&A?|9@cI4jyO)I)$5PA ztih;vYGf2XHL@ehwKxNee#Sidx9Eo`S1Le_K4XRe>H(}}z`8BUl>n>*z^cu}cmV4V zuzHA{a6S#Q`!NcVEoaJ3Iae}h5+)>ioCztI!k}gH$mLD4Qvy&Ykxvc-bq13eG*BlE z)QJXl?&XmM{};{WlRW|IPiDjdG!~#P0NukQvjLh9tWK4TSYV|Bt3QPi3#|FT$_Li6 z1J|6e*K%KY|6A}Mo%O)!Qps2W&IaJbQy442Sr44k!1<6*jtA-D$&3|XT>r9ga`ZqP-1*x!SQE(Sd|JuE6B9Vsia{Vx#~KM3TG&}@^`X9bo;@7NA NU{3~TjI$^>{uc<|hHC%- diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json index fe44181877a..6f1a494bf0c 100644 --- a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json +++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 70, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), 
[Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -51,6 +51,30 @@
 }
 ],
 "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Entra ID. You can get Microsoft Entra ID custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
 {
 "name": "workbooks",
 "label": "Workbooks",
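Review bot: The second item of the Note added to the `description` string has no `•` bullet while the first item does, so the Release Notes line renders as a bullet and the known-issues line as loose text; the item should read `\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.` The `\r \n ` separator also mixes a literal carriage return with a space-padded newline, and a plain `\n\n` between items would be simpler if the portal renders it the same way. The count changes from `**Analytic Rules:** 70` to `62` with no visible explanation, so it is worth confirming it equals the number of `analytic` sections later in this file.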
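Review bot: The new `dataconnectors1-text` block says the connector provides "custom log data", which does not match the basics description in this same file, where the Audit, Sign-in, Provisioning and Risk logs are described as ingested through Diagnostic Settings; the phrase reads like template boilerplate carried over from another solution. Suggest `"text": "This Solution installs the data connector for Microsoft Entra ID. It ingests Microsoft Entra ID Audit, Sign-in, Provisioning and Risk logs into your Microsoft Sentinel workspace via Diagnostic Settings. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."` so both texts describe the same ingestion path.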
@@ -80,13 +104,13 @@
 {
 "name": "workbook1",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Audit logs",
+ "label": "Microsoft Entra ID Audit logs",
 "elements": [
 {
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
+ "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
 }
 }
 ]
@@ -94,13 +118,13 @@
 {
 "name": "workbook2",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Sign-in logs",
+ "label": "Microsoft Entra ID Sign-in logs",
 "elements": [
 {
 "name": "workbook2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+ "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
 }
 }
 ]
@@ -150,13 +174,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "Account Created and Deleted in Short Timeframe",
+ "label": "Account created or deleted by non-approved user",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
+ "text": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts"
 }
 }
 ]
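Review bot: The rule "Account Created and Deleted in Short Timeframe", which the old side listed at `analytic2` (and repeated, apparently by mistake, at analytic3 through analytic6), no longer appears in any new-side section visible in this chunk; the following hunks shift every later rule up by five positions instead of keeping one section for it. If the solution still ships that rule it needs its own `Microsoft.Common.Section` here, and if it was dropped on purpose the "Analytic Rules" count in the basics description should be checked against the final number of `analytic` sections. The hunk itself is complete, so this is a question about the list as a whole rather than about these lines.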
@@ -164,13 +188,13 @@
 {
 "name": "analytic3",
 "type": "Microsoft.Common.Section",
- "label": "Account Created and Deleted in Short Timeframe",
+ "label": "Modified domain federation trust settings",
 "elements": [
 {
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
+ "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -178,13 +202,13 @@
 {
 "name": "analytic4",
 "type": "Microsoft.Common.Section",
- "label": "Account Created and Deleted in Short Timeframe",
+ "label": "Password spray attack against ADFSSignInLogs",
 "elements": [
 {
 "name": "analytic4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
+ "text": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference"
 }
 }
 ]
@@ -192,13 +216,13 @@
 {
 "name": "analytic5",
 "type": "Microsoft.Common.Section",
- "label": "Account Created and Deleted in Short Timeframe",
+ "label": "Admin promotion after Role Management Application Permission Grant",
 "elements": [
 {
 "name": "analytic5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
+ "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
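Review bot: The rebranded `analytic5` text reads `add an Microsoft Entra ID object or user account`, an article left over from the mechanical substitution of "Azure AD"; it should be `add a Microsoft Entra ID object or user account`. The same artifact appears in the `analytic9` text two hunks below (`add an Microsoft Entra ID object to an Admin directory role`). Both strings appear to be copied from the rule descriptions, so the same fix presumably belongs in the source rule files as well.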
@@ -206,13 +230,13 @@
 {
 "name": "analytic6",
 "type": "Microsoft.Common.Section",
- "label": "Account Created and Deleted in Short Timeframe",
+ "label": "Anomalous sign-in location by user account and authenticating application",
 "elements": [
 {
 "name": "analytic6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account"
+ "text": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application"
 }
 }
 ]
@@ -220,13 +244,13 @@
 {
 "name": "analytic7",
 "type": "Microsoft.Common.Section",
- "label": "Account created or deleted by non-approved user",
+ "label": "Authentication Methods Changed for Privileged Account",
 "elements": [
 {
 "name": "analytic7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts"
+ "text": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -234,13 +258,13 @@
 {
 "name": "analytic8",
 "type": "Microsoft.Common.Section",
- "label": "Modified domain federation trust settings",
+ "label": "Microsoft Entra ID PowerShell accessing non-AAD resources",
 "elements": [
 {
 "name": "analytic8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
 }
 }
 ]
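Review bot: The new `analytic8` label still says `non-AAD resources` while the text for the same rule was rebranded to `Microsoft Entra ID PowerShell`, so label and text use two different names for the same product in one section; `"label": "Microsoft Entra ID PowerShell accessing non-Microsoft Entra ID resources"` would match the naming used elsewhere in this file. The text also renames the module itself, but the reference it links to is the `azuread` PowerShell module page, so it is worth confirming the new wording does not misname the module that users will search for.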
@@ -248,13 +272,13 @@
 {
 "name": "analytic9",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against ADFSSignInLogs",
+ "label": "Microsoft Entra ID Role Management Permission Grant",
 "elements": [
 {
 "name": "analytic9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference"
+ "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
@@ -262,13 +286,13 @@
 {
 "name": "analytic10",
 "type": "Microsoft.Common.Section",
- "label": "Admin promotion after Role Management Application Permission Grant",
+ "label": "Azure Portal sign in from another Azure Tenant",
 "elements": [
 {
 "name": "analytic10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner."
 }
 }
 ]
@@ -276,13 +300,13 @@
 {
 "name": "analytic11",
 "type": "Microsoft.Common.Section",
- "label": "Anomalous sign-in location by user account and authenticating application",
+ "label": "Brute Force Attack against GitHub Account",
 "elements": [
 {
 "name": "analytic11-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application"
+ "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
 }
 }
 ]
@@ -290,13 +314,13 @@
 {
 "name": "analytic12",
 "type": "Microsoft.Common.Section",
- "label": "Authentication Methods Changed for Privileged Account",
+ "label": "Brute force attack against a Cloud PC",
 "elements": [
 {
 "name": "analytic12-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window."
 }
 }
 ]
@@ -304,13 +328,13 @@
 {
 "name": "analytic13",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Entra ID PowerShell accessing non-AAD resources",
+ "label": "Bulk Changes to Privileged Account Permissions",
 "elements": [
 {
 "name": "analytic13-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
+ "text": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -318,13 +342,13 @@
 {
 "name": "analytic14",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Entra ID Role Management Permission Grant",
+ "label": "Attempt to bypass conditional access rule in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic14-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
 }
 }
 ]
@@ -332,13 +356,13 @@
 {
 "name": "analytic15",
 "type": "Microsoft.Common.Section",
- "label": "Azure Portal sign in from another Azure Tenant",
+ "label": "Credential added after admin consented to Application",
 "elements": [
 {
 "name": "analytic15-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner."
+ "text": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities"
 }
 }
 ]
@@ -346,13 +370,13 @@
 {
 "name": "analytic16",
 "type": "Microsoft.Common.Section",
- "label": "Brute Force Attack against GitHub Account",
+ "label": "Cross-tenant Access Settings Organization Added",
 "elements": [
 {
 "name": "analytic16-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -360,13 +384,13 @@
 {
 "name": "analytic17",
 "type": "Microsoft.Common.Section",
- "label": "Brute force attack against a Cloud PC",
+ "label": "Cross-tenant Access Settings Organization Deleted",
 "elements": [
 {
 "name": "analytic17-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -374,13 +398,13 @@
 {
 "name": "analytic18",
 "type": "Microsoft.Common.Section",
- "label": "Bulk Changes to Privileged Account Permissions",
+ "label": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
 "elements": [
 {
 "name": "analytic18-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -388,13 +412,13 @@
 {
 "name": "analytic19",
 "type": "Microsoft.Common.Section",
- "label": "Attempt to bypass conditional access rule in Microsoft Entra ID",
+ "label": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
 "elements": [
 {
 "name": "analytic19-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -402,13 +426,13 @@
 {
 "name": "analytic20",
 "type": "Microsoft.Common.Section",
- "label": "Credential added after admin consented to Application",
+ "label": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
 "elements": [
 {
 "name": "analytic20-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities"
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -416,13 +440,13 @@
 {
 "name": "analytic21",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Added",
+ "label": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
 "elements": [
 {
 "name": "analytic21-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
 }
 }
 ]
@@ -430,13 +454,13 @@
 {
 "name": "analytic22",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Deleted",
+ "label": "Attempts to sign in to disabled accounts",
 "elements": [
 {
 "name": "analytic22-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings."
+ "text": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator."
 }
 }
 ]
@@ -444,13 +468,13 @@
 {
 "name": "analytic23",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
+ "label": "Distributed Password cracking attempts in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic23-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
 }
 }
 ]
@@ -458,13 +482,13 @@
 {
 "name": "analytic24",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
+ "label": "Explicit MFA Deny",
 "elements": [
 {
 "name": "analytic24-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised."
 }
 }
 ]
@@ -472,13 +496,13 @@
 {
 "name": "analytic25",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
+ "label": "full_access_as_app Granted To Application",
 "elements": [
 {
 "name": "analytic25-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access"
 }
 }
 ]
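Review bot: The new analytic25 description has grammar errors that the deployment UI will display verbatim: `This permission provide access to all Exchange mailboxes via the EWS API can could be exploited` should read `This permission provides access to all Exchange mailboxes via the EWS API and could be exploited`, and `the applications function` should be `the application's function`. Two of the embedded lines also carry a trailing space before the `\n` escape. The same wording appears on the removed side of analytic30 in a later hunk, so it is carried over rather than introduced here, but this is the place it now lives.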
@@ -486,13 +510,13 @@
 {
 "name": "analytic26",
 "type": "Microsoft.Common.Section",
- "label": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
+ "label": "Failed login attempts to Azure Portal",
 "elements": [
 {
 "name": "analytic26-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\"."
+ "text": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
 }
 }
 ]
@@ -500,13 +524,13 @@
 {
 "name": "analytic27",
 "type": "Microsoft.Common.Section",
- "label": "Attempts to sign in to disabled accounts",
+ "label": "First access credential added to Application or Service Principal where no credential was present",
 "elements": [
 {
 "name": "analytic27-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
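Review bot: The new analytic27 text says `where there was no previous verify KeyCredential associated`; `verify` reads as a typo for `verified`, and the clause is clearer as `where no KeyCredential was previously associated with it`. The same phrase recurs in the new text of analytic36, analytic39 and analytic40 in later hunks (`where a verify KeyCredential was already present for the app`), so all four should be corrected together.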
@@ -514,13 +538,13 @@
 {
 "name": "analytic28",
 "type": "Microsoft.Common.Section",
- "label": "Distributed Password cracking attempts in Microsoft Entra ID",
+ "label": "Guest accounts added in AAD Groups other than the ones specified",
 "elements": [
 {
 "name": "analytic28-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
+ "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
 }
 }
 ]
@@ -528,13 +552,13 @@
 {
 "name": "analytic29",
 "type": "Microsoft.Common.Section",
- "label": "Explicit MFA Deny",
+ "label": "Mail.Read Permissions Granted to Application",
 "elements": [
 {
 "name": "analytic29-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised."
+ "text": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes."
 }
 }
 ]
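Review bot: The new analytic28 label still reads `Guest accounts added in AAD Groups other than the ones specified`, while the commit's stated purpose is the Azure Active Directory to Microsoft Entra ID rebranding and the description beside it already says `Microsoft Entra ID Groups`. The label should become `Guest accounts added in Microsoft Entra ID Groups other than the ones specified`; if it has to match the rule's name in its YAML file, both should change together. In the same text, `i.e projects execution, support etc..` would read better as `e.g. project execution or support`, and the analytic29 text in the second hunk has `This query look for` where `looks` is meant.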
@@ -542,13 +566,13 @@
 {
 "name": "analytic30",
 "type": "Microsoft.Common.Section",
- "label": "full_access_as_app Granted To Application",
+ "label": "Suspicious application consent similar to O365 Attack Toolkit",
 "elements": [
 {
 "name": "analytic30-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access"
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
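Review bot: The new analytic30 text repeats a clause: `should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded.`; the second occurrence should be dropped so the sentence reads `Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded.`. The PwnAuth text in the next hunk has the phrase only once, so this looks like a copy-and-paste slip carried over from the old analytic35 text rather than something introduced by this commit.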
@@ -556,13 +580,13 @@
 {
 "name": "analytic31",
 "type": "Microsoft.Common.Section",
- "label": "Failed login attempts to Azure Portal",
+ "label": "Suspicious application consent similar to PwnAuth",
 "elements": [
 {
 "name": "analytic31-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -570,13 +594,13 @@
 {
 "name": "analytic32",
 "type": "Microsoft.Common.Section",
- "label": "First access credential added to Application or Service Principal where no credential was present",
+ "label": "MFA Rejected by User",
 "elements": [
 {
 "name": "analytic32-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
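Review bot: The new analytic32 text misspells `occurances`; it should be `Identifies occurrences where a user has rejected an MFA prompt.`. The closing sentence, `This query has also been updated to include UEBA logs ...`, describes a past edit rather than the detection and would read better as a plain statement, `This query also joins the UEBA IdentityInfo and BehaviorAnalytics tables for context around the results.`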
@@ -584,13 +608,13 @@
 {
 "name": "analytic33",
 "type": "Microsoft.Common.Section",
- "label": "Guest accounts added in AAD Groups other than the ones specified",
+ "label": "MFA Spamming followed by Successful login",
 "elements": [
 {
 "name": "analytic33-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
+ "text": "Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,\nDefault Failure count is 10 and 1 successful login with default Time Window is 5 minutes."
 }
 }
 ]
@@ -598,13 +622,13 @@
 {
 "name": "analytic34",
 "type": "Microsoft.Common.Section",
- "label": "Mail.Read Permissions Granted to Application",
+ "label": "Multiple admin membership removals from newly created admin.",
 "elements": [
 {
 "name": "analytic34-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes."
+ "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
 }
 }
 ]
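Review bot: The new analytic33 text says the same thing twice and ends its first line with a comma: `Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,`. It should read `Identifies MFA spamming followed by a successful authentication within a given time window.\nThe default failure count is 10 and the default time window is 5 minutes.`, which keeps the stated thresholds unchanged. In the second hunk the analytic34 label ends with a stray period, `Multiple admin membership removals from newly created admin.`, unlike every other label in this file.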
@@ -612,13 +636,13 @@
 {
 "name": "analytic35",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "New onmicrosoft domain added to tenant",
 "elements": [
 {
 "name": "analytic35-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
 }
 }
 ]
@@ -626,13 +650,13 @@
 {
 "name": "analytic36",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic36-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -640,13 +664,13 @@
 {
 "name": "analytic37",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "NRT Modified domain federation trust settings",
 "elements": [
 {
 "name": "analytic37-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
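Review bot: The new analytic37 text appears to break across two physical lines between `should be rare. ` and `Confirm the added`; if that break is a literal newline in the file rather than an artifact of how the diff was captured, it is an unescaped control character inside a JSON string, which RFC 8259 parsers reject, and it should be the `\n` escape used between every other sentence of this text. Please confirm against the file. The analytic37 hunk begins on the previous line.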
@@ -654,13 +678,13 @@
 {
 "name": "analytic38",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "NRT Authentication Methods Changed for VIP Users",
 "elements": [
 {
 "name": "analytic38-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
 }
 }
 ]
@@ -668,13 +692,13 @@
 {
 "name": "analytic39",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "NRT First access credential added to Application or Service Principal where no credential was present",
 "elements": [
 {
 "name": "analytic39-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -682,13 +706,13 @@
 {
 "name": "analytic40",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to O365 Attack Toolkit",
+ "label": "NRT New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic40-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -696,13 +720,13 @@
 {
 "name": "analytic41",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent similar to PwnAuth",
+ "label": "NRT PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic41-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -710,13 +734,13 @@
 {
 "name": "analytic42",
 "type": "Microsoft.Common.Section",
- "label": "MFA Rejected by User",
+ "label": "NRT Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic42-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -724,13 +748,13 @@
 {
 "name": "analytic43",
 "type": "Microsoft.Common.Section",
- "label": "Multiple admin membership removals from newly created admin.",
+ "label": "NRT User added to Microsoft Entra ID Privileged Groups",
 "elements": [
 {
 "name": "analytic43-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
 }
 }
 ]
@@ -738,13 +762,13 @@
 {
 "name": "analytic44",
 "type": "Microsoft.Common.Section",
- "label": "New access credential added to Application or Service Principal",
+ "label": "PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic44-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -752,13 +776,13 @@
 {
 "name": "analytic45",
 "type": "Microsoft.Common.Section",
- "label": "NRT Modified domain federation trust settings",
+ "label": "Privileged Accounts - Sign in Failure Spikes",
 "elements": [
 {
 "name": "analytic45-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
 }
 }
 ]
@@ -766,13 +790,13 @@
 {
 "name": "analytic46",
 "type": "Microsoft.Common.Section",
- "label": "NRT Authentication Methods Changed for VIP Users",
+ "label": "Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic46-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -780,13 +804,13 @@
 {
 "name": "analytic47",
 "type": "Microsoft.Common.Section",
- "label": "NRT First access credential added to Application or Service Principal where no credential was present",
+ "label": "Rare application consent",
 "elements": [
 {
 "name": "analytic47-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -794,13 +818,13 @@
 {
 "name": "analytic48",
 "type": "Microsoft.Common.Section",
- "label": "NRT New access credential added to Application or Service Principal",
+ "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
 "elements": [
 {
 "name": "analytic48-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
 }
 }
 ]
@@ -808,13 +832,13 @@
 {
 "name": "analytic49",
 "type": "Microsoft.Common.Section",
- "label": "NRT PIM Elevation Request Rejected",
+ "label": "GitHub Signin Burst from Multiple Locations",
 "elements": [
 {
 "name": "analytic49-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
 }
 }
 ]
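Review bot: The new `"text"` for analytic49 still deep-links to `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml`, but this same patch moves the solution directory to `Solutions/Microsoft Entra ID/` (the `diff --git` header further down this file), and GitHub does not redirect moved paths, so the link will 404 for every analyst who follows it after merge. Update it to `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml` (assuming the rule file name itself is not renamed, which this hunk cannot show). While here, `thie detection` should be `this detection`, and the parenthetical `(AAD SSO)` is left on the old brand in a commit whose purpose is the rebrand.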
@@ -822,13 +846,13 @@
 {
 "name": "analytic50",
 "type": "Microsoft.Common.Section",
- "label": "NRT Privileged Role Assigned Outside PIM",
+ "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
 "elements": [
 {
 "name": "analytic50-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
@@ -836,13 +860,13 @@
 {
 "name": "analytic51",
 "type": "Microsoft.Common.Section",
- "label": "NRT User added to Microsoft Entra ID Privileged Groups",
+ "label": "Brute force attack against Azure Portal",
 "elements": [
 {
 "name": "analytic51-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
 }
 }
 ]
@@ -850,13 +874,13 @@
 {
 "name": "analytic52",
 "type": "Microsoft.Common.Section",
- "label": "PIM Elevation Request Rejected",
+ "label": "Password spray attack against Microsoft Entra ID application",
 "elements": [
 {
 "name": "analytic52-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
 }
 }
 ]
@@ -864,13 +888,13 @@
 {
 "name": "analytic53",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Accounts - Sign in Failure Spikes",
+ "label": "Successful logon from IP and failure from a different IP",
 "elements": [
 {
 "name": "analytic53-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
+ "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
 }
 }
 ]
@@ -878,13 +902,13 @@
 {
 "name": "analytic54",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Role Assigned Outside PIM",
+ "label": "Suspicious AAD Joined Device Update",
 "elements": [
 {
 "name": "analytic54-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
 }
 }
 ]
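Review bot: The `+ "label"` line of the analytic54 hunk keeps the old brand, `"Suspicious AAD Joined Device Update"`, while the description on the next `+` line was already rebranded ("Microsoft Entra ID joined device"), so a rebranding commit leaves a visible old/new mix in the solution's content-hub pane. If this label has to mirror the rule's `name` in its YAML so the two stay in step, change both in the same commit; otherwise `"label": "Suspicious Microsoft Entra ID Joined Device Update"`. The description also carries an article mismatch produced by the text substitution, `an Microsoft Entra ID joined device` → `a Microsoft Entra ID joined device`; the same string appears in the removed old analytic62 entry, so a search-and-replace fix will catch both. The device-ticket reference on that line is worth keeping as is; it is the right primary source for this technique.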
@@ -892,13 +916,13 @@
 {
 "name": "analytic55",
 "type": "Microsoft.Common.Section",
- "label": "Rare application consent",
+ "label": "Suspicious application consent for offline access",
 "elements": [
 {
 "name": "analytic55-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -906,13 +930,13 @@
 {
 "name": "analytic56",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
+ "label": "Suspicious Service Principal creation activity",
 "elements": [
 {
 "name": "analytic56-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
+ "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
 }
 }
 ]
@@ -920,13 +944,13 @@
 {
 "name": "analytic57",
 "type": "Microsoft.Common.Section",
- "label": "GitHub Signin Burst from Multiple Locations",
+ "label": "Suspicious Sign In Followed by MFA Modification",
 "elements": [
 {
 "name": "analytic57-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
+ "text": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."
 }
 }
 ]
@@ -934,13 +958,13 @@
 {
 "name": "analytic58",
 "type": "Microsoft.Common.Section",
- "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+ "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
 "elements": [
 {
 "name": "analytic58-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
 }
 }
 ]
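Review bot: The `Ref :` at the end of the new analytic58 description opens with a stray apostrophe, `'https://danielchronlund.com/…`, which will be rendered as part of the URL in the content-hub pane and break the link for anyone who clicks it; drop it: `Ref : https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/`. The first sentence also needs tightening for the analyst reading it, `This detection look at guests\nusers` → `This detection looks at guest users`. The opening claim that guests can invite further guests "by default" holds only while the tenant's external-collaboration (guest invite) setting allows it, so consider qualifying it with "unless guest invite settings have been restricted"; the query itself is not in this hunk, so I cannot tell whether it already accounts for that.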
@@ -948,13 +972,13 @@
 {
 "name": "analytic59",
 "type": "Microsoft.Common.Section",
- "label": "Brute force attack against Azure Portal",
+ "label": "User Accounts - Sign in Failure due to CA Spikes",
 "elements": [
 {
 "name": "analytic59-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
@@ -962,13 +986,13 @@
 {
 "name": "analytic60",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Microsoft Entra ID application",
+ "label": "User added to Microsoft Entra ID Privileged Groups",
 "elements": [
 {
 "name": "analytic60-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
 }
 }
 ]
@@ -976,13 +1000,13 @@
 {
 "name": "analytic61",
 "type": "Microsoft.Common.Section",
- "label": "Successful logon from IP and failure from a different IP",
+ "label": "User Assigned New Privileged Role",
 "elements": [
 {
 "name": "analytic61-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
+ "text": "Identifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -990,128 +1014,16 @@
 {
 "name": "analytic62",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious AAD Joined Device Update",
- "elements": [
- {
- "name": "analytic62-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
- }
- }
- ]
- },
- {
- "name": "analytic63",
- "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent for offline access",
- "elements": [
- {
- "name": "analytic63-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
- }
- }
- ]
- },
- {
- "name": "analytic64",
- "type": "Microsoft.Common.Section",
- "label": "Suspicious Service Principal creation activity",
- "elements": [
- {
- "name": "analytic64-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
- }
- }
- ]
- },
- {
- "name": "analytic65",
- "type": "Microsoft.Common.Section",
- "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
- "elements": [
- {
- "name": "analytic65-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
- }
- }
- ]
- },
- {
- "name": "analytic66",
- "type": "Microsoft.Common.Section",
- "label": "User Accounts - Sign in Failure due to CA Spikes",
- "elements": [
- {
- "name": "analytic66-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
- }
- }
- ]
- },
- {
- "name": "analytic67",
- "type": "Microsoft.Common.Section",
- "label": "User added to Microsoft Entra ID Privileged Groups",
- "elements": [
- {
- "name": "analytic67-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
- }
- }
- ]
- },
- {
- "name": "analytic68",
- "type": "Microsoft.Common.Section",
 "label": "New User Assigned to Privileged Role",
 "elements": [
 {
- "name": "analytic68-text",
+ "name": "analytic62-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate."
 }
 }
 ]
- },
- {
- "name": "analytic69",
- "type": "Microsoft.Common.Section",
- "label": "New onmicrosoft domain added to tenant",
- "elements": [
- {
- "name": "analytic69-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
- }
- }
- ]
- },
- {
- "name": "analytic70",
- "type": "Microsoft.Common.Section",
- "label": "Suspicious Sign In Followed by MFA Modification",
- "elements": [
- {
- "name": "analytic70-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."
- }
- }
- ]
 }
 ]
 },
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index d6dddbe30af..9673e19cdbd 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
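Review bot: Of the nine description sections this hunk removes (old analytic62 through analytic70), every title reappears under a new index on a `+ "label"` line earlier in this file except `"New onmicrosoft domain added to tenant"` (old analytic69); the new list ends at analytic62 and no visible `+` label carries that title, so it has either moved to an index below 40 (outside this view) or been dropped. That detection covers an attacker registering a lookalike `onmicrosoft.com` domain to masquerade as a service provider for phishing, so a silent drop would narrow what the solution advertises under a PR whose title promises rebranding only; please confirm it is still listed, or call the removal out in the description. The hunk header `@@ -990,128 +1014,16 @@` also documents the list shrinking from 70 to 62 entries, which deserves a sentence in the PR text so reviewers do not have to reconstruct it from the re-indexing.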
@@ -46,107 +46,25 @@
     }
   },
   "variables": {
-    "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
-    "_solutionId": "[variables('solutionId')]",
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Microsoft Entra ID",
     "_solutionVersion": "3.0.7",
-    "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger",
-    "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]",
-    "playbookVersion1": "1.1",
-    "playbookContentId1": "Block-AADUser-alert-trigger",
-    "_playbookContentId1": "[variables('playbookContentId1')]",
-    "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
-    "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
-    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
-    "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
-    "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger",
-    "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]",
-    "playbookVersion2": "1.1",
-    "playbookContentId2": "Block-AADUser-entity-trigger",
-    "_playbookContentId2": "[variables('playbookContentId2')]",
-    "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
-    "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
-    "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
-    "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger",
-    "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]",
-    "playbookVersion3": "1.1",
-    "playbookContentId3": "Block-AADUser-incident-trigger",
-    "_playbookContentId3": "[variables('playbookContentId3')]",
-    "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
-    "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
-    "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
-    "Prompt-User-alert-trigger": "Prompt-User-alert-trigger",
-    "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]",
-    "playbookVersion4": "1.1",
-    "playbookContentId4": "Prompt-User-alert-trigger",
-    "_playbookContentId4": "[variables('playbookContentId4')]",
-    "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
-    "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
-    "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
-    "Prompt-User-incident-trigger": "Prompt-User-incident-trigger",
-    "_Prompt-User-incident-trigger": "[variables('Prompt-User-incident-trigger')]",
-    "playbookVersion5": "1.1",
-    "playbookContentId5": "Prompt-User-incident-trigger",
-    "_playbookContentId5": "[variables('playbookContentId5')]",
-    "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
-    "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
-    "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
-    "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger",
-    "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]",
-    "playbookVersion6": "1.1",
-    "playbookContentId6": "Reset-AADUserPassword-alert-trigger",
-    "_playbookContentId6": "[variables('playbookContentId6')]",
-    "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
-    "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
-    "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
-    "Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger",
-    "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]",
-    "playbookVersion7": "1.1",
-    "playbookContentId7": "Reset-AADUserPassword-entity-trigger",
-    "_playbookContentId7": "[variables('playbookContentId7')]",
-    "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
-    "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
-    "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
-    "blanks": "[replace('b', 'b', '')]",
-    "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger",
-    "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]",
-    "playbookVersion8": "1.1",
-    "playbookContentId8": "Reset-AADUserPassword-incident-trigger",
-    "_playbookContentId8": "[variables('playbookContentId8')]",
-    "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
-    "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
-    "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
-    "Revoke-AADSignInSessions-alert-trigger": "Revoke-AADSignInSessions-alert-trigger",
-    "_Revoke-AADSignInSessions-alert-trigger": "[variables('Revoke-AADSignInSessions-alert-trigger')]",
-    "playbookVersion9": "1.0",
-    "playbookContentId9": "Revoke-AADSignInSessions-alert-trigger",
-    "_playbookContentId9": "[variables('playbookContentId9')]",
-    "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
-    "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
-    "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
-    "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger",
-    "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]",
-    "playbookVersion10": "1.0",
-    "playbookContentId10": "Revoke-AADSignInSessions-entity-trigger",
-    "_playbookContentId10": "[variables('playbookContentId10')]",
-    "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]",
-    "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]",
-    "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
-    "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger",
-    "_Revoke-AADSignInSessions-incident-trigger": "[variables('Revoke-AADSignInSessions-incident-trigger')]",
-    "playbookVersion11": "1.0",
-    "playbookContentId11": "Revoke-AADSignInSessions-incident-trigger",
-    "_playbookContentId11": "[variables('playbookContentId11')]",
-    "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]",
-    "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]",
-    "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
+    "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
+    "_solutionId": "[variables('solutionId')]",
+    "_uiConfigId1": "AzureActiveDirectory",
+    "_dataConnectorContentId1": "AzureActiveDirectory",
+    "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+    "_dataConnectorId1": "[variables('dataConnectorId1')]",
+    "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+    "dataConnectorVersion1": "1.0.0",
+    "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
     "workbookVersion1": "1.2.0",
     "workbookContentId1": "AzureActiveDirectoryAuditLogsWorkbook",
     "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
     "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
     "_workbookContentId1": "[variables('workbookContentId1')]",
+    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
     "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
     "workbookVersion2": "2.4.0",
     "workbookContentId2": "AzureActiveDirectorySigninLogsWorkbook",
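Review bot: The variable sets for all eleven response playbooks (Block-AADUser, Prompt-User, Reset-AADUserPassword and Revoke-AADSignInSessions, each with alert/entity/incident triggers) are dropped from the packaged template in this hunk, while the `"_solutionVersion": "3.0.7"` context line is left unchanged and the commit message describes only a rebranding. If removing the playbooks from the package is intended, the commit message and the solution's release notes should state it explicitly, because these are the containment actions (block the account, reset its password, revoke its sessions) that a team installing the Entra ID solution would otherwise expect to receive, and the package version should be bumped so installed workspaces see that the content set changed; if they were moved to a separate package, a pointer to it belongs in the description. The remainder of the `variables` object and the `resources` that previously consumed `playbookId1`..`playbookId11` and `_playbookcontentProductId1`..`_playbookcontentProductId11` lie outside this hunk, so I cannot confirm from here that no resource still references a removed variable; a template validation pass (arm-ttk or a what-if deployment) would catch a dangling `variables('playbookId…')` reference before the package is published.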
@@ -162,1338 +80,1281 @@ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", - "_analyticRulecontentId2": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + "analyticRuleVersion2": "1.0.2", + "_analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.3", - "_analyticRulecontentId3": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + "analyticRuleVersion3": "1.0.1", + "_analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.3", - "_analyticRulecontentId4": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + "analyticRuleVersion4": "1.0.1", + "_analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", + "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" }, "analyticRuleObject5": { "analyticRuleVersion5": "1.0.3", - "_analyticRulecontentId5": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + "_analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.3", - "_analyticRulecontentId6": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName6": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + "analyticRuleVersion6": "2.0.0", + "_analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.0')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.2", - "_analyticRulecontentId7": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" + "analyticRuleVersion7": "1.0.8", + "_analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", + "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.8')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.1", - "_analyticRulecontentId8": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" + "analyticRuleVersion8": "1.0.2", + "_analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50574fac-f8d1-4395-81c7-78a463ff0c52')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.2')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.1", - "_analyticRulecontentId9": "5533fe80-905e-49d5-889a-df27d2c3976d", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", - "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" + "analyticRuleVersion9": "1.0.4", + "_analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.4')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.3", - "_analyticRulecontentId10": "f80d951a-eddc-4171-b9d0-d616bb83efdc", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.3')))]" + "analyticRuleVersion10": "2.0.1", + "_analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", + "analyticRuleTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" }, "analyticRuleObject11": { "analyticRuleVersion11": "2.0.0", - "_analyticRulecontentId11": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.0')))]" + "_analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.0')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "1.0.8", - "_analyticRulecontentId12": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", - "analyticRuleTemplateSpecName12": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.8')))]" + "analyticRuleVersion12": "2.0.0", + "_analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" }, "analyticRuleObject13": { - "analyticRuleVersion13": "1.0.2", - "_analyticRulecontentId13": "50574fac-f8d1-4395-81c7-78a463ff0c52", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50574fac-f8d1-4395-81c7-78a463ff0c52')]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.2')))]" + "analyticRuleVersion13": "1.0.4", + "_analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", + "analyticRuleTemplateSpecName13": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" }, "analyticRuleObject14": { "analyticRuleVersion14": "1.0.4", - "_analyticRulecontentId14": "1ff56009-db01-4615-8211-d4fda21da02d", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.4')))]" + "_analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.4')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "2.0.1", - "_analyticRulecontentId15": "87210ca1-49a4-4a7d-bb4a-4988752f978c", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", - "analyticRuleTemplateSpecName15": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" + "analyticRuleVersion15": "1.0.2", + "_analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" }, "analyticRuleObject16": { - "analyticRuleVersion16": "2.0.0", - "_analyticRulecontentId16": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.0')))]" + "analyticRuleVersion16": "1.0.1", + "_analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '757e6a79-6d23-4ae6-9845-4dac170656b5')]", + "analyticRuleTemplateSpecName16": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.1')))]" }, "analyticRuleObject17": { - "analyticRuleVersion17": "2.0.0", - "_analyticRulecontentId17": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" + "analyticRuleVersion17": "1.0.1", + "_analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.1')))]" }, "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.4", - "_analyticRulecontentId18": "218f60de-c269-457a-b882-9966632b9dc6", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", - 
"analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" + "analyticRuleVersion18": "1.0.1", + "_analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', '1.0.1')))]" }, "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.4", - "_analyticRulecontentId19": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.4')))]" + "analyticRuleVersion19": "1.0.1", + "_analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '276d5190-38de-4eb2-9933-b3b72f4a5737')]", + 
"analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', '1.0.1')))]" }, "analyticRuleObject20": { - "analyticRuleVersion20": "1.0.2", - "_analyticRulecontentId20": "707494a5-8e44-486b-90f8-155d1797a8eb", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", - "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" + "analyticRuleVersion20": "1.0.1", + "_analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" }, "analyticRuleObject21": { "analyticRuleVersion21": "1.0.1", - "_analyticRulecontentId21": "757e6a79-6d23-4ae6-9845-4dac170656b5", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'757e6a79-6d23-4ae6-9845-4dac170656b5')]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.1')))]" + "_analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" }, "analyticRuleObject22": { - "analyticRuleVersion22": "1.0.1", - "_analyticRulecontentId22": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.1')))]" + "analyticRuleVersion22": "1.0.2", + "_analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", + 
"analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" }, "analyticRuleObject23": { - "analyticRuleVersion23": "1.0.1", - "_analyticRulecontentId23": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', '1.0.1')))]" + "analyticRuleVersion23": "1.0.2", + "_analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.2')))]" }, "analyticRuleObject24": { - "analyticRuleVersion24": "1.0.1", - "_analyticRulecontentId24": "276d5190-38de-4eb2-9933-b3b72f4a5737", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'276d5190-38de-4eb2-9933-b3b72f4a5737')]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', '1.0.1')))]" + "analyticRuleVersion24": "1.0.2", + "_analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.2')))]" }, "analyticRuleObject25": { - "analyticRuleVersion25": "1.0.1", - "_analyticRulecontentId25": "229f71ba-d83b-42a5-b83b-11a641049ed1", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" + "analyticRuleVersion25": "1.0.0", + "_analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", + "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" }, "analyticRuleObject26": { - "analyticRuleVersion26": "1.0.1", - "_analyticRulecontentId26": "0101e08d-99cd-4a97-a9e0-27649c4369ad", - "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" + "analyticRuleVersion26": "1.0.4", + "_analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.4')))]" }, "analyticRuleObject27": { - "analyticRuleVersion27": "1.0.2", - "_analyticRulecontentId27": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", - "analyticRuleId27": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" + "analyticRuleVersion27": "1.1.4", + "_analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" }, "analyticRuleObject28": { - "analyticRuleVersion28": "1.0.2", - "_analyticRulecontentId28": "bfb1c90f-8006-4325-98be-c7fffbc254d6", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.2')))]" + "analyticRuleVersion28": "1.0.3", + "_analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", + "analyticRuleId28": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", + "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.3')))]" }, "analyticRuleObject29": { - "analyticRuleVersion29": "1.0.2", - "_analyticRulecontentId29": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.2')))]" + "analyticRuleVersion29": "1.0.3", + "_analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" }, "analyticRuleObject30": { - "analyticRuleVersion30": "1.0.0", - "_analyticRulecontentId30": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", - 
"analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" + "analyticRuleVersion30": "1.1.1", + "_analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" }, "analyticRuleObject31": { - "analyticRuleVersion31": "1.0.4", - "_analyticRulecontentId31": "223db5c1-1bf8-47d8-8806-bed401b356a4", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.4')))]" + "analyticRuleVersion31": "1.0.1", + "_analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6", + "analyticRuleId31": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39198934-62a0-4781-8416-a81265c03fd6')]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]" }, "analyticRuleObject32": { - "analyticRuleVersion32": "1.1.4", - "_analyticRulecontentId32": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" + "analyticRuleVersion32": "2.0.0", + "_analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.0')))]" }, "analyticRuleObject33": { - "analyticRuleVersion33": "1.0.3", - "_analyticRulecontentId33": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", - 
"analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.3')))]" + "analyticRuleVersion33": "1.0.2", + "_analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')))]", + "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b','-', '1.0.2')))]" }, "analyticRuleObject34": { - "analyticRuleVersion34": "1.0.3", - "_analyticRulecontentId34": "2560515c-07d1-434e-87fb-ebe3af267760", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" + "analyticRuleVersion34": "1.0.1", + "_analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", + "analyticRuleId34": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', '1.0.1')))]" }, "analyticRuleObject35": { - "analyticRuleVersion35": "1.1.1", - "_analyticRulecontentId35": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "analyticRuleVersion35": "1.0.0", + "_analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', '1.0.0')))]" }, "analyticRuleObject36": { "analyticRuleVersion36": "1.1.1", - "_analyticRulecontentId36": "f948a32f-226c-4116-bddd-d95e91d97eb9", - 
"analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "_analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]" }, "analyticRuleObject37": { - "analyticRuleVersion37": "1.1.1", - "_analyticRulecontentId37": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "analyticRuleVersion37": "1.0.1", + "_analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", + "analyticRuleId37": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]" }, "analyticRuleObject38": { - "analyticRuleVersion38": "1.1.1", - "_analyticRulecontentId38": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "analyticRuleVersion38": "1.0.2", + "_analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', '1.0.2')))]" }, "analyticRuleObject39": { - "analyticRuleVersion39": "1.1.1", - "_analyticRulecontentId39": "f948a32f-226c-4116-bddd-d95e91d97eb9", - 
"analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "analyticRuleVersion39": "1.0.4", + "_analyticRulecontentId39": "b6988c32-4f3b-4a45-8313-b46b33061a74", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]" }, "analyticRuleObject40": { - "analyticRuleVersion40": "1.1.1", - "_analyticRulecontentId40": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + "analyticRuleVersion40": "1.0.2", + "_analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", + "analyticRuleId40": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]",
+ "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]",
+ "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]"
 },
 "analyticRuleObject41": {
 "analyticRuleVersion41": "1.0.1",
- "_analyticRulecontentId41": "39198934-62a0-4781-8416-a81265c03fd6",
- "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39198934-62a0-4781-8416-a81265c03fd6')]",
- "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]",
- "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]"
+ "_analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8",
+ "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]",
+ "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]",
+ "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.1')))]"
 },
 "analyticRuleObject42": {
- "analyticRuleVersion42": "2.0.0",
- "_analyticRulecontentId42": "d99cf5c3-d660-436c-895b-8a8f8448da23",
- "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]",
- "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]",
- "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.0')))]"
+ "analyticRuleVersion42": "1.0.1",
+ "_analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e",
+ "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]",
+ "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]",
+ "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', '1.0.1')))]"
 },
 "analyticRuleObject43": {
- "analyticRuleVersion43": "1.0.1",
- "_analyticRulecontentId43": "cda5928c-2c1e-4575-9dfa-07568bc27a4f",
- "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]",
- "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]",
- "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', '1.0.1')))]"
+ "analyticRuleVersion43": "1.0.3",
+ "_analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13",
+ "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]",
+ "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]",
+ "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.3')))]"
 },
 "analyticRuleObject44": {
- "analyticRuleVersion44": "1.1.1",
- "_analyticRulecontentId44": "79566f41-df67-4e10-a703-c38a6213afd8",
- "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]",
- "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]",
- "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]"
+ "analyticRuleVersion44": "1.0.7",
+ "_analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
+ "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]",
+ "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]",
+ "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]"
 },
 "analyticRuleObject45": {
- "analyticRuleVersion45": "1.0.1",
- "_analyticRulecontentId45": "8540c842-5bbc-4a24-9fb2-a836c0e55a51",
- "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]",
- "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]",
- "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]"
+ "analyticRuleVersion45": "1.0.3",
+ "_analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b",
+ "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]",
+ "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]",
+ "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.3')))]"
 },
 "analyticRuleObject46": {
- "analyticRuleVersion46": "1.0.2",
- "_analyticRulecontentId46": "29e99017-e28d-47be-8b9a-c8c711f8a903",
- "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]",
- "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]",
- "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', '1.0.2')))]"
+ "analyticRuleVersion46": "1.0.4",
+ "_analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c",
+ "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '269435e3-1db8-4423-9dfc-9bf59997da1c')]",
+ "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]",
+ "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]"
 },
 "analyticRuleObject47": {
- "analyticRuleVersion47": "1.0.4",
- "_analyticRulecontentId47": "b6988c32-4f3b-4a45-8313-b46b33061a74",
- "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]",
- "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]",
- "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]"
+ "analyticRuleVersion47": "1.1.4",
+ "_analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee",
+ "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]",
+ "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]",
+ "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]"
 },
 "analyticRuleObject48": {
 "analyticRuleVersion48": "1.0.2",
- "_analyticRulecontentId48": "e42e889a-caaf-4dbb-aec6-371b37d64298",
- "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]",
- "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]",
- "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]"
+ "_analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba",
+ "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]",
+ "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]",
+ "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.2')))]"
 },
 "analyticRuleObject49": {
 "analyticRuleVersion49": "1.0.1",
- "_analyticRulecontentId49": "5db427b2-f406-4274-b413-e9fcb29412f8",
- "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]",
- "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]",
- "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.1')))]"
+ "_analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16",
+ "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]",
+ "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]",
+ "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.1')))]"
 },
 "analyticRuleObject50": {
- "analyticRuleVersion50": "1.0.1",
- "_analyticRulecontentId50": "14f6da04-2f96-44ee-9210-9ccc1be6401e",
- "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]",
- "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]",
- "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', '1.0.1')))]"
+ "analyticRuleVersion50": "2.1.3",
+ "_analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757",
+ "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500c103a-0319-4d56-8e99-3cec8d860757')]",
+ "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]",
+ "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]"
 },
 "analyticRuleObject51": {
- "analyticRuleVersion51": "1.0.3",
- "_analyticRulecontentId51": "70fc7201-f28e-4ba7-b9ea-c04b96701f13",
- "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]",
- "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]",
- "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.3')))]"
+ "analyticRuleVersion51": "2.1.3",
+ "_analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
+ "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]",
+ "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]",
+ "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]"
 },
 "analyticRuleObject52": {
- "analyticRuleVersion52": "1.0.7",
- "_analyticRulecontentId52": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
- "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]",
- "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]",
- "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]"
+ "analyticRuleVersion52": "1.0.4",
+ "_analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4",
+ "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]",
+ "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]",
+ "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.4')))]"
 },
 "analyticRuleObject53": {
- "analyticRuleVersion53": "1.0.3",
- "_analyticRulecontentId53": "34c5aff9-a8c2-4601-9654-c7e46342d03b",
- "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]",
- "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]",
- "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.3')))]"
+ "analyticRuleVersion53": "2.1.6",
+ "_analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2",
+ "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]",
+ "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]",
+ "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.6')))]"
 },
 "analyticRuleObject54": {
- "analyticRuleVersion54": "1.0.4",
- "_analyticRulecontentId54": "269435e3-1db8-4423-9dfc-9bf59997da1c",
- "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '269435e3-1db8-4423-9dfc-9bf59997da1c')]",
- "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]",
- "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]"
+ "analyticRuleVersion54": "1.0.1",
+ "_analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f",
+ "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a3c6835-0086-40ca-b033-a93bf26d878f')]",
+ "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]",
+ "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.1')))]"
 },
 "analyticRuleObject55": {
- "analyticRuleVersion55": "1.1.4",
- "_analyticRulecontentId55": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee",
- "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]",
- "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]",
- "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]"
+ "analyticRuleVersion55": "1.0.1",
+ "_analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587",
+ "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]",
+ "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]",
+ "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]"
 },
 "analyticRuleObject56": {
 "analyticRuleVersion56": "1.0.2",
- "_analyticRulecontentId56": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba",
- "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]",
- "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]",
- "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.2')))]"
+ "_analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d",
+ "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
+ "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]",
+ "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]"
 },
 "analyticRuleObject57": {
- "analyticRuleVersion57": "1.0.1",
- "_analyticRulecontentId57": "d3980830-dd9d-40a5-911f-76b44dfdce16",
- "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]",
- "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]",
- "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.1')))]"
+ "analyticRuleVersion57": "1.0.0",
+ "_analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c",
+ "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]",
+ "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]",
+ "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', '1.0.0')))]"
 },
 "analyticRuleObject58": {
- "analyticRuleVersion58": "2.1.3",
- "_analyticRulecontentId58": "500c103a-0319-4d56-8e99-3cec8d860757",
- "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500c103a-0319-4d56-8e99-3cec8d860757')]",
- "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]",
- "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]"
+ "analyticRuleVersion58": "1.0.7",
+ "_analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a",
+ "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]",
+ "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]",
+ "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.7')))]"
 },
 "analyticRuleObject59": {
- "analyticRuleVersion59": "2.1.3",
- "_analyticRulecontentId59": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
- "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]",
- "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]",
- "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]"
+ "analyticRuleVersion59": "2.0.2",
+ "_analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c",
+ "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]",
+ "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]",
+ "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.2')))]"
 },
 "analyticRuleObject60": {
 "analyticRuleVersion60": "1.0.4",
- "_analyticRulecontentId60": "48607a29-a26a-4abf-8078-a06dbdd174a4",
- "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]",
- "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]",
- "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.4')))]"
+ "_analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b",
+ "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]",
+ "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]",
+ "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.4')))]"
 },
 "analyticRuleObject61": {
- "analyticRuleVersion61": "2.1.6",
- "_analyticRulecontentId61": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2",
- "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]",
- "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]",
- "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.6')))]"
+ "analyticRuleVersion61": "1.0.0",
+ "_analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec",
+ "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '746ddb63-f51b-4563-b449-a8b13cf302ec')]",
+ "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('746ddb63-f51b-4563-b449-a8b13cf302ec')))]",
+ "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','746ddb63-f51b-4563-b449-a8b13cf302ec','-', '1.0.0')))]"
 },
 "analyticRuleObject62": {
- "analyticRuleVersion62": "1.0.1",
- "_analyticRulecontentId62": "3a3c6835-0086-40ca-b033-a93bf26d878f",
- "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a3c6835-0086-40ca-b033-a93bf26d878f')]",
- "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]",
- "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.1')))]"
- },
- "analyticRuleObject63": {
- "analyticRuleVersion63": "1.0.1",
- "_analyticRulecontentId63": "3533f74c-9207-4047-96e2-0eb9383be587",
- "analyticRuleId63": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]",
- "analyticRuleTemplateSpecName63": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]",
- "_analyticRulecontentProductId63": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]"
- },
- "analyticRuleObject64": {
- "analyticRuleVersion64": "1.0.2",
- "_analyticRulecontentId64": "6852d9da-8015-4b95-8ecf-d9572ee0395d",
- "analyticRuleId64": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]",
- "analyticRuleTemplateSpecName64": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]",
- "_analyticRulecontentProductId64": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]"
- },
- "analyticRuleObject65": {
- "analyticRuleVersion65": "1.0.7",
- "_analyticRulecontentId65": "acc4c247-aaf7-494b-b5da-17f18863878a",
- "analyticRuleId65": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]",
- "analyticRuleTemplateSpecName65": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]",
- "_analyticRulecontentProductId65": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.7')))]"
- },
- "analyticRuleObject66": {
- "analyticRuleVersion66": "2.0.2",
- "_analyticRulecontentId66": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c",
- "analyticRuleId66": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]",
- "analyticRuleTemplateSpecName66": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]",
- "_analyticRulecontentProductId66": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.2')))]"
- },
- "analyticRuleObject67": {
- "analyticRuleVersion67": "1.0.4",
- "_analyticRulecontentId67": "4d94d4a9-dc96-410a-8dea-4d4d4584188b",
- "analyticRuleId67": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]",
- "analyticRuleTemplateSpecName67": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]",
- "_analyticRulecontentProductId67": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.4')))]"
- },
- "analyticRuleObject68": {
- "analyticRuleVersion68": "1.0.8",
- "_analyticRulecontentId68": "050b9b3d-53d0-4364-a3da-1b678b8211ec",
- "analyticRuleId68": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]",
- "analyticRuleTemplateSpecName68": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]",
- "_analyticRulecontentProductId68": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.8')))]"
- },
- "analyticRuleObject69": {
- "analyticRuleVersion69": "1.0.0",
- "_analyticRulecontentId69": "4f42b94f-b210-42d1-a023-7fa1c51d969f",
- "analyticRuleId69": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]",
- "analyticRuleTemplateSpecName69": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]",
- "_analyticRulecontentProductId69": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', '1.0.0')))]"
- },
- "analyticRuleObject70": {
- "analyticRuleVersion70": "1.0.0",
- "_analyticRulecontentId70": "aec77100-25c5-4254-a20a-8027ed92c46c",
- "analyticRuleId70": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]",
- "analyticRuleTemplateSpecName70": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]",
- "_analyticRulecontentProductId70": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', '1.0.0')))]"
+ "analyticRuleVersion62": "1.0.8",
+ "_analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec",
+ "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]",
+ "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]",
+ "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.8')))]"
 },
+ "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger",
+ "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]",
+ "playbookVersion1": "1.1",
+ "playbookContentId1": "Block-AADUser-alert-trigger",
+ "_playbookContentId1": "[variables('playbookContentId1')]",
+ "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+ "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger",
+ "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]",
+ "playbookVersion2": "1.1",
+ "playbookContentId2": "Block-AADUser-incident-trigger",
+ "_playbookContentId2": "[variables('playbookContentId2')]",
+ "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
+ "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
+ "Prompt-User-alert-trigger": "Prompt-User-alert-trigger",
+ "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]",
+ "playbookVersion3": "1.1",
+ "playbookContentId3": "Prompt-User-alert-trigger",
+ "_playbookContentId3": "[variables('playbookContentId3')]",
+ "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+ "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
+ "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
+ "Prompt-User-incident-trigger": "Prompt-User-incident-trigger",
+ "_Prompt-User-incident-trigger": "[variables('Prompt-User-incident-trigger')]",
+ "playbookVersion4": "1.1",
+ "playbookContentId4": "Prompt-User-incident-trigger",
+ "_playbookContentId4": "[variables('playbookContentId4')]",
+ "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
+ "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+ "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger",
+ "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]",
+ "playbookVersion5": "1.1",
+ "playbookContentId5": "Reset-AADUserPassword-alert-trigger",
+ "_playbookContentId5": "[variables('playbookContentId5')]",
+ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
+ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
+ "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger",
+ "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]",
+ "playbookVersion6": "1.1",
+ "playbookContentId6": "Reset-AADUserPassword-incident-trigger",
+ "_playbookContentId6": "[variables('playbookContentId6')]",
+ "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
+ "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
+ "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger",
+ "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]",
+ "playbookVersion7": "1.1",
+ "playbookContentId7": "Block-AADUser-entity-trigger",
+ "_playbookContentId7": "[variables('playbookContentId7')]",
+ "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
+ "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
+ "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
+ "Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger",
+ "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]",
+ "playbookVersion8": "1.1",
+ "playbookContentId8": "Reset-AADUserPassword-entity-trigger",
+ "_playbookContentId8": "[variables('playbookContentId8')]",
+ "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
+ "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
+ "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', 
variables('playbookVersion8'))))]", + "blanks": "[replace('b', 'b', '')]", + "Revoke-AADSignInSessions-alert-trigger": "Revoke-AADSignInSessions-alert-trigger", + "_Revoke-AADSignInSessions-alert-trigger": "[variables('Revoke-AADSignInSessions-alert-trigger')]", + "playbookVersion9": "1.0", + "playbookContentId9": "Revoke-AADSignInSessions-alert-trigger", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger", + "_Revoke-AADSignInSessions-incident-trigger": "[variables('Revoke-AADSignInSessions-incident-trigger')]", + "playbookVersion10": "1.0", + "playbookContentId10": "Revoke-AADSignInSessions-incident-trigger", + "_playbookContentId10": "[variables('playbookContentId10')]", + "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", + "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger", + "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]", + 
"playbookVersion11": "1.0", + "playbookContentId11": "Revoke-AADSignInSessions-entity-trigger", + "_playbookContentId11": "[variables('playbookContentId11')]", + "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", + "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Alert Playbook with template version 3.0.7", + "description": "Microsoft Entra ID data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', 
parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "id": "AzureActiveDirectory", + "title": "Microsoft Entra ID", + "publisher": "Microsoft", + "descriptionMarkdown": "Gain insights into Microsoft Entra 
ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "SigninLogs", + "baseQuery": "SigninLogs" + }, + { + "metricName": "Total data received", + "legend": "AuditLogs", + "baseQuery": "AuditLogs" + }, + { + "metricName": "Total data received", + "legend": "AADNonInteractiveUserSignInLogs", + "baseQuery": "AADNonInteractiveUserSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADServicePrincipalSignInLogs", + "baseQuery": "AADServicePrincipalSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADManagedIdentitySignInLogs", + "baseQuery": "AADManagedIdentitySignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADProvisioningLogs", + "baseQuery": "AADProvisioningLogs" + }, + { + "metricName": "Total data received", + "legend": "ADFSSignInLogs", + "baseQuery": "ADFSSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADUserRiskEvents", + "baseQuery": "AADUserRiskEvents" + }, + { + "metricName": "Total data received", + "legend": "AADRiskyUsers", + "baseQuery": "AADRiskyUsers" + }, + { + "metricName": "Total data received", + "legend": "NetworkAccessTraffic", + "baseQuery": "NetworkAccessTraffic" + }, + { + "metricName": "Total data received", + "legend": "AADRiskyServicePrincipals", + "baseQuery": "AADRiskyServicePrincipals" + }, + { + "metricName": "Total data received", + "legend": 
"AADServicePrincipalRiskEvents", + "baseQuery": "AADServicePrincipalRiskEvents" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SigninLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AuditLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADNonInteractiveUserSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADServicePrincipalSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADManagedIdentitySignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADProvisioningLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "ADFSSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADUserRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADRiskyUsers\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "NetworkAccessTraffic\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADRiskyServicePrincipals\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADServicePrincipalRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "SigninLogs", + "lastDataReceivedQuery": "SigninLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AuditLogs", + "lastDataReceivedQuery": "AuditLogs\n | summarize Time = max(TimeGenerated)\n | 
where isnotempty(Time)" + }, + { + "name": "AADNonInteractiveUserSignInLogs", + "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADServicePrincipalSignInLogs", + "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADManagedIdentitySignInLogs", + "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADProvisioningLogs", + "lastDataReceivedQuery": "AADProvisioningLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ADFSSignInLogs", + "lastDataReceivedQuery": "ADFSSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADUserRiskEvents", + "lastDataReceivedQuery": "AADUserRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADRiskyUsers", + "lastDataReceivedQuery": "AADRiskyUsers\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetworkAccessTraffic", + "lastDataReceivedQuery": "NetworkAccessTraffic\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADRiskyServicePrincipals", + "lastDataReceivedQuery": "AADRiskyServicePrincipals\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADServicePrincipalRiskEvents", + "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ] } } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": 
"2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Entra ID", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Entra ID", + "publisher": "Microsoft", + "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. 
For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "SigninLogs", + "baseQuery": "SigninLogs" }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "metricName": "Total data received", + "legend": "AuditLogs", + "baseQuery": "AuditLogs" + }, + { + "metricName": "Total data received", + "legend": "AADNonInteractiveUserSignInLogs", + "baseQuery": "AADNonInteractiveUserSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADServicePrincipalSignInLogs", + "baseQuery": "AADServicePrincipalSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADManagedIdentitySignInLogs", + "baseQuery": "AADManagedIdentitySignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADProvisioningLogs", + "baseQuery": "AADProvisioningLogs" + }, + { + "metricName": "Total data received", + "legend": "ADFSSignInLogs", + "baseQuery": "ADFSSignInLogs" + }, + { + "metricName": "Total data received", + "legend": "AADUserRiskEvents", + "baseQuery": "AADUserRiskEvents" + }, + { + "metricName": "Total data received", + "legend": "AADRiskyUsers", + "baseQuery": "AADRiskyUsers" + }, + { + "metricName": "Total data received", + "legend": "NetworkAccessTraffic", + "baseQuery": "NetworkAccessTraffic" + }, + { + "metricName": "Total data received", + "legend": "AADRiskyServicePrincipals", + "baseQuery": "AADRiskyServicePrincipals" + }, + { + "metricName": "Total data received", + "legend": "AADServicePrincipalRiskEvents", + "baseQuery": "AADServicePrincipalRiskEvents" + } + ], + "dataTypes": [ + { + "name": "SigninLogs", + "lastDataReceivedQuery": "SigninLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + 
}, + { + "name": "AuditLogs", + "lastDataReceivedQuery": "AuditLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADNonInteractiveUserSignInLogs", + "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADServicePrincipalSignInLogs", + "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADManagedIdentitySignInLogs", + "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADProvisioningLogs", + "lastDataReceivedQuery": "AADProvisioningLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ADFSSignInLogs", + "lastDataReceivedQuery": "ADFSSignInLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADUserRiskEvents", + "lastDataReceivedQuery": "AADUserRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADRiskyUsers", + "lastDataReceivedQuery": "AADRiskyUsers\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetworkAccessTraffic", + "lastDataReceivedQuery": "NetworkAccessTraffic\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADRiskyServicePrincipals", + "lastDataReceivedQuery": "AADRiskyServicePrincipals\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "AADServicePrincipalRiskEvents", + "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SigninLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + 
"AuditLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADNonInteractiveUserSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADServicePrincipalSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADManagedIdentitySignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADProvisioningLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "ADFSSignInLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADUserRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADRiskyUsers\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "NetworkAccessTraffic\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADRiskyServicePrincipals\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "AADServicePrincipalRiskEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AzureActiveDirectoryAuditLogsWorkbook 
Workbook with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." + }, "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 
1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), 
\\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or 
initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| 
extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name 
asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == 
details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on 
Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } - }, - "actions": { - "Alert_-_Get_incident": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - } - }, - "Entities_-_Get_Accounts": { - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } + "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; 
logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "AuditLogs", + "kind": "DataType" }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Add_comment_to_incident_-_with_manager_-_no_admin": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] - }, - "type": "If" - }, - "Update_user_-_disable_user": { - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/office365')]" - } + { + "contentId": "AzureActiveDirectory", + "kind": "DataConnector" } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + ] } } } - ], - "metadata": { - "title": "Block Microsoft Entra ID user - Alert", - "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." 
- ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "Block-AADUser-Alert", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", + "name": "[variables('workbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.7", + "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-EntityTrigger", - "type": "string" 
- } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('workbookVersion2')]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId2')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures." + }, "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.16
6Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix 
asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where 
UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by 
SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"
\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All 
Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n countryData\\r\\n)\\r\\non Country\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, City, Category, tostring(Trend)\\r\\n| project Id = strcat(City, '-', Category), Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = strcat(Country, '-', Category),Category\\r\\n| union (countryData\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, Category, tostring(Trend)\\r\\n| project Id = strcat(Country, '-', Category), Name = 
Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = 
dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == 
'{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result 
type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n | extend errorCode = Status.errorCode\\r\\n | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user 
action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n | where Os != ''\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n | project-away TimeGenerated)\\r\\n on Os\\r\\n | order by TotalCount desc, Os asc\\r\\n | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = 
tostring(DeviceDetail.browser)\\r\\n | project-away TimeGenerated)\\r\\n on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user 
action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = 
DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend 
LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access 
status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == 1, \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird 
Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n | where Category in ({Category})\\r\\n | summarize Count = dcount(Id) by CAStatus\\r\\n | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n | join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n | project Id = CAStatus, Trend\\r\\n ) on Id\\r\\n | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", 
\\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = 
tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n CAGrantControlName contains \\\"Device\\\", 4, \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n 7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 
2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, 
\\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count 
desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top 
errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ 
Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error 
Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, 
['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "SigninLogs", + "kind": "DataType" + }, + { + "contentId": "AzureActiveDirectory", + "kind": "DataConnector" + } + ] } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "displayName": "Account Created and Deleted in Short Timeframe", + "enabled": false, + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "DeletedByIPAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - 
"[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" + "description": "Microsoft Entra ID Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Account Created and Deleted in Short Timeframe", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. 
Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", + "displayName": "Account created or deleted by non-approved user", + "enabled": false, + "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - } + ], + "entityType": "Account" }, - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']}  (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Condition_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Condition_3": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] - }, - "type": "If" - }, - "Initialize_variable_Account_Details": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "AccountDetails", - "type": "string" - } - ] - } - }, - "Set_variable": { - "runAfter": { - "Initialize_variable_Account_Details": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "AccountDetails", - "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" - } - }, - "Update_user_-_disable_user": { - "runAfter": { - "Set_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - 
"connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + { + "fieldMappings": [ + { + "columnName": "InitiatedUserIpAddress", + "identifier": "Address" } - } + ], + "entityType": "IP" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + "description": "Microsoft Entra ID Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1511,412 +1372,326 @@
 }
 }
 }
- ],
- "metadata": {
- "title": "Block Microsoft Entra ID user - Entity trigger",
- "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
- "postDeployment": [
- "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
- "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
- "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections."
- ],
- "lastUpdateTime": "2022-12-08T00:00:00Z",
- "entities": [
- "Account"
- ],
- "tags": [
- "Remediation"
- ],
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": "Added manager notification action",
- "notes": [
- "Initial version"
- ]
- }
- ]
- }
+ ]
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId2')]",
- "contentKind": "Playbook",
- "displayName": "Block-AADUser-EntityTrigger",
- "contentProductId": "[variables('_playbookcontentProductId2')]",
- "id": "[variables('_playbookcontentProductId2')]",
- "version": "[variables('playbookVersion2')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Account created or deleted by non-approved user",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
 }
 },
 {
 "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Incident Playbook with template version 3.0.7", + "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Block-AADUser-Incident", - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": 
"[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Modified domain federation trust settings", + "enabled": false, + "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatingIpAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": 
"[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Modified domain federation trust settings", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference", + "displayName": "Password spray attack against ADFSSignInLogs", + "enabled": false, + "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n arg_min(TimeGenerated, *)\n by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, 
TokenIssuerName, ResourceIdentity\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ADFSSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" + "description": "Microsoft Entra ID Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Password spray attack against ADFSSignInLogs", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Block-AADUser", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', 
variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" + "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). 
This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "displayName": "Admin promotion after Role Management Application Permission Grant", + "enabled": false, + "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n summarize modifiedProperties = make_bag(\n bag_pack(tostring(modifiedProperty[\"displayName\"]),\n bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n PermissionGrant_TimeGenerated = TimeGenerated,\n PermissionGrant_OperationName = OperationName,\n PermissionGrant_Result = Result,\n PermissionGrant,\n AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n PermissionGrant_InitiatedBy = InitiatedBy,\n PermissionGrant_TargetResources = TargetResources,\n PermissionGrant_AdditionalDetails = AdditionalDetails,\n PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(query_frequency)\n | where Category =~ \"RoleManagement\" 
and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n | where isnotempty(InitiatedBy[\"app\"])\n | mv-expand TargetResource = TargetResources\n | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n | where RoleAssignment contains \"Admin\"\n | project\n RoleAssignment_TimeGenerated = TimeGenerated,\n RoleAssignment_OperationName = OperationName,\n RoleAssignment_Result = Result,\n RoleAssignment,\n TargetType = tostring(TargetResources[0][\"type\"]),\n Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n TargetId = tostring(TargetResources[0][\"id\"]),\n RoleAssignment_InitiatedBy = InitiatedBy,\n RoleAssignment_TargetResources = TargetResources,\n RoleAssignment_AdditionalDetails = AdditionalDetails,\n RoleAssignment_CorrelationId = CorrelationId,\n AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n TargetName = tostring(split(Target, \"@\")[0]),\n TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n", + "queryFrequency": "PT1H", + "queryPeriod": 
"PT2H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "PrivilegeEscalation", + "Persistence" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AppDisplayName", + "identifier": "Name" } - } + ], + "entityType": "Account" }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition": { - "actions": { - "Condition_-_if_user_have_manager": { - "actions": { - "Add_comment_to_incident_-_with_manager_-_no_admin": { - "runAfter": { - "Get_user_-_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_user_-_details": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - }, - "Send_an_email_-_to_manager_-_no_admin": { - "runAfter": { - "Add_comment_to_incident_-_with_manager_-_no_admin": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", - "Importance": "High", - "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", - "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Parse_JSON_-_get_user_manager": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_no_manager_-_no_admin": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "HTTP_-_get_user_manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com/", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "Parse_JSON_-_get_user_manager": { - "runAfter": { - "HTTP_-_get_user_manager": [ - "Succeeded", - "Failed" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_user_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Update_user_-_disable_user": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_error_details": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Update_user_-_disable_user')", - "@null" - ] - } - ] - }, - "type": "If" - }, - "Update_user_-_disable_user": { - "type": "ApiConnection", - "inputs": { - "body": { - "accountEnabled": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "patch", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + { + "fieldMappings": [ + { + "columnName": "TargetName", + "identifier": "Name" }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + { + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" } - } + ], + "entityType": "Account" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + "description": "Microsoft Entra ID Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
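Review bot: The ADFSDomainTrustMods template (analyticRuleObject3) ships `"tactics": ["CredentialAccess"]` with no `techniques` array, while the neighbouring ADFSSignInLogsPasswordSpray and AdminPromoAfterRoleMgmtAppPermissionGrant templates in this hunk both carry one (`T1110`, and `T1098`/`T1078`), so this rule will surface without a MITRE technique in the rule gallery and in any coverage reporting keyed on techniques; adding `"techniques": ["T1484"]` (Domain Policy Modification, whose trust-modification sub-technique is what the federation-settings query detects) beside the tactics would close the gap. The rule 5 description also reads "add an Microsoft Entra ID object", an article left over from the mechanical Azure AD → Microsoft Entra ID replacement, and should read "add a Microsoft Entra ID object". Since this packaged solution template looks like packaging-tool output, both fixes presumably belong in the source YAML for those two rules followed by a repackage rather than a hand edit of the generated JSON. The enclosing `resources` array and the rule 2 metadata object that this hunk opens on begin outside the hunk.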
@@ -1934,426 +1709,247 @@ } } } - ], - "metadata": { - "title": "Block AAD user - Incident", - "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", - "prerequisites": [ - "None" - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added manager notification action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "Block-AADUser-Incident", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Admin promotion after Role Management Application Permission Grant", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", 
"apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Alert Playbook with template version 3.0.7", + "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Prompt-User-Alert", - "type": "string" - }, - "TeamsId": { - "metadata": { - "description": "Enter the Teams Group ID" - }, - "type": "string" - }, - "TeamsChannelId": { - "metadata": { - "description": "Enter the Teams Channel ID" - }, - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": 
"[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" + "description": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application", + "displayName": "Anomalous sign-in location by user account and authenticating application", + "enabled": false, + "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", + "queryFrequency": "P1D", 
+ "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + }, + { + "columnName": "UserId", + "identifier": "AadUserId" + } + ], + "entityType": "Account" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Application": "AppDisplayName" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. 
This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", + "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" } } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" + "description": "Microsoft Entra ID Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Anomalous sign-in location by user account and authenticating application", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + 
"id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Prompt-User_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2022-04-01-preview", + "kind": 
"Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Update_incident": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", - "ClassificationReasonText": "User Confirmed it was them" - }, - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": { - "Add_comment_to_incident_(V3)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Post_message_in_a_chat_or_channel": { - "inputs": { - "body": { - "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}
\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", - "recipient": { - "channelId": "[[parameters('TeamsChannelId')]", - "groupId": "[[parameters('TeamsId')]" - }, - "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "method": "post", - "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "", - "This was me" - ] - } - ] - }, - "runAfter": { - "Send_approval_email": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Get_user": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" - }, - "type": "ApiConnection" - }, - "Send_approval_email": { - "inputs": { - "body": { - "Message": { - "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}", - "HideHTMLMessage": false, - "Importance": "High", - "Options": "This was me, This was not me", - "ShowHTMLConfirmationDialog": false, - "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}", - "To": "@body('Get_user')?['mail']" - }, - "NotificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "path": "/approvalmail/$subscriptions" - }, - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook" - } - }, - "foreach": 
"@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "Authentication Methods Changed for Privileged Account", + "enabled": false, + "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize by AccountUPN);\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName)\n )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n", + "queryFrequency": "PT2H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "InitiatorName", + "identifier": "Name" }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + { + "columnName": "InitiatorUPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" }, - "triggers": { - "Microsoft_Sentinel_alert": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" + { + "fieldMappings": [ + { + "columnName": "TargetName", + "identifier": "Name" }, - "type": "ApiConnectionWebhook" - } + { + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + 
}, + { + "fieldMappings": [ + { + "columnName": "IP", + "identifier": "Address" + } + ], + "entityType": "IP" } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" - } - } - } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", + "description": "Microsoft Entra ID Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
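Review bot: The `AuthenticationMethodsChangedforPrivilegedAccount` template's `query` derives `VIPUsers` from the `IdentityInfo` table, yet its `requiredDataConnectors` lists only `AuditLogs` under `AzureActiveDirectory`, so the template installs cleanly on a workspace where UEBA/`IdentityInfo` is not populated and the rule then matches nothing because the `in~ (VIPUsers)` filter is always empty. I would declare that dependency alongside the existing entry, `{ "dataTypes": [ "IdentityInfo" ], "connectorId": "BehaviorAnalytics" }` (verify the connectorId against the rule's source YAML), so the content hub surfaces the missing prerequisite instead of leaving a silent detection gap. Separately, the query's `where TimeGenerated > ago(queryfrequency)` uses a 2h lookback with `queryFrequency` of `PT2H`, which gives no overlap for ingestion delay; a slightly wider lookback than the schedule (with the same `queryPeriod`) is the usual way to avoid dropping late-arriving AuditLogs events. The surrounding `resources` array begins before this hunk and continues after it.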
@@ -2371,408 +1967,360 @@ } } } - ], - "metadata": { - "title": "Prompt User - Alert", - "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", - "prerequisites": [ - "1. You will need the Team Id and Channel Id." - ], - "postDeployment": [ - "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." - ], - "lastUpdateTime": "2022-07-11T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "Added new Post a Teams message action", - "notes": [ - "Initial version" - ] - } - ] - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "Playbook", - "displayName": "Prompt-User-Alert", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Authentication Methods Changed for Privileged Account", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('playbookTemplateSpecName5')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Incident Playbook with template version 3.0.7", + "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Prompt-User-Incident", - "type": "string" - }, - "TeamsId": { - "metadata": { - "description": "Enter the Teams Group ID" - }, - "type": "string" - }, - "TeamsChannelId": { - "metadata": { - "description": "Enter the Teams Channel ID" - }, - "type": "string" - } - }, - "variables": { - "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureADConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('AzureADConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } + "description": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", + "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", + "enabled": false, + "query": "let aadFunc = 
(tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + }, + { + "columnName": "UserId", + "identifier": "AadUserId" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": 
"[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "displayName": "Microsoft Entra ID Role Management Permission Grant", + "enabled": false, + 
"query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n )\n| extend \n Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + 
], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "Persistence", + "Impact" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "AppDisplayName", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" + "description": "Microsoft Entra ID Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Microsoft Entra ID Role Management Permission Grant", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Prompt-User", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - 
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", + "displayName": "Azure Portal sign in from another Azure Tenant", + "enabled": false, + "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the 
current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1199" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Update_incident": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", - "ClassificationReasonText": "User Confirmed it was them" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": { - "Add_comment_to_incident_(V3)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "type": "ApiConnection" - }, - "Post_message_in_a_chat_or_channel": { - "inputs": { - "body": { - "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", - "recipient": { - "channelId": "[[parameters('TeamsChannelId')]", - "groupId": "[[parameters('TeamsId')]" - }, - "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "method": "post", - "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Send_approval_email')?['SelectedOption']", - "This was me" - ] - } - ] - }, - "runAfter": { - "Send_approval_email": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Get_user": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" - }, - "type": "ApiConnection" - }, - "Send_approval_email": { - "inputs": { - "body": { - "Message": { - "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}", - "HideHTMLMessage": false, - "Importance": "High", - "Options": "This was me, This was not me", - "ShowHTMLConfirmationDialog": false, - "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}", - "To": "@body('Get_user')?['mail']" - }, - "NotificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "path": "/approvalmail/$subscriptions" - }, - "runAfter": { - "Get_user": [ - 
"Succeeded" - ] - }, - "type": "ApiConnectionWebhook" - } - }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + { + "columnName": "UserId", + "identifier": "AadUserId" + } + ], + "entityType": "Account" }, - "triggers": { - "Microsoft_Sentinel_incident": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", - "connectionName": "[[variables('AzureADConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/office365')]" - }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" } - } + ], + "entityType": "IP" } + ], + "alertDetailsOverride": { + "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", + "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", + "description": "Microsoft Entra ID Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": 
"[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2790,388 +2338,220 @@
 }
 }
 }
- ],
- "metadata": {
- "title": "Prompt User - Incident",
- "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
- "prerequisites": [
- "1. You will need the Team Id and Channel Id."
- ],
- "postDeployment": [
- "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
- "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections."
- ],
- "lastUpdateTime": "2022-07-11T00:00:00Z",
- "entities": [
- "Account"
- ],
- "tags": [
- "Remediation"
- ],
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": "Added new Post a Teams message action",
- "notes": [
- "Initial version"
- ]
- }
- ]
- }
+ ]
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId5')]",
- "contentKind": "Playbook",
- "displayName": "Prompt-User-Incident",
- "contentProductId": "[variables('_playbookcontentProductId5')]",
- "id": "[variables('_playbookcontentProductId5')]",
- "version": "[variables('playbookVersion5')]"
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Azure Portal sign in from another Azure Tenant",
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.7",
+ "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion6')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "Reset-AADPassword-AlertTrigger",
- "type": "string"
- }
- },
- "variables": {
- "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
- "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-2": "[[variables('connection-2')]",
- "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
- "_connection-3": "[[variables('connection-3')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
+ "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "parameters": {},
+ "variables": {},
 "resources": [
 {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } + "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", + "displayName": "Brute Force Attack against GitHub Account", + "enabled": false, + "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h; \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n table(tableName) \n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | where AppDisplayName =~ \"GitHub.com\"\n | where ResultType != 0\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName \n ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" }, - "actions": { - "Alert_-_Get_incident": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + 
"identifier": "Name" }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - }, - "Entities_-_Get_Accounts": { - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 11", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + 
"contentKind": "AnalyticsRule", + "displayName": "Brute Force Attack against GitHub Account", + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", + "displayName": "Brute force attack against a Cloud PC", + "enabled": false, + "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize 
FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit') \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n SigninLogs\n | where AppDisplayName =~ \"Windows Sign In\"\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n | summarize StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IPAddress = make_set(IPAddress,100), \n OS = make_set(OS,20), \n Browser = make_set(Browser,20), \n City = make_set(City,100), \n ResultType = make_set(ResultType,100)\n by UserDisplayName, UserPrincipalName\n ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": 
"AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "HTTP_-_reset_a_password": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] - } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddressFirst", + "identifier": "Address" } - } + ], + "entityType": "IP" } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": 
"[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", + "description": "Microsoft Entra ID Analytics Rule 12", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
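Review bot: The Cloud PC rule query on the new side of this hunk still carries a commented-out grouping key, `by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)`, and the `IPAddresses = make_set(IPAddress,1000)` computed in the first summarize is then discarded by that second summarize, so the set is dead work that should either be dropped from the first summarize or restored as a group key rather than left behind a `//`. Separately, `IPAddressFirst = IPAddress[0]` indexes a make_set result, so the column mapped to the IP entity's `Address` identifier is dynamic rather than string; writing `| extend IPAddressFirst = tostring(IPAddress[0])` keeps the entity value a plain string, though it is worth confirming how the entity mapper treats a dynamic column before relying on the current form. The same template-generated descriptions ("Microsoft Entra ID Analytics Rule 12", "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7") carry the source file name into the user-facing text; a short human description such as "Detects brute-force sign-in patterns against Windows 365 Cloud PCs" would read better in the content hub. The enclosing `resources` array starts before this hunk, and the rule 12 metadata resource that closes it continues into the next hunk.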
@@ -3189,399 +2569,239 @@
 }
 }
 }
- ],
- "metadata": {
- "title": "Reset Microsoft Entra ID User Password - Alert Trigger",
- "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.",
- "prerequisites": [
- "None"
- ],
- "postDeployment": [
- "1. Assign Password Administrator permission to managed identity.",
- "2. Assign Microsoft Sentinel Responder permission to managed identity.",
- "3. Authorize Office 365 Outlook connection"
- ],
- "lastUpdateTime": "2022-07-11T00:00:00Z",
- "entities": [
- "Account"
- ],
- "tags": [
- "Remediation"
- ],
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": " Added manager notification action",
- "notes": [
- "Initial version"
- ]
- }
- ]
- }
+ ]
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId6')]",
- "contentKind": "Playbook",
- "displayName": "Reset-AADPassword-AlertTrigger",
- "contentProductId": "[variables('_playbookcontentProductId6')]",
- "id": "[variables('_playbookcontentProductId6')]",
- "version": "[variables('playbookVersion6')]"
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Brute force attack against a Cloud PC",
+ "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.7",
+ "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion7')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "Reset-AADUserPassword-EntityTrigger",
- "type": "string"
- }
- },
- "variables": {
- "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
- "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-2": "[[variables('connection-2')]",
- "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
- "_connection-3": "[[variables('connection-3')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
+ "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "parameters": {},
+ "variables": {},
 "resources": [
 {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": 
"[variables('analyticRuleObject13')._analyticRulecontentId13]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" - } - } - }, - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Condition_2": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{variables('AccountDetails')}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Condition": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] - }, - "type": "If" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" - } - }, - "HTTP_-_reset_a_password": { - "runAfter": { - "Initialize_variable_Account": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}" - } - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] - } - }, - "Initialize_variable_Account": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] + "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "Bulk Changes to Privileged Account Permissions", + "enabled": false, + "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\";\nAdminRecords\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (\n AdminRecords\n | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "TargetName", + 
"identifier": "Name" }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "AccountDetails", - "type": "string", - "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" - } - ] + { + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByUserName", + "identifier": "Name" }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" + { + "columnName": "InitiatedByUserUPNSuffix", + "identifier": "UPNSuffix" } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } + ], + "entityType": "Account" } + ], + "customDetails": { + "TargetUser": "Target", + "InitiatedByUser": "InitiatedByUser" } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - 
"hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 13", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentKind": "AnalyticsRule", + "displayName": "Bulk Changes to Privileged Account Permissions", + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus 
column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", + "enabled": false, + "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby 
UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1078", + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddresses", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", - "kind": "Playbook", - "version": "[variables('playbookVersion7')]", + "description": "Microsoft Entra ID Analytics Rule 14", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3599,367 +2819,224 @@ } } } - ], - "metadata": { - "title": "Reset Microsoft Entra ID User Password - Entity trigger", - "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", - "postDeployment": [ - "1. Assign Password Administrator permission to managed identity.", - "2. Assign Microsoft Sentinel Responder permission to managed identity.", - "3. Authorize Office 365 Outlook connection" - ], - "lastUpdateTime": "2022-12-06T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.1", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", - "contentKind": "Playbook", - "displayName": "Reset-AADUserPassword-EntityTrigger", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentKind": "AnalyticsRule", + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", + "name": 
"[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.7", + "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Reset-AADPassword-IncidentTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", - "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "parameters": {}, + "variables": {}, "resources": [ { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject15')._analyticRulecontentId15]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "runAfter": { - "Set_variable_-_password": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_-_is_manager_available": { - "actions": { - "Add_comment_to_incident_-_manager_available": { - "runAfter": { - "Send_an_email_-_to_manager_with_password_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Parse_JSON_-_HTTP_-_get_manager": { - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_-_get_manager')", - "schema": { - "properties": { - "userPrincipalName": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_an_email_-_to_manager_with_password_details": { - "runAfter": { - "Parse_JSON_-_HTTP_-_get_manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", - "Subject": "A user password was reset due to security incident.", - "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "HTTP_-_get_manager": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_-_manager_not_available": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@outputs('HTTP_-_get_manager')['statusCode']", - 200 - ] - } - ] - }, - "type": "If" - }, - "HTTP_-_get_manager": { - "runAfter": { - "HTTP_-_reset_a_password": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "GET", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" - } - }, - "HTTP_-_reset_a_password": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "body": { - "passwordProfile": { - "forceChangePasswordNextSignIn": true, - "forceChangePasswordNextSignInWithMfa": false, - "password": "@{variables('Password')}" - } - }, - "method": "PATCH", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", + "displayName": "Credential added after admin consented to Application", + "enabled": false, + "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetResourceType = tostring(TargetResource.type),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where 
TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"Included Updated Properties\"\n | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": 
"PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Password", - "type": "String", - "value": "null" - } - ] + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - }, - "Set_variable_-_password": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Password", - "value": "@{substring(guid(), 0, 10)}" + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "Consent_InitiatingIpAddress", + "identifier": "Address" } - } + ], + "entityType": "IP" } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", - "connectionName": "[[variables('office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": 
"Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Reset-AADUserPassword", - "hidden-SentinelTemplateVersion": "1.1", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" - ] + ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 15", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentKind": "AnalyticsRule", + "displayName": "Credential added after admin consented to Application", + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[variables('office365ConnectionName')]", - "api": { - "id": 
"[[variables('_connection-3')]" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.", + "displayName": "Cross-tenant Access Settings Organization Added", + "enabled": false, + "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + 
"techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", + "description": "Microsoft Entra ID Analytics Rule 16", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
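Review bot: In the Cross-tenant Access Settings Organization Added rule (analyticRuleObject16) the query sets `InitiatedByIPAdress = InitiatedBy.user.ipAddress`, so the IP entity mapped from that column is empty whenever the partner is added by an app, even though the actor column on the preceding line falls back to `InitiatedBy.app.displayName`; the CredentialAddedAfterAdminConsent rule earlier in this hunk already handles that case with `iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))`, and the same form (with `tostring`, since the column feeds an IP entity) would make the two rules consistent. The same rule's leading query comment still directs the analyst to "Azure Active Directory" and its `ExpectedTenantIDs` list holds placeholder strings, so in a rebranding commit the wording should move to Microsoft Entra ID and the list deserves a `// TODO: replace with the partner tenant IDs expected in your environment` marker. The CredentialAddedAfterAdminConsent template lists `tactics` but no `techniques` array, unlike rules 14 and 16 in this hunk. The hunk opens on the closing braces of the previous template, and the rule 16 metadata resource continues past its last line.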
@@ -3977,322 +3054,352 @@
 }
 }
 }
- ],
- "metadata": {
- "title": "Reset Microsoft Entra ID User Password - Incident Trigger",
- "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.",
- "prerequisites": [
- "None"
- ],
- "postDeployment": [
- "1. Assign Password Administrator permission to managed identity.",
- "2. Assign Microsoft Sentinel Responder permission to managed identity.",
- "3. Authorize Office 365 Outlook connection"
- ],
- "lastUpdateTime": "2022-07-11T00:00:00Z",
- "entities": [
- "Account"
- ],
- "tags": [
- "Remediation"
- ],
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": " Added manager notification action",
- "notes": [
- "Initial version"
- ]
- }
- ]
- }
+ ]
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId8')]",
- "contentKind": "Playbook",
- "displayName": "Reset-AADPassword-IncidentTrigger",
- "contentProductId": "[variables('_playbookcontentProductId8')]",
- "id": "[variables('_playbookcontentProductId8')]",
- "version": "[variables('playbookVersion8')]"
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Cross-tenant Access Settings Organization Added",
+ "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": 
"[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.7", + "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion9')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-alert", - "type": "string" - }, - "UserName": { - "defaultValue": "@", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": 
"[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[parameters('PlaybookName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.", + "displayName": "Cross-tenant Access Settings Organization Deleted", + "enabled": false, + "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + 
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 17", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Deleted", + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365UsersConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-3')]" + "description": "Microsoft Entra ID Analytics Rule 18", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "location": "[parameters('workspace-location')]", + 
"dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" - ], + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": 
"/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Send_an_email_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_manager_(V2)": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['office365users']['connectionId']" - } - }, - "method": "get", - "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" - }, - "runAfter": { - "HTTP": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "HTTP": { - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" - }, - "type": "Http" - }, - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", - "Subject": "User signin sessions were reset due to security incident.", - "To": "@body('Get_manager_(V2)')?['mail']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "runAfter": { - "Get_manager_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" }, - "office365users": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", - "connectionName": "[[variables('Office365UsersConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" + } + ], + "entityType": "IP" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", "properties": { - "parentId": "[variables('playbookId9')]", - "contentId": "[variables('_playbookContentId9')]", - "kind": "Playbook", - "version": "[variables('playbookVersion9')]", + "description": "Microsoft Entra ID Analytics Rule 19", + "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4310,208 +3417,110 @@ } } } - ], - "metadata": { - "title": "Revoke-AADSignInSessions alert trigger", - "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", - "prerequisites": [ - "1. You must create an app registration for graph api with appropriate permissions.", - "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID." - ], - "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", - "lastUpdateTime": "2021-07-14T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId9')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-alert", - "contentProductId": "[variables('_playbookcontentProductId9')]", - "id": "[variables('_playbookcontentProductId9')]", - "version": "[variables('playbookVersion9')]" + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('playbookTemplateSpecName10')]", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.7", + "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion10')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", - "type": "string" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "parameters": {}, + "variables": {}, "resources": [ { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - 
"definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_entity": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/entity/@{encodeURIComponent('Account')}" - } - } - }, - "actions": { - "Condition": { - "actions": { - "Add_comment_to_incident_(V3)_-_session_revoked": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['IncidentArmID']", - "message": "

Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "HTTP_-_revoke_sign-in_session": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@triggerBody()?['IncidentArmID']", - "@null" - ] - } - } - ] + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" }, - "type": "If" - }, - "HTTP_-_revoke_sign-in_session": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions" + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - } - } - }, - 
"parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" } - } + ], + "entityType": "IP" } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", "properties": { - "parentId": "[variables('playbookId10')]", - "contentId": "[variables('_playbookContentId10')]", - "kind": "Playbook", - "version": "[variables('playbookVersion10')]", + "description": "Microsoft Entra ID Analytics Rule 20", + "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4529,313 +3538,233 @@ } } } - ], - "metadata": { - "title": "Revoke AAD Sign-in session using entity trigger", - "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", - "postDeployment": [ - "1. Add Microsoft Sentinel Responder role to the managed identity.", - "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity." - ], - "lastUpdateTime": "2022-12-22T00:00:00Z", - "entities": [ - "Account" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId10')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignIn-Session-entityTrigger", - "contentProductId": "[variables('_playbookcontentProductId10')]", - "id": "[variables('_playbookcontentProductId10')]", - "version": "[variables('playbookVersion10')]" + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('playbookTemplateSpecName11')]", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.7", + "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion11')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-incident", - "type": "string" - }, - "UserName": { - "defaultValue": "@", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", - "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", - "_connection-3": "[[variables('connection-3')]", - 
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[parameters('PlaybookName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", + "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", + "enabled": false, + "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "P2D", + "queryPeriod": "P2D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": [ + "T1078", + "T1136", + "T1087" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByIPAdress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-2')]" + "description": "Microsoft Entra ID Analytics Rule 21", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentKind": "AnalyticsRule", + "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "location": "[parameters('workspace-location')]", + 
"dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365UsersConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[parameters('UserName')]", - "api": { - "id": "[[variables('_connection-3')]" - } + "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "displayName": "Attempts to sign in to disabled accounts", + "enabled": false, + "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. 
The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "Revoke-AADSigninSessions", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', 
variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Alert_-_Get_incident": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - }, - "type": "ApiConnection" - }, - "Entities_-_Get_Accounts": { - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - }, - "runAfter": { - "Alert_-_Get_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", - "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Send_an_email_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_manager_(V2)": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['office365users']['connectionId']" - } - }, - "method": "get", - "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" - }, - "runAfter": { - "HTTP": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "HTTP": { - "inputs": { - "authentication": { - "audience": "https://graph.microsoft.com", - "type": "ManagedServiceIdentity" - }, - "method": "POST", - "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" - }, - "type": "Http" - }, - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", - "Subject": "User signin sessions were reset due to security incident.", - "To": "@body('Get_manager_(V2)')?['mail']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "runAfter": { - "Get_manager_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - }, - "office365users": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", - "connectionName": 
"[[variables('Office365UsersConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" - } - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId11')]", - "contentId": "[variables('_playbookContentId11')]", - "kind": "Playbook", - "version": "[variables('playbookVersion11')]", + "description": "Microsoft Entra ID Analytics Rule 22", + "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
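Review bot: In analytic rule 21 the IP entity mapping reads `InitiatedByIPAdress`, which the query fills only from `InitiatedBy.user.ipAddress`, so for changes made by an application (the case the query already handles for the actor name via `InitiatedBy.app.displayName`) the IP entity will presumably be empty; the same pattern appears in rule 20 in the preceding hunk. If no IP is available for app-initiated changes that is worth a comment in the query, e.g. `// IP is only present when a user (not an app) initiated the change`, and the column name is misspelled in both the `extend` and the `columnName` mapping (`InitiatedByIPAddress`). In rule 22, `| where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."` duplicates the `ResultType == "50057"` filter with an exact-text match that silently stops matching if the description wording changes; dropping it, or matching on the code alone, would be more robust. The enclosing solution template continues beyond this hunk.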
@@ -4853,83 +3782,112 @@ } } } - ], - "metadata": { - "title": "Revoke AAD SignIn Sessions - incident trigger", - "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", - "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", - "lastUpdateTime": "2021-07-14T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + ] }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId11')]", - "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-incident", - "contentProductId": "[variables('_playbookcontentProductId11')]", - "id": "[variables('_playbookcontentProductId11')]", - "version": "[variables('playbookVersion11')]" + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentKind": "AnalyticsRule", + "displayName": "Attempts to sign in to disabled accounts", + "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.7", + "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." 
- }, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = 
false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' 
sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories 
volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif 
(tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", 
\\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "description": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", + "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", + "enabled": false, + "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", 
\"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": 
"AzureActiveDirectory"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": [
+ "T1110"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "Name",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "IPAddress",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]",
 "properties": {
- "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. 
\nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "description": "Microsoft Entra ID Analytics Rule 23",
+ "parentId": "[variables('analyticRuleObject23').analyticRuleId23]",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4944,19 +3902,6 @@
 "name": "Microsoft Corporation",
 "email": "support@microsoft.com",
 "link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "AuditLogs",
- "kind": "DataType"
- },
- {
- "contentId": "AzureActiveDirectory",
- "kind": "DataConnector"
- }
- ]
 }
 }
 }
@@ -4967,57 +3912,114 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_workbookContentId1')]",
- "contentKind": "Workbook",
- "displayName": "[parameters('workbook1-name')]",
- "contentProductId": "[variables('_workbookcontentProductId1')]",
- "id": "[variables('_workbookcontentProductId1')]",
- "version": "[variables('workbookVersion1')]"
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Distributed Password cracking attempts in Microsoft Entra ID",
+ "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('workbookTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.7",
+ "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId2')]",
+ "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures." - }, "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\"
:false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| 
project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, 
\\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| order by Count 
desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"
\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All 
Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n data \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n countryData\\r\\n)\\r\\non Country\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, City, Category, tostring(Trend)\\r\\n| project Id = strcat(City, '-', Category), Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = strcat(Country, '-', Category),Category\\r\\n| union (countryData\\r\\n| summarize arg_max(TotalCount, SuccessCount, FailureCount, InterruptCount) by Country, Category, tostring(Trend)\\r\\n| project Id = strcat(Country, '-', Category), Name = 
Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = 
dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == 
'{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result 
type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n | extend errorCode = Status.errorCode\\r\\n | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user 
action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n | where Os != ''\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n | project-away TimeGenerated)\\r\\n on Os\\r\\n | order by TotalCount desc, Os asc\\r\\n | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = 
tostring(DeviceDetail.browser)\\r\\n | project-away TimeGenerated)\\r\\n on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user 
action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = 
DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend 
LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access 
status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == 1, \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird 
Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n | where Category in ({Category})\\r\\n | summarize Count = dcount(Id) by CAStatus\\r\\n | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n | join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n | project Id = CAStatus, Trend\\r\\n ) on Id\\r\\n | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", 
\\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\", \\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\", \\r\\n ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = 
tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n CAGrantControlName contains \\\"Device\\\", 4, \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n 7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 
2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, 
\\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count 
desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top 
errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ 
Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error 
Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, 
['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or 
region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.", + "displayName": "Explicit MFA Deny", + "enabled": false, + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + 
], + "connectorId": "AzureActiveDirectory" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "ClientAppUsed", + "identifier": "Url" + } + ], + "entityType": "URL" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", "properties": { - "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
- "parentId": "[variables('workbookId2')]",
- "contentId": "[variables('_workbookContentId2')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion2')]",
+ "description": "Microsoft Entra ID Analytics Rule 24",
+ "parentId": "[variables('analyticRuleObject24').analyticRuleId24]",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5032,19 +4034,6 @@
 "name": "Microsoft Corporation",
 "email": "support@microsoft.com",
 "link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "SigninLogs",
- "kind": "DataType"
- },
- {
- "contentId": "AzureActiveDirectory",
- "kind": "DataConnector"
- }
- ]
 }
 }
 }
@@ -5055,44 +4044,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId2')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook2-name')]", - "contentProductId": "[variables('_workbookcontentProductId2')]", - "id": "[variables('_workbookcontentProductId2')]", - "version": "[variables('workbookVersion2')]" + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "contentKind": "AnalyticsRule", + "displayName": "Explicit MFA Deny", + "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - 
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access", + "displayName": "full_access_as_app Granted To Application", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, 
DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n 
(\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n", "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -5101,27 +4090,27 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
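Review bot: In the `query` of the ExchangeFullAccessGrantedToApp template, `| mv-expand AdditionalDetails` followed by `| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ "User-Agent", AdditionalDetails.value, ""))` yields one result row per AdditionalDetails entry for every consent event, so each grant is reported several times with GrantUserAgent empty on all but one row. Collapsing the array inside a single mv-apply keeps one row per event, e.g. `| mv-apply AdditionalDetails on (summarize GrantUserAgent = take_anyif(tostring(AdditionalDetails.value), AdditionalDetails.key =~ "User-Agent"))` in place of those two lines (escaped as in the surrounding JSON string). The display name and description say the permission is granted "with Admin Consent", yet `AdminConsent` is only extracted and never filtered on, so either `| where AdminConsent has "True"` belongs after its mv-apply or the wording should not claim it. `Name`/`UPNSuffix` are built with `split(GrantInitiatedBy, "@")[0]`/`[1]` without `tostring`, unlike the sibling rules in this file that use `tostring(split(UserPrincipalName,'@',0)[0])`, and when `GrantInitiatedBy` falls back to `InitiatedBy.app.displayName` the Account entity receives an app display name rather than a UPN. The `description` text "This permission provide access to all Exchange mailboxes via the EWS API can could be exploited ... for the applications function" should read "This permission provides access to all Exchange mailboxes via the EWS API and could be exploited ... for the application's function"; the same sentence recurs in the `alertDescriptionFormat` of the `@@ -5129` hunk.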
@@ -5129,25 +4118,34 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "DeletedByIPAddress"
+ "columnName": "GrantIpAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
 }
- ]
+ ],
+ "customDetails": {
+ "OAuthAppId": "AppId",
+ "OAuthApplication": "OAuthAppName",
+ "UserAgent": "GrantUserAgent"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
+ "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}"
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 1",
- "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "description": "Microsoft Entra ID Analytics Rule 25",
+ "parentId": "[variables('analyticRuleObject25').analyticRuleId25]",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
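Review bot: `customDetails` publishes the `AppId` column as `OAuthAppId`, but in the query of the preceding `@@ -5055` hunk `AppId` is `tostring(Property.newValue)` of the `TargetId.ServicePrincipalNames` property, whose name suggests a list of service-principal names rather than a single application id; if that is what the log holds, downstream automation reading `OAuthAppId` will receive the whole list under a misleading label. Either reduce that value to one identifier in the query or rename the detail, e.g. `"ServicePrincipalNames": "AppId"`, so the alert payload says what it carries. `alertDescriptionFormat` repeats the full six-line template `description` and only adds the `{{GrantInitiatedBy}}`/`{{OAuthAppName}}`/`{{GrantIpAddress}}` sentence; keeping just that sentence plus the reference link would make the alert text easier to scan without losing information, since the background already lives in the template description.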
@@ -5172,44 +4170,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + "displayName": "full_access_as_app Granted To Application", + "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", "parameters": 
{}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "displayName": "Failed login attempts to Azure Portal", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), 
DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", + "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = 
materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City) \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
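Review bot: In the `query` of the FailedLogonToAzurePortal template, `| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)` parses `DeviceDetail` a second time into `Status`; the value is overwritten on the very next line by `Status = strcat(ResultType, ": ", ResultDescription)`, so results are unaffected, but it reads as a copy-paste slip and should either be dropped or become `Status = todynamic(Status)` if the parsed status was intended. The `description` lists only result types 0, 50125 and 50140 as excluded, while `failPortalSignins` also excludes `"70044"` and `"70043"`; the description should name those two codes so the tuning reads correctly, e.g. append `70043/70044 - session expired or token revoked (excluded as non-failure)` with the wording confirmed against the referenced error-code page. The `isGUID` pattern `[0-9a-z]{8}-...` is matched with the case-sensitive `matches regex`, so an Identity rendered with upper-case hex would not be tagged Unresolved; whether this column ever carries upper-case GUIDs cannot be told from this file, but `[0-9a-fA-F]` would make the check independent of that.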
@@ -5221,24 +4219,30 @@
 "SigninLogs"
 ],
 "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "AADNonInteractiveUserSignInLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "InitialAccess"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1078"
+ "T1110"
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -5246,8 +4250,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "DeletedByIPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -5258,13 +4262,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 2",
- "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
- "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "description": "Microsoft Entra ID Analytics Rule 26",
+ "parentId": "[variables('analyticRuleObject26').analyticRuleId26]",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5289,43 +4293,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "displayName": "Failed login attempts to Azure Portal", + "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", 
"parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "First access credential added to Application or Service Principal where no credential was present", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where 
TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\" \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", "queryFrequency": "PT1H", - "queryPeriod": "P1D", + "queryPeriod": "PT1H", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -5335,27 +4339,27 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -5363,11 +4367,20 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DeletedByIPAddress" + "columnName": "InitiatingIpAddress", + "identifier": "Address" } ], "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "targetDisplayName", + "identifier": "Name" + } + ], + "entityType": "CloudApplication" } ] } 
@@ -5375,13 +4388,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "description": "Microsoft Entra ID Analytics Rule 27", + "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5406,43 +4419,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + "displayName": "First access credential added to Application or Service Principal where no credential was present", + "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + 
"contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. 
This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", + "displayName": "Guest accounts added in AAD Groups other than the ones specified", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", + "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where 
InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -5452,27 +4465,40 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "InitialAccess", + "Persistence", + "Discovery" ], "techniques": [ - "T1078" + "T1078", + "T1136", + "T1087" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "InvitedUser", + "identifier": "Name" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -5480,8 +4506,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DeletedByIPAddress" + "columnName": "InitiatedByIPAdress", + "identifier": "Address" } ], "entityType": "IP" 
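Review bot: The rebranding this commit is about is not applied to the guest-group rule added in this hunk: the new `displayName` still reads `Guest accounts added in AAD Groups other than the ones specified` and the query's leading comment still tells the reader to navigate to "Azure Active Directory", while the new description in the same hunk already says "Microsoft Entra ID Groups". The same query introduces a misspelled column, `| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress`; the IP entity mapping in the following hunk references the misspelled name, so it resolves, but a rename (and wrapping the value in `tostring()` as the other rules in this file do for `InitiatedBy.user.ipAddress`) has to be made in both places at once. If this is the generated package template, the fixes belong in the rule's source YAML followed by a regeneration.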
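Review bot: The two Account entity mappings added in this hunk are inconsistent — the first maps `InvitedUser`, which the query filters as a full UPN (`InvitedUser has_any ("CUSTOM DOMAIN NAME#", "#EXT#")`), straight into `Name`, while the second splits the initiator into `Name` and `UPNSuffix`. Putting a whole UPN in the `Name` identifier is likely to produce an Account entity that does not match the one the second mapping produces for the same user, so it is probably worth splitting the invited user the same way, e.g. `InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0])` and mapping those two columns. If this template is generated, the change belongs in the rule YAML.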
@@ -5492,13 +4518,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "description": "Microsoft Entra ID Analytics Rule 28", + "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5523,44 +4549,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "contentVersion": 
"[variables('analyticRuleObject29').analyticRuleVersion29]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. 
This can help identify applications that have been abused to gain access to mailboxes.", + "displayName": "Mail.Read Permissions Granted to Application", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", + "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\") \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties,\n Type = tostring(TargetResource.type),\n PermissionsAddedTo = tostring(TargetResource.displayName)\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUser = 
tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress) \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppName = tostring(TargetResource.displayName),\n AppId = tostring(TargetResource.id)\n )\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", + "queryFrequency": "P1D", "queryPeriod": "P1D", - "severity": "High", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -5569,27 +4595,27 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "Persistence" ], "techniques": [ - "T1078" + "T1098" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -5597,8 +4623,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DeletedByIPAddress" + "columnName": "UserIPAddress", + "identifier": "Address" } ], "entityType": "IP" 
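Review bot: The new description for this rule says it covers "(Delegated or App/Role)" grants, but the only modified property the query reads is `Property.displayName =~ "DelegatedPermissionGrant.Scope"`; events admitted by the `"Add app role assignment to service principal"` filter appear to carry their permission under a different property name, so as far as I can tell they never reach the `Permissions has_any ("Mail.Read", "Mail.ReadWrite")` check and application-permission grants go undetected. Either narrow the description to delegated grants or add a second `mv-apply` branch for the app-role property, after confirming its name against real AuditLogs records. A smaller inconsistency in the same hunk: the preceding filter admits app-initiated events (`tostring(InitiatedBy.app.displayName) has "@"`), yet `InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)` is taken from the user only, so the Account entity is empty for those rows; the rule 27 hunk earlier in this diff handles this with `iff(isnotempty(InitiatedBy.user.userPrincipalName), ..., tostring(InitiatedBy.app.displayName))` and the same pattern would fit here. If this file is generated, both fixes belong in the source YAML.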
@@ -5609,13 +4635,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "description": "Microsoft Entra ID Analytics Rule 29", + "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5640,43 +4666,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + "displayName": "Mail.Read Permissions Granted to Application", + "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", 
"parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", - "displayName": "Account Created and Deleted in Short Timeframe", + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where OperationName =~ \"Add user\" \n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type == \"User\"\n | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n )\n | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where TimeDelta between (time(0s) .. 
queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will 
cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on 
AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -5686,27 +4712,29 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "CredentialAccess", + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1528", + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
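Review bot: The scope counter `countof(tolower(GrantScope1), o365_attack_regex, 'regex')` runs a case-sensitive regex against a lowercased string, but `o365_attack_regex` still contains the mixed-case alternative `Files.ReadWrite.All`, so that scope is never counted toward `threshold` and an app requesting exactly the toolkit's permission set can land at or below the `> 5` cut-off and not alert (the `has_any` pre-filter is case-insensitive, which hides the gap). Lowercase that literal and escape the dots so `.` stops matching any character: `let o365_attack_regex = @"contacts\.read|user\.read|mail\.read|notes\.read\.all|mailboxsettings\.readwrite|files\.readwrite\.all|mail\.send|files\.read|files\.read\.all";`. The allow-list is also fetched at query time via `externaldata` from the `master` branch of a public repository and a match suppresses the alert, so pinning that URL to a commit SHA or moving the list into a Sentinel watchlist would keep an upstream change from silently muting the rule. The description additionally repeats "especially as the knownApplications list is expanded" twice. This template appears to be packaged from the rule's source YAML, so the fix belongs there rather than in this generated file.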
@@ -5714,11 +4742,20 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DeletedByIPAddress" + "columnName": "GrantIpAddress", + "identifier": "Address" } ], "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "AppDisplayName", + "identifier": "Name" + } + ], + "entityType": "CloudApplication" } ] } @@ -5726,13 +4763,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "description": "Microsoft Entra ID Analytics Rule 30", + "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5757,43 +4794,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "contentKind": "AnalyticsRule", - "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "contentVersion": 
"[variables('analyticRuleObject31').analyticRuleVersion31]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", - "displayName": "Account created or deleted by non-approved user", + "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent similar to PwnAuth", "enabled": false, - "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" 
GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | 
mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P14D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -5809,21 +4846,23 @@ } ], "tactics": [ - "InitialAccess" + "CredentialAccess", + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1528", + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -5831,8 +4870,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatedUserIpAddress" + "columnName": "GrantIpAddress", + "identifier": "Address" } ], "entityType": "IP" 
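Review bot: The `AppClientId !in ((externaldata(...)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv"] ...))` line pulls the suppression list live from a mutable public branch, so whoever can change that CSV (or intercept the fetch) can stop this rule from firing, and unlike the sibling O365 Attack Toolkit query this one carries no warning that a match suppresses the alert. At minimum add the same inline note, `// NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!`, and preferably pin the URL to a commit SHA or source the list from a watchlist, e.g. `| where AppClientId !in ((_GetWatchlist('KnownOAuthApps') | project knownAppClientId))` with a watchlist name of your choosing. Note also that `where GrantConsentType != "AllPrincipals"` deliberately drops admin-consented, tenant-wide grants, which is the higher-impact path for a PwnAuth-style app; the inline comment acknowledges this but the rule description does not, so a sentence there would help analysts tuning it. This looks like generated packaging output, so the change belongs in the rule's source YAML.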
@@ -5843,13 +4882,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "description": "Microsoft Entra ID Analytics Rule 31", + "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5874,44 +4913,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "contentKind": "AnalyticsRule", - "displayName": "Account created or deleted by non-approved user", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + "displayName": "Suspicious application consent similar to PwnAuth", + "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", "parameters": {}, "variables": 
{}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Modified domain federation trust settings", + "description": "Identifies occurances where a user has rejected an MFA prompt. 
This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "MFA Rejected by User", "enabled": false, - "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| 
project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = 
make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -5920,24 +4959,43 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "SigninLogs" ], "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UserId", + "identifier": "AadUserId" } ], "entityType": "Account" @@ -5945,8 +5003,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatingIpAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
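Review bot: After the two `leftouter` joins, `UEBARiskScore = BlastRadiusInt + IPInvestigationPriority` is null whenever the user has no `IdentityInfo` row or the IP has no `BehaviorAnalytics` row, and `where UEBARiskScore > riskScoreCutoff` then drops the row, so an MFA denial from an IP UEBA has never seen, or for an unenriched account, never alerts, and the rule is completely silent in a workspace without UEBA. Use `| extend UEBARiskScore = coalesce(BlastRadiusInt, 0) + coalesce(IPInvestigationPriority, 0)` so missing enrichment degrades to a low score rather than a dropped event, and state in the description that results are gated on UEBA enrichment. The aggregation `UserAccountControl = make_set(UserType, 1000)` duplicates the `UserType` set under a second name and the preceding `project` carries no `UserAccountControl` column, which looks like a copy-paste slip worth confirming against the source rule. The technique mapping `T1078` fits the credential-theft precondition, but the behavior detected here is MFA prompt rejection, for which `T1621` (Multi-Factor Authentication Request Generation) is the closer match if the packaging tool's technique list accepts it; the description also misspells "occurrences".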
@@ -5957,13 +5015,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "description": "Microsoft Entra ID Analytics Rule 32", + "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5988,44 +5046,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "contentKind": "AnalyticsRule", - "displayName": "Modified domain federation trust settings", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + "displayName": "MFA Rejected by User", + "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", "parameters": {}, "variables": {}, 
"resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference", - "displayName": "Password spray attack against ADFSSignInLogs", + "description": "Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,\nDefault Failure count is 10 and 1 successful login with default Time Window is 5 minutes.", + "displayName": "MFA Spamming followed by Successful login", "enabled": false, - "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n arg_min(TimeGenerated, *)\n by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, 
SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT1H", - "severity": "Medium", + "query": "// Filter for sign-in logs ingested within the last day\nSigninLogs\n| where ingestion_time() > ago(1d)\n// Filter for records with AuthenticationRequirement set to multiFactorAuthentication\n| where AuthenticationRequirement == \"multiFactorAuthentication\"\n// Extract information from dynamic columns DeviceDetail and LocationDetails\n| extend DeviceDetail = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n// Extract specific attributes from DeviceDetail and LocationDetails\n| extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n// Expand multi-value property AuthenticationDetails into separate records\n| mv-expand todynamic(AuthenticationDetails)\n// Parse AuthResult from JSON in AuthenticationDetails and convert to string\n| extend AuthResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\n// Summarize data by aggregating statistics for each user, IP, and AuthResult\n| summarize FailedAttempts = countif(AuthResult == \"MFA denied; user declined the authentication\" or AuthResult == \"MFA denied; user did not respond to mobile app notification\"), SuccessfulAttempts = countif(AuthResult == \"MFA successfully completed\"), InvolvedOS = make_set(OS, 5), InvolvedBrowser = make_set(Browser), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress, State, City, Region\n// Calculate AuthenticationWindow by finding time difference between start and end times\n| extend AuthenticationWindow = (EndTime - StartTime)\n// Filter for 
records with more than 10 failed attempts in 5-minute window and at least 1 successful attempt\n| where FailedAttempts > 10 and AuthenticationWindow <= 5m and SuccessfulAttempts >= 1\n// Extract user's name and UPN suffix using split function\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -6034,7 +5092,7 @@ "requiredDataConnectors": [ { "dataTypes": [ - "ADFSSignInLogs" + "SigninLogs" ], "connectorId": "AzureActiveDirectory" } @@ -6049,8 +5107,21 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
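Review bot: The 5-minute window in the new rule 33 query is brittle: StartTime/EndTime are min/max over every MFA event in the whole 1d filter per UserPrincipalName/IPAddress/State/City/Region, so a single unrelated MFA event from the same user and IP earlier or later in the day pushes AuthenticationWindow past 5m and the `AuthenticationWindow <= 5m` filter suppresses the alert even when the spam-then-success sequence occurred. Bucketing the summarize, e.g. `... by UserPrincipalName, IPAddress, State, City, Region, bin(TimeGenerated, 5m)`, keeps the window bounded by design. The description also states "Default Failure count is 10" while the filter is `FailedAttempts > 10`, i.e. at least 11 failures; either the text or the comparison should change. Finally, a queryFrequency of P1D with severity High means an MFA-fatigue success can go unalerted for up to a day, which seems at odds with the severity; the enclosing rule object continues in the following hunks.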
@@ -6061,13 +5132,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "description": "Microsoft Entra ID Analytics Rule 33", + "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6092,44 +5163,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against ADFSSignInLogs", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + "displayName": "MFA Spamming followed by Successful login", + "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "contentVersion": 
"[variables('analyticRuleObject34').analyticRuleVersion34]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", - "displayName": "Admin promotion after Role Management Application Permission Grant", + "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", + "displayName": "Multiple admin membership removals from newly created admin.", "enabled": false, - "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n summarize modifiedProperties = make_bag(\n bag_pack(tostring(modifiedProperty[\"displayName\"]),\n bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n PermissionGrant_TimeGenerated = TimeGenerated,\n PermissionGrant_OperationName = OperationName,\n PermissionGrant_Result = Result,\n PermissionGrant,\n AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n PermissionGrant_InitiatedBy = InitiatedBy,\n PermissionGrant_TargetResources = TargetResources,\n PermissionGrant_AdditionalDetails = AdditionalDetails,\n PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(query_frequency)\n | where Category =~ \"RoleManagement\" and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n | where isnotempty(InitiatedBy[\"app\"])\n | 
mv-expand TargetResource = TargetResources\n | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n | where RoleAssignment contains \"Admin\"\n | project\n RoleAssignment_TimeGenerated = TimeGenerated,\n RoleAssignment_OperationName = OperationName,\n RoleAssignment_Result = Result,\n RoleAssignment,\n TargetType = tostring(TargetResources[0][\"type\"]),\n Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n TargetId = tostring(TargetResources[0][\"id\"]),\n RoleAssignment_InitiatedBy = InitiatedBy,\n RoleAssignment_TargetResources = TargetResources,\n RoleAssignment_AdditionalDetails = AdditionalDetails,\n RoleAssignment_CorrelationId = CorrelationId,\n AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n TargetName = tostring(split(Target, \"@\")[0]),\n TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n", + "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ 
\"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // 
Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", "queryFrequency": "PT1H", - "queryPeriod": "PT2H", - "severity": "High", + "queryPeriod": "P7D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -6144,32 +5215,21 @@ } ], "tactics": [ - "PrivilegeEscalation", - "Persistence" + "Impact" ], "techniques": [ - "T1098", - "T1078" + "T1531" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AppDisplayName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "TargetName" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
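Review bot: The join in rule 34, `on $left.Target == $right.Initiator`, compares TargetResource.userPrincipalName with InitiatedBy.user.userPrincipalName using case-sensitive string equality, so if the two audit-log fields differ in casing for the same principal (presumably possible, worth confirming against real AuditLogs data) the new admin is never matched to the removals and the detection silently misses. Normalising both sides, `Target = tolower(tostring(TargetResource.userPrincipalName))` and `Initiator = tolower(iif(...))`, with the PIM exclusion changed to the case-insensitive `| where Initiator !~ "MS-PIM"`, removes that dependency. Separately, GlobalAdminsAdded requires `Result == "success"` but GlobalAdminsRemoved does not, so failed removal attempts are counted in NoofAdminsRemoved; if that asymmetry is intended, the rule description should say so. The enclosing AlertRuleTemplates object starts in the previous hunk and continues past this one.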
@@ -6180,13 +5240,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "description": "Microsoft Entra ID Analytics Rule 34", + "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6211,43 +5271,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "contentKind": "AnalyticsRule", - "displayName": "Admin promotion after Role Management Application Permission Grant", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + "displayName": "Multiple admin membership removals from newly created admin.", + "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", + "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "contentVersion": 
"[variables('analyticRuleObject35').analyticRuleVersion35]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application", - "displayName": "Anomalous sign-in location by user account and authenticating application", + "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", + "displayName": "New onmicrosoft domain added to tenant", "enabled": false, - "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| 
extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", + "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
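Review bot: In the new rule 35 query, `UserName = split(InitiatingUser, "@")[0]` and `UPNSuffix = split(InitiatingUser, "@")[1]` are left as dynamic values, whereas the other rules regenerated in this template (33 and 34) wrap the same construct in `tostring(...)`; the columns are consumed by the Account entity mapping in the next hunk, so the explicit string type is the safer and more consistent form: `| extend UserName = tostring(split(InitiatingUser, "@")[0])` and `| extend UPNSuffix = tostring(split(InitiatingUser, "@")[1])`. The enclosing rule object continues in the following hunk.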
@@ -6257,64 +5317,73 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "ResourceDevelopment" ], "techniques": [ - "T1078" + "T1585" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "UserName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "AadUserId", - "columnName": "UserId" + "columnName": "InitiatingSPID", + "identifier": "AadUserId" } ], "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatingIp", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "DomainAdded", + "identifier": "DomainName" + } + ], + "entityType": "DNS" } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, - "customDetails": { - "Application": "AppDisplayName" - }, "alertDetailsOverride": { - "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", - "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" + "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. 
Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", + "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 11", - "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "description": "Microsoft Entra ID Analytics Rule 35", + "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
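Review bot: The Account entity mapping for rule 35 binds `InitiatingSPID` (a service-principal id from InitiatedBy.app.servicePrincipalId) to the `AadUserId` identifier, while `UserName`/`UPNSuffix` come from InitiatedBy.user; for app-initiated events the mapped entity is therefore a user account carrying a service-principal object id, which may mislead incident triage — worth confirming that this is the intended identifier for service principals rather than a user id. The alertDescriptionFormat also reads "for launching phishing accounts" where the rule description in the preceding hunk says "phishing campaigns"; the alert text should match: `...in order to masquerade as a service provider for launching phishing campaigns.`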
@@ -6339,44 +5408,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "contentKind": "AnalyticsRule", - "displayName": "Anomalous sign-in location by user account and authenticating application", - "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + "displayName": "New onmicrosoft domain added to tenant", + "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", + "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "contentVersion": 
"[variables('analyticRuleObject36').analyticRuleVersion36]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "Authentication Methods Changed for Privileged Account", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "New access credential added to Application or Service Principal", "enabled": false, - "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", 
\"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize by AccountUPN);\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName)\n )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n", - "queryFrequency": "PT2H", - "queryPeriod": "P14D", - "severity": "High", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has 
\"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = 
tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -6391,34 +5460,21 @@ } ], "tactics": [ - "Persistence" + "DefenseEvasion" ], "techniques": [ - "T1098" + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "InitiatorName" - }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatorUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "TargetName" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6426,8 +5482,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IP" + "columnName": "InitiatingIpAddress", + "identifier": "Address" } ], "entityType": "IP" 
@@ -6438,13 +5494,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 12", - "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "description": "Microsoft Entra ID Analytics Rule 36", + "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6469,83 +5525,66 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "contentKind": "AnalyticsRule", - "displayName": "Authentication Methods Changed for Privileged Account", - "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + "displayName": "New access credential added to Application or Service Principal", + "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", + "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "contentVersion": 
"[variables('analyticRuleObject37').analyticRuleVersion37]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", - "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT Modified domain federation trust settings", "enabled": false, - "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Low", + "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be 
interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" + "CredentialAccess" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "Name", 
+ "identifier": "Name" }, { - "identifier": "AadUserId", - "columnName": "UserId" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6553,8 +5592,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "InitiatingIpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -6565,13 +5604,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 13", - "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "description": "Microsoft Entra ID Analytics Rule 37", + "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6596,48 +5635,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "contentKind": "AnalyticsRule", - "displayName": "Microsoft Entra ID PowerShell accessing non-AAD resources", - "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + "displayName": "NRT Modified domain federation trust settings", + "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", + "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "contentVersion": 
"[variables('analyticRuleObject38').analyticRuleVersion38]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", - "displayName": "Microsoft Entra ID Role Management Permission Grant", + "description": "Identifies authentication methods being changed for a list of VIP users watchlist. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.", + "displayName": "NRT Authentication Methods Changed for VIP Users", "enabled": false, - "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n )\n| extend \n Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", + "query": 
"let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { @@ -6648,23 +5683,21 @@ } ], "tactics": [ - "Persistence", - "Impact" + "Persistence" ], "techniques": [ - "T1098", - "T1078" + "T1098" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6672,11 +5705,11 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AppDisplayName" + "columnName": "IP", + "identifier": "Address" } ], - "entityType": "Account" + "entityType": "IP" } ] } 
@@ -6684,13 +5717,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 14", - "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "description": "Microsoft Entra ID Analytics Rule 38", + "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6715,77 +5748,69 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "contentKind": "AnalyticsRule", - "displayName": "Microsoft Entra ID Role Management Permission Grant", - "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + "displayName": "NRT Authentication Methods Changed for VIP Users", + "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", + "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "contentVersion": 
"[variables('analyticRuleObject39').analyticRuleVersion39]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", - "displayName": "Azure Portal sign in from another Azure Tenant", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", "enabled": false, - "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: 
https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend 
UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, 
TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess" + "DefenseEvasion" ], "techniques": [ - "T1199" + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountName" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "AadUserId", - "columnName": "UserId" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -6793,29 +5818,25 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "InitiatingIpAddress", + "identifier": "Address" } ], "entityType": "IP" } - ], - "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", - "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 15", - "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "description": "Microsoft Entra ID Analytics Rule 39", + "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
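Review bot: The NRT rule whose entity mappings close in this hunk carries no `alertDetailsOverride` and no `customDetails`, so every incident it raises gets the same generic title and a triager has to open the query results to learn which application received the credential and of what type; the query already projects `InitiatingUserOrApp`, `targetDisplayName`, `keyType` and `keyIdentifier`, so something like `"alertDisplayNameFormat": "Credential added to {{targetDisplayName}} by {{InitiatingUserOrApp}}"` plus `customDetails` for `keyType`/`keyIdentifier` would cost nothing at query time. The sibling rule whose template starts in the next hunk (`@@ -6840`) has the same gap. If this mainTemplate.json is regenerated from the rule YAML, as the "template version 3.0.7" descriptions suggest, the addition belongs in the YAML source rather than here. The template object for this rule begins in the preceding hunk, outside what this hunk shows.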
@@ -6840,82 +5861,81 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "contentKind": "AnalyticsRule", - "displayName": "Azure Portal sign in from another Azure Tenant", - "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", + "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + 
"contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", - "displayName": "Brute Force Attack against GitHub Account", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT New access credential added to Application or Service Principal", "enabled": false, - "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h; \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = 
(tableName:string){\ntable(tableName) \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n table(tableName) \n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | where AppDisplayName =~ \"GitHub.com\"\n | where ResultType != 0\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName \n ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = 
tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", 
- "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess" + "DefenseEvasion" ], "techniques": [ - "T1110" + "T1550" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatingIpAddress", + "identifier": "Address" + } + ], + "entityType": "IP" } ] } @@ -6923,13 +5943,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 16", - "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "description": "Microsoft Entra ID Analytics Rule 40", + "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
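Review bot: In the rule 40 query (`NRT New access credential added to Application or Service Principal`) `set_difference(new_value_set, old_value_set)` yields an array, and the following `parse diff with * "KeyIdentifier=" …` is applied to that array as a whole rather than per element, so when one audit event adds more than one key only the first `keyIdentifier`/`keyType` appears to be extracted and the others are never surfaced; I cannot see the exact shape of `modifiedProperties.newValue` from here, so treat this as something to confirm against a real event. Rule 39's query handles the same structure with `| mv-expand new_value_set` before its `parse`, and inserting `| mv-expand diff` between `| where diff != "[]"` and the `parse` would make the two rules behave the same way. Separately, rule 39 tests `keyUsage == "Verify"` (case-sensitive) while rule 40 tests `keyUsage =~ "Verify"`; one form should be used in both. Both queries also keep only events whose initiator UPN or app display name contains `@`, which looks like it silently drops credential additions performed by a service principal whose display name has no `@`; if that is a deliberate noise-reduction choice it is worth a sentence in the rule description. The rule 40 template object begins in this hunk and its metadata entry continues into the next one (`@@ -6923`).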
@@ -6954,73 +5974,69 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "contentKind": "AnalyticsRule", - "displayName": "Brute Force Attack against GitHub Account", - "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + "displayName": "NRT New access credential added to Application or Service Principal", + "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", + "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "contentVersion": 
"[variables('analyticRuleObject41').analyticRuleVersion41]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", - "displayName": "Brute force attack against a Cloud PC", + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "NRT PIM Elevation Request Rejected", "enabled": false, - "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit') \n| mv-expand Diff to typeof(double), 
TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n SigninLogs\n | where AppDisplayName =~ \"Windows Sign In\"\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n | summarize StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IPAddress = make_set(IPAddress,100), \n OS = make_set(OS,20), \n Browser = make_set(Browser,20), \n City = make_set(City,100), \n ResultType = make_set(ResultType,100)\n by UserDisplayName, UserPrincipalName\n ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = 
tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "CredentialAccess" + "Persistence" ], "techniques": [ - "T1110" + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "InitiatingName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "InitiatingUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -7028,25 +6044,38 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddressFirst" + "columnName": "UserName", + "identifier": "Name" + }, + { + "columnName": "UserUPNSuffix", + "identifier": "UPNSuffix" } ], - "entityType": "IP" - } + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatingIpAddress", + "identifier": "Address" + } + ], + "entityType": "IP" + } ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 17", - "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "description": "Microsoft Entra ID Analytics Rule 41", + "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7071,48 +6100,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "contentKind": "AnalyticsRule", - "displayName": "Brute force attack against a Cloud PC", - "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + "displayName": "NRT PIM Elevation Request Rejected", + "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", 
"parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "Bulk Changes to Privileged Account Permissions", + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "NRT Privileged Role Assigned Outside PIM", "enabled": false, - "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\";\nAdminRecords\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (\n AdminRecords\n | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = 
iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { @@ -7132,12 +6157,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "TargetName" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
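Review bot: In the `NRT Privileged Role Assigned Outside PIM` query the exclusion `Identity != "MS-PIM"` is the only case-sensitive comparison on a line that otherwise uses `=~`; `Identity !~ "MS-PIM"` keeps the exclusion working if the casing of the PIM service identity ever differs and is consistent with the rest of the rule. The query also has no `Result` filter, unlike the two credential rules earlier in this file (`| where Result =~ "success"`), so failed assignment attempts alert as well; if that is intended the description should say so, otherwise add the same filter after the OperationName clause. The IP entity is built from `InitiatedBy.user.ipAddress` only, so an app-initiated assignment maps an empty IP; rule 40 covers both cases with `iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))` and the same expression would work here. The entity mappings for this rule continue in the next two hunks (`@@ -7132` and `@@ -7145`).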
@@ -7145,33 +6170,25 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "InitiatedByUserName" - }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatedByUserUPNSuffix" + "columnName": "IpAddress", + "identifier": "Address" } ], - "entityType": "Account" + "entityType": "IP" } - ], - "customDetails": { - "TargetUser": "Target", - "InitiatedByUser": "InitiatedByUser" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 18", - "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "description": "Microsoft Entra ID Analytics Rule 42", + "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7196,81 +6213,71 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "contentKind": "AnalyticsRule", - "displayName": "Bulk Changes to Privileged Account Permissions", - "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + "displayName": "NRT Privileged Role Assigned Outside PIM", + "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", "parameters": {}, 
"variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", - "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", "enabled": false, - "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = 
parse_json(ConditionalAccessPolicies) on (\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - 
"queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n 
isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n",
+ "severity": "Medium",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
 {
 "dataTypes": [
- "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
- },
- {
- "dataTypes": [
- "AADNonInteractiveUserSignInLogs"
+ "AuditLogs"
 ],
 "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "InitialAccess",
- "Persistence"
+ "Persistence",
+ "PrivilegeEscalation"
 ],
 "techniques": [
- "T1078",
- "T1098"
+ "T1098",
+ "T1078"
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -7278,11 +6285,15 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPAddresses"
+ "columnName": "TargetName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "TargetUPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
- "entityType": "IP"
+ "entityType": "Account"
 }
 ]
 }
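Review bot: The NRT User added to Microsoft Entra ID Privileged Groups query projects `UserIPAddress = InitiatedBy.user.ipAddress`, but the entity mappings only cover the two accounts, so the source address of the group change never reaches the incident; it is also left as a dynamic value rather than wrapped in `tostring()` as the other rules in this file do for IP columns. Change it to `UserIPAddress = tostring(InitiatedBy.user.ipAddress)` and add a third mapping `{ "columnName": "UserIPAddress", "identifier": "Address" }` with `"entityType": "IP"`. Separately, `PrivilegedGroups` is fixed to three `Role.WellKnownObjectName` values while the description promises "any of the Privileged Groups"; a comment such as `// Extend PrivilegedGroups with any other Role.WellKnownObjectName values treated as privileged in this tenant` would set expectations. As this template appears to be generated, both changes belong in the rule's YAML source.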
@@ -7290,13 +6301,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 19",
- "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "description": "Microsoft Entra ID Analytics Rule 43",
+ "parentId": "[variables('analyticRuleObject43').analyticRuleId43]",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -7321,44 +6332,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "contentKind": "AnalyticsRule", - "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", - "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", + "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", + "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "contentVersion": 
"[variables('analyticRuleObject44').analyticRuleVersion44]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", - "displayName": "Credential added after admin consented to Application", + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "PIM Elevation Request Rejected", "enabled": false, - "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetResourceType = tostring(TargetResource.type),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where 
Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend targetResourceName = tostring(TargetResource.displayName),\n targetResourceID = tostring(TargetResource.id),\n targetModifiedProp = TargetResource.modifiedProperties\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"Included Updated Properties\"\n | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n )\n| mv-apply Property = targetModifiedProp on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": 
"P1D",
- "queryPeriod": "P2D",
- "severity": "Medium",
+ "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "triggerOperator": "GreaterThan",
@@ -7373,18 +6384,34 @@
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "Persistence"
+ ],
+ "techniques": [
+ "T1078"
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "InitiatingName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "InitiatingUPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "UserName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UserUPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -7392,8 +6419,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "Consent_InitiatingIpAddress"
+ "columnName": "InitiatingIpAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
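Review bot: The PIM Elevation Request Rejected rule extracts `Role`, `Result` and `ResultDescription` but maps only the two accounts and the IP, so the incident does not say which role was denied or why; the rule definition replaced earlier in this file used `customDetails` for exactly this kind of field. Consider adding `"customDetails": { "Role": "Role", "Result": "Result", "ResultDescription": "ResultDescription" }` alongside `entityMappings` so triage does not have to re-run the query. The rule's `properties` object starts outside this hunk, and if this template is generated the change belongs in the rule's YAML source.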
@@ -7404,13 +6431,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 20",
- "parentId": "[variables('analyticRuleObject20').analyticRuleId20]",
- "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "description": "Microsoft Entra ID Analytics Rule 44",
+ "parentId": "[variables('analyticRuleObject44').analyticRuleId44]",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -7435,44 +6462,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "contentKind": "AnalyticsRule", - "displayName": "Credential added after admin consented to Application", - "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + "displayName": "PIM Elevation Request Rejected", + "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", + "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "contentVersion": 
"[variables('analyticRuleObject45').analyticRuleVersion45]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.", - "displayName": "Cross-tenant Access Settings Organization Added", + "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "displayName": "Privileged Accounts - Sign in Failure Spikes", "enabled": false, - "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ 
\"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", + "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > 
baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
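Review bot: In the Privileged Accounts - Sign in Failure Spikes query the privileged set is derived from `| where AssignedRoles contains 'Admin'`, a case-insensitive substring match on the role name, so sensitive roles whose display name lacks "Admin" (Global Reader, for example) are never baselined while any role that merely contains the word is. An explicit list, e.g. `let PrivilegedRoles = dynamic([...]);` applied with `| where AssignedRoles in~ (PrivilegedRoles)`, or at least a comment stating that the substring match is a starting point to be tuned, would make the coverage visible to whoever enables the rule. The new description also begins with a stray space (`" Identifies spike..."`). If this template is generated, both changes belong in the rule's YAML source.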
@@ -7481,31 +6508,33 @@
 "requiredDataConnectors": [
 {
 "dataTypes": [
- "AuditLogs"
+ "SigninLogs"
+ ],
+ "connectorId": "AzureActiveDirectory"
+ },
+ {
+ "dataTypes": [
+ "AADNonInteractiveUserSignInLogs"
 ],
 "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
- "InitialAccess",
- "Persistence",
- "Discovery"
+ "InitialAccess"
 ],
 "techniques": [
- "T1078",
- "T1136",
- "T1087"
+ "T1078"
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -7513,8 +6542,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "InitiatedByIPAdress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
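Review bot: `requiredDataConnectors` for the sign-in failure spike rule now lists only the AzureActiveDirectory sign-in tables, yet the query in the preceding hunk joins on `IdentityInfo`, which is populated by UEBA; a workspace without it deploys a rule that silently never fires. If the packaging schema accepts it, add an entry such as `{ "dataTypes": [ "IdentityInfo" ], "connectorId": "BehaviorAnalytics" }` (the connector id used for UEBA tables elsewhere in Sentinel content) so the dependency is declared, or at least state it in the rule description. The rule's query is not part of this hunk.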
@@ -7525,13 +6554,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 21",
- "parentId": "[variables('analyticRuleObject21').analyticRuleId21]",
- "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "description": "Microsoft Entra ID Analytics Rule 45",
+ "parentId": "[variables('analyticRuleObject45').analyticRuleId45]",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -7556,44 +6585,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Added", - "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + "displayName": "Privileged Accounts - Sign in Failure Spikes", + "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "contentVersion": 
"[variables('analyticRuleObject46').analyticRuleVersion46]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.", - "displayName": "Cross-tenant Access Settings Organization Deleted", + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "Privileged Role Assigned Outside PIM", "enabled": false, - "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", - "severity": "Medium", + "query": "AuditLogs\n| where Category =~ 
\"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -7608,25 +6637,21 @@ } ], "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" + "PrivilegeEscalation" ], "techniques": [ - "T1078", - "T1136", - "T1087" + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7634,8 +6659,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatedByIPAdress" + "columnName": "IpAddress", + "identifier": "Address" } ], "entityType": "IP" 
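Review bot: In the `query` string of the PrivlegedRoleAssignedOutsidePIM rule, the PIM exclusion uses the case-sensitive `Identity != "MS-PIM"` while every neighbouring comparison in the same `where` uses the case-insensitive `=~`, so a differently-cased service identity would slip past the exclusion and show up as a false positive; `Identity !~ "MS-PIM"` keeps the filter consistent. The Account entity is built only from the target's `UserPrincipalName`, so the actor who performed the assignment is not surfaced on the alert; `| extend IpAddress = tostring(InitiatedBy.user.ipAddress), InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])` would carry it for triage. Because this template is generated, both changes belong in the rule's source YAML rather than here. The rule's tactics and entity mappings sit in the `@@ -7608` and `@@ -7634` hunks that share this line.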
@@ -7646,13 +6671,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 22", - "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "description": "Microsoft Entra ID Analytics Rule 46", + "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7677,48 +6702,48 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Deleted", - "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + "displayName": "Privileged Role Assigned Outside PIM", + "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", + "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "contentVersion": 
"[variables('analyticRuleObject47').analyticRuleVersion47]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", + "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Rare application consent", "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. 
\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", + "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n 
tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | 
join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", - "triggerThreshold": 0, + "triggerThreshold": 3, "status": "Available", "requiredDataConnectors": [ { @@ -7729,25 +6754,23 @@ } ], "tactics": [ - "InitialAccess", "Persistence", - "Discovery" + "PrivilegeEscalation" ], "techniques": [ - "T1078", "T1136", - "T1087" + "T1068" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7755,8 +6778,17 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatedByIPAdress" + "columnName": "TargetResourceName", + "identifier": "Name" + } + ], + "entityType": "CloudApplication" + }, + { + "fieldMappings": [ + { + "columnName": "IpAddress", + "identifier": "Address" } ], "entityType": "IP" 
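Review bot: The RareApplicationConsent query's `case()` falls back to the literal `'Not Available'` for `IpAddress`, and the `@@ -7755` hunk on this line maps that column to the IP entity's `Address` identifier, so events with no recorded address produce an IP entity holding a non-address string. Returning an empty string in the last `case()` branch (`''` instead of `'Not Available'`) would leave the column blank; I believe Sentinel then creates no IP entity, which is worth confirming. Separately, `"triggerOperator": "GreaterThan"` with `"triggerThreshold": 3` means a day with one to three previously-unseen consents raises no alert at all, which seems at odds with a "rare" detection; if single events should alert, `"triggerThreshold": 0` as in the sibling rules in this diff is needed. Both fixes belong in the source YAML, since this template is generated.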
@@ -7767,13 +6799,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 23", - "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "description": "Microsoft Entra ID Analytics Rule 47", + "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7798,43 +6830,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", - "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" + "displayName": "Rare application consent", + "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", + "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "contentVersion": 
"[variables('analyticRuleObject48').analyticRuleVersion48]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", + "description": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. 
\nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectInbound\"\n | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", + "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = 
tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -7844,31 +6876,27 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "AADNonInteractiveUserSignInLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" + "CredentialAccess" ], "techniques": [ - "T1078", - "T1136", - "T1087" + "T1110" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7876,8 +6904,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatedByIPAdress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
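Review bot: The SeamlessSSOPasswordSpray query collects up to 100 `UserPrincipalName` values per IP with `make_set` but derives `Name`/`UPNSuffix` from `UserPrincipalName[0]` only, so the Account entity on the alert is a single, effectively arbitrary member of the sprayed set and the remaining accounts are visible only in the raw result. If one entity per targeted account is wanted, `| mv-expand UserPrincipalName` followed by `| extend UserPrincipalName = tostring(UserPrincipalName)` before the final `extend` would do it, at the cost of one row per account. The `@@ -7844` hunk on this line lists only `AADNonInteractiveUserSignInLogs` under `requiredDataConnectors`, although the query also reads `SigninLogs` through `union isfuzzy=true`; the sibling rules in this diff list both data types, so this looks like an inconsistency to fix in the source YAML rather than in the generated template.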
@@ -7888,13 +6916,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 24", - "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "description": "Microsoft Entra ID Analytics Rule 48", + "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7919,43 +6947,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", - "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", + "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", + "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleObject25').analyticRuleVersion25]", + "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", + "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ", + "displayName": "GitHub Signin Burst from Multiple Locations", "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. 
When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bCollaborationOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", + "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
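Review bot: The new `description` for the GitHub sign-in burst rule still reads "GitHub (AAD SSO)" although the commit rebrands Azure Active Directory to Microsoft Entra ID elsewhere, and the same sentence contains the typo "thie detection". It also links to `Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml`; if the solution folder is renamed as part of this repackaging, that URL will stop resolving and should point at the new location or a commit-pinned permalink. As this template is generated, the wording fix belongs in the source YAML (Sign-in Burst from Multiple Locations), e.g. `GitHub (Microsoft Entra ID SSO)` and `this detection`. The rule's connectors, tactics and entity mappings continue in the next hunk.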
@@ -7965,43 +6993,36 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" + "CredentialAccess" ], "techniques": [ - "T1078", - "T1136", - "T1087" + "T1110" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatedByIPAdress" - } - ], - "entityType": "IP" } ] } @@ -8009,13 +7030,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 25", - "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "description": "Microsoft Entra ID Analytics Rule 49", + "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
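Review bot: The `tactics`/`techniques` for the GitHub sign-in burst rule in the `@@ -7965` hunk are `CredentialAccess` / `T1110`, but the rule's query in the preceding hunk keeps only successful sign-ins (`ResultType == 0`) seen from more than one location, which describes use of a valid account rather than a brute-force attempt. `"tactics": ["InitialAccess"]` with `"techniques": ["T1078"]`, as the sign-in failure spike rule earlier in this diff uses, looks like the closer mapping, though the original YAML author may have intended to flag the burst as the tail of a credential attack; if so, a sentence in the description saying so would help analysts. Dropping the IP entity mapping here is consistent with the query, which projects no address column.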
@@ -8040,43 +7061,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", - "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + "displayName": "GitHub Signin Burst from Multiple Locations", + "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", + "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", + 
"contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".", - "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", "enabled": false, - "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. 
When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"b2bDirectConnectOutbound\"\n | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P2D", - "queryPeriod": "P2D", + "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. 
The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n 
DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -8086,40 +7107,37 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" ], "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ "InitialAccess", - "Persistence", - "Discovery" + "Persistence" ], "techniques": [ "T1078", - "T1136", - "T1087" + "T1098" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatedByIPAdress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
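Review bot: The comment and the threshold in the new rule-50 query disagree: the query says `// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe` but the filter right after it is `| where successfulAccountsTargettedCount < 50`, so either the cutoff or the comment should change (e.g. `| where successfulAccountsTargettedCount < 100`, or reword the comment to say 50). The following `| where isnotempty(successfulAccountsTargettedCount)` is a no-op, since dcount() always yields a number. The BehaviorAnalytics join still filters on `EventSource =~ \"Azure AD\"` while this commit rebrands everything to Microsoft Entra ID; it is worth confirming the value UEBA actually emits, because a mismatch silently drops the enrichment (leftouter join) rather than failing. If this template is generated from the rule YAML, as it appears to be, the fix belongs in the source rule as well.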
@@ -8130,13 +7148,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 26", - "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "description": "Microsoft Entra ID Analytics Rule 50", + "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8161,43 +7179,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "contentKind": "AnalyticsRule", - "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", - "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", + "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "contentVersion": 
"[variables('analyticRuleObject51').analyticRuleVersion51]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", - "displayName": "Attempts to sign in to disabled accounts", + "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Brute force attack against Azure Portal", "enabled": false, - "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. 
The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on ResultType\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize 
data\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based on deviation and failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion 
isfuzzy=true aadSignin, aadNonInt\n// Additional transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -8219,21 +7237,25 @@ } ], "tactics": [ - "InitialAccess" + "CredentialAccess" ], "techniques": [ - "T1078" + "T1110" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UserId", + "identifier": "AadUserId" } ], "entityType": "Account" @@ -8241,8 +7263,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
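Review bot: In the new rule-51 query, `avgFailures = avg(todouble(FailureOrSuccess == \"Failure\"))` is a failure fraction in [0, 1], not an average failure count, so `Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures` divides a count by a ratio; if I read the KQL right, with `FailureCountBeforeSuccess >= 10` the `Deviation > threshold` filter only excludes users whose 7-day failure rate is above roughly 0.4, which is not what "25 deviations" in the description suggests. Either compute the baseline as an average failure count per user and window so the two sides are comparable, or document the ratio semantics in the description. Separately, `let timeRange = 24h;` is declared but the first filter is a literal `| where TimeGenerated > ago(1d)`; `| where TimeGenerated > ago(timeRange)` would keep the comment "Filter data within the last 24 hours" and the constant in step. The enclosing contentTemplates resource continues past the end of this hunk.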
@@ -8253,13 +7275,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 27", - "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "description": "Microsoft Entra ID Analytics Rule 51", + "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8284,43 +7306,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "contentKind": "AnalyticsRule", - "displayName": "Attempts to sign in to disabled accounts", - "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" + "displayName": "Brute force attack against Azure Portal", + "contentProductId": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", + "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", "parameters": {}, "variables": 
{}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", - "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", + "description": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Password spray attack against Microsoft Entra ID application", "enabled": false, - "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= 
l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend 
FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -8351,21 +7373,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
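Review bot: Result code 50055 appears in both `let failureCodes = dynamic([50053, 50126, 50055]);` and `let successCodes = dynamic([0, 50055, 50057, ...]);` in the new rule-52 query, so the final join's `GlobalSuccessPrincipalCount` and `GlobalFailPrincipalCount` count an expired-password sign-in on both sides, and the `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` false-positive filter is skewed for IPs with many such users. Either drop 50055 from `successCodes` or add a comment stating why it is deliberately on both lists. Also, `isGUID` only matches lowercase hex (`[0-9a-z]`) and KQL `matches regex` is case-sensitive, so if `Identity` can carry uppercase GUIDs the unresolved-identity lookup silently misses them; `(?i)` at the start of the pattern, or `[0-9a-fA-F]`, would be safer. If this template is generated from the rule YAML, these fixes belong in the source rule.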
@@ -8376,13 +7385,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 28", - "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "description": "Microsoft Entra ID Analytics Rule 52", + "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8407,41 +7416,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "contentKind": "AnalyticsRule", - "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", - "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + "displayName": "Password spray attack against Microsoft Entra ID application", + "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", + "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "contentVersion": 
"[variables('analyticRuleObject53').analyticRuleVersion53]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.", - "displayName": "Explicit MFA Deny", + "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.", + "displayName": "Successful logon from IP and failure from a different IP", "enabled": false, - "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, 
\":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. 
If so, comment all that is below.\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", "queryFrequency": "P1D", "queryPeriod": "P1D", "severity": "Medium", 
@@ -8462,24 +7471,38 @@ "AADNonInteractiveUserSignInLogs" ], "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" } ], "tactics": [ - "CredentialAccess" + "CredentialAccess", + "InitialAccess" ], "techniques": [ - "T1110" + "T1110", + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -8487,8 +7510,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "SuccessIPAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -8496,11 +7519,11 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "ClientAppUsed" + "columnName": "FailedIPAddress", + "identifier": "Address" } ], - "entityType": "URL" + "entityType": "IP" } ] } 
@@ -8508,13 +7531,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 29", - "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "description": "Microsoft Entra ID Analytics Rule 53", + "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8539,43 +7562,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "contentKind": "AnalyticsRule", - "displayName": "Explicit MFA Deny", - "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + "displayName": "Successful logon from IP and failure from a different IP", + "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", + "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", "parameters": {}, 
"variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access", - "displayName": "full_access_as_app Granted To Application", + "description": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", + "displayName": "Suspicious AAD Joined Device Update", "enabled": false, - "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n | extend AdminConsent = 
tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"ConsentAction.Permissions\"\n | extend Permissions = tostring(Property.newValue)\n )\n| mv-apply Property = ModifiedProperties on \n (\n where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n | extend AppId = tostring(Property.newValue)\n )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = 
Prop.oldValue \n | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
@@ -8591,56 +7614,65 @@ } ], "tactics": [ - "DefenseEvasion" + "CredentialAccess" ], "techniques": [ - "T1550" + "T1528" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, + "columnName": "NewDeviceName", + "identifier": "HostName" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "OldDeviceName", + "identifier": "HostName" } ], - "entityType": "Account" + "entityType": "Host" }, { "fieldMappings": [ { - "identifier": "Address", - "columnName": "GrantIpAddress" + "columnName": "DeviceId", + "identifier": "AzureID" } ], - "entityType": "IP" + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByUser", + "identifier": "AadUserId" + } + ], + "entityType": "Account" } ], - "customDetails": { - "OAuthApplication": "OAuthAppName", - "OAuthAppId": "AppId", - "UserAgent": "GrantUserAgent" - }, "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. 
The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", - "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", + "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 30", - "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "description": "Microsoft Entra ID Analytics Rule 54", + "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", + "contentId": 
"[variables('analyticRuleObject54')._analyticRulecontentId54]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8665,43 +7697,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", "contentKind": "AnalyticsRule", - "displayName": "full_access_as_app Granted To Application", - "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" + "displayName": "Suspicious AAD Joined Device Update", + "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", + "name": "[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", "parameters": {}, 
"variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", - "displayName": "Failed login attempts to Azure Portal", + "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Suspicious application consent for offline access", "enabled": false, - "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, 
lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City) \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = 
tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tolower(tostring(TargetResource.id))\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n (\n where Properties.displayName =~ \"ConsentAction.Permissions\"\n | extend ConsentFull = tostring(Properties.newValue)\n | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend 
GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppClientId = tolower(TargetResource.id)\n )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n (\n where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n | extend AppReplyURLs = ModifiedProperties.newValue\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, 
GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", "queryFrequency": "P1D", - "queryPeriod": "P7D", + "queryPeriod": "P14D", "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -8711,13 +7743,7 @@ "requiredDataConnectors": [ { "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ], "connectorId": "AzureActiveDirectory" } @@ -8726,18 +7752,18 @@ "CredentialAccess" ], "techniques": [ - "T1110" + "T1528" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -8745,8 +7771,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "GrantIpAddress", + "identifier": "Address" } ], "entityType": "IP" 
@@ -8757,13 +7783,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 31",
- "parentId": "[variables('analyticRuleObject31').analyticRuleId31]",
- "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "description": "Microsoft Entra ID Analytics Rule 55",
+ "parentId": "[variables('analyticRuleObject55').analyticRuleId55]",
+ "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject31').analyticRuleVersion31]",
+ "version": "[variables('analyticRuleObject55').analyticRuleVersion55]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -8788,44 +7814,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", "contentKind": "AnalyticsRule", - "displayName": "Failed login attempts to Azure Portal", - "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" + "displayName": "Suspicious application consent for offline access", + "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", + "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "contentVersion": 
"[variables('analyticRuleObject56').analyticRuleVersion56]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "First access credential added to Application or Service Principal where no credential was present", + "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)", + "displayName": "Suspicious Service Principal creation activity", "enabled": false, - "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n 
targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\" \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, 
AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n", "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", + "queryPeriod": "PT70M", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -8834,27 +7860,36 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "AuditLogs", + "AADServicePrincipalSignInLogs" ], "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "DefenseEvasion" + "CredentialAccess", + "PrivilegeEscalation", + "InitialAccess" ], "techniques": [ - "T1550" + "T1078", + "T1528" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, + "columnName": "userPrincipalName_creator", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "userPrincipalName_deleter", + "identifier": "FullName" } ], "entityType": "Account" @@ -8862,8 +7897,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "InitiatingIpAddress" + "columnName": "ipAddress_creator", + "identifier": "Address" } ], "entityType": "IP" @@ -8871,11 +7906,11 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "targetDisplayName" + "columnName": "ipAddress_deleter", + "identifier": "Address" } ], - "entityType": "CloudApplication" + "entityType": "IP" } ] } 
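Review bot: In the new "Suspicious Service Principal creation activity" query, the `roles_assigned` branch carries no `| where Result == "success"` filter, while `account_created`, `account_deleted` and `account_credentials` all do, so a failed role-assignment attempt is enough to satisfy that inner join; adding `| where Result == "success"` after the ActivityDisplayName filter makes the branches consistent. Three of the branches also derive `AppID` from `tostring(AdditionalDetails[1].value)` by array position, where an mv-apply over AdditionalDetails that selects the entry by its `key` (the pattern used elsewhere in this template; presumably the key is `AppId`, to be confirmed against the AuditLogs schema) would not depend on the ordering of that array. Since this is the packaged template, the fix belongs in the source analytic-rule YAML (SuspiciousServicePrincipalcreationactivity) followed by a repackage.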
@@ -8883,13 +7918,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 32",
- "parentId": "[variables('analyticRuleObject32').analyticRuleId32]",
- "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "description": "Microsoft Entra ID Analytics Rule 56",
+ "parentId": "[variables('analyticRuleObject56').analyticRuleId56]",
+ "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject32').analyticRuleVersion32]",
+ "version": "[variables('analyticRuleObject56').analyticRuleVersion56]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -8914,44 +7949,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", "contentKind": "AnalyticsRule", - "displayName": "First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + "displayName": "Suspicious Service Principal creation activity", + "contentProductId": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", + "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleObject33').analyticRuleVersion33]", + "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.", + "displayName": "Suspicious Sign In Followed by MFA Modification", "enabled": false, - "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n 
(\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", + "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = 
tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, \"@\")[1])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -8963,24 +7998,36 @@ "AuditLogs" ], "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ "InitialAccess", - "Persistence", - "Discovery" + "DefenseEvasion" ], "techniques": [ "T1078", - "T1136", - "T1087" + "T1556" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "InvitedUser" + "columnName": "InitiatorID", + "identifier": "AadUserId" + }, + { + "columnName": "InitiatorName", + "identifier": "Name" + }, + { + "columnName": "InitiatorSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -8988,12 +8035,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "TargetId", + "identifier": "AadUserId" + }, + { + "columnName": "TargetName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "TargetSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
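Review bot: The new "Suspicious Sign In Followed by MFA Modification" rule sets both `queryFrequency` and `queryPeriod` to `P1D` while correlating MFA changes up to `LogOnTime+1h`, so a sign-in near the end of one run's window whose MFA change lands in the next window is visible to neither run. The neighbouring rule in this diff handles the same problem by making the period equal to frequency plus the correlation window (PT70M for 1h + 10m); a period that exceeds the frequency by at least an hour (for example `"queryPeriod": "P2D"`) would do the same here. The description string `"This query looks uses Microsoft Sentinel's UEBA features..."` reads as a typo for "uses", and the same text is repeated in the `alertDescriptionFormat` of the following hunk. Both changes belong in the source YAML (SuspiciousSignInFollowedByMFAModification) rather than in this packaged template.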
@@ -9001,25 +8052,41 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "InitiatedByIPAdress"
+ "columnName": "FromIP",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "SourceIPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
 }
- ]
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n",
+ "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}"
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 33",
- "parentId": "[variables('analyticRuleObject33').analyticRuleId33]",
- "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "description": "Microsoft Entra ID Analytics Rule 57",
+ "parentId": "[variables('analyticRuleObject57').analyticRuleId57]",
+ "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject33').analyticRuleVersion33]",
+ "version": "[variables('analyticRuleObject57').analyticRuleVersion57]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -9044,42 +8111,42 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", "contentKind": "AnalyticsRule", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", - "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" + "displayName": "Suspicious Sign In Followed by MFA Modification", + "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", + "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "contentVersion": 
"[variables('analyticRuleObject58').analyticRuleVersion58]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.", - "displayName": "Mail.Read Permissions Granted to Application", + "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", "enabled": false, - "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\") \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties,\n Type = tostring(TargetResource.type),\n PermissionsAddedTo = 
tostring(TargetResource.displayName)\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress) \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppName = tostring(TargetResource.displayName),\n AppId = tostring(TargetResource.id)\n )\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n", - "queryFrequency": "P1D", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n 
where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, 
AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "queryFrequency": "PT1H", "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", @@ -9093,24 +8160,47 @@ "AuditLogs" ], "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ - "Persistence" + "InitialAccess", + "Persistence", + "Discovery" ], "techniques": [ - "T1098" + "T1078", + "T1136", + "T1087" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "InvitedUserName", + "identifier": "Name" + }, + { + "columnName": "InvitedUserUPNSuffix", + "identifier": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "InitiatedByName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "InitiatedByUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -9118,8 +8208,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "UserIPAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" 
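Review bot: In the new "External guest invitation followed by Microsoft Entra ID PowerShell signin" query the correlation is a bare `| join (` with no `kind=`, which in KQL defaults to `innerunique` and keeps only one left-side row per `parsedUser`, so a guest that appears in several invitation events within the lookback surfaces once; if every invitation should be reported, write `| join kind=inner (`, otherwise state the deduplication explicitly so it is not read as an oversight. The sign-in side unions `SigninLogs` with `AADNonInteractiveUserSignInLogs`, but the `requiredDataConnectors` added in the following hunk list only `SigninLogs`; adding `"AADNonInteractiveUserSignInLogs"` to that dataTypes array would reflect what the query reads (`isfuzzy=true` lets it run without the table, so this is a metadata accuracy point). The description also contains `guests\nusers` and an unbalanced quote before the Ref URL. All of this should be changed in the source YAML (UnusualGuestActivity) and repackaged rather than edited in this generated template.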
@@ -9130,13 +8220,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 34",
- "parentId": "[variables('analyticRuleObject34').analyticRuleId34]",
- "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "description": "Microsoft Entra ID Analytics Rule 58",
+ "parentId": "[variables('analyticRuleObject58').analyticRuleId58]",
+ "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject34').analyticRuleVersion34]",
+ "version": "[variables('analyticRuleObject58').analyticRuleVersion58]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -9161,44 +8251,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", "contentKind": "AnalyticsRule", - "displayName": "Mail.Read Permissions Granted to Application", - "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", + "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", + "name": "[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "contentVersion": 
"[variables('analyticRuleObject59').analyticRuleVersion59]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "name": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "User Accounts - Sign in Failure due to CA Spikes", "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with 
(format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | 
distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = 
\nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == 
\"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", "queryFrequency": "P1D", "queryPeriod": "P14D", - "severity": "High", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
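Review bot: The `| where UEBARiskScore > riskScoreCutoff` filter at the end of the new query turns both `kind=leftouter` joins into effective inner joins: a user with no IdentityInfo row or an IP with no BehaviorAnalytics row leaves `BlastRadiusInt` or `IPInvestigationPriority` null, the sum null, and the comparison false, so the row is dropped. As written the rule cannot fire for any account or source IP outside UEBA coverage, which contradicts the description's statement that UEBA data was added "for contextual information"; the following requiredDataConnectors hunk (`@@ -9207`) encodes the same hard dependency by listing IdentityInfo and BehaviorAnalytics as required. If UEBA is meant to enrich rather than gate, change the score line to `| extend UEBARiskScore = coalesce(BlastRadiusInt, 0) + coalesce(IPInvestigationPriority, 0)` (the `anomalies > 0 and baseline > baselinethreshold` filter already bounds volume); if gating is intended, the description should say so. Separately, `UserAccountControl = make_set(UserType, 1000)` in the IdentityInfo summarize looks like a copy-paste slip — `UserAccountControl` is not in the preceding `project`, so the column just duplicates `UserType`. The description also begins with a stray space and reads `policied` for `policies`.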
@@ -9207,29 +8297,45 @@ "requiredDataConnectors": [ { "dataTypes": [ - "AuditLogs" + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" ], "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "BehaviorAnalytics" + ], + "connectorId": "BehaviorAnalytics" + }, + { + "dataTypes": [ + "IdentityInfo" + ], + "connectorId": "IdentityInfo" } ], "tactics": [ - "CredentialAccess", - "DefenseEvasion" + "InitialAccess" ], "techniques": [ - "T1528", - "T1550" + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -9237,20 +8343,11 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "GrantIpAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AppDisplayName" - } - ], - "entityType": "CloudApplication" } ] } 
@@ -9258,13 +8355,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 35", - "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "description": "Microsoft Entra ID Analytics Rule 59", + "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -9289,44 +8386,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", + "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "contentVersion": 
"[variables('analyticRuleObject60').analyticRuleVersion60]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "User added to Microsoft Entra ID Privileged Groups", "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire 
- please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique 
(AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = 
case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
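Review bot: In the new query's `extend`, `AppId`, `UserId`, `UserIPAddress` and `UserRoles` are left as dynamic values while the neighbouring `ServicePrincipalId`, `ServicePrincipalName` and `UserPrincipalName` are wrapped in `tostring()`; since `UserIPAddress` is the obvious column for an IP entity, casting it too — `UserIPAddress = tostring(InitiatedBy.user.ipAddress),` — keeps the projected columns consistently typed. Also note that when the change is initiated by an application (the MS-PIM case the inline comments discuss), `AccountCustomEntity` falls through to `ServicePrincipalName`, which has no `@`, so `AccountUPNSuffix` is empty and the Account entity is identified by display name alone; a one-line comment such as `// app-initiated changes: entity carries the SP display name only, UPNSuffix is empty` would save the next reader from chasing that. The commented-out `//| where LoggedByService =~ "Core Directory"` line appears to be a leftover and could be dropped or explained.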
@@ -9341,23 +8438,23 @@ } ], "tactics": [ - "CredentialAccess", - "DefenseEvasion" + "Persistence", + "PrivilegeEscalation" ], "techniques": [ - "T1528", - "T1550" + "T1098", + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -9365,20 +8462,15 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ + "columnName": "TargetName", + "identifier": "Name" + }, { - "identifier": "Name", - "columnName": "AppDisplayName" + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" } ], - "entityType": "CloudApplication" + "entityType": "Account" } ] } 
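Review bot: The `@@ -9365` hunk drops the IP entity mapping (`GrantIpAddress`) instead of repointing it, yet the new query in the preceding hunk projects `UserIPAddress` (the initiator's `InitiatedBy.user.ipAddress`), so the source address of a privileged-group change is no longer surfaced as an entity for investigation or playbook automation. Keep the IP entity and point it at the new column: `{ "fieldMappings": [ { "columnName": "UserIPAddress", "identifier": "Address" } ], "entityType": "IP" }`. The second Account entity added here (`TargetName`/`TargetUPNSuffix`) does match the `TargetName`/`TargetUPNSuffix` extends in the query.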
@@ -9386,13 +8478,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 36", - "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "description": "Microsoft Entra ID Analytics Rule 60", + "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -9417,43 +8509,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + "displayName": "User added to Microsoft Entra ID Privileged Groups", + "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", + "name": "[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "contentVersion": 
"[variables('analyticRuleObject61').analyticRuleVersion61]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "description": "Identifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "User Assigned New Privileged Role", "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| 
where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\", \"CreateRequestGrantedRole\", \"CreateRequestPermanentEligibleRole\", \"CreateRequestPermanentGrantedRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResourceSubject = TargetResources on \n (\n where TargetResourceSubject.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResourceSubject.type =~ \"ServicePrincipal\", tostring(TargetResourceSubject.displayName), tostring(TargetResourceSubject.userPrincipalName)),\n subjectProps = TargetResourceSubject.modifiedProperties\n )\n| mv-apply TargetResourceRole = TargetResources on \n (\n // mimic modifiedProperties so we can use the same logic to get the role name regardless of where it comes from\n where TargetResourceRole.type in~ (\"Role\")\n | extend roleProps = pack_array(bag_pack(\"displayName\",\"Role.DisplayName\", \"newValue\", TargetResourceRole.displayName))\n )\n| mv-apply Property = iff(array_length(subjectProps) > 0, subjectProps, roleProps) on \n ( \n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = 
tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Comment below to alert for PIM activations\n| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -9469,23 +8561,21 @@ } ], "tactics": [ - "CredentialAccess", - "DefenseEvasion" + "Persistence" ], "techniques": [ - "T1528", - "T1550" + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "TargetName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -9493,20 +8583,15 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ + "columnName": "InitiatorName", + "identifier": "Name" + }, { - "identifier": "Name", - "columnName": "AppDisplayName" + "columnName": "InitiatorUPNSuffix", + "identifier": "UPNSuffix" } ], - "entityType": "CloudApplication" + "entityType": "Account" } ] } 
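Review bot: The new rule 61 query ("User Assigned New Privileged Role") selects privileged roles only by `| where RoleName contains \"Admin\"`, so assignments to privileged directory roles whose display name lacks that word (Global Reader and Directory Writers, for instance) never reach the alert; a maintained list of privileged role names compared with `in~` would make the coverage explicit and reviewable. Unlike the sibling rule 62 query in the next hunk, which adds `and Result == \"success\"`, this query only summarizes on `Result` without filtering it, so failed assignment attempts raise the same High-severity alert as successful ones — if that is deliberate, the description should say so, otherwise add the same `Result` filter. The `Initiator != \"MS-PIM\"` exclusion is consistent with the description's "Does not alert on PIM activations", but it is documented only by an in-query comment. The properties object for this rule opens at the top of the hunk and its tactics and entity mappings continue in the following hunks.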
@@ -9514,13 +8599,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 37", - "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "description": "Microsoft Entra ID Analytics Rule 61", + "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -9545,42 +8630,42 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + "displayName": "User Assigned New Privileged Role", + "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", + "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "contentVersion": 
"[variables('analyticRuleObject62').analyticRuleVersion62]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", + "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", + "displayName": "New User Assigned to Privileged Role", "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 
'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = 
OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", + "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query for audit events in the current day\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, 
OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", + "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "High", "suppressionDuration": "PT1H", @@ -9597,23 +8682,21 @@ } ], "tactics": [ - "CredentialAccess", - "DefenseEvasion" + "Persistence" ], "techniques": [ - "T1528", - "T1550" + "T1078" ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "TargetName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "TargetUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -9621,20 +8704,15 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ + "columnName": "InitiatorName", + "identifier": "Name" + }, { - "identifier": "Name", - "columnName": "AppDisplayName" + "columnName": "InitiatorUPNSuffix", + "identifier": "UPNSuffix" } ], - "entityType": "CloudApplication" + "entityType": "Account" } ] } 
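Review bot: The rule 62 query fixes its detection window with `let starttime = now()-1d;` and `let endtime = now();` while the rule is scheduled with `"queryFrequency": "PT1H"` and `suppressionEnabled` false, so an assignment first seen at hour T is returned by every hourly run until it ages into the 14-day historical side of the `leftanti` join about 24 hours later, which repeats the same High-severity alert for a single event unless incident grouping happens to deduplicate it. Either align the window with the schedule, `let starttime = now()-1h;`, or set `"queryFrequency": "P1D"` to match the one-day window the query already assumes. The comment `// Define the start and end times based on input values` is misleading because both values are hard-coded, and the helper named `awsFunc` reads as an AWS artefact inside an Entra ID AuditLogs query; a name such as `privilegedRoleAssignments` would describe what it returns. Only the query and schedule of this rule are in the hunk; its tactics and entity mappings follow in the next hunks.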
@@ -9642,13 +8720,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 38", - "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "description": "Microsoft Entra ID Analytics Rule 62", + "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -9673,1164 +8751,397 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]",
 "contentKind": "AnalyticsRule",
- "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
- "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
+ "displayName": "New User Assigned to Privileged Role",
+ "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]",
+ "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]",
+ "version": "[variables('analyticRuleObject62').analyticRuleVersion62]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]",
+ "name": "[variables('playbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "Block-AADUser-Alert Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
- "parameters": {},
- "variables": {},
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+
"PlaybookName": {
+ "defaultValue": "Block-AADUser-Alert",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+ "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
 "resources": [
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureADConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
 "properties": {
- "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit 
(https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT 
fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = 
innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1528", - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AppDisplayName" - } - ], - "entityType": "CloudApplication" - } - ] + "displayName": 
"[[variables('AzureADConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 39",
- "parentId": "[variables('analyticRuleObject39').analyticRuleId39]",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject39').analyticRuleVersion39]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Entra ID",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
 }
 }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
- "contentKind": "AnalyticsRule",
- "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
- "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
- "id": 
"[variables('analyticRuleObject39')._analyticRulecontentProductId39]", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where 
ConsentFull has_any (o365_attack) \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n | where TimeGenerated > ago(joinLookback)\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"ApplicationManagement\"\n | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and 
isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n | extend GrantOperation = OperationName\n | project GrantAuthentication, GrantOperation, CorrelationId\n ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1528", - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AppDisplayName" - } - ], - "entityType": "CloudApplication" - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 40",
- "parentId": "[variables('analyticRuleObject40').analyticRuleId40]",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Entra ID",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
+ "displayName": "[[variables('Office365ConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
 }
 }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
- "contentKind": "AnalyticsRule",
- "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
- "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": 
"MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent similar to PwnAuth", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tostring(TargetResource.id),\n props = TargetResource.modifiedProperties\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n (\n where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where 
AdditionalDetail.key =~ \"User-Agent\"\n | extend GrantUserAgent = AdditionalDetail.value\n )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend props = TargetResource.modifiedProperties,\n AppClientId = tostring(TargetResource.id)\n )\n | mv-apply Property = props on \n (\n where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = 
tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1528", - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - } - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 41", - "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
- "contentKind": "AnalyticsRule",
- "displayName": "Suspicious application consent similar to PwnAuth",
- "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.7",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "hidden-SentinelTemplateName": "Block-AADUser_alert",
+ "hidden-SentinelTemplateVersion": "1.1",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": 
[ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], "properties": { - "description": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "MFA Rejected by User", - "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n 
UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "IdentityInfo" - ], - "connectorId": "IdentityInfo" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - }, - { - "identifier": "AadUserId", - "columnName": "UserId" + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + 
"connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/subscribe" } - ], - "entityType": "Account" + } }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + "actions": { + "Alert_-_Get_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 42", - "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "contentKind": "AnalyticsRule", - "displayName": "MFA Rejected by User", - "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", - "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", - "displayName": "Multiple admin membership removals from newly created admin.", - "enabled": false, - "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ 
\"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1531" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", - "properties": { - 
"description": "Microsoft Entra ID Analytics Rule 43", - "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "contentKind": "AnalyticsRule", - "displayName": "Multiple admin membership removals from newly created admin.", - "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", - "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "New access credential added to Application or Service Principal", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n 
targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - 
"triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 44", - "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "contentKind": "AnalyticsRule", - "displayName": "New access credential added to Application or Service Principal", - "contentProductId": 
"[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT Modified domain federation trust settings", - "enabled": false, - "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| 
project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + }, + "Entities_-_Get_Accounts": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 45", - "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - 
"author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Modified domain federation trust settings", - "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - 
"properties": { - "description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.", - "displayName": "NRT Authentication Methods Changed for VIP Users", - "enabled": false, - "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1098" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + 
"Add_comment_to_incident_-_with_manager_-_no_admin": { + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Add_comment_to_incident_-_with_manager_-_no_admin": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Update_user_-_disable_user": { + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IP" - } - ], - "entityType": "IP" + "type": "Foreach" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 46", - "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - 
"packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Authentication Methods Changed for VIP Users", - "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with 
sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 47", - "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "contentKind": "AnalyticsRule", - "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" - ], - "properties": { - "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT New access credential added to Application or Service Principal", - "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply 
TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = 
tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ], - "entityType": "IP" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Microsoft 
Entra ID Analytics Rule 48", - "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -10848,228 +9159,415 @@ } } } - ] + ], + "metadata": { + "title": "Block Microsoft Entra ID user - Alert", + "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "contentKind": "AnalyticsRule", - "displayName": "NRT New access credential added to Application or Service Principal", - "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-Alert", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", + "name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Block-AADUser-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Block-AADUser-Incident", + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "NRT PIM Elevation Request Rejected", - "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = 
tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "InitiatingName" + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', 
variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + "Add_comment_to_incident_-_with_manager_-_no_admin": { + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Add_comment_to_incident_-_with_manager_-_no_admin": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Update_user_-_disable_user": { + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatingUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "UserName" + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] }, - { - "identifier": "UPNSuffix", - "columnName": "UserUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" - } - ], - "entityType": "IP" + "type": "Foreach" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 49", - "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - 
"email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "contentKind": "AnalyticsRule", - "displayName": "NRT PIM Elevation Request Rejected", - "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a privileged role 
being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "NRT Privileged Role Assigned Outside PIM", - "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpAddress" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": 
"[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ], - "entityType": "IP" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 50", - "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -11087,478 +9585,426 @@ } } } - ] + ], + "metadata": { + "title": "Block AAD user - Incident", + "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", - "contentKind": "AnalyticsRule", - "displayName": "NRT Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-Incident", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": 
"2023-04-01-preview", - "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", + "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Prompt-User-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Prompt-User-Alert", + "type": "string" + }, + "TeamsId": { + "metadata": { + "description": "Enter the Teams Group ID" + }, + "type": "string" + }, + "TeamsChannelId": { + "metadata": { + "description": "Enter the Teams Channel ID" + }, + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + 
"_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", - "apiVersion": "2022-04-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", - "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| 
where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "severity": "Medium", - 
"suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Persistence", - "PrivilegeEscalation" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountName" - }, - { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "TargetName" - }, - { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" - } - ], - "entityType": "Account" - } - ] + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Microsoft Entra ID Analytics Rule 51", - "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + 
"displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", - "contentKind": "AnalyticsRule", - "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", - "parameters": {}, - "variables": {}, - "resources": [ + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, { - 
"type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "PIM Elevation Request Rejected", - "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - 
"dataTypes": [
- "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
- }
- ],
- "tactics": [
- "Persistence"
- ],
- "techniques": [
- "T1078"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "InitiatingName"
+ "displayName": "[[variables('TeamsConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "hidden-SentinelTemplateName": "Prompt-User_alert",
+ "hidden-SentinelTemplateVersion": "1.1",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "actions": {
+ "Alert_-_Get_incident": {
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
 },
- {
- "identifier": "UPNSuffix",
- "columnName": "InitiatingUPNSuffix"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [ 
- { - "identifier": "Name", - "columnName": "UserName" + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Update_incident": { + "inputs": { + "body": { + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", + "ClassificationReasonText": "User Confirmed it was them" + }, + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Post_message_in_a_chat_or_channel": { + "inputs": { + "body": { + "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}
\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

", + "recipient": { + "channelId": "[[parameters('TeamsChannelId')]", + "groupId": "[[parameters('TeamsId')]" + }, + "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "method": "post", + "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "", + "This was me" + ] + } + ] + }, + "runAfter": { + "Send_approval_email": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}" + }, + "type": "ApiConnection" + }, + "Send_approval_email": { + "inputs": { + "body": { + "Message": { + "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}", + "HideHTMLMessage": false, + "Importance": "High", + "Options": "This was me, This was not me", + "ShowHTMLConfirmationDialog": false, + "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}", + "To": "@body('Get_user')?['mail']" + }, + "NotificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "path": "/approvalmail/$subscriptions" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook" + } }, - { - "identifier": "UPNSuffix", - 
"columnName": "UserUPNSuffix" - } - ], - "entityType": "Account" + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIpAddress" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 52", - "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", - "contentKind": "AnalyticsRule", - "displayName": "PIM Elevation Request Rejected", - "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": " Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "displayName": "Privileged Accounts - Sign in Failure Spikes", - "enabled": false, - "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, 
baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": 
"@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" - } - ], - "entityType": "IP" + "type": "ApiConnectionWebhook" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 53", - "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", - "contentKind": "AnalyticsRule", - "displayName": "Privileged Accounts - Sign in Failure Spikes", - "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "version": 
"[variables('analyticRuleObject53').analyticRuleVersion53]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "Privileged Role Assigned Outside PIM", - "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), 
UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpAddress" + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + 
"teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" } - ], - "entityType": "IP" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 54", - "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
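Review bot: Condition_2's expression `"equals": ["", "This was me"]` compares a literal empty string with the option text, so it is always false: the "This was me" branch that closes the incident is unreachable, and every response falls into the else branch, which comments `confirms they did not complete the action` on the incident and posts the same claim to Teams even when the user actually picked "This was me", misleading the analyst who triages it. The left operand presumably should reference the approval response, e.g. `"equals": ["@body('Send_approval_email')?['SelectedOption']", "This was me"]`; the Prompt-User-Incident playbook in the following hunk likely carries the same definition (its body is outside this view) and should be checked as well. Separately, the Block-AADUser-Incident metadata description on the new side still reads `disable the user in Azure Active Directoy` (old brand plus a typo) in a commit whose purpose is the Entra ID rename, and `hidden-SentinelTemplateName` is `Prompt-User_alert` while the displayName is `Prompt-User-Alert`.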
@@ -11576,466 +10022,408 @@
 }
 }
 }
- ]
+ ],
+ "metadata": {
+ "title": "Prompt User - Alert",
+ "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
+ "prerequisites": [
+ "1. You will need the Team Id and Channel Id."
+ ],
+ "postDeployment": [
+ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+ "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections."
+ ],
+ "lastUpdateTime": "2022-07-11T00:00:00Z",
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Added new Post a Teams message action",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]",
- "contentKind": "AnalyticsRule",
- "displayName": "Privileged Role Assigned Outside PIM",
- "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]",
- "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]",
- "version": "[variables('analyticRuleObject54').analyticRuleVersion54]"
+ "contentId": "[variables('_playbookContentId3')]",
+ "contentKind": "Playbook",
+ "displayName": "Prompt-User-Alert",
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": 
"[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]",
+ "name": "[variables('playbookTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "Prompt-User-Incident Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]",
- "parameters": {},
- "variables": {},
+ "contentVersion": "[variables('playbookVersion4')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Prompt-User-Incident",
+ "type": "string"
+ },
+ "TeamsId": {
+ "metadata": {
+ "description": "Enter the Teams Group ID"
+ },
+ "type": "string"
+ },
+ "TeamsChannelId": {
+ "metadata": {
+ "description": "Enter the Teams Channel ID"
+ },
+ "type": "string"
+ }
+ },
+ "variables": {
+ "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": 
"[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
 "resources": [
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureADConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
 "properties": {
- "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
- "displayName": "Rare application consent",
- "enabled": false,
- "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold 
to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources 
on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 3, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Persistence", - "PrivilegeEscalation" - ], - "techniques": [ - "T1136", - "T1068" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": 
"UPNSuffix",
- "columnName": "UPNSuffix"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "TargetResourceName"
- }
- ],
- "entityType": "CloudApplication"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IpAddress"
- }
- ],
- "entityType": "IP"
- }
- ]
+ "displayName": "[[variables('AzureADConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
 "properties": {
- "description": "Microsoft Entra ID Analytics Rule 55",
- "parentId": "[variables('analyticRuleObject55').analyticRuleId55]",
- "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject55').analyticRuleVersion55]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Entra ID",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]",
- "contentKind": "AnalyticsRule",
- "displayName": "Rare application 
consent",
- "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]",
- "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]",
- "version": "[variables('analyticRuleObject55').analyticRuleVersion55]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]",
- "parameters": {},
- "variables": {},
- "resources": [
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('Office365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
 "properties": {
- "description": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. 
They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", - "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", - "enabled": false, - "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - 
"columnName": "Name"
+ "displayName": "[[variables('Office365ConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('TeamsConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "displayName": "[[variables('TeamsConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "hidden-SentinelTemplateName": "Prompt-User",
+ "hidden-SentinelTemplateVersion": "1.1",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
 },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
- }
- ],
- "entityType": "Account"
+ "type": "ApiConnection"
+ },
+ "For_each": {
+ "actions": {
+ "Condition_2": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "inputs": {
+ "body": {
+ 
"incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert.  Closing the incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Update_incident": { + "inputs": { + "body": { + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected", + "ClassificationReasonText": "User Confirmed it was them" + }, + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "type": "ApiConnection" + }, + "Post_message_in_a_chat_or_channel": { + "inputs": { + "body": { + "messageBody": "

New alert from Microsoft Sentinel.
\nPlease investigate ASAP.
\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\n
\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.

",
+ "recipient": {
+ "channelId": "[[parameters('TeamsChannelId')]",
+ "groupId": "[[parameters('TeamsId')]"
+ },
+ "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
+ },
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Send_approval_email')?['SelectedOption']",
+ "This was me"
+ ]
+ }
+ ]
+ },
+ "runAfter": {
+ "Send_approval_email": [
+ "Succeeded"
+ ]
+ },
+ "type": "If"
+ },
+ "Get_user": {
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
+ },
+ "type": "ApiConnection"
+ },
+ "Send_approval_email": {
+ "inputs": {
+ "body": {
+ "Message": {
+ "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}",
+ "HideHTMLMessage": false,
+ "Importance": "High",
+ "Options": "This was me, This was not me",
+ "ShowHTMLConfirmationDialog": false,
+ "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}",
+ "To": "@body('Get_user')?['mail']"
+ },
+ "NotificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "path": "/approvalmail/$subscriptions"
+ },
+ "runAfter": {
+ "Get_user": [
+ 
"Succeeded"
+ ]
+ },
+ "type": "ApiConnectionWebhook"
+ }
+ },
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
 },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPAddress"
- }
- ],
- "entityType": "IP"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]",
- "properties": {
- "description": "Microsoft Entra ID Analytics Rule 56",
- "parentId": "[variables('analyticRuleObject56').analyticRuleId56]",
- "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject56').analyticRuleVersion56]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Entra ID",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]",
- "contentKind": "AnalyticsRule",
- "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO",
- "contentProductId": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]",
- "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]",
- "version": "[variables('analyticRuleObject56').analyticRuleVersion56]"
- }
- },
- {
- 
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.7",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. 
",
- "displayName": "GitHub Signin Burst from Multiple Locations",
- "enabled": false,
- "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
 },
- {
- "dataTypes": [
- "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "Name"
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
 },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
- }
- ],
- "entityType": "Account"
+ "type": "ApiConnectionWebhook"
+ }
 }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- 
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]",
- "properties": {
- "description": "Microsoft Entra ID Analytics Rule 57",
- "parentId": "[variables('analyticRuleObject57').analyticRuleId57]",
- "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject57').analyticRuleVersion57]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Entra ID",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
 },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]",
- "contentKind": "AnalyticsRule",
- "displayName": "GitHub Signin Burst from Multiple Locations",
- "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]",
- "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]",
- "version": "[variables('analyticRuleObject57').analyticRuleVersion57]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- 
"properties": { - "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "enabled": false, - "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. 
The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n 
DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" - } - ], - "tactics": [ - "InitialAccess", - "Persistence" - ], - "techniques": [ - "T1078", - "T1098" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" } - ], - "entityType": "IP" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 58", - "parentId": "[variables('analyticRuleObject58').analyticRuleId58]", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -12053,226 +10441,388 @@ } } } - ] + ], + "metadata": { + "title": "Prompt User - Incident", + "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", + "prerequisites": [ + "1. You will need the Team Id and Channel Id." + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added new Post a Teams message action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", - "contentKind": "AnalyticsRule", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Prompt-User-Incident", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", + "name": "[variables('playbookTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADPassword-AlertTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRuleObject59')._analyticRulecontentId59]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Brute force attack against Azure Portal", - "enabled": false, - "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on ResultType\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize data\n 
| summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based on deviation and failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion 
isfuzzy=true aadSignin, aadNonInt\n// Additional transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Alert_-_Get_incident": { + "runAfter": { + "Set_variable_-_password": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "get", + "path": 
"/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Entities_-_Get_Accounts": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "HTTP_-_reset_a_password": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] }, - { - "identifier": "AadUserId", - "columnName": "UserId" + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 0, 10)}" } - ], - "entityType": "IP" + } } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 59", - "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", - "contentKind": "AnalyticsRule", - "displayName": "Brute force attack against Azure Portal", - "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Password spray attack against Microsoft Entra ID application", - "enabled": false, - "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where 
TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ], - "entityType": "IP" + } } - ] + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 60", - "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -12290,270 +10840,372 @@ } } } - ] + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Alert Trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": " Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", - "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against Microsoft Entra ID application", - "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "Reset-AADPassword-AlertTrigger", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", + "name": "[variables('playbookTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADPassword-IncidentTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.", - "displayName": "Successful logon from IP and failure from a different IP", - "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, 
ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 
1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } }, - { - "dataTypes": [ - "IdentityInfo" - ], - "connectorId": "IdentityInfo" - } - ], - "tactics": [ - "CredentialAccess", - "InitialAccess" - ], - "techniques": [ - "T1110", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "actions": { + "Entities_-_Get_Accounts": { + "runAfter": { + "Set_variable_-_password": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": 
"@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager" + } + }, + "HTTP_-_reset_a_password": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "SuccessIPAddress" + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "FailedIPAddress" + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 
0, 10)}" } - ], - "entityType": "IP" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 61", - "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", - "contentKind": "AnalyticsRule", - "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", - "displayName": "Suspicious AAD Joined Device Update", - "enabled": false, - "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply 
Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = Prop.oldValue \n | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1528" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - 
"identifier": "HostName", - "columnName": "NewDeviceName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "OldDeviceName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "AzureID", - "columnName": "DeviceId" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "AadUserId", - "columnName": "InitiatedByUser" + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" } - ], - "entityType": "Account" + } } - ], - "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", - "alertDisplayNameFormat": 
"Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", "properties": { - "description": "Microsoft Entra 
ID Analytics Rule 62", - "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
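Review bot: The `Add_comment_to_incident_-_manager_not_available` action writes the new credential into the incident comment (`\nThe temporary password is: @{variables('Password')}`), so the reset password is persisted in the Sentinel incident and readable by every principal with incident read access, well beyond the manager the playbook means to notify. Remove that line from the comment body so the comment only records that the reset happened and that no manager was found, and leave delivery of the credential to a separate channel such as the existing manager e-mail path. The value itself comes from `"value": "@{substring(guid(), 0, 10)}"` in `Set_variable_-_password`; a ten-character slice of a GUID draws from a small hex alphabet and Logic Apps does not document `guid()` as a secret generator, so prefer a longer value from a purpose-built source or at least state this limitation in the template `description`. The UPN interpolated into both Graph `uri` values is built as `concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])` from incident entity fields with no encoding, so a name containing path characters would alter the request target; wrapping the concat in `uriComponent(...)` keeps it a single path segment. The alert-trigger variant of this playbook appears to carry the same actions in the preceding hunk, whose start is outside this view, and should get the same treatment.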
@@ -12571,381 +11223,453 @@ } } } - ] + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Incident Trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-07-11T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": " Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious AAD Joined Device Update", - "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "Reset-AADPassword-IncidentTrigger", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject63').analyticRuleTemplateSpecName63]", + "name": 
"[variables('playbookTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject63').analyticRuleVersion63]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Block-AADUser-EntityTrigger", + "type": "string" + } + }, + "variables": { + "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": 
"[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject63')._analyticRulecontentId63]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureADConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Suspicious application consent for offline access", - "enabled": false, - "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppDisplayName = tostring(TargetResource.displayName),\n AppClientId = tolower(tostring(TargetResource.id))\n )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n (\n where Properties.displayName =~ \"ConsentAction.Permissions\"\n | extend ConsentFull = tostring(Properties.newValue)\n | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, 
InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend ModifiedProperties = TargetResource.modifiedProperties,\n AppClientId = tolower(TargetResource.id)\n )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n (\n where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n | extend AppReplyURLs = ModifiedProperties.newValue\n )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend GrantAuthentication = tostring(TargetResource.displayName)\n )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, 
AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1528" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "GrantIpAddress" - } - ], - "entityType": "IP" - } - ] + "displayName": "[[variables('AzureADConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject63').analyticRuleId63,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Microsoft Entra ID Analytics Rule 63", - "parentId": "[variables('analyticRuleObject63').analyticRuleId63]", - "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject63').analyticRuleVersion63]", - "source": { - 
"kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('analyticRuleObject63')._analyticRulecontentProductId63]", - "id": "[variables('analyticRuleObject63')._analyticRulecontentProductId63]", - "version": "[variables('analyticRuleObject63').analyticRuleVersion63]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject64').analyticRuleTemplateSpecName64]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject64').analyticRuleVersion64]", - "parameters": {}, - "variables": {}, - 
"resources": [ + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject64')._analyticRulecontentId64]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], "properties": { - "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)", - "displayName": "Suspicious Service Principal creation activity", - "enabled": false, - "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n AuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n AADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\n AuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n AuditLogs\n | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n AuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between 
(time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT70M", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs", - "AADServicePrincipalSignInLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "CredentialAccess", - "PrivilegeEscalation", - "InitialAccess" - ], - "techniques": [ - "T1078", - "T1528" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "userPrincipalName_creator" + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_entity": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" } - ], - "entityType": "Account" + } }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "userPrincipalName_deleter" + "actions": { + "Condition": { + "actions": { + "Condition_-_if_user_have_manager": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_-_with_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']}  (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Get_user_-_details": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Get_user_-_details": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" + } + }, + "Send_an_email_-_to_manager_-_no_admin": { + "runAfter": { + "Condition_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Security notification! This is automated email sent by Microsoft Sentinel Automation!
\n
\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach our support.
\n
\nDirect report details:
\nFirst name: @{body('Get_user_-_details')?['displayName']}
\nSurname: @{body('Get_user_-_details')?['surname']}
\nJob title: @{body('Get_user_-_details')?['jobTitle']}
\nOffice location: @{body('Get_user_-_details')?['officeLocation']}
\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}
\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}
\nMail: @{body('Get_user_-_details')?['mail']}
\n
\nThank you!

", + "Importance": "High", + "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security risk!", + "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Parse_JSON_-_get_user_manager": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_3": { + "actions": { + "Add_comment_to_incident_-_no_manager_-_no_admin": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_get_user_manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com/", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" + } + }, + "Parse_JSON_-_get_user_manager": { + "runAfter": { + "HTTP_-_get_user_manager": [ + "Succeeded", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_user_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Update_user_-_disable_user": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_-_error_details": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.
\nError message: @{body('Update_user_-_disable_user')['error']['message']}
\nNote: If user is admin, this playbook don't have privilages to block admin users!

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user_-_disable_user')", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Initialize_variable_Account_Details": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AccountDetails", + "type": "string" + } + ] } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ipAddress_creator" + }, + "Set_variable": { + "runAfter": { + "Initialize_variable_Account_Details": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "AccountDetails", + "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ipAddress_deleter" + }, + "Update_user_-_disable_user": { + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}" } - ], - "entityType": "IP" + } } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject64').analyticRuleId64,'/'))))]", - "properties": { - "description": "Microsoft Entra ID Analytics Rule 64", - "parentId": "[variables('analyticRuleObject64').analyticRuleId64]", - "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", - 
"kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject64').analyticRuleVersion64]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('analyticRuleObject64')._analyticRulecontentProductId64]", - "id": "[variables('analyticRuleObject64')._analyticRulecontentProductId64]", - "version": "[variables('analyticRuleObject64').analyticRuleVersion64]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject65').analyticRuleTemplateSpecName65]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject65').analyticRuleVersion65]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", 
- "name": "[variables('analyticRuleObject65')._analyticRulecontentId65]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", - "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", - "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This 
web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ 
- "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "Discovery" - ], - "techniques": [ - "T1078", - "T1136", - "T1087" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "InvitedUserName" + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", + "connectionName": "[[variables('AzureADConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]" }, - { - "identifier": "UPNSuffix", - "columnName": "InvitedUserUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "InitiatedByName" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatedByUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/office365')]" } - ], - "entityType": "IP" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject65').analyticRuleId65,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 65", - "parentId": "[variables('analyticRuleObject65').analyticRuleId65]", - "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject65').analyticRuleVersion65]", + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -12962,248 +11686,397 @@ "link": "https://support.microsoft.com/" } } - } - ] + } + ], + "metadata": { + "title": "Block Microsoft Entra ID user - Entity trigger", + "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!", + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], + "lastUpdateTime": "2022-12-08T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Added manager notification action", + "notes": [ + "Initial version" + ] + } + ] + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", - "contentKind": "AnalyticsRule", - "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", - "contentProductId": "[variables('analyticRuleObject65')._analyticRulecontentProductId65]", - "id": "[variables('analyticRuleObject65')._analyticRulecontentProductId65]", - "version": "[variables('analyticRuleObject65').analyticRuleVersion65]" + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "Block-AADUser-EntityTrigger", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": 
"[variables('playbookVersion7')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject66').analyticRuleTemplateSpecName66]", + "name": "[variables('playbookTemplateSpecName8')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject66').analyticRuleVersion66]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Reset-AADUserPassword-EntityTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": 
"[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject66')._analyticRulecontentId66]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership 
= make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" - }, - { - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + "triggers": { + "Microsoft_Sentinel_entity": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": 
"@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" + } + } }, - { - "dataTypes": [ - "IdentityInfo" - ], - "connectorId": "IdentityInfo" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "Name" + "actions": { + "Condition_-_is_manager_available": { + "actions": { + "Condition_2": { + "actions": { + "Add_comment_to_incident_-_manager_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Send_an_email_-_to_manager_with_password_details": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_-_HTTP_-_get_manager": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_get_manager')", + "schema": { + "properties": { + "userPrincipalName": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Send_an_email_-_to_manager_with_password_details": { + "runAfter": { + "Parse_JSON_-_HTTP_-_get_manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

User, @{variables('AccountDetails')}, was involved in part of a security incident.  As part of remediation, the user password has been reset.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

", + "Subject": "A user password was reset due to security incident.", + "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "HTTP_-_get_manager": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_-_manager_not_available": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.
\n
\nThe temporary password is: @{variables('Password')}
\n
\nThe user will be required to reset this password upon login.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_get_manager')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_-_get_manager": { + "runAfter": { + "HTTP_-_reset_a_password": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager" + } + }, + "HTTP_-_reset_a_password": { + "runAfter": { + "Initialize_variable_Account": [ + "Succeeded" + ] }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "body": { + "passwordProfile": { + "forceChangePasswordNextSignIn": true, + "forceChangePasswordNextSignInWithMfa": false, + "password": "@{variables('Password')}" + } + }, + "method": "PATCH", + "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}" } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPAddress" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Password", + "type": "String", + "value": "null" + } + ] } - ], - "entityType": "IP" + }, + "Initialize_variable_Account": { + "runAfter": { + "Set_variable_-_password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AccountDetails", + "type": "string", + "value": 
"@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}" + } + ] + } + }, + "Set_variable_-_password": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Password", + "value": "@{substring(guid(), 0, 10)}" + } + } } - ] - } + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "connectionName": "[[variables('office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]" + ] }, { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject66').analyticRuleId66,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Microsoft Entra ID Analytics Rule 66", - "parentId": "[variables('analyticRuleObject66').analyticRuleId66]", - "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject66').analyticRuleVersion66]", - "source": { - "kind": "Solution", - "name": "Microsoft Entra ID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", - "contentKind": "AnalyticsRule", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('analyticRuleObject66')._analyticRulecontentProductId66]", - "id": "[variables('analyticRuleObject66')._analyticRulecontentProductId66]", - "version": "[variables('analyticRuleObject66').analyticRuleVersion66]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject67').analyticRuleTemplateSpecName67]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject67').analyticRuleVersion67]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject67')._analyticRulecontentId67]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "User added to Microsoft Entra ID Privileged Groups", - "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = 
dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = 
tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "Persistence", - "PrivilegeEscalation" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountName" - }, - { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "TargetName" - }, - { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" - } - ], - "entityType": "Account" - } - ] + "displayName": "[[variables('office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject67').analyticRuleId67,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 67", - "parentId": "[variables('analyticRuleObject67').analyticRuleId67]", - "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject67').analyticRuleVersion67]", + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": 
"[variables('playbookVersion8')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
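Review bot: The `Add_comment_to_incident_-_manager_not_available` action in the Reset-AADUserPassword-EntityTrigger definition writes the temporary credential into the incident comment (`\nThe temporary password is: @{variables('Password')}`), so a live password is persisted in Sentinel incident history where any Sentinel reader, export or downstream ticketing integration can see it, and the `Set_variable_-_password` and `HTTP_-_reset_a_password` actions will likewise expose it in Logic Apps run history unless their inputs/outputs are secured. Drop the two password lines from that comment and record only that the reset happened (e.g. `"message": "User @{variables('AccountDetails')} password was reset in Microsoft Entra ID but the user doesn't have a manager; deliver the temporary password out of band."`), and add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to the actions that carry the password. The email body and both comment strings still say "password was reset in AAD", which this rebranding commit leaves inconsistent with the metadata title "Reset Microsoft Entra ID User Password". The Block-AADUser-EntityTrigger metadata at the top of the hunk asks operators to grant Directory.ReadWrite.All to the managed identity, which is presumably broader than disabling a user needs — confirm against that playbook's Graph calls (not visible here) and trim the postDeployment list to the least permission that works. The contentTemplate resource for playbook 8 continues past the end of this hunk.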
@@ -13221,110 +12094,317 @@ } } } - ] + ], + "metadata": { + "title": "Reset Microsoft Entra ID User Password - Entity trigger", + "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", + "postDeployment": [ + "1. Assign Password Administrator permission to managed identity.", + "2. Assign Microsoft Sentinel Responder permission to managed identity.", + "3. Authorize Office 365 Outlook connection" + ], + "lastUpdateTime": "2022-12-06T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.1", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", - "contentKind": "AnalyticsRule", - "displayName": "User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('analyticRuleObject67')._analyticRulecontentProductId67]", - "id": "[variables('analyticRuleObject67')._analyticRulecontentProductId67]", - "version": "[variables('analyticRuleObject67').analyticRuleVersion67]" + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "Reset-AADUserPassword-EntityTrigger", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject68').analyticRuleTemplateSpecName68]", + "name": "[variables('playbookTemplateSpecName9')]", 
"location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject68').analyticRuleVersion68]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignInSessions-alert", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 
'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject68')._analyticRulecontentId68]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", - "displayName": "New User Assigned to Privileged Role", - "enabled": false, - "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', 
tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query for audit events in the current day\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + "displayName": "[[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365UsersConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": 
"@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Send_an_email_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_manager_(V2)": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365users']['connectionId']" + } + }, + "method": "get", + "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" + }, + "runAfter": { + "HTTP": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "HTTP": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" + }, + "type": "Http" + }, + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", + "Subject": "User signin sessions were reset due to security incident.", + "To": "@body('Get_manager_(V2)')?['mail']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "runAfter": { + "Get_manager_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "TargetName" + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - { - "identifier": "UPNSuffix", - "columnName": "TargetUPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "InitiatorName" + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": 
"[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatorUPNSuffix" + "office365users": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", + "connectionName": "[[variables('Office365UsersConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" } - ], - "entityType": "Account" + } } - ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject68').analyticRuleId68,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 68", - "parentId": "[variables('analyticRuleObject68').analyticRuleId68]", - "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject68').analyticRuleVersion68]", + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
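Review bot: In the `HTTP` action of the Revoke-AADSignInSessions-alert workflow the account's Name/UPNSuffix from the alert entities is interpolated into the Graph request URI without encoding, whereas the `Get_manager_(V2)` path in the same loop wraps the same concat in `encodeURIComponent(...)`; an entity value containing `/`, `?`, `#` or a space therefore changes the request path instead of the user segment. Use the same form: `"uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/revokeSignInSessions"`. The same unencoded URI is in the incident-trigger template in the next hunk. Separately, since this commit is the Entra ID rebranding, the incident comment body still reads `singin sessions were revoked in AAD` and should become `sign-in sessions were revoked in Microsoft Entra ID` in both templates.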
@@ -13342,126 +12422,317 @@ } } } - ] + ], + "metadata": { + "title": "Revoke-AADSignInSessions alert trigger", + "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", + "prerequisites": [ + "1. You must create an app registration for graph api with appropriate permissions.", + "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID." + ], + "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", + "lastUpdateTime": "2021-07-14T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", - "contentKind": "AnalyticsRule", - "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('analyticRuleObject68')._analyticRulecontentProductId68]", - "id": "[variables('analyticRuleObject68')._analyticRulecontentProductId68]", - "version": "[variables('analyticRuleObject68').analyticRuleVersion68]" + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "Revoke-AADSignInSessions-alert", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleObject69').analyticRuleTemplateSpecName69]", + "name": "[variables('playbookTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject69').analyticRuleVersion69]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignInSessions-incident", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]", + "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/office365users')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject69')._analyticRulecontentId69]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", - "displayName": "New onmicrosoft domain added to tenant", - "enabled": false, - "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", 
InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" - } - ], - "tactics": [ - "ResourceDevelopment" - ], - "techniques": [ - "T1585" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "UserName" + "displayName": "[[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365UsersConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('UserName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Revoke-AADSigninSessions", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + 
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Send_an_email_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_manager_(V2)": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365users']['connectionId']" + } + }, + "method": "get", + "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager" + }, + "runAfter": { + "HTTP": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "HTTP": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions" + }, + "type": "Http" + }, + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident.  As part of remediation, the user signin sessions have been revoked.  The user will need to reauthenticate in all applications.

", + "Subject": "User signin sessions were reset due to security incident.", + "To": "@body('Get_manager_(V2)')?['mail']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "runAfter": { + "Get_manager_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] }, - { - "identifier": "AadUserId", - "columnName": "InitiatingSPID" - } - ], - "entityType": "Account" + "type": "Foreach" + } }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "InitiatingIp" - } - ], - "entityType": "IP" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "fieldMappings": [ - { - "identifier": "DomainName", - "columnName": "DomainAdded" - } - ], - "entityType": "DNS" + "triggers": { + "Microsoft_Sentinel_alert": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. 
Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", - "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + }, + "office365users": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]", + "connectionName": "[[variables('Office365UsersConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]" + } + } + } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject69').analyticRuleId69,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", "properties": { - "description": "Microsoft Entra ID 
Analytics Rule 69", - "parentId": "[variables('analyticRuleObject69').analyticRuleId69]", - "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject69').analyticRuleVersion69]", + "parentId": "[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", + "kind": "Playbook", + "version": "[variables('playbookVersion10')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
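Review bot: The `metadata.prerequisites` for Revoke-AADSignInSessions-alert do not match the template it describes: the workflow authenticates to Graph with the Logic App's `SystemAssigned` identity (`"type": "ManagedServiceIdentity"` in the `HTTP` action), so step 1's "create an app registration for graph api" is not needed, and step 2's Password Administrator role is the requirement of the password-reset playbook, not of `revokeSignInSessions`, which the incident variant's own metadata in the following hunk covers with the `User.ReadWrite.All` Graph permission (a narrower session-revocation-only permission may also exist; confirm against current Graph docs before choosing). I would replace the two entries with `"1. Grant the User.ReadWrite.All Microsoft Graph application permission to the playbook's system-assigned managed identity."` and `"2. Authorize the Office 365 Outlook and Office 365 Users API connections after deployment."`. The `comments` field also says the playbook uses "a Beta API" while the request targets `/v1.0/`, and has the typo "send and email". The following hunk gives `prerequisites` as a plain string rather than an array, so the two playbook entries should agree on the value type as well.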
@@ -13479,151 +12750,204 @@ } } } - ] + ], + "metadata": { + "title": "Revoke AAD SignIn Sessions - incident trigger", + "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", + "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", + "lastUpdateTime": "2021-07-14T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", - "contentKind": "AnalyticsRule", - "displayName": "New onmicrosoft domain added to tenant", - "contentProductId": "[variables('analyticRuleObject69')._analyticRulecontentProductId69]", - "id": "[variables('analyticRuleObject69')._analyticRulecontentProductId69]", - "version": "[variables('analyticRuleObject69').analyticRuleVersion69]" + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "Playbook", + "displayName": "Revoke-AADSignInSessions-incident", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject70').analyticRuleTemplateSpecName70]", + "name": "[variables('playbookTemplateSpecName11')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject70').analyticRuleVersion70]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion11')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject70')._analyticRulecontentId70]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { - "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.", - "displayName": "Suspicious Sign In Followed by MFA Modification", - "enabled": false, - "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = 
tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, \"@\")[1])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } }, - { - "dataTypes": [ - "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" - } - ], - "tactics": [ - "InitialAccess", - "DefenseEvasion" - ], - "techniques": [ - 
"T1078", - "T1556" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "AadUserId", - "columnName": "InitiatorID" - }, - { - "identifier": "Name", - "columnName": "InitiatorName" - }, - { - "identifier": "UPNSuffix", - "columnName": "InitiatorSuffix" + "triggers": { + "Microsoft_Sentinel_entity": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/entity/@{encodeURIComponent('Account')}" } - ], - "entityType": "Account" + } }, - { - "fieldMappings": [ - { - "identifier": "AadUserId", - "columnName": "TargetId" + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_-_session_revoked": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['IncidentArmID']", + "message": "

Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } }, - { - "identifier": "Name", - "columnName": "TargetName" + "runAfter": { + "HTTP_-_revoke_sign-in_session": [ + "Succeeded" + ] }, - { - "identifier": "UPNSuffix", - "columnName": "TargetSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "FromIP" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "SourceIPAddress" + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['IncidentArmID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "HTTP_-_revoke_sign-in_session": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "type": "ManagedServiceIdentity" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions" } - ], - "entityType": "IP" + } } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n", - "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}" + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject70').analyticRuleId70,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", "properties": { - "description": "Microsoft Entra ID Analytics Rule 70", - "parentId": "[variables('analyticRuleObject70').analyticRuleId70]", - "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject70').analyticRuleVersion70]", + "parentId": 
"[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", + "kind": "Playbook", + "version": "[variables('playbookVersion11')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -13641,19 +12965,38 @@ } } } - ] + ], + "metadata": { + "title": "Revoke AAD Sign-in session using entity trigger", + "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", + "postDeployment": [ + "1. Add Microsoft Sentinel Responder role to the managed identity.", + "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity." + ], + "lastUpdateTime": "2022-12-22T00:00:00Z", + "entities": [ + "Account" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", - "contentKind": "AnalyticsRule", - "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('analyticRuleObject70')._analyticRulecontentProductId70]", - "id": "[variables('analyticRuleObject70')._analyticRulecontentProductId70]", - "version": "[variables('analyticRuleObject70').analyticRuleVersion70]" + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "Revoke-AADSignIn-Session-entityTrigger", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" } }, { @@ -13666,11 +13009,11 @@ "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Entra ID", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
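Review bot: The `HTTP_-_revoke_sign-in_session` action builds its URI by concatenating the Account entity's `Name`, `@` and `upnSuffix` straight into the path with no encoding, even though the trigger path in the same definition does use `encodeURIComponent('Account')`. UPNs can legitimately contain `#` (guest accounts carry `#EXT#`), Microsoft Graph documents that such characters must be sent as `%23`, and an unencoded `#` is a fragment delimiter, so for exactly those accounts the POST is likely truncated to a wrong `/users/` path and the revoke fails or is skipped; change the line to `"uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix']))}/revokeSignInSessions"`, or key on the entity's Entra object id when the entity carries one. The comment action's only `runAfter` is `Succeeded`, so a failed or 4xx revoke leaves no trace on the incident; a second comment action with `runAfter` on `Failed`/`TimedOut` would let analysts tell a revoked session from a silently skipped one. The contentTemplates resource that holds this Logic App starts in this hunk and its `metadata` closes in the next one.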
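Review bot: The `postDeployment` text asks operators to grant the playbook's system-assigned identity `Directory.ReadWrite.All` in addition to `User.ReadWrite.All`, but the only Graph request the workflow makes is `POST /users/{upn}/revokeSignInSessions`, and the sibling incident-trigger playbook earlier in this same diff lists `User.ReadWrite.All` alone as its prerequisite. `Directory.ReadWrite.All` is a tenant-wide write grant on an identity that any automation rule can invoke, so the extra permission is excess privilege with no use in the definition; change step 2 to `"2. Assign the User.ReadWrite.All application permission to the managed identity (revokeSignInSessions does not require Directory.ReadWrite.All)."`. If the narrower `User.RevokeSessions.All` application permission is available in the tenant it is the least-privileged fit for this single call and worth documenting instead — verify against current Graph permission reference before changing the text. This metadata block closes the contentTemplates resource whose Logic App definition begins in the previous hunk.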

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Entra ID solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.

\n

Workbooks: 2, Analytic Rules: 70, Playbooks: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Entra ID solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.

\n

Data Connectors: 1, Workbooks: 2, Analytic Rules: 62, Playbooks: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", - "icon": "", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
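Review bot: The new `descriptionHtml` advertises `Analytic Rules: 62` where the removed line said 70, and neither the commit subject nor the 3.0.7 release-note line (which says only "rebranding") accounts for losing eight detections. The other hunks in this file show the drop is real: the `AnalyticsRule` content templates for "New onmicrosoft domain added to tenant" and "Suspicious Sign In Followed by MFA Modification" are replaced by playbook templates, and `analyticRuleObject63`–`analyticRuleObject70` vanish from the solution's `dependencies` list. If that is unintended, regenerate the package from a `Solution_AAD.json` whose Analytic Rules array still lists those eight YAML files; if it is intended, the release note should name the removed rules, since 3.0.4 added the MFA-modification rule only weeks earlier and customers relying on it would otherwise lose coverage silently on upgrade.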
@@ -13692,59 +13035,9 @@ "operator": "AND", "criteria": [ { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-alert-trigger')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-entity-trigger')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Block-AADUser-incident-trigger')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Prompt-User-alert-trigger')]", - "version": "[variables('playbookVersion4')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Prompt-User-incident-trigger')]", - "version": "[variables('playbookVersion5')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]", - "version": "[variables('playbookVersion7')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]", - "version": "[variables('playbookVersion8')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]", - "version": "[variables('playbookVersion9')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]", - "version": "[variables('playbookVersion10')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]", - "version": "[variables('playbookVersion11')]" + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" }, { "kind": "Workbook", 
@@ -14067,44 +13360,59 @@ "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject63')._analyticRulecontentId63]", - "version": "[variables('analyticRuleObject63').analyticRuleVersion63]" + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-alert-trigger')]", + "version": "[variables('playbookVersion1')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject64')._analyticRulecontentId64]", - "version": "[variables('analyticRuleObject64').analyticRuleVersion64]" + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-incident-trigger')]", + "version": "[variables('playbookVersion2')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject65')._analyticRulecontentId65]", - "version": "[variables('analyticRuleObject65').analyticRuleVersion65]" + "kind": "Playbook", + "contentId": "[variables('_Prompt-User-alert-trigger')]", + "version": "[variables('playbookVersion3')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject66')._analyticRulecontentId66]", - "version": "[variables('analyticRuleObject66').analyticRuleVersion66]" + "kind": "Playbook", + "contentId": "[variables('_Prompt-User-incident-trigger')]", + "version": "[variables('playbookVersion4')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject67')._analyticRulecontentId67]", - "version": "[variables('analyticRuleObject67').analyticRuleVersion67]" + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]", + "version": "[variables('playbookVersion5')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject68')._analyticRulecontentId68]", - "version": "[variables('analyticRuleObject68').analyticRuleVersion68]" + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]", + "version": 
"[variables('playbookVersion6')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject69')._analyticRulecontentId69]", - "version": "[variables('analyticRuleObject69').analyticRuleVersion69]" + "kind": "Playbook", + "contentId": "[variables('_Block-AADUser-entity-trigger')]", + "version": "[variables('playbookVersion7')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject70')._analyticRulecontentId70]", - "version": "[variables('analyticRuleObject70').analyticRuleVersion70]" + "kind": "Playbook", + "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]", + "version": "[variables('playbookVersion10')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]", + "version": "[variables('playbookVersion11')]" } ] }, diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md index bdf684207a8..1635f419212 100644 --- a/Solutions/Microsoft Entra ID/ReleaseNotes.md +++ b/Solutions/Microsoft Entra ID/ReleaseNotes.md 
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| +| 3.0.7 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID | | 3.0.6 | 30-10-2023 | 1 **Data Connector** added back in the solution | | 3.0.5 | 19-10-2023 | 1 **Analytic Rules** updated in the solution (PIMElevationRequestRejected) | | 3.0.4 | 16-10-2023 | 1 **Analytic Rules** got added in the solution (SuspiciousSignInFollowedByMFAModification), modified workbook query to fix duplicate locations for the query. | diff --git a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg new file mode 100644 index 00000000000..0ed35fb73bc --- /dev/null +++ b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From 895c3a472c4216f4a395cc010b3ea50de5aec2ff Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 6 Nov 2023 07:11:28 +0530 Subject: [PATCH 08/17] update data file --- .../Microsoft Entra ID/Data/Solution_AAD.json | 2 +- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 94755 -> 93890 bytes .../Package/createUiDefinition.json | 10 +- .../Package/mainTemplate.json | 1720 ++++++++--------- 4 files changed, 866 insertions(+), 866 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json index b211157937f..01dd4303aa8 100644 --- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json +++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json 
@@ -72,7 +72,7 @@
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
- "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"
 ],
 "Playbooks": [
 "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 0944f163483aefb760090fc8bdde6f06cd11d34a..f0cf87377021fe150699a558654024978de2af42 100644 GIT binary patch literal 93890 zcmZ^~W0YlEmo%KVv(mP$O53(=+qR8L+qP|^(yp{wX}(#v?$@LH>!<&namLtd&m9pn zW}LOxk&^@l`33+000E%MZlc;Q!h1(d0RZs$1OR~c^{t_UvA&bBvbm74iMfrrlew)8 zt%akl%|5rKE%I2(w(8oa-1zwx@u)SKe^6)&CnF^NTrUEN{wx%c(k1P>^U3Au`eN3v zw8+LDW8bxp1n#4Sf{EB55KOE~VTkifk4z5dts|x98Q)K~Vb%}95#;!rXi+Oe1?6C$ zg|jrW&8QWp<$tu=XO5fCbjyOB*{s3;4l>jKUm% z>bpzihF;-CJTe9BMtqO;3{Hpa_Io;82`ysbldx}I0px;~DbUbjZD?+0;g}2+E9HZdRS)4s(5?t+$p;?6i zmVFWoNF){CDo6vOmD0;4(_&ZUqLe67C!L4pzvcY$ton(${2T@=!8*G7`9AYmuPAUc zY5DM=lsae6_-->n(2u`!nhdYV;xxhA5C}^3G1G;k!Tjdywb0-=`)!kY)rOBF2f~kg zPf-ob^OZpL2YaH%G6DG;a9qWuIcF2FwxZ>{TLwyg<@Y!;T090~7Dqj2wYsogD@0rE zK@Nbytruf@4G>Nqi(GLf7|Uyr7zjeJ)0@@=G(rg@id~81`K{7v8y=4}rZ`7SDTfkeHhvsWG!S6-) z$*Et)9MecbV?;d%5eYZ$o2T;^C2fse{AOD73qxuj2f6^kF*@yV~yXq`6m_V7I+^^_Ke=bzWQp=z*#G3D%O71d#=1Ei?I4(yq zKeV5W;B)RAvt{h}=P{4r@bG4TCnm{yPi$&qKU_ffO=KF6ig}fuT8zCxM@gkRY;;b2 z^r4F0ARW9+>wN3=v9fgn60bSaCqD%y0ie?dQ2tSeuOS(g;EvU-mj~qunjbt*P1iMj z{+u?TUUND+zo%8;x7;P!+f3^Q!;x>-@c6xSDk9E%%8W^HmQ`yW{Vq1D>;R%MXbS?X z+p^mWN`(n40nx%kMnfV+<6-(7M+ zQ*GT`UG-^Uh&=5H?5;{d923gJX})bfjlxm)Jn|jBz z;KnF#ZXmVKw1zjlilR6p&kw{zYKE;n&TLF^*)cxvM+_7(+d>Qp`v80l*Hv3G_?_@M ztEBdz(I11Z8HV2m<6&hj)7Wq7;u4hgihkWDgZqO@kQ1|bRx{ZHkSOH==bWol@6n3l z-C8h^Mm;=g7_fyel15TE!xs)_8XPMY3@ZaCWU5p()EbVJBM>&g=y_c>gZ{3AokMsH zY$%I*JPg4wS_}$HUBL6G5FCAY$TS#SVsWKn|6qZ+q{S2yRxvxwQ5}(axjCpxw5uui ze}A4!ue_+5jML6(G2{X`9mLdeFoiDz)PosI{kvl z;^403Y&4x!q`JOV5)cT3T;%+AX!fr-gqm6?HYhtJlUJNFF6K59qxDKYb+{dC;qXwa zdjTOj2t@En)K_Y4w)#Kx^(8ADfJ4EgA<2g(j{K+C%YtxTl=#(Ryz8aRI!;KPfmymH*%t#B!NgSv; z#iemPMmAkkDmscn%4oe0kq-2G=JhAUOTdGr*rpr@wOkSjdde_hl>|F3^mU$80?>*d*4_p^iG-o!{+3YPABQBBXnlLiOIE61KCdr%8YHc{70s@ca&q>MW9GSgdP;8I4o{o5G@m$_XbGnq^t?4D0-sJ^zPr1>KWafz~g{f z{si9?FoP!?7=q%hyLg_hGax0RoL8amlxiv1j(?^=BbR_U&rkb^2FU3fKjt?v39F-jk<2J}C 
z`hDius4>_}zsPLCOjWc+*m9b~oB&M!87#IjP@`hqLinyi!x5?2l3WXIgWNYbri|-9 zrqK^aEJRQ>|M6ngWhl`VGa6wMS@k;PsW)Q<=U^=vu z;XSY*?<`WaRHa)5Cydp%B5~u4KK-#YqTYxfsW$X`_c}S$B){@u~7r~>PCx%^>l#0 z;_RuqAS~>4mODO`2DhpdlApq6d7`uyt9dfZmun<3fMt&YBVYg!&hrKUQmgyXK*r!B zW*`gW@9MEtEr2o*N0hs(mca*PYUn5NCIE6$ERIloXqKrJS)CoI2hGUJG^f!DowMD) z6rs@5H!gA8@gq5xZKJvHZB951CdSi7WViBqkw3k6%v}zEbIx^jbin6_g1_NQJbio& zc*4WM!Ck^${1kCE?{Z&>o@j27-$$!w<;P7W0E)z;hlg+xW(b9C z7*LFb&)7BY0f1H>4!FW&&_hH+XH?R3*J(gv#b1FsJ!KzFNdekJ|;fZji z2T(2+gRp}#$fWGGQ)C@}@weeYG$v(Hsi{38nL!I=(v@6!wIs5tmm{wX1UY6-Zno&E zO9%~c_|@ux#bA|R=9g$70AY2#42p&C4$L9ogw>%>MekM$x1ztewq}Afn{NaIAYb5P zedvB#4ishFm&tq1C36l8l-0Z}X`-?_Y%@li3Ob|664Z1j_+H&2Uq^&Gi=bazy&Az% z8N%oxYtY$zXb#oMO$<=w-55rZ9nddTY}Fr410EDqdSbc%%)W5f_X}!PZ*JWfMD{vh z+>==yOW6O6IW0Q4+vOAJr?rMzU=GDu4)#F8t0dpZb<+-XpHY!8hX6K}LI!lzlv|LM zP+d3fh>7@*X{iAX(n^AXS`avQg1!$VspHg=rC-Q5#6N!7Zw@wL5`jJhG>Paue+2ak zOOujAX*l!nlF}K?%p<`D$M2FOuOgiH<}heHr)u;^U3;~3{QeOEe{YEG)GnVbpisCOs0`|Dr{bpOx)wLNSwZz6)H-aaPVA-yzx645`@*2Z=Y(G*h@|986OhGR$Je z=p7yG4;E;vfWA>+LmcJtA35jMDVKPSVvmv_BakTv+0x{nk`Tk({kf)i8?dTX>)pH$ zde)7;k-eA_I^)dgT%Y$Vf{7srX0>d1Pq(F3`5H#M^8CFud^bIgc1s)pF+nX4mDnLs z%&1g}ed*vg`S^`Nh!Lr1UgYzn#&kTW#c@+CLN=LAT|a0D6~(i*@I93D(C&cdvri1% zV#v4+msf0qV; zAPMG`$i9TGH`wb_?gF;c^|GxmMDIoLU`qY?)rKKsTveLG-=7xe4X`2Ybztdbn7}-I zgB0y_10VY!`TkR!#@?;{PnWyWIF4?YSimxP#LY8N@$v zaj<}Ikq|BV6bwTzHlnh$v4P8!-bI{j@utq+pA^b{izFwdpq^041+1+m8M?pxiA8zO zL5 zx@NMZtc$;XM~vh^DP0q3n8n6U@v7}a5q>R%e-*(VH5$Tn8gMY%t)A_w-cXaae4JtC z08hkU+*R!T{2V11D#a{ry3_Tf+;B=Jw~;mF2_Y8oh;?F8=e2yTIA)ff)jjxvy?34Zm;uCw)si-JcvZjrG$;$ZS$1Pv z7)Lgh4=cnibtc>XVYtwTf%~#90C6-NTUMcROr+f6*3gjzfi^M($=i&4k}9FCna7?L ztb`~>Jf|vke2u!zU7-ZeiYw~73j;Rlca)1zaF=COH>NAOL0BZNw$$Ia`T-!u)sZRo zT+Pv;;;|W#JgJk6@nTO&GHHYLjKn_)g}pOYvRTtjq`fSgUQdtk<4l~Ic{>oY8_ASq zerkN#z7nam6L3XaaB5o5Ss}xw>Lj3b3e{cJGypSvNhxDmkD7mnTAH};xbc?aEA@?b z68*JE8jwM@RwO!?Pun*(ZAajF{rM`{u4zggeGh>m=M*N6m8*#e;@}#;HM(c6Z!Vqz 
zJE<79ae@AZ9Mhe!Z1ACiCJTHs=@y;M)d6QWhRq!~OG3w@fo~7gD0)sV=>rV#8gh+i;y9@D1?Lw2{2M3#OJA1gFGlxv+;`oubvcU{(UFwg?L#p;CSI|_>< zssit^t3X@w)Z8#v1h}LUJtB0}yDZyy`2_1p%7N0z9ktW%#n@>0iTxlLITr$9hmL@8 zEO?_1t_yq8oWz#_9!fHr_mgEwO#-_$yeh5IJt1`#Xaq~ep`0sgVsEF2SB$)weA!J& zA)~$y&N&+pT$@TS)(*Qbo#R`Nn^}99mMfgXDZotYxzBF!rPj(P%AuY*-`tEe3RFLX zPzP?TB#?z{4o-dG>mx4X1kSn6BQB7=XLw5QPetWB+6ThmijBzKZ}C_Jqa67-(buFj zAa9&huUd7p77h6O^e|i)eH$AlkCZSJckx8)XsTxwuMn!HS|CJDh2n}@k!cdov%CoM zDn~JZ#yrGZe25CFhrdUc8lIVsW3-#@DJJ=O&*2;>>}>p2b*6-!t>!wyi2`&D1XA59 zhmspk+R2lu8kt%WpUZ!es0W>?v{}HnO<^Wv%r|kHukaYx)cEa(7FxMZpNZxzu~PBc z$W)EEpus6abtQAt?X9n2mOX^Kd!rC+^D=Ck1on%4lli{lCaw4}q=irlj>X*Jj-uvr zZLkQkWr8wz0l7i^smix{MiukKPvPlf>VuuIWy$oz*D=B8;6Z;#z|+?IvJ z%K(rEpPOw=*;7>%ZiSW104=@UT-u2+6)o)f((1DKB6ah&aP(t( z`okM_E>`;Kn${s@2$)gB@eNS+0~S=Lac`EHnGH0^bXR2x%X$d~dxvnpb{O^+ynioY z#3^8Pe$qmr+;dwvnI9>)uoaVJS(rwuk88Nl+QPXTu6}wGL#fhN-#uEnR!!J2t*H%g zUK(7>Z+-@s=y4e)<44xq zbCFtd;czKd3jYsWZf&Lm9x3-s-CtS0AIhP9Ay8c91U#rtMuye%{IifDla^e)XS290 zlX2wwj6Xj@@tlImG7Ivr?*>8jf2!6E9%GTX-xZ!44!&aXI zWsb(c=olIRV{4Wx)i^dYUDzcrkZy<{O1j;(-x&EG{DZy%*5UF*)N>#Gsu-s{mahvf z0oh1)J9DQADCzP3NGyIO*{L@*Pfvj6L=NZOrWYSihUS+vDKGIa1Q$yq&`9&@g4AH% zR=5Zs(HWCA2kD~6B!CJ%o5@7jlU@1BqX|%f(F;&p#{-~RNM{*O17@QF%#-%*gHTm~ zM|nynbzxM)W(Bh$sZ|r)r!>0JY|bD=++MRBg5@9Y+D_qzOSDI_6*P562>gp16v?y$ z4c_x)so98H4_=MN?BSSjP3et!_Onw$_BK= zX+{SbgLMk+uIVdjN?h1*c{BoxT7gMbE)S^-*h2^3 z35Wq47t7nGDxaCu4cxo)V%@s4t(zUJ-K*j$uE&*Eux=Dnbz!V@11jkzy5CCMqrvc9 z!NJ-W%2=? 
zE5$j|P0Vgclkrz7YaiW<1CR6bD37z}Q+RN?L%7FFHI8S{q~f5w=b18Xoj431|D3r} z)Li9Flz~lwwy%!(^eDb4W$%<{=mA`?&hcbA0o1+%D9`ma65}ezYP-loj64<1PCY)S zt@l)Y2Og5Jy$XsVBSUTZ6CeQeD&6RWjG+y>Z-9n;6$bCj?>i1iTj|S|(A3t*CoxmO zB?GK}`(a&`7$}DV z=Mg(FgRX&@)92wtYg7l5F&>3P(g+?cxZlv87g|#%Z>R2&QsCir8i;{IP%MTdDJViM zC)k}aCFZ~_B~=ZsZxJQ(@yyQ{9E5mf=BpR+CRY1~xcDX6_ zeRYf!72`u@j4nAWFhUg1jgN!r;jsd73omH&At|Fpu5C7Tff{W;+&`nvk-GZDXIv$8 zSB4SNU-ZV69DVD+lf5a4rC~BIGWE2K$RiX@{VdbJ7Pd6>gxNK%t-1$By=UKwM_-*z z(WC+_2YFBYKC8GNt{QpCuABjgvNz%-v z^c-(Qwgl->u_*9eX5H36$7;QZ<;+kF0VU|l3R4y&Z=eiaezHL%gb4B~^2!#(;Iwas zE^nWX^!j9}Rj`OS414-`Rk8b_A-GZ@-^72ja!yIEEzE9-U&yd}{N5IvppVrS#}es? zAW7kdGEIVxS82sDg@K8!>;j}T`S$%9X%&}tM01q*t(0Np(9u#A*xI#s3XZ#$DzFpX zdk05_9J8DQc|0$pEYh;cU^tr1j{! z#Blg_W?9E3!jEk_S2$+2Xi;Qksy)lSK7w87y5(BY$=;8w>1CQH0(;@B1X^8-wV@Uu^=eNRb+w>q8}018Oabj1!May!Z&}GG$loGNM&o1csq=yF z#m~vu$0Yv9YQunMi>^2alDeEr$`0ez8cZ~Y39!wb*o>4?(qkXeg331o3XVJHZau<3 zN|2L-KT2fwRq;Zwg25qGM7dGAM%}*;A9&Ut%6!?Dt-wftK2u4E`;JFGrn>()U@7Yf zk?V5%cyp@74PC&Bu22~Suewfp-2(Y$OWuiylz4Y}$7NABbY8p@NxU&T>15+MDRR&} zV%2oPaE5EWZpgZ#fr}Is-1G*x+2zCSGb4X4sy4k2tn00=O1FNDt4L@wC9S2SwR6V0 z=2@lwAdp{(@41cJ?cQVTwz&3Q;1FrM)h_CLL38ge27r^&Bn^GawatvaX-KEBo;&Tb z_%czWK>%p0*0hD!6RlHnm?*VNkvngcsZK2UBwWTFv~KXVov=%cYbIRjT@y;@dd+0x zAr~i&ycD|?VRoF>%AIq@M+2()v2%YS4f*Gl0t{)m8ImAdzSeK#dL zG#E89TZv>XXfHSzZ7&+YfF`oM81>?tor}CcG6x2+FEid*JWHqt<@zQ3I~Q?1gusXs zk?W$ky8;D?;*M}Fcj}xrgFP>56p)wpb;_Y3u%HKH{(#7FYSXyrIcbGjOSerDwmcyg z`25cS*vNJ&OIfG3k(7qFR+B}@@Cc2Tx;flSb4x3$pgKgP)y9pj8aWLZYADn3O0(YPVp_QV`DIuAGxl?>fDJP zP~#CP2C1x<%p$P~HsVK3UIM?1X8E@AT1iogG9k%##qeXoejAuRy{(7mj7J9I*O%~R zF}_cda3SEp&a=fD0Xky}F@d?2QbT9%z?YrG7)OL!jBVD)TIVFF91TiC-E-;|4mE^3lQsAVx`p94NcNhfe$TNCrLL84t;2^%k8VA zBwkg)B8ey+6{hvj>1495I;+Kv5k);9mZh2JlE4b_9 z7X=S}2{@UUhw3XA#3i{n2#fgXW1Gfq3>M3z=lTDouBAm#bws^~!gj~N}WZy{L4 zrx(>q@@i8RNv3eW^?D@9H>4zGt?5%nCtAyG&$YyS$0~~}(dN=kQ~4BvSqiR*S)HEKW#+~7UIhg63d8pXKJUpC8G}V?NdsU=e_A1Zvi_KVa$cdAk zcElGf=8*!=w|<&upw<(Z<5zeL0aihDz~h^IdUy4Wyxi*P;PV%SCo%mehsF~X%Em{&<~ 
z>z*7t##1^;$T))CEd@VUVnuE;U7lUt&AVe`f|RHjP=8)G^%xqfZ#AJ`r;3XgWj zlz8EOBV5HD-cJE(r%JF_G!hhaFV@pXb3y&YXL31Inli^TrG;}=8uXcAs=$;|3Z0Ml zwVk$Yga+O^1KJU;Tf7(4+pvIfOJ2>>pW#Elb$ZL{Ug-i#zNuVuj@VCf8M2EVz^%uN4XP6TeNM9vYu+i z1ycrwr$SgX4{5x9Nd`CQh274o`#JYF*qEtsHfJx~!+H5|I{?Cz7^*X!1c7{79pA&3 zVI{0lVhoC;VQp`D4OXx1dE15ts>C%d8Mhk?_<$RSO993oKr{$Q;2ktGB+vYg#>B8D z>GPwD0NS3kBRL4RmN65aSRMIaK7fB#Z^nW z84=hs!2PuF0H84F=#tGO@s9?&UFf?wjUHGbl1>9g|#ULvhw(6Up7xWP&GE2Kdv znU#qY;^6=~&3KJhIu(+XrtDjikK=Pp9?}Bt+7R=RcpBFRnN@h0oIcv%QgyYFIvB&G zdfOz&r_Crj<~`t%Y2N4mob4LTPI7V1`KgE0WUTy&!$&SFs%QN`-xb@&Yh%$Y!qXYm#3Xy$&dJ6hUU* zOQwHjzwMrHW|I$vcMsN2SA9OWK97ZlQXV^cXu>i^F=9xRMMms<+!?!}8<+N@@^sht z{G5uNd?c2;1N{kC8dzqmi5k{g=4);h+K?vPZiXA`J@mP8l4KA7(anx3RF0Ft`ha+; z>ikOif^6a-bF4+t&qv#%_pu?ov14$4-G_~Vk3REiULE_Vw;y{%4Vfa^YWeB5dW%RT zcs|Rb>thuT8p+YCYi(nu%R|hhmRn1PzrsH`!TgUeiL);ymdt->Io!&+=4hqgPVLw} z6q04}bR2Jr#hwZAzCjZh_!3wCnc=BR6i{0LHW;7XwnzYP^<~ng`|K`2* zhV}&OK3`kkUT`h`JZ^@hVBG$O_ws);{mX_&Q>DDgS_ z`3WxfUk591zMH5@FjLFs3IPI?x4;4*ejTi|);G6NGPbs}`Z`|u&ymXWt}}-Xu@urL z-^oK9xyoh&bsT(Ph(VeLb!{nzY6F=wATXe!z%Ed`hL|N>II(o(hv(W(7B10sTTOS>_NN{b>eqe; zTkgLPCUxA&e4_(~Y~eZffn{pd`Z|1X`^_+^uQ`Xs(LM*ZX1bCu)~L?=OuYbN&+kuZ zA?l7R%8vO0l!P&gT(erIJ(;tB|@2rUZL4OiK5vY+7eOOit4^^9C!#OY*7 z7^yy5KU+P`IbTg*@Wk_wuZ6?8Dxp`Si;a zIOb7A!!>iSWsPDc$r-`SnR!;RD2g6rR`fnGb58WKs9l@g#-X(6dws{dmUjjsccCl8 zd_kAZsx3q{<5H(=?R;eZ>3|o6S5S1}#&LDnWA^B(cqEe{l71FEFMBP{3v*cbG;^e( z*6%p!?`|- zGhwPE-5tnkD-c0C?U#4h?pG~MC@7HfU(e0fotP-P#Xv{8_~d2PY@R@cJh7Iek_)f? 
zx+B!R?N&iDv^Slsm=ASA1LEabKmsM+Ea;v8ygV( zb|jm zz-xj}@wI$0iCa?P8IKo2wWs-Y$>p%4-yutCWhj+Ag(nHwab@By?`5JlE#yUld| zuFX9tUFZ=!1yP_ZM5%tfzt?wyq%qcwCdzXklS5dYk{y_7946@s=$th$kF*QNsodne zJO|HtHgu=EjGO$Ms0k1u6kj>wrVSC#4N4>eCw42yzr*D_u)T%qgDBl1V!S=)JMF_; zt>ZCA=sq4M$*%~c-Zk<{nR1;l@4PBc zIxm{Z=DraHT2YFfzFmysnMdNG%eQ-()O#O=;mV)cB|^$PWHBY7kD5AjN5QDch}1vm(BP5HnPe*&Z|EZjfn)LQHpqX#J7(PK zQ;vnM3Ov(O9RxnK2Y7(GuxL(Ho3M14gpQfGhP9lfJ$l@#{^BHZwn5!CbsfmIqwYq8 zu17RX;7)^y^5*GObvmP+t$&xfya)?kEG_Np@7iprMUn=B#)_b}Qm(5ln(i+&>)Aeg-YTt#?eLau z8Me{Iiym&id^wzD$=Y)JZU?RYb*wX3xw~e%eSM$YB5n*)LMHyQC0HG z`qbUzhWdfa^AM6Uf~ln<;IhU>@!+&KPcrPx9xMHMF#38tVr)G`T=mjbZq(gs*`X`E zbhCoNISuq#C@pHQ_5MJDY^dLF7eUQcX|O|}8!VdqXPw~`CRQ%^pbAbu!4B@FkwXa9 z7@KWY?Uu9G&E1A;JLqNh;H!$S530-TB!3pF1zl!GNe@zXD;(`FphU$jvm_Rq^J(F2 z^je>LkGDKlv4tVS9l$sph_{CIn3ay}6F|ka-l49%{vrtX;`FNuVOUh$reD;R0*b)V zgRK$4BbmWf5~#((-aWj>E+g%nCjz42U``9nFq=(Y%dD`=m+3>xZ8!gtgM0NaIeY(- zqxnUS6IER_EibI<8L`>w+$?i@4D2TMdWy}e-CLRzHI`3|h~Rhd=+J^)EF5bCCRUXb zK3KPc4k8{Eq5`tJ%EvleD9n zXq;BC)UtTb(?WPKV1hl{zxkd*hN3z_8)b@sSflnb02tGVgJaP~D=^b0)(r=7HmHvIXQ* z^3xwPs*?&pHadzUY6A#FHoO!pf~^3l|Eqo)3bR#x-(%SG9W}gG6ZoKMtmD0SP%x?L z3-p1@T;9~XNDOx@@@xTc3;Nq>JuVW)Q+fw1J1&%bOf^OHWIkMqyz$Y(N;ZsD!w~>$ z*Bn#!W#{Hm(tz)xhebnD##qQp^5@P%ry0gl5@)A)F>6QNl<|au(U^p3jN8 zuf77fU2*0@;5e>j!^9|<>%Eh%RiH51r@{C5OJTs>UkZEgz9{S;P0szd0LW$+Z^Mm6 zPomZ=jV+L?!mezd6X}p*_@e^-8lm@QP_2LO-}~?VN5Ae5i@sVZ^dJT)EK+PN?FbWb z0jU-r4!5TWC^ zN%GU_9h#7JaOk)cTp&35y61s2I!~ z7D|1IhzO2|4PbqVkP`5HhI;sUJW_d-)VR!B_>P~09G>&sWTWZB4i_&VwdwIIgxmv7 z?Gf!C2tEHoDDd!a7d-rhaP(gYtwcY$tWV4R@ z@;OlF|9FO^-qCUqK@*aCQ3>)jjoJF*RYx-Kk=bZSz1XE$oRb2?b0XxKruN~&WxN#< z)Boc!^epvN2t5ly=nu|Jj~;&bYPjgh!uUdX4)><|&8m~G$Z!$~;=x;O19zOp&(pDM zSp7#f5)ssr|DySA^$fnlyq)&kUU zy0@#Q_E(Wa=u3YEB{X31M-fSOjdGwu9{-eqIUk*L5gmPFw$X6sZ|=Io1&=i{8UVLW zG=P1VWivxJM>J2$%3P^>{J&*oRHGVxesA$~K37kh8_Sc+*3OB}r|XIDu6N5kC;Bjo zr@l1W#LuKVI{LSa|Gz4FO>0zfj2gh|MJLvXMgWn?R=#%<9Cwl}iRGv@1Dg=Co)g1` z?Ut?x2C>!=;OEc&<4^yc4KP2k8l=@PbBIMPtlV3BuVZ&`O7vrUC&-PfwjH?X=0yjD 
zVsETUaI5>z1?-#2|9Jp>&&Enn%Kotxpson>-b?-di-pT{Ztvsukoi#HcRj8C|D%3@ z)idQUJq4971-zU`zXtl-Vzi&Zhtvl1gYtk{lWIdC}`tCCQ?LbmiMYd(UkJpCsk&kdTn|4WY(I{&m4 zChS~&VxJqc!>s6%s4eRHX@S2YyiG}yQaSjR0Tb zF7J!5`Ugpiax8`BD;a9!3jr_aEP&oP%zfCeVe>jYh^-lN@`L_s&T;=8lLVfB=N!K0 z*PQ!Kr1@`4HC7(LYjs$j6!V63Yh;(i$}a;Qdc-i?fa$rO{xc^3)8$`d@(+TIJ_W|1 z+S?fE+JcYb0%76Y3uK1ytcleu81Nz518fm=o{izshCRxze|i#XRq-om5VibMzW;rO za+VOC$V15Dm&L+u=9wDkwd>dhHO~vyLNkcP5!-HDc@Ta7i6&ZEB5gG~`USyP(D?5b zi-hi8IzIZ(L$niq4f~0cuT!mHo4J8IU3_oDf!#%%f-{(R0Fx&V5!PR00!yRkuQmLS zGR7jb{@8rPDVxR;c2t$l_Ss2@WEKEDeDl@uUida%?1&&*@95XC51ILQRC_%n{mnXm zTt45YLg=9qlgG31yp*lZbMr$kv_Tf$Y3sd?=LWo)=knfb{!EtdNrKjMo$ukVmP5`d z{+Rr_-+39rVz22;`5$Lg=4PZglMR6zT~vF7ftDMkb#hz4b8Bb6^^DPXZ)Tuy;VF`~ zIwtrJ{Y>idmkH&b_GsPX4DI#$DQn`sXC+;@cErqG_(z-1paZ+j;~f(LtlVesu@kv|oj;x5t*!qelqp-q zHCN>HPWvB4jb&{C{qgw~L6B6Lgfj%mJYX?ltl%d|deEd2oUVRl4 z5sUiO+jO4)o6;7TWNEla%iIHNR4M+#rE zLdR3j`zL_@lRdry=%4h`AHgMO{1?>DFPrA>ID!%B>fX8#VC#!nTO!-kk!>023b%#Z zn6pzlKV8_C$nHA*6GJx-zGlsT>3huhugzkl5qf&hLc;O4F|u|D9#?=$4EUR#YTGhi z`s2=>{V2TtBKBW(a|-^Imi1R8`X__^1BGa@F?c~YWIGBL9Ipu8uR8`4a3?PqQYL2Z znsuzlNJY9?Qr4*V;{WY(U>-(tLCOrba+{IqDWHNUJF~|w&J9<5y3%|*+R29 zS#c@`|Cp4%7Ig4GQTl&)#C86q>L0VtzsI7n$5V@TG3 zkKrddZTZg`Nbh~A=8w9O7$tYi_{Sg4>((E&{BX!1w(hJHM=sB**_l0ycU}kd$09mG zjs6Xi|DB4uC4qM{hSGns12-d$Wt-td(|O$`$1#ZBui>453uZ15$^LlI1XZhH@r)I@ z*veTzXAu+bHGkZ%{|aJ8WfmKWdKi5r>f?Cue{|*c6-YyudY#DvanU8QkooL>>G~BE zfSwK>v-`j+g%44E*{$G!$A5t0I}!Xp5rY1z6yjGa^{G zpc|9Fp*$S}tQ_hif#9X>*W&b!cKITfbgEodc9ySy<>04WGNa+`J!$V zP%C@!-3DucotMOAA5c?q6PikR(mrt0#wVweQhhossp)Oi+RTELi{3i}rO)|D5E&I|E@rXhK zc13W4VVOkCqQ+QVISHBMfhOIp${XMB;TS@6LAD<4(r=OAGIi4N@+jp=V#+-Vh!ty%3l_-`Yq<)u zVA7@WEee#Dz-^VV&7_vVBjaY}lO(c`#xRv7mP&bWZdoNrtcZWq&MgsJ6%y+gph~QWDff$1CD+O~1sRuRPM!~q zgh}%zId>KeKthtn_=a!XF1>#9x{G74DQ=0J7)nOd4~#z-DOOU56J1Q1M=DdO5F&L) z4>L%^X3G=Vk|_?WE_B!sD8sIhIB0EBV6RRYr%n#$BJ0U5L#<9}J+(|X z7-Hm0#cD~$@81jwLTOZrL2!k}-@SaG->t?J+ps2**ia4$@3H3Gp8Yd(1+N-61@~v#_1akx+S*DkcjPL~ 
zVdb$C23U@sC`^GOt5zLBuGwZwX8k1s9pvQf%GdUK9-ZLT{6Ys>1g)QUL;cwr71p5> z;9&xPYGQUH0RefKn5{ULg88g_yp!;;sK?Nf?#^C%5!#oE(@U2#%)oSk#E3v{+20UHkq3iYx!CeI1nb z#jU_V{4zGr-P*g8b4k?-h*{2Yl0{eJD=ITrO9?cO?1^pvL{DTUr>)H%+LcO$@!jSL zg|`DE`1+WpEnH*vimztqRygwHYRB=yIi}$_O9{Pl!!N*zo7l`Z7AVvnlve;egFR9^ z9RfuXFijxI*}ljU7|7=Y9}G4!cQQn#4>A^9^XhFYWQ1oz;hYU4xnn*V0obnfL=q#TK!jE{YT}SWn-zeO=POm0t zJmyL`q6yFgHW&Ud)2HERWwzEZ5NskFz~bf5wy=a)3666P=M-?AY{Jns z>V~--Y#}6Aj-##JyMVZ_x}KrKyANXq|K%uJ*eb`9qkrIWZBWe zUpF2QAzQM9eLQ(hfEE5h4jMzbfgd#sY6Lpp=E@eU;F|G7~rIkh>V9A1ikvz zBCn#E))CE?m^W}KaHdOp)`;YiMp{QOT^rp?)S$u1r4hZwZM2SDxH*2B;+YB-^_o=X zsVih%AA;Ahqr`FNiSesWo3QbREEgYLhO24v^X>$B);kY!>4VDc{gX3ijN2P`e zv1~BZPpz#R16569G5Lz;;MP%ILm^o<_o|2M7SgYzw=APw<+R>5x@)R83(2o{3uxOY zG|_@qazc$OMhnNIk+QVT$zg}9g!CGcf0!$md5|67&)c+G0sX_zCZJT_t z+J_gSNfp|J;=~_C%h@z-Xqqy;Vo}Ua(-yFGY^0#q#IB4`vU5wxv|U-oP_mXmTw*@R zXj5uQ-VnD%OHGlq3yV#7FQHdlA)Wkfsd`Ub& zYc3e0A|i6VE9ev$j!tK}9+9UtIuosz%OG48_6Ed5$to{DrZ0jJTBeqc6%?>e{2^tz zRZt1-xKie|v~I@g>!88%D*hCfXK~nINg#I0e=1=#UZ%h_H*drKK~|gNkJ766vY=ii zlZtiNDsV-tkcIyC(t)M7uwL*6{#3PG9Jo_h*X@U2lw|Zk>c&vmy_|PPwwKh_b%O@# zE^@poV?NGnTk%=QZ|RME6pmBU#W^6 zMv51)N(T{jKMy7Uj=f*U-mjxIejOG59C^)41EWDjzYRryjcVo4W?d`+de!_e9=(Hg zk=afBE1rOuI#6nJzlkRxqz3lc*dO8v$fyP@>-sr7dZ#PU#Txz#PcXh!a9};ZgeT~5 z8GfhkZ}8Y1RRi2=`w=|V_$nY|&HMv)u!7g(Ze_dwwAwOrq%JmUD|XW_J&d%-c&&N{ z6^ztcWSmxmp4vy9wi}<-qP^D1sNKe8wdk&MkZQH@SS_j*&RuOZ4y!?9)iJGQ#$UB& zukuvaKI5)h^pze0+hx3^PM6}Dv6aSI^=D7zh}mA_tBrQf#*(>vSYMb3wTkNj-)w!vDW$vk8ms{#r;f~sNH`K4d{j}w7r(cJ==~v`t`Zc+ieo#Mh zNDRl;3^&hM9;p~Ov@%dFeoh+Uc^{*8OEGF?F*f7#+F#i4Ywfp`cx>eJHMg+5KKSnX;1{@DV>745N%#7obA15U$!!a6utHS zbq#EdpI?P*51U3+0HwuUQx9G>dv*_Qyr-4Z2oQEyL`Ni@I)FMq!ij z*Cg-y#>gsqCrsK0m^FJg3+`X6qg60x6aIzNVeIF1d*)>95B0ufjdcq~UmrVWS0DDF z72CJR1Aowf{qQa%a-LbhdGqybHN7Hilsx>`HHbE8=8&}Edb8;qm0;u-03%BJz$2-{5^u zE*CFgKUqQ79sK{JW8AIcio7)J5wMBC8(J85!j3>USP}A){MtdJ8V7_I>cHJ&0(;$= z1|*{4vhd~*R?5Q;Z5-&LlS=L@K3wDII>Z;6_w1kFeFyA$eeglLy4WrcE6yDcUXy)0 
zk~csXqx0E}^qR5;z9UN)tcK(i^DA4jQxen76nPm2^O(OSt100FEP^+|w=J^Yn>3@pQu)_C`IYZ*-j|qWA(h@D@%m zyAsEC3K$nJeDoPttM6vGkA1=4@p1v|gFm6qN$=sjctk3EIaU(Gc=*etkQXWwLS7~( zgUO4O2<`>0O5iNloS0UBqW8T%?0w#3ppX5&p-=3wIp~iJdtwb62pp_dAVzy}+ljcb z!7mdwTBJh|w(;29Bx4w}I5}4ez^0&8M z#qBL6)5*3r^H$V$@=Pl@a1z$$YjHVy$ICt8ZvHFbaG^oUbLGu3h9-^Ce@?bu{~ADJsDi?y>Kd*~Yv3I12-_of z+jxWhj*imt`@>hBJ6+E)5%L|dBK|*IvJO8SV~(0^^L%lMCmqf|z8^P=bRXhs!hRdc zKjHAgyDzKJjdywpAyZIQF(T+|RI2$Y(o}A%yTO{*VwW4C^7t zrNE^TKKk7umZtTNOSWA83bQh523=Vr7;mPLB3_u{RRxFWQ!rcOYF>GH%jl@oZ*ktQ z=*9bT>do9=q<1A+AZ{X8=;h^%v>X?`pwpPSe{Of5!_(+ATBBx^6r*~|Dd_9jSj{rG zXfnD?gHNA0IJApb_R6`-6HRkh(GfG^-^s-rwSITO{UvOni8=|lM}JlR5#)ya7fksl zV3h|V=-AlnRX|xL^IhEW*Yk-Nz9bFMnjr4@FJlOAgH*5M^M~s>)45G&1|Zn!d_8|j z>~(_0#q@Rx7%sgavvrbV%~U8iQrpB@S2^+~3fp@u>WCTr`WVk-mh~ z%(#7h4Ap7dnpU5;1roN;<^q%;a(puXbRVtcc!Qn>j|(}3Ep5f38(Uq0q_G>a*g4om z@$?%%f@AUf!?>Y{9()f!K$#NB?PzeYBt{ib4lFA&*A>3}N@hyzR(7ReU5g*9buBZ* z`J=qF4LZy5Mo4d)b+m^m~g9W*IEk_(U2b<4JHQz z(qQ_CmTe+`T{urNrpvAivW~@#z^;fzg(mO-p)Ek+9+6O*TJ{K$oE6?>j1?bKE%?~F zy5-b!z|0l;EL);_87!HvNWCXrk;+s(?bgq1C|XF);|Wrm*Y(ZSTU$^brNR4FU+u-N zDqW-t3=?wK=3?svZhnxvRX&y$D092~>Sjl(GO96I1uCaa=B`S$w`KK4ddiwA5NInE zij8fkGhz;B-Jri!`ykU>WUG}cEs_%ln@M21)%q!Q6ZE@}qMc}^3ZjN`L0U95znkd{ zVEK6XfsF7L?)d43J#TSghaZbtF2046`*pi+&$**%pBZ=o06Cl3&c`H5JTug$=Gkb* zz}@SxKhOdXaI2TP4U(@iCqGgx4yZd_-K{6YsV{cNIz3-5XMok>ROsCCP3I1W(dlFs zOit%;+wel>2^f3D5uZO4mhf7d?n4ak4o7Rb(^5g0^;me4!71{4a@Z-4_`|UQ%DZH> zG_R70&bUvRSBcMTaXtnyCbidcg!Qm`+C_IlH3gH!7^WJ*!H_Y@Kdv#aNEo3439?s_z z+AQ{p3gcNU6JJh5Zj`MfsT3YX@=!OmmZC?n;L^)kziLIT3FmNjj8+^IwV*t~o4fmps5$c~Z%g{Hf$87gN*Vg1EKxmg$~I7A?h2 zCHZm+dbX_ulc@kFLckI+n#4W>TJ2>$oBT|+syFxfug-zSt2ar1rd+qiZuGq3-h7c8n8XJfEV3LmT zDS<-dT&&ry3v3ke;5XXko8*xe_}T+-7`6>6e5eb6L}H~zL+1d2UKqk% z68>qgGypGeZvj1{Z?Fzf^@MSB%pJ$kxngre%>ANiK@gqpV+PSNdVYT}7#cc&{+4c8 z=1{jSccc#nJ-_GLU1#F-cNIiOjQ_G(5FH#cP#6J7g&iY3gmrwR8-{N5-WlWXdOfhf zIxz<3|4Jt^qKNv86(=qtM0XE63Y%46`U^X{n*?^~3gj|(l7gr`${n#Dts^WCp-{R3%bH1FSVd6Jk*nNSNe}PK|HpUa$g3I)|WWER15kNN6%_OUy|jz1)WJ^ 
zfGKxoxUJ481P|*?`i^6nU43N3W^47~K02|@k#6^`vC$p&2g7lb*mZ#6MNbs1NCTDw(*YCcj zXj}us@Epg}-GSZJEqmbWwlQ(^!NltsmhJThc9Y;hXe)>F_$KuH>94!ua%%0DVNqhs zhq4DYROl@Vrjx=WCHX+=R0SkcwoF1YMROvOdtYBhV#C%YnHX$)Jz;jKq#GpOh7k_~ zT+BdTppUeC*36l;!flM6IPM+D8S`^srbEdN(+1J`wIl$T4(lX!-iMYxVSj zX<9wkbS=+y8;Ta)H^6w6IA0~=wimSa2pU~{j^y%{SQIC#k@V@$)kRMF!C)=AKNbIT?S5H9~Cp%EW~hfFkKUtkrjUFkHsLHyA_VV0JiC}`R8Fb2aB^DdR3%iB2f&bfOEf?8(3;uv zO1u(5!BX@3%=swg(9+Q+*iOmG-O zpg*$e_NZU40_dG3U%kf9M_$=S~QG|E+~R( zR;V>`Si#gfr4{h+mlR|r4xn|ze~Qb9atKhdQW6G~tuz?_lXsW)R68OoZ@6BrqGNo` zI?O_Z%DTX>VwqJA1AnF;(cqurGvHkDXC`c@toBzIIy6OJDtu_kSW@r4%t)1m5sgP( z*60R-M8EYoq8XmXSfbo&0EH)cQ7@vXckK2r*Bln#z6lt3ANMTQ&Ie%|KorEzqOkev#IkD zR|Z={F2j3+jo!?7BS32@bR)$j$PGb(ffrhT9ipk&jogT60RMXtEa8f_zv2~N@z|=H zxxUfUK=vU$4;=oPM$~|RrVBjfg)ojfjS?TnNzYuA!HSi@ZnI1 zD^k%!qCVywn63)HPF`g{2@gxZ2k&zqQMmUOY@hp!@BZSuzxeJizG;nK?wa>me8K}j zXPzYylBBOv=X62u$QIDrF@E5vPjAer=hOThHKWFZitGZdQc+Y6bhP*)u2Qu?=|Izl zP@+2(A+71-%r%jh-DON1PJr~1EV&gk{=y6$(u(nbq$0716WkFet&^UJ4hn$_ zTZf+t0MxA=%;;J09XXaX;=bfgy;}}UQPP+V)76z2rjT>VkTzmp7WSy_bO6 zZHKovaHTvd>}QHevz#a4AtB&%d}d8YP)cGm326pN)kBQ5AtWebR}1=*$8Ex2Bx)0f zDN7?qz319dp;(%t_lGe}LYeH0#QIq6E%c8R0bEb}U0V20Q(X|ER&g@dty!FE3}na3XVppx1Jj}&Yh6_l!`Mpq>F7q z;#cV_Z@LguSQ^A+<gLRp)Fq^Fp3vuJ0JryPB}5a}h#OvwjR>(akv)}YM> zFCZtOCmlXoCBl;?z--vj^;&}ia9@xo%qoeS^N z)bZ%Yv@@ZO_#$N?m5+8^Gj^uL-s)RZ!z(M&<$CmTy?7?>z8!}4!_CZF+^+79G8}(Q zjJ%M>czOs0xndYPoAti%J@!rda<8Y~8>sCK)b<8yU#p(JVL}9c^Cuxr;Tr7iLqb_~x4iltseT7HV^X=S zs7s2v_5+k8|Fmy|!<Qrq3@KRzq|Fi4 z@cToYcI}pnY|IIX+Y4hsEKAsR$sJ`h65j|bNc?BAdRY~XUy;e6k}{9e7sowfi`^qA z^mZPyKfO5QF8D+F1s{6w@g3;Cy%n|K^JX)~4C>k&SQWOaI!o4+tu`wxM~~5NypTOc zM+hdlwG(3(?rq(`h#B_zd zJL29Q@wvMrR#e!rwx=TNV%9P3*;&WEjzol^?1Fr(Wo&rp*wA@`W`2Vh%+tB!ZNZ+d z2JP8ym*hW87lnSmW{4oIS!{3z-HA?{QbmMEVuB3we2&&jZ6Un?Sq_~){=wln_ZzcMJv^8cb zNLs!Zw8Qd3+#*xfHxi?@j_D`;P`*IbNA}jBn`-0s)}T*ng1I*+-5Zp)z@YT&jBmF$ z4BZ=s)-w#<+hOkQF!y$tdppd%9p>H+b8m;ax5M1qVSW{Mn6dV=4lpHEB_4iG>#)8Y z9_M|3B!$vV#>OAKBt9r@iWR7>hop2qnpx(em5N<~*uNa?&GWzOGrL+|L;+gtKP4lmBrc9R8eFkt$C 
zdvhdMPzu%;{(8n9iRLQepW(fqmkfWa{Av8q-1f{zwAi0@%~F}eyV%O`*Si7L5^**81)KY^_W3Hclbv+Pl^u#ppQ z0jrqfxnk|;efPt0S@SW2+6@R_~6@16e*O(M=OwEqmI zDxxIu5C8FDG7ViVQ;u5*Y^xWTsy6p&cp3(u;A8RY>Mvoj*BJV`D5-^-u|+-yflF<$ zE?pW=jIF&nLmv!GQDo*Q{*l{x2_Jd%D1s>pWL+diN?Afv7F_&gQ9cM+$^qdzXr=Cb z<;UztN>;UoL=i>I0xby3YLKE>}_mR^C*y~lmPN3>m17#up%d!J}sTFwt>x6p0 zx)boO(w$L%{;ac6=0x+>vw>*wki;sm^DBLS-1LMEYX|H%)RmuG0&e2~T5$|!$+rIe zzyDWm%lHHzWv(3m{@?yDBo+_9sblz~emiaBSJZ{_=CREG{2%}A|Izjb@uCUXAH??u z@rr|Z#W7p;0Nu$jTWJ{HxX$6}VYZ?WjW_k2TVInG@i&=iI1ksGs&V-BAL`|!D(`ZW zk)}~d%Wn>suJq1u=^7a~fUEQoO;55Bcc0U?97JDsL)(tK*Kx7ySiFj=(Ki< zHIX*ZNHFbi4cb?nDXwrhpB~=iQD5%P~i9A#vrSwJEY&JZxph8GnP3K}O zXM;ybrScsbyPbjQBh+)eqd&xFAiDeWzvK6yxw$?7#m*m4yOXK~|GWM`OY`3ck|OVO zMH1_q^uQeBpVH1>kuiPXt4b<&L$)#P_qdqEYPzf)4@QsvdyF4l-U!@sNMP+C^f2Od zd0~n(6_JO=L(mpnMW888<~}g_69*Xxhcc~Db^L%~eGBe)VX%hTg0=%1!YJlHso{3-nVYSAWo9PwXtw|M zn1O7m*^_n@$DqRDg^E@2Y>Vnu#J=M((ZGGFX~jmtB$-lS#ccRYCCd#S zeG;y5;xd;%ril=^zn;y4^@_vbU-V?CvjXl$n1dA19}Pa{CTGK4K~Mt-pTs@Ct1_UF_ja=ONpX3?YQa@rQ)i z411@8Sqpgw@EinxXbVjPP71~tG_+*?Z{Y^k`-(498(Hh8c)amN>QRmKA1_^XnYDhW z+|ZvH^OGELpk*i}{c+P@tGg8R_jj|M-OczK_+tu!PlM_S3ZJdTju47)d?u}K^2y&| z&+rJVg(JHI2gg z3l0rne22AoTe-6tKO(-zgp0Is*y320MB!VQ-w<0r{18WqrVoZDmR-X4raUBet`)nXv6Q&}X)RveU`o=Xh<+q(90$PnO_4UfZrj(wA?} zT^F`F0?k$(Pc}{oojL66Q$p`kLN`tcozo;2>4)kiBe|ch?w;UG+v=013s(2eFo_#$snx|l5vC93j#N8(qCzK$4&gpzS$Jon+1pLOHGTO-DSPa_CMRb zBFj|Eg_>oqSk9}H_X^}EP$0)<5E(UcW96|X(H_eZ4OVH8wI@*_bDLQ0-Uj6sSYiOD zipf&jt5=T4bY}|YCXVuHM%a!bdFyK9;d9uDHdgCyMY+8F{g5w$`)zTLs}`t*^Gjn! 
zKU`E`uPD|;_3mC#yjK*LWML6=qRUdD6L+huQb3+$hL(CAz9nUdvj4d&ikqv5pZuh{ z^JC*)BV4V|DNRkYfu5*3fz9TPm!`SdNF`Y#8P0aUQlX)||M(xWp*6S;;ov*%08|IkB6O3zbg|6)PoVHaP&GO_jQ3MmJz0^% z;}6m%9Ci%BCin;)WXpX?KlqYq=ySF_(TiY<@j#uhr3n|n%lx)~is5vpU}PSh!V$y9 zqfoxL2ljIMPsyN|UDMRN2L5*$!r{`pmsCMMA)^DVhZZVJeuxoA2`pF+lQ})P@|<-D z2gJCahaFb?kk71s*wJP%tw*3VpRSHFLysjcU6V8mHZRArp+5kMVMtc6(Ln!lBM1eA zEe|R9!)M;~pS*{&avtX0{9c;{x53Nl%)@i(nT?gGj>P4aZm`5j^y&6{agROw$%aEJ zKcB%rRsm0VLRBpBM^PgTqqBftxbMWHs9iB;BB57khOX6}$JMFWu?QW5Zfy)Qlzhq# z;iNBQSBV^N0izp4C))MmpM$mL*ihNC!-Zx~f^{6TK#R|na9EGl&YfmsVlZerR^Vbs zX6zyWg+LfVPi0f__4glWu@`i3 zq0RELOa?CJ_N^E3DVLOE%gUK~Vx4rq*U0tZEFSJFVS3;tTS4D?@Hb5R8B>z&1 z)i2nJC?U9r=o(#-tyzklir3$wp2;46kW5?Ep-TKI)E6m-rP28a>-(Qd)(2ijI4Ma* zoxRVjP`oy79)(r$WkJ2lwMDGMrs#?sjD`O8PP*v>?nFc>338u5yZ7|2B|W<* zXLf-Sn<+luu4f)S%NU2pC*o87(W|BB;5-__2p#ZapLB8w89FbL8d|olMz0s?)$rgw zK`)V<fT?# z%>fkRaLT>#0FZ?X#NrBe{}t+ieeC}Y*G=0qoQ_C~b=4aFrgqExK*>*`8jAWb#mcak zF8Ew#cQSr2PwkuJ$;lje;g%$xJR#Q{vU}2Z(W%)r#+2PoVM1rY1D4|-A&1uArgsA_ z)&+}bH8-+~A``M@lFv2LmfqD4;x9 zDol#nRGcEsp#sJ4jSIMb6S+ck2yVd8plMMDn-lGPwE{5*YP7liz-mH8-WX{Z+L)4_ zbdn}RZyvy99WS4}C_qsQFgk$?9$3bN+QRc(&po+@Wz5&U)3{K%ffHp;qC~1rsrEpR z)d#0O^cBcmtn68I8Zj=@lgqe{W21Abe+!DdaHY>s1Hm6kFG!gUnJq#ZTZIUP7s+^$ zl}L-1B58}DM!+1y&>D$iAS*(2iTF9RI3Yj$(1ZV9I3)bY-S^ZMg}ea*rvU~=F=2;du zb-4hA4Nl4r52PJQW1XaS?0;6;#B|9@Nqaz@&!n|s5>5nOC)K${C8-ZQag%1H97HVv zpi{)lsOhA7*Gaww?-@>&n3Uz73FQT1prr6iD3fKW9FwKuL-EK&l!pY#q6}3bT~scQ z)1@Wi1vD|)qMRDXpsFhv_$L;Q+5%E3B)~FrjLv*;*r_QD_$M9*9&CIF^TbCdPRM{HhmxEm{49Rwmx+-h&01oHBtF`Y>e^sq$kctIpAd!KW{OEv(lsE5; zKNc5#L&SxYGo+e6K>Oel28T5)^GCQ8$P0m15;*~Fr9>XQKUN>O7(Vh^&`bVA z7%qHwXUoTdRe5&@U%3lr*nC&o5n^3I&W@jeL9i>*_HabuFzcpNeUeL7sk#xbi?n8a zb>l&d1r;k?wUjbdUPhvFlqx3^6@bt>TrcpZUetpFDpSn<`#`l(&$(Mnfg6k4eP?us zBh~g0P+UE{f&~=~!|F~EtxZ(S$%UeDQhao}sQOgN=SU-<6oZdKQ-rh0U8YdyOqd7_ zZupgl{C`pDB6WD3{>1B3jZP(X3VT+EJ3GxM@bb-5&K=tiYm8KW_ubBrNo1u8SomhG zHDV1UDy51|HmbFGpvl^%DMuc!%_>WcTEMsx0W|^hP1SsY)-E*-bd9An*+dr 
z-E!y`Y^iO`uz)!|wb?XUp#}0HSRf=p#7KrTBR&jZ2G~-s?xqo~Ht_%w_Ox)lSa8E@ z>L|e=XjJ9FYvNlKJsJ922kDiMPHrqVhI&s=$>>!MG96!!5AQ6v$0t!@13>Y2TkJlJ z0IVidqs&dk9}vm~)$@08Zu|Fu3BCEnAi+!z*2{%q_O1_556r?t@NV4@D|ApM#}z*u z%c19TxC{DP4L9?qnEM?m!n3I#2+DJ&YzHQ50Kz1n$ux6kN3dKxXh%8nMfe23ESixc zqpVLXvN~x>JDKkQpi+nm#NEe&m&?WwksLY5^g|IgkkqP+85Cdv4IqP8U;?(58aMAj zgSLPM@!GJ*4EC789y4e=W+2~l_PD`UgBxV;cyPaYTHL_g5I2wzurY2>@ACIJxPjv3 zn>D+~4U)0g;|6=&VE1lb%~zF;af1emhz7tx5jly=SAF21Zktig877EUAZ< zO_k87txqBhY4gCPZ~_S@;=!^=pGPcM9$M?;E0>5A*8cMnG)3_PjM#uzRMs3x*Zhhw zJi!lM(iVw7*h{GF{R&pmGmH_AU1Yt(jxr-$-qnS7pN|U@H>O>AA%=d`j!@c}4 z4Y&u~hfXm3u|Eyx)H{we4kWV?h7S?VFl+Dh&u@RmKFqvZxS`L9_nkYRE&vN4hRe|C zo&9MVgwUgR0d?O417uMD-roVFLkB*>0iAY0r}cGcfU$+k zO#aE>(&Yf4B$!QxZee`8Vu2Wwj4 zv0+7eI{&15zb;WiiyRIxitKS{;8>8ZT=t#F@LID6HNJZ?BrP;T@*suXHO_BCTz%oH15RW~- z&;YCCDMn~8S2X{c1p!cgOUm%H9u!WWgC27VC}HC9M;?>ZC#Z5v@{16;L)e9=DK&~< zQeQj@2`11d0-1N-Y?*->pSgwoTM}^pn@g7$qWyPIU5g7dVP7E2&=vBoP}6r zgSX;QzA(;em%U@~6VjLRhU<1T%n5H%ueelqQyTVLgrh(gje`!lb^iN?L>x@{q=_Xf z0=R;5{%95OzMQ9!G@gDLqp_wjwpSjQ1-LXWBxanwrO5wZD3}efa~hB%--}bbQ-B22 z=x}OsRxG1B&-Lz-@tgXRP;*S#j@n7>H<*f29MEG9Eb(@)_{&=D7B+Q1AZtI8cG&{hKwrhYFIh*h2+-sGyBdf$FN# z7%FJ0iD-Zp6wwklVbwbALsrS!R=1^o)Npua~8wu2U+_X_aiJUI8^toAmTd9QBg zE3jFFOYD3~;`jd)f;r{4jU8m!kyRAA@Y!Mq{lZl~OaAlo#tV_PQOD1{vLfcfmIQ^H zc&Pseg)IyUP4Ast5kPX5cN!6@gn!?9w)+=Mt$ULA$Q=pJeaG4|7Cj!nkA4KKw~6B$ z;0EYRCb^1GFFJGzBi>~^2p!g0Xhhbv*b7MupazJ0Tqu(gB%~iknLB@T2_&COx{kT# zfq~`$tZma(2q&B0lEA~6!kMw z621t}jg#(wTG^B63>#L8|40Uq4mz1>+@FXnF;7+OGxAV8qsfkif>)4Fun{(OQ=Il&~3B}h31b=`}+@h}rcc~>6Uf@y@FDhd6#)3eQC^KXg zuwxmd!7MWzO`9rm%#x>ZEA*{;$dv~WL*jpR@FD4c>|&8^3#tlygD?mM(b(E@Lj0Ig zfhsfS8qt44(l~dNqJcPhcd~6zKdI_tDv6m{>fuYu6(=)>QG+OF&)NnJp%@_uZZIQ;cn7pD&X zbO1Q+a_=>UgV9fBPrBt<7Ugv^0+zwi=7`QhaC)N<9y>!$q8pkC_t7PD3+J545Y zWqNB!FEw@c1X42VipO>YvI%g9Oa5WGzah*ltYLIjq^0ZZ4%r$T>=0sC>+BL}LqNwd zEgKkn8J}KY@NL2x>Gv_cY&%JxU~BCrV%Iax;1vs%Tx6eyb5JrVsg(==q-!cIUXp4m z>zAaOd#UNJ>ZJ>%P_1&aku5gxk0@6u5hjwPR@!jk(Jdn{ 
z|4=GU$tjY4kB+I_ftbF-)#MMbXb`7iu~LcuaHgg~51!m|r?mf_@^eZ4HFvkp9y&7T zjgEX&^X;Wlu2$^Z`2vz;uBH2Mr*yV*Z!=>dUCOeLd1QEILBysenfOk2KKTPl?^1(P zF0i@xlA$RRyzS?XeP>o1GVT4$TW`j+OF#2BT$}Y{tjv;=a{zo7fr^Y6EN|1ysXHDO zd~u(Dw$KPFy%p>{-)s95_9nYS>(cgSHmkh{{8wYvmPH@|eS2E7w*H1@Z4v@DHfyT~ zO+JoUn<6yKn%$eVC1bHSYulT(wb86ibyaB|QGTn?W&>llA`0Us`t^<7>bALs1@^fZ zyA3Lg-3EJOx9u3aErPi{3)T_wB?FBXi7?IG$SxO{;UV&L7mjxh@dW**ZQin6$tsG> z_-t+728CNdmi*^u^G5T-2EfiT3p4Hl&+U{j9Q=%0o3U5a)XKA+J6V0v1Ph_R<g~MYerkZnSFTnT-KF8_AUDF385;Mmm-{tP}i))Z(7j#T6*rSObQZhG+ zKgubLKRJ0wThn2;MfYv6%&YoX?L@SH#XvYD+P*)%#X!l#q>Mbh3+}-}2S%U7*(YV< z6${W><{QrnU|0h%O*-i_nQ*y>k)vf({a7ug=3U{U?c?^;;;S&t&Mc3LR0Ya(M>t%GiUj@W5>u+5`+aY z1BvH5NdgG3Cey_c^f6oozH0;IDULImw}@j*zjzaO^Y@yW?h^6Te(m!Dv8@oMH9pGJ zCZ;oBJOkJUeDjLM(M^hHU>91L(a32^h2uS<(gy2NN4s*sLZPGm06Xt&y70h$3+>O~ z)r||Q?i`E?Jy?lZ@uO_FJ0hodG~MWEhuDliT^;f`)y&8sM=_?5045ClBbTH@NYN*} z1gbD31iX&BEvriik-gxg3GZgX;#Qcgq}|_BdB|9k9EoxpkD@pkg?vFUQO-eRK7@Io z;+sgDVAqufK0zQdlYD)^2U3(4e11hXb$lvB55TWl}6 zI7+>tyhd1!lPHm&JkP`<7mHn58uMwJsfJF{c#Q9+V?tMzH$H4V5cF`Lsu_3!_t~#H z(m=B39y}VN@&rI*`DtOFhI*fdy2UZGx6re5n-3CP*b2g`2%D2gW>){@@-VSUn2^Ac@AXfkvj{C7$waZLn zzirq$%ayF6$c)bxwjLJl1X=Q*Ynb;;V)Ho_78XB+UYlKZM~;JQz>Y-)huw!A9*e`q zq}wiUEAUB}5fT6ecRbf6yBkfH%f7_ZlJo5_B0nEU{E#~v;98uJ>0(X43CM^_43B~& z(*Ank!q6^OfGD5x9NRjM9KB@g34uC~LH}FS2;4^cD&V=NbwddqPY)|wgR~dIfF{e3 zR$`*xEdE9uW5cjqG5CfUmV<=fpwKrRiW|(`eS^bB;Y}fAHtGsA&}5;H2}W9pGn8W$ z>H|!QaE5U`-$p;zqH?YWAC|X6ZT)CU_2Lgvc`Iw7@)O16kU01_GXHe>2ET@b!Q9h% zmB72-X^? 
zY@i#+cQC8C=H9`^seMA#Inw9zrU@&Z^76Q5%X8} zuUF9Y*$C|qNavyi?&cn+ypY)+5V$+$H$>Taas)D(FW6X8)iI1fGN2tCQS#HCfF7I1 z?($q9^2tan?0Zam%)&D1Doxf54T>q6g?KV?f$Fr)tPz^5S&T`Oa`wjP0~tw(j#(I> z_jFYzA!}rw-I37CbT{*^;hTSl5>g}WbdjTPE&$m;Ccp2rwNE_#^;;Y4)*<*2-F$bD z&7l3Bsi}3ebrvtIo+bZTfz~wb z1Huo)=9#C>Al6iwR22xG0hj?WVubLAWY=*hY!7F5Mnyxs%{k^_N+dK-eE3rk8`}` zO6NWTCn{)s`Pk9fM@AtGaDI`@`Bo5l+jd_9s)iu)3TtAozN7fV@#pIWd6v8py;@m<}u9n-Yz;bb(nt`9VHg--{*zr13snq%x_1O&`6 zodTMLIVW4tg$Vm*6G78-=+_76$P9mAg@HfxFNgn&|Dh-h`_U^ed5jeCk7daE<@LKH z-@BZ|*Kf1Ag+yOok~W**THMlsJ`!etJ~;8hFbFYoI`O~9KCy(|LZD$i^nwtMVWJbS zkb+x61bv@-P~en{^MRkE9|2S_jpyTHN#M+1ynBYl5_}ezOrROvvLogJo$*hWBZc{n zh=^ecIw-G5!L{qf7iM4qqQTaTGcG2;MTtizjS|30Qvb+Q$*LF&q*%$dIG!-n}^UXYXDtFbYMl9wRw>cesZ$rGQB*QLk^qz4%$f zaJH`)-5lMt{m8dp!T@;GRmqGF3RyGP@avDl+= zdo-?%Xq@V*(in}~igv33B3DFM+{CCpB3HM~Ev&201(6$9Aadh9BDY0E?joI0GMAa_ zTL$N{oX9GQ4ESupxpCoYpC$jfdXy4eE{#|b)w@=m?pZs!@W5t-D6|215+Yh1iwWuh z2W0u}33!)JzYV}uY2N!7D1_<=cM;@`3JvKw$<98pquA?|xZuH4?da_f=P!=oi!|^T zF?D$WUW5YkrM-AKjIX8Jti}h@ltt7C; zan2VL7qfgySILKB56pNxgapg96*>L9nAnea%9cx#HJRsS$H=~H0yC$ElPd?BiBl#E z6cnT~mwgssxlFTI15?2tULPEG@^yKR<>RaaYPK2bMOVFwQ=oV&Ln!5;bbjgFSmiUn z*CYNBJDy~Em-Skn-nU-oS!>K$UGTA@KR!sGrd6nUfOj^#?S`3sMJL^a-uMSiVw=laD@jwE$xE9JtgYnAThncK`_8WW z?6=P$w03KpU8Q6kT*8stkwwwnC%k=9FWIjZR(>M<_S?)@yoYh0z^O8;X#*|O)55sp z4Pjgf0UN`(^;B?=1LG>HKv}bU7&jS=|_fz;qlosH8xlN8Y^yJm6bLadYg*YNojG z+2Xi_dii>v8-QnpKW2Pa`%9MW+$*u}poAIBX)F@L3>aIsFt6pp15mmWi|(I_%iDBqTEMUZk_i z2@=O(V(1^ic0qJO&#dH|m>M@exRT+aOVY;R<>{&RlZQR0DJ%nD0~sR8hUjPBVhD#w zJ3{?DrRC3We`eu$BaE55p4lOQBT>LYfqE2$C*eRBYk=7w;^4g`^%KbiN<7p4Iarh7 z_JQrmgrX#J_g26%wEukd`WFp3Cjpl4@9#6XvK!nlW`XU(vPTom+R^gYf1J8!{XyRt zlMlV7_6NKqK<%)Ob~Fb-*^lJSA**|+P1dUw2Ha#Uhf#rHasc^c`Gh^_Ex?p4tS$b= z;UK|5nO_=?+D%AD?TqN^Ls&FWzj{QYA^);Qtou7mwhIh|-3Zoh^79iSIMH`J+A<8) z`|Efo2<`imTi9jR6O<#i0+C^e2jz4g!2)#(djfp<^v!w#RKA2siB4Z#y?l51hEC`y zgDl?Jx6utPL^g@*gAZgIJEE?=XNPkDL8ka7n+=xsQ}*m6Sz=C@yuJY|g6XgF;x|e0 z8%gn0P~#Z8sH`fYU(;y1{A3|)XNQq@gFhNHFc2FU)NEjRLosm80V|TD1h%GK!ziW) 
zpDYU3e;P0lKA}9x6kPpP947X;>&5ri3&D93W#Q-P9Pl1kxIjizOAV}%D64=%tP$5I zD~ATg86-$@$hc(s zVjq(YM;U#0UoU`e3~3A-3P#~gHY;Jn!C=U^6R|-f0-jDZ44WZHG6-$27W`F5ramKr1FBb~Fv={-!3!eX_*%t!=eWM@MKLHdTR`gvpS@ zGW$LZB3}^sF@f%!NyC2(=Ipc$;P7wGVn1pAjI{rfMIe}w@6b4z zZBd?IPQz$*<-zuHrpe+&|7<6(CE=pQAkkST@;H}s#$8&xt6Rw>6#tk-%0-+Q6@c9~S7{zOTb^xB0 z!3LEG%u+m@%+oc$UFRN=45Z0JP2-83LC#nx z?la9i>9gWLF5IM%q^{1JPKxo4<;wnjrq4-~-a4VKv7_?z#1n6IkAT<_W+~2e$TqcS&hpT_X;A({0bl?&UWbu-45x@g4Kt&j3-r&-0?uq3_Lrc`5vG{9qq~qLMZVAusLR>Jw`l@^!3Jt)ou>x zy$35GD}E&Qzauh3N7Idtc8E>*(^b~cBSki<4WU1Qf8+*WHG&?%Y2t+f@S7O>bYRw0-+fL$06 zynxB426T^MLjX#C#rD3f6wY6(@xX=*ntiknnY}TPmsPKzV&RE_JY!QJPe#M$KweGN z%Oe4Ks_HM+@E*uZ#$pfT?SZ^j0(r_SOJg9fk*2Q+hG$fwZAJqOuXd|jSx=u0hG$k` zc;+6%+a88Tr0fOyzrA_!jbn9YfpCfZ_I$BAvv^t04#0B_lMVfbAF$~FE=4dnG~tDx zaq?8Y3)yj&%if@`5$Vz1yg(J{9Zbv&CkH_?;<&lQh`(vr4Y4rbZ|c!Ep@3OzCY&jY zGKco9+ASzdz$zBC!uRCkH9#{)MtUo?>+S_i19UMpJbH@kWYQ%y87h>FGixvL#LZXgfMG3?Pa&}@mR2>Xk)fFu=Fmnt znWv{>VB2I8j<*5~($1Fvf)sH}AVD%11yCTR`w3vc0(39uGp@!&3H~?p{1x-#<%}$@ z6!b~W^@3MoQ}y}^CPW0ePH@`*-e25aJpd#;2dYD80{W0CH=&PnEz-oqG$nDuDcN+z zILzb`1K=cO?Q8(zeDHBBnfgoy);qzJulTJObhRxk=fHcRd3A(Rw!oC5ma-bL9F^gi zvWjH-;u^27D2^#BnapBboINV8!$vKxfWJ#RBl_5jSnPn>pI74bAKlmO3yVtc^z>xy!{TesppD!4}lTNkqWt4TRbHl00) zimH%OZAh$_VKC^Q>g$X9J-2ssPm99zfj=fV!T2d_e+=Myucr zPx9$9QRDeW5qfbk^ z7}N(YH{JkyuPDBQQ(yOYuyS zZJ2py3ZW`#V1Q^ni76mKiHMt}xA-&-1Cp;*C4DcEuv2Q_uE%+HPyO}6g&|+808BlN z7{BQZbHF6OagtzHr&n=!od~WH)(gv##?~VwDp`@Zy_ArxBH9Y*OL8B-1&&7V)ibR! 
z4R1PAsp$Ae^oKyR2<6<_5e7@;Np=B(x}D-2(p1GHQ#7=fWZ2C*G?0XHqhOz)IH#U=$!SRT@fkslz87 zmE!^++qe_HL~GozN%_4tP6Lf0S?<00l#NgN)8eecH)5NHqK^`!=I;=^JV`quo}Fob zM?Q6uv?Jm*Nj_3!DrUe?kdUs}Rl=^(;U3G5NR4e-otGIsugwg)I@EvRz(!Bsi@%9$q!{O>KnBk_-mFk-aYEAB@ z`wXiaXISNX_Ky)<7U+R(n?7mX;b`xZCW9}M^{;iFX_>Wl=SWoh9SkM=OY3H}XbXGN z(6`PSG#7Jb3?#qSX)yyrFB5i@Q<|kpLg+rk>63tZS)B`N8=e@{>un0^$!ORd)T^nF zc_dIzRVT(8-h+C{SnNT)J*d}8P)~VfX%6Z&R`E4K_j;8$T(1GTSG(1%EUM22-LtCD zJ!_BdZ3o?Zz`%@PC5wO_-~>3>-#CzG708#!a?cmYvx=AZ>;ODhAkR)>cf#&NB?OiD z++l@7Y9aLfC^|+AEq_q}6z$y|AVWztDqz(8MWfebnwc_AiV8>{M(_p+v$MUJ&|V15 z;a-UDatq9hM{}9JkoS=^hY(@};}s#aq8%0W3zYcAF+~8OBY;ar-(4^21A)S5>9i-O zn3NS6qDgb1w+zBnq|XDmW(TPF#xFSDa;0MkbREEzEj1f*y5oj*;?<-(0Wi$*4>fW_tfy%l72 z#ntW@KlXbh;1z;@4>T`M@|KDTLY_1wVm4{$#EvlSZyw8T6dhK;b;~9ZWV0V|Tw)3HnF~(J49u@>gJ;~z>a~y=BM`5Q+H{D$76>G9e>crY5C7FMu zJoa+hy;p#_8HbC=_vdg$dzPnVHh;Kv(i6@+D!*R5KZttcnZ(-J#Q#<~}SVGM}6Wh#PF` zO&uPfwUt;va71M?)OkF%NHan%(074@Y?oFi}p(r?47z!LIZ4T2jeNhcmCiw zDM^E|rbTA+gL`?I^%5>!L@Rc&rb?aiG{i~yAFB^;%u<5ti-Nsz z#Xgepu2Uh)!C8={2sUH9!)@KDq*L^6yf--cW`iJq3+~P!8INVLk$toe7`?GsL{@{1 zy4xoH$MB$Z@TjgzBd01g|C2N)D_h0s6Xwy|zkb7FadGFSw# zESl93?H&;BW}%@$SspB?54C2a)DcSuu>@K-+=e!cH~@qPlbkDFmJ#d@uvo~Ux zAOx1d+eRWR8=85X-+sT$DybeS+42jFDPngTq*AFWt17FM-~6imTVblhgIlXx)QHi^7fp1%liaS|ZPXL$SYYxn}Yu<8c4(8PD24msPVi_6|pPvnp6i$}4I&hdwVu z@Rrp;oh+^6gXUX5vFE*`%2D0$<>bIWJ&1kvDAmtYjzMV~1v1b4AF8|N&$b^F-yw-t zHFmnA57~)PD>XkI5i{bbxoWQvDl(`y&hq*+MR|f-&%;h<`G>QmK1e4%JW7c0aTkhtyf6i$MJaHW#^4%SWpI0s zZdHi!VeM^aWe0{+7+Q)Ns0yv*At#oD3VVrjGr?vwcq^gsC#gK`+`5jE#U$%~QyILe z%-e?WujoOeqq+1=KHBGI+4<3-NAYE+Pba?5x0IBk8EE1wc1RXdWuEh9pa$nz?+2@vI<3d=tI3?=;N4CVT!L>H#W{QK_{es><4+ zlR$0Aw5V0+CFjYo4zcQ`&Lv~KwyZ?)L|H3Wl&)UpGo_@L`TY{!pdn5-DR7ANDl!Bs z)H0)_8yi092I#nCiFnpYH}a$DbIQ3PSVP0uK#LOC#*@aLHEC?X?&3*g&nIDq4e1e> z^~fZ$?MX>wu0BjoA{!Czn-PhuDF_9QYT3r`~RB(k|AkyX|#W0S}xMkU9gj%^Pm zd2NqD9UHmUsp!^)p^ohgqmJ!(>e!U1V@aCUF|Z&s$S46KW`BCzy$a*@?>sk{R`$YK zWIH9xPM?X3%Ocw;SN^sD7K%ltuL6-8L+ni0kT|G~wtQsFn;=_2v`>+gx(Q&wVcu-DrTAjMlTJnV4v_wibNim!)XF 
z#S;VJE)MS~lL_NTE9Fo%~Q>BRE&j*7CExk_e!6s{EeG*iucVDp=;y5HOQaAU4EO5!MXG=fRlXxbQ z#RB;{6a)YT_$>P~*f?AIjhxCIxVQ;(izp0)bB7corUz_;=XiN<1ms=Ju^^}@WEnrw z_;TYVT^L@-EMo&z?iP}Bp#-POai&pOV55-0I5fk91I9G4*vTMqttw~Z%E4DL+DA=C z`>-goDang@+zcg!dcGn4Mq$?L<2N*mg>&9jMRzLIGb+AQ0^E3fhsEF%TRdTW0(XhS zc6v$C@*W;7enDe%r#!a7>s=3131N7cYLQ|a6i*@^o_ap;lx-`ZujEIDr*9Db+bX=<~#Yi2a31-)4^th!|h`;{YPAK1>dXjQI6BBS568 z1wmHq0TCq&4~Td`WG(@b%9`a701=0sWgJLkcPMzVI|d{&a;;O*s|y2(ydDOLy!MdD zBSIoa!h(B{bUNWhBIZk0PUNkB>2S&Gl0~V{)5V2LUYBnRwgB7;!^0&rf=i4YQ!eAc zSjTF2B~PSFv6}gXXG_FJPlNv___3SxZ_~3S;Yh-_G;dklm@RtK7$=!ZL7HJ9>-Vk0|H&KZ8 z@vqdUwqS2(4mO;Goq8EHS0{PdM%9;Hbdt+2^s>_K4SQYN)in+yF6wCy=~0FHH-^-& zb)q6-Cjua94o^e9onEFx(8b1up#bE9aW=Pf#Z`s5it$3r*6HZcDi_*WEgQws5%^}W zOq3o~6!~pEs_4V$c~p^qd^A8G4X}8m_ik1`mFy$AS=ojhGGRP2s`z?RRMFLk$x+1- zjXX0#6{{NBWW^p;)buE9tDORb#8(MDDoXFKGM-z~?YU<=nI5HsYCh3R9IZ3cqFN9K zNf$MjriIdbARF<6k?E@Bp-wygVpxpDvsRWYSNDgJHuOI=hR0tH>@LH>P9>!I-A>oGvbk!zib+FcmX@y#&M z@r?%^A0KoSv|x`m4w|XiYSbs_;-Zaj%C`$!0B%j;(ZiXPD7$p~n|JzUcAA zmw+#dl`qrxczn_0i$07aACgW!HGUfA<@jzm(?%wL7oU3xn}vR)obOTh6Al1N10MNw zjkjC_p2sum&W7~DUY|~z8RE(l|yE-b*vy?5^y1p&A< zh6flQ17OV7@%;NU4r}T20UWcQI6WGRHz##z%xBD__%sfB+boVfkBpbIj_U+ zc@+$D^jfE)cNYeOYz)I78ycop=;DHpjq(k{7Jyq-c<}L2!N>V^ zZ!B%1hZ{ZI=;6i}>gDL+#^(}9)x(X%YdML!?SwxNPc{zScCZMadLC}{a3i1AeS${$ z<3p)>xY1UXK9nl`cvr{A2&G!ESS1q;R9F50k@e-RE3VAHw)S zhZbITa>l}(%+{Sg6&Dv!+$i4?Yym73pm>xKmD8Yw(;B&-^*FCq8uXF?f+l#7er?K? 
z#O`TWO2F`V6$Ll_POp87^|4R0*6^WQJ&O;cR)_*YFAG)1m|n4H_FBBad@rEJP1N%- zYQgXuWAc0#WDBR6T&7lldR{qeWZk-p>P_BJlkUS>H=+|*TE9tPTu#Ud2$y7qb$VGH zTA?0wyGgfxnLtEm@%H-q_HIxYj)Jn!)R;^T1cOHT4a!+}5dr?p#dPri1TzSmH|@Bc z;_QysRzfcKD~f+&H^@$;kIG)K`S-J!u7zRqeLud$mE|7QMh*K;cuuYSaTfD6b!SBx z<$>B@q}jc0Zx5IXOHicd(+eD`2`I3aX-ZhUF74mkV731q1*g5R+xyfem?uEFW%~8U zD5f(()C8LGE^cOb!>@(A8ti?*jo1sC+?r)f-9ru3sGY@HSsdZG!Y|Qz8Wqb1qKXyj zz-I?|aw6f58oMeg@fBM0{hk^?4OZ!)7illNxkV%L{?`Hlb_KZ?oG?xl8}RCfSGDz( zU)O&_OFy6da@udT+Fz?a*x(1x;=j~n5_>KxkP~b9Y)M?=9FR*Zs^l*e&b()o+}}SG zS1~5MsOh!z_>uNFm<+^XNL&5ie}CBPb^DQeZ%tKv=8mPv3*tR_Awe7P$~b9MLt09T zd8FleId-YpxHL*6xZ0e#rwv{yBXw;i0W+&s8eLw;Z7j9&dOtPRcVAbnPZ;xu`Ez;K zv7$_zu59^^FoHjudZyH=ZDtGanPEBE-aj2lIhM$rHhj=O%L$h`bDm~ z7Y@a2mMk%S)-5g+vstd&Z2>GQ6w?&TqEB$hE!GBJ*$ggeflw&I9HD7-lN*k(=lDcW zRxO|>WJqW0Wzb2IFRAeEiu-9l>~tQ2Ym8wK_irv>hfi7=4wSz)e;rl@Hu}xU!Z^;sBKeVGggev2Hr=!GP4^FaQn+aMI zCq2}Ii9sz*Aq|R7iB6C+9{Wj9osA8>PP$BsPH%6G{%B_}jcJkGv{TgYDqIP%I@BiX zN%>?&tE7xs4etj~!b5+yRFk;d=Gjt^ z{l2X(qlE5&a|r!-86Cnb)9x_B(|o`TXkRYtHvj{javG^YC4QD#KwL13TKDt@9G{}3 zUezk8Oq7nVP9IWCoLca&rDQ1{`u`!Tx0WxW4vX^lpt^a)DZ6;&vAi5a)DGEKZQ zdjrFZdlKq2d#shxF;25kt+BpNm}qX!)Qc*7lS?VQ(}Gy@>nLMFsO8|QtkMBAt0xLK zYunsdHPP~-@=|SsD&@JF-#R`OSH(7)HGMF$E8tux2+8roZh1x0Z(nLad_6e8mU9u| z4AA18uE%O#{T0P`?QRm&sZ;3#y&2yd3X$BXjd3N|SW}ITxvj5>?3zAM`u%~Ul$R<% z;I0wMOBZh90W~^#F?lH)n*93l>B?N8;T{Y3K~6mu{=%{F104V9^KK?^c%!lI;cy`g zA4!#eJRDwaDSJ44>TtMiyd<;TBg5gFlfvPyK1>dWk7(GO5gcCCxGXF7aJZ6%hr>M_ zK9_KKWz8}+96l{0?>G?o=1?$ua}0=lyyZ+VD(DiHa*ujKa8?tOT_ ze;CCNFB}@*Dp^|kY+GDte5+i~+X7f9Xq;WdBDoNNSi_V;Fgcb)aNAF>YuI<1>>7o= zh!M9=a)qskGR+Ct6iSIx>ybfNIhDOi72J9gK9JQN(;1B;M6??CnXOK43$4$oAevM1 z!2{&i*l1`dfxz*|mF{dwHW(22-vzGSj4nIvIFb_TYs(GsqEWd|o5MVBz){{|%{#1hBg};Er|Zz|xrg;|bw&3jl!eu^ z?)-%1dCSM$J0PdDY@GFZBfXM^H`03}z4_zQotZ!0XKf}vYZG|)eg63KW4iZ!?si6S z?K|kS@i5LvILkJ@d*AbM@3X%+>09fO@rA2zAS?EGhLVNH zGd!L#mv}~H%`!HgG0<)^4oI;z6i(P01Ed(a)~V>tg#jtHhk+E^9;BEONFlO0z3+D< z!R^Oxh=Fc?N^sE~$j*FK=KKSd3QYoEAUGkn1erpHhJeZTM^$?8*SnF4~Cdz4T 
z`;hBUy|}|CPEJK0e)YKikex?N;7LU(iDz!^>X>~5+*!}*Ze+AJ&{*lzVHMQVPiYT* zDC8D%JX%aZ7L+9)bJU0VJ5m-hDLeerLnBw)DX(sM)sZ?)zpeYE>Pq;g?mlg!#b6&bSLNa`9C%zU#}qqiR&TSMxBIp~p*9Iw5fHk) ze`SqfyVY7QJh}QMl1r1Gsq;hRBUmhWN39_r!m}meBZw_8jSSiI{_(9EJTjwxhd)K5 zw2Qb_3r;T+{WkyEpgXwotySt}y4D47lx29c1<+0b-xIU!VYxgloGU3^ezTa2 zPCd6$Xoo5~N=qDR@+QraCx)z>&~GbG znl&41`e4=yvqBS|)Vso(TCDbL=?BchU)O&#UFe1sZ~Rt0VC$#GPn9CJmX-4%Tb~yK zo*#6c!j0$TmFm)yu>k^9RX zrLw&={}e-`_5Ib|*QI=~%sZ*BxSz->m8y|{shX9Gj54w#$1sw0F)F1Ul7(}N#QUUs z6LK@XUE&$oC5~e8#>)_g_CNlx4@rOhl{d^`T|h(r_(Pw)D9%BfvWl{W_}5>PTR_~0 zw0s7tGp(9|%;ud!r(6rizU1Q@PfUQY&DUhOePjZ}_M`*|S05%PK#XYGo)H0}D!d>o z_5=te3r~RX1c)Oj2OArsp!*%Ax7*BBS!3aV#HL4 z5$`#eDoj;L3@QX!!cLNIFYLT`y5cVOwL0S5*dUb&TYI>|lLAJDAm>t&};EQn@5;t0ciL7E^uFizq+wS=0FS&A2@ z-#tN~G^n<1D%m_4J^@xN;>DGLp)I z+`11UHt`m{lFd)tkRZ9l8tbY`U;QhJZUc-HH5ixM@hkOi!WYHtU}sfo7ZpQK(acJ& zy6>G+4)4`x(p21c$*J`t^K15kMl%aX38l`LnHTjAiT`e*_2?>wld?Es|AVbO|n^kdlx zIrZ&kS`8o4vV5RRn#Sv0>H=fk3qNgkhE4}WbzaXxH)B!ezi#2Gc;Bb+3Um1?5axO2 zK#;pTZGD|PVUcWg+dyc^_Q;$DJe8xipX0pXUO*VPP|sjjV63ohq_mKuuX6g-0!pk| z6Dxp6jDpky(C*o|bRiaME_3SrybAoAArhxwch}dqw$!hi6O6-@M&a-LejEdlV=yJc`|!bf(lH+!ncRMcV(H%o_+LH- z+7R-&fUKm!E+~!*d2x@eB52kexF?b(TZ2W(l=%l~zD&4EbPaq1+)N-t770)wVK$YIa^(Ec zrsC4f;)nPsM?T6?rJ3SjL6*}3ofJs^x0Lu;n?g96Y)2TOQR~qDvQswYEEqwYKY7Ytvz^wYw?Bsyy!6uJJ05-3w>1?Ut-J zeF`ovgKf85%i982Cf|L~Ee;kGf)?wmNC-;P0${Yg}4F|lhAdc>X z%Y5<3pgtPSngi_1AT9Z7leTOD?2Bv$0ZS}_-TzLY{{M;|)S?W)!AdUKp^Ci7T6i(p zrYYe#5ygV!0`L*ALM1vQ>0@czSkYc6QGBU=1`C!f;qK%P^oy!P}%g;ynZEE^jZbO0EP_y!;P#Xi=m`R ziy80aWycwpTaW^=&VrBc4}zWDtv7h7U`uSRZc!UX=jAog^G;zc`YNF+085k(&YoN+)}0280oBG2|TLW?jr)IP&(ACoyG zC}xuIqQ^K=h~4mDAu<5c4eL%w%WBGhL``OB9jk(Nv-CNcSfuPp>W<^tFVVw0(n`gsPmZ8Z10xZsnnn#k z1l6ta6dWSPrg6@Zd?@EUUd2It&guNJJRk;G@t5xhFvom@0AqXMog?IN*+ZX+UF`y zUXvD>si1nZOGLa-TCrwLbpAWP!Be|tE;sOjl5RJ`*8zV=f>eRcmX7t4q-=6^u_BkD z?9q(P@Du@}e!}OJrw;h=P(D1=>;PI1uD>X7y|~>yIU(Volk}TIg7ePF>@S=KJV)XA zq!+U7$Yeo%WR8Mij~|Dl;OfKV9EA~W%roLBRJHTViakd`$-;9KJV#+JISQ3E%lI6H 
z$25$O!*AFf%0$>5gWoW6ty9s%3&U@CJ&fP*+VdNx!f*Jo4-3}5fIU-uaYW5_yuW|= zV>jvFrpE-qQPSy8*U@ntr6hgE170}e;dRLh)F9dIRg=1CIGE zUh?ty^NA*a24^f8P+$WnAh|9MB@R%$kXP6{AcmU@8b8b$Y8O8K`LbXE7NJcd zV-EYwYMhU;Fu7pTq$BPYlIM#A;L5Qy;G39dpJQxEwDE|5B6&otPCMoRPpvjFhXfla zRoo_sk~k+Qn1^->wPh}X)`-%2h8A!jppYM!z47_<)A5Jk@c6_2(J#R-`ybx@mk87H zU+@0EPxy6ZrZfo}JqJ*GM7@fd9POF{T(obNe|UAa^h$xJR*l6mbs+fz(p8O0T$mtr z60g8j&E)9HmLv~US?A5ZJ7^0Q+d!A!*kfJRU2bjG-D5Fn8x>~ACMub`i*E2Hix=|5#Eh*=5SCWEH%TpmOkC?wQ`)o;00?fD+rvxHA zmXv@>yG-!u_Au4FKI^-$OWyaX(b#nQ2#V)k?^bPxK(B`3P}Q(6dD@?2$V=NBo*XHh ze`$H&^F@Hi^~1PFc%Ki#YunApV)V!e@9RksURNI`M|elHsm%!Ct!mel6?=qN$-*PN z9^su!gtxM085`l9rd@X&0QdD!sP*+20Pe`OPDRZw41oJ)7=Zi61GrNGa6eE;YL(oY zA>2=iMyhz>SnZpV#iq}{#l>phlxu%m01JiHGH%MIRn9iS!QYJxqcRRP@VtwNpj4Ug zYxxkk9e_XliYKs&);=bkXhq9+$|&f^C~O9_@`7b;?FIae%pR$9Z0C`^#plZ9?e$YIQHGn{PX6x=;Ix0elV>2H`Em19xF@v5|gu)YaF}4&ZpnVk! ztd8()K|j0A&?mqs!mINIc{|&oPS8RQd(iEM59ggIzUo~s4+Y#-g71TMevZ-GxZmjv z@`WydX0+rhA$vt+a6CWg;x1azje8)pD7rB!s+g-G)hJ$%tEZQE!~rpuIG?-T0Pss+ z=VM}$dKKF0%XNuBBJ)50jV%uCURfBIVIvs%@WpN=XK=?fFL%%tD#&oY<%w0ZmdCfX zf@E+h8%=}sKozPa6M5OL)_&!4z_ri+TsxKT6#$_9ee)(hHU@Fdp&!v=Ms!tN7ko`oWFVP5pW?4kLfOu%d@dhc{KO= zpt-hXjciJfjOM#lxvbgYwlaQ(Ks}=eYx3WOsoriiq{t}aC zrEuBQtkH66&rDMg9Zu+yn!aB&*-$jB=0+!J6^ zBS*zZyP(RiVjPrA-zuez|b$Epo_1#S`aZ!3{?RM z7mlzzzS~&?OO~rzVa)`ESWy+hWD#t zU!{d0k2|auc{>;Xt)G&;IgUDOIECWnYo`DpJJEk{tRJEcYwx3|nQEp_-so5VWvlm+Qb*)X;kmr3eZ-5I zxT3<)>o3fM(94S)R33kdFMsVK#gGq}g`#frpAEiqKsimKCWa!SW=Gyu(JHvG{1gqfa6-%3V8Dd1>l=WD>tO`#6oY zJ8gjCSorGT!P_Yj052~?5*!^PG_|A&E$6*xI$lyW|lg z7McKof){qPTJVbh6;U%Z@oANQuQo>e)$q_^cX+n~w>qG{#32&-NTgJLE=@KUmQJc<&&FbOHj>AD6JYX)wRWAgnt3 zFfn0uRI0&j2&))S!Y`1OVJRvRUYOrLj)%Uf-ft9)AkZUx|ZtK;%k-viuv z_W&?WEW?~Q>SC=DOC@@U)@0f0{8YPg;$~<()1=j+EEne@8j;33m5fr2JUTCgQBVCW zIWfthegeAZB5@5}C?f~W!EuFjX3>wzk^jynC`8)%_1gOl4i^BdE<*$lbn~dUrlARb-ndN)3VW{{G zm>ftIXYqv2xm=n?6^%7b;5yg;yCKyvz-`-@U~StBEzXpRaC-OsFq0%o%tS*D(&}@~ z*c6#Mo;}z)TAJe?oo@qth56~Y#&}6XhO`8GsBW%QHy>>BM4;qaUFr}Hll=tp*W=c- 
zl8mW&vnaf^;@Id3J>oeF1PYNpr1E|>BkjdS+rR9PztDSvAtLuPH<{$-)qs}hkqIJo zh?)kZ+uU_cinGs{`SVd+I+FLKWihGzlBf{hSI5fHeK^HKy43~k3gsLT9lo?_DD`th zX(bI@tu*+jls^n;67=!;qP<{k0?V~-#=e>f-Of{xYj+@^Nmfvxlc*FuNt|w;?C&yY z=Dz5j4^G_eUn+DgiAEzR{Al<8_Quu@b-695!9=aO@R{^I--?sk7_N!ohL$$~36EB# zk0KUjpGlB_C52_fI9CBi6(GH9amX)%Q%oiU`|2P3kch8i|97H=yK;jNHr}~c-bPJP zHeA!q*#i~HWFdO|cNEV@(ZbdqLvP=nhWWXK*txhi=UUtu1#hFeyjl#Hb*3{8F)?gr@8LxB&#+(OG$M!`ru2uAI2GMG7pSX!TKFUqcF5&cNo!6&!3@9Ro4O zvFP(~FTvQ^`_nvsj7HxFku_YfzhrqKh*+XRsl~wOF1v{mv~TIBObx2t*x0LN++OLi z?F7PR+ywa#JY=rithKr%o$q5nF_FBXilba32Q1&Z?>ng>H_p>BR$_WyR&BDQKJ>p^rzEXf8Y{S4?NDw1pvHV2ac3ZC+7w%9QN2*a{nZ zdut&-n=%Up6)j4>s^_h~q^fwIox#rvpQet*087Wb2Z`XhI_N55Hj0*TyFxhx#TM(!_ExM01e+h&(9Yoq+;#^H7~h|v<`I+kx9%iu-zQQ7<0dPE0HDll6sAHmckz^f$`x0whB7b!Cm|hB z1~yGjo)4Iu1bq*XNI$vCe?}F3{7m4M{Qr~jcrYQJcJadA?Y)-#wab6bY&}3_4=Yn$ z#yMagf0}0rYia}-bX)#m%7d-ZY1zM{>FSd7n|CO;f!CLd0&Tc9ilLZRg|rg3$U~(= z6wX+%*@ZAUpR~z7CTYOlMliJp%`=-bQt3u#P4HiygtG|138SYNEA4#>1>lm5`-;@1 z?^3H9U}%IncKJKoJ}z+t<^ai6ifpC6b2DG}v|@B)R(wO1r}+Q@U;o=?+Wgm}EFbc- zpkXivN4RC!<^fX3PpQRFC#f+D(XpDz7!-)93xj<*`ndW*RXtVA4?=_|%GVw!w0VQJ1WUZkwqr?0BvZBHi}%$<#Vaiv#*dav$W`m|jxZOgX(m@ip9~1EbzD9GFJ{X+ zHHq}lA8Z)O-^Oj&w3&ivAWeF`3{wy34t$nyCsM*S96J=O^cZqq$mua%-oHTm}G z!(@Z2k$<>X!#Nxl$;YsOVNC$*Nr=4AnILG?6{~IjdU5x5iYK$~5{)}mt z1-B%%V79jV!bth}C4WHVfU-&&g2~TLV0eGaxG+k0+pM`(nVy|BIXW7x);N{e!x|PC zYRr&oni3kGTyRAcc{iFR->|io67o)nttB?}cs?0=ZjB#-50OD;_Q2FO8>=edp7xW& zH4U=sWNKh5TP)lU1mxpj{hKdg1hy$>u71-n+WOY>LKxauC$|7;Jq(F?>gKLhHq}3} z5nYpwcvHCf{bNJG;l*cJK~Xuvm>I8Lh<#c-&mP$QXc#m`@1-HRvuzVFQX|8{^N&3z z-0IZs*^aoy7?v#Nw{#|Ko&3mrM^U5VB?vU~8TB~aZlR@E2X$>z)i0=O@Wpt(ZnRs@ z_&Z!Ug!`=34wRIUOY&W5e$6^{2mc?Y-7@x*fmz3Kzl=d=MYeOjGT-GexN?qsS}*d2 zJB4UChQjMHMAZxr-MBy`@3ad=SIETbEhXu0>Ua#>(bf`+N_7@E_hS%RG6rfcVmy}q z3*gX_0)rGnB-J(phtCy0kfV60-?p5NPZYq0paHUB38Os4lr!0IDzH&(YCpPBNoM)m>qfM(al-mImm?) 
z=Ho3GEZU>tETUU4LD`nX#iCuhq9kH9$KqfD44@HhXKt3uvmAx5ZZbdAvZV^Sz#r8L zcE+WM1hQ8Y;sk_%gb~UTSB6`NK-eKF1(}$2Dqz^I6k*s_4&hLFh93`0FIq<5d5RL% z0kiJ#y*wpQGI;;_f;?7xqKir?SXo78$WXf?!NE%dI_ivw&Yhu%>SQF$+Ny>})`GAF zwDIJqw-`HSR3#ZrpN6W6qH1Zbafzas47|FKvI;tSV(mzi1^j=WeZK|6n#_TcvZk1s z*{B+lC0aHmgY0IX(pu=U&B-q8_ezOEjv6_kTvI#GS3FBj4JuSpu^HjhpdF_V*Ny0% z+KslAjglx~$w9E8=&9qIo*c_?hSVDIu(s6HOl*m|&9I_X$b}iYNnZ*-4-I>vm28k6 z;j|y}8Zw}5RO)lj-jL!{E)}JrXT4lIuYWk)Xj=fpSBc_5I?@5I+jk;dH4p2wt)|Y@ z-N!WF-7jO~-zme&iSV7*aw8sD^@l>PnR;Um1{RHK-u3Bpp^1UnsI41bZ9$xIM zZM6UU|4KY=M)f~eMr%Kx9} z{Rah~AiHJjviT7Xd!%4|N*7>6d@~nl5&ZwoZ2F30b~TaFoHFWPe8uk@B8Q?p{c|kt zmKMA5Wa|*u4r+lqm0ll{R*|wnB=v-F(|=6iVYAlgDhgFg!)DOfIonX5|4mt2ZP0rS z_vwb!y8{JDY0MfoOg|_tmqVz_IDNuaq;d{J=VLt#%EdCFC64HpQjWQ8l~SFOIPr1g zPMRyfI}^jWu|sM`oZFWdJNTNW8tL|3x!WhRRSu)Rj?ic6KL092Wd*^5_J+O1Fp-)| z@?z1WoL2o~t#M$|UrqHv0X*Hv3p0H_7OLZw?+m|Bwx!k4Y{iLp#Ec3h#u#iSQ?LA+ zU!o1v+VVH_g*wGZSk7!-?%tG-5V(`p;TIQ4o%c~p?Q@6Iju6bIYXPw_+tZ1di@U9P zl+mma(oR|Id?(!Ec&ydp8dg1rUU{MkYla+MGj6*A{!fLLGBMT+lnZ^$*I=iyhHvX5 zC4kJEXw!UYRPBML}_O{v}3Sab&G}O59FHkq+VXtHk%xnO`TuHWtkB)iV0_ zm~7U|ez zP=2>gs2Ed8e9m85v|F$J`9(t)JdF3xWheA=(tsM~BrolTJ88j1kmckOl~tyx1xNM) z^dVjlrfj(HJ89wdAENE|{<(!g`WsaRYcCFYm(>MtvVda_y|WxeJgCC<{$}fJqS<+( zo!@434A2`{w=`8oY|bKwj7pVd^B*weq=g z7Wp6!^c6z30D&iM1YY&M1=L+rm5k3k&d((31={6|NYL~Cc6Smc*t_(X%it1YZ7jV{ zI%>~Iv#q@3csNF@-P!`wuJ}Y4YpXSCwM z3HYpQ%_^Cl$X+&6P9g45-|20FTp~z%=KqcDajIQCmekwjwEncNhYB)FK6OKz$ zd4&I`vh*ykrr0cC|mjn_QaYoJ$^Bl*&)$|DD6SZTMpl$B|Oz ztesZ#7Zw7fo_Ru&ivF=0jK*S+868#XyN@O>I=Pi%c~n73xlv^T)cZGdStTr<#5Jfi zun@I6SoZ>I;IpL;@z|Mw1MH^(cAJ7F!I+W+2$PGpvF{@hf&s}Ma*2Ao__CBN>g3kz zoAwhOw$rR6`@`rs}VWcE|(C@^0?({@LB&8PLIe{*%lR81e6%Y-lsJRMOc9b zvrEaB`(s%U{y725S>}&pHz0S{hC)z}^`a&xpckn#{&;I+f>q+)gabA&cg)5&<4Uwz zTS7bom?6k9gW|o{5%^i}S;0J}w^qxnn9lg=%(aXZ_I-eBTpfu#v%_jEry5FNI+Dv? 
zV7jk`n#<0dRvigQ-jS>fr^r72o1=CMLm_k<%~y%hy-;nw90WWFpQm=?&oSn4iHgtr z`+~Te2h)06W+!;%E17u)d!l&x|A_c-<2K!+O_1~yk-#&~zDwvtHFXEddwR(Oy&&kh zK{xVd$^x#-VPT7qW7W7a@`TJpU^!!uu~1~kNY6HJMyr_2DiHVh-a(KJ;vrggrPeqc znn*Y;mB4-qx3UTcO$Z3AeJ9Eq8DrL_*=hamADacbqdk}=B{P8SuoC34&|VqkF*Oas}fdXTXiw-<2-&UPmkZV|MSP_31==eK{e zOAs^MBuk)vMGF_VwK*>Hg$hzYyjA0b^go&zy z)khr{Jo`Xn!~6v|eOKE31!P8vH-iB?7h|vJ)!{b~^8_eOc3Jw41%}C}7+< zFJd|CRxfn2VppFydH3aeuSqTYy*_Xsk1V+qU{ zgTaIzvKi<5Z@4*>1s5Sa&2Z%t12TZ0kjfQ?0TdtD;^7r~7v}ocm(Ic20`hk~V=+5c znflQ#{BF0;V;r|+)HSJ_U^o+QJX+?!zviRHC#AoXqn5T0*w}Fd*k$a~3IFz*0hD{( zVw{C`7P7p~ayK>YGgnQi#NEgub%2vks%#>oYbCB&0CCNIr@Co>$;=R1cg5pX9sys)#Kq^3kKx^!mNLN5nNo7)kIEP?o zp?!E~l?!jcXCP(ApO5bA20a-N$HT=Bkx2PTvST_VIe=!$(NR=Y)oZc$N3OlNeu{=I zrVPl;uk&%jdJDUG`)WS*$SD6V(T6nne48wNxO4dbF)(Y>uL0T{pfavz^wzpaQOFo) zlX>E1;$zid=C3%RA;|unUf943X;(r<`_$gBs30DZ{_QdmNv(E+$f99S*%9A4wTxPY zneAcLa`pNXbYzpQF_KLNJ%I#b8NABrV zR2Z$0Uql!pBcO$(Hb1o%j@&0A^Q!m3dOjF>mNN1b8XqG6O~^03@@MTmYn31kY4G;j zBsxSU+rz!#2e)q&(GfyS zWBn)6Fv1a@^dAv&UAQqs-Ix%GIAFH7ay3eb;2Z+{2qM#AP>|idPi{81n@@tT<5&or z*vk}#MnZ{qQfPevL;{EipIp1%eKc?(W~p$tqTx0`s#e%0_84N5V^|lsD7t#L=!)M5 z9qAe-i~Do}e2c6V7ERNLi}N&OcSfT8c)cz+D0w>7J=zvy zU3vYoHy4=NyuH$Oj%Li*G{h>|z3;kztz2UhTL(`Vuf!2Ftc+Fp4tlh(#{Ha=_Wkud z)Ibbzh5|#jCqd-A%MNrPlyQaeIFIOX&$FhvR4Ofdna9;Lk0a-wjx6Tr6s~U6!!0dN zU|S0c{MR~?WaAnS7uT18hUX4&+8umEt&d~+?G7C08TsC^}t;R*ciZRkL}YPF7LyR^6kS0RU-T^25}%JywtW5PIRtwL7+L(uC3r+AN);uHDBg7=BcfEWd-b z3Itv`%Nkx-!sU+kufXS_tSn+3#+Na_rqs_yj4CprB}YCwTEgi-5O6`n4y=bqTEZ3K zB>omLDYqG)jU%&3W{i#gFcSjP9J{1L(4PQ3Xc0j^h?@5mE3H_NN7Lq{Q>;T|zZ8L= zMUE}#G|z|_y=}HMlHtu*HF{}*kuv%(N@|H2Ry>C#u596vG`J)QLn%SH<66j@3r%F3gsCRUJ)IY#d|<4RkTX zK;JL7rrQg*k%{e(K8?d=U({_~p+>G>w@8U0Vjg>DRus_@n;rL)SA%jLG{mw~c{~sB z0zoTPc!%o#k`JZd5pLYSwie8I`)k-haM88$BSjz07Z#EXyYb%If63qjdptZNNPSDx zl{ZMjL;^Kwb{rUNhw~850#ha8nooMMDT9b}N~^I4ITgUG34ww#&e^GnA;8V`V=26B z!rm0ag6^n$j42upp3wPx@1(NAvUXn#!FByx!jU$)&ZfhUI-A(0e;F~diu*ESrRQ@W zvON8yBpmOEC)VRbf6ZT*g>-1_`#P(7Ndzt%Ee=Qqm}{W&q#NMoU|eb~GviVGd&Q>v 
zz?3(fyzzcb%j{F40V=Mv%UmAHCRF!}SfC0x|IJtnp##YrVf#|J1PYl1xnMdhSxFOC zZF$Bh!%7eByE4qTn%<0fDjQTTe1}qxRH2&3Uo>F$h3vzBQ+Vo zAdDvX5N=70N+0{YRv))@Z^$!>Ot!zs4>okvAhAcs|M(NF3O<=*a3y4DB6IUjqwALYgN|DALc~`B zP?z3j6p~Eun&6$_A}TJV$*Bu+;MTE_(WsrXsG2J)7ehV1lF}M6dkR(fWUy^+~t-j0urbL%8nL!(4H+0T6BIS4sVRr^lW2 zo?sQ#FX>mMF?O7;=vSRBJ8A*?X_IdJt1ExpmzPO-iKhwN$J2k`*BpkJFE8ixFR#VT zx-#=V3TNOh!Y7o5z4{%$ONy_}$Iz@=P8sz~fj5j*mmaO!13=i*<$h?3lEi(!NY!e= zT6nWyI7us~uid9m>?36W*;LKK`+gz+3T?2%vdNc0Oayey{jX>ZSx3neErv{vetPW@ z=LHC8xwF2MV^ifs4)w*GCKrw#R&pf#ZBBWa?53bdM12PbVSU_2+Eibs+!lLT4!$x4 zoBn%ef;~j6FqVl{O*Z{k>pdWNyi?*u#ADbS2S%io!&gq-C&xd;RNP5S@@k6tijR|@ zpCq8xc&`v8)co%U_7A+0K;(cyO5XIP0i3*hvcqxrJjzAK{rM4khqq3yPJEcr)2>q4 zLmgK~d?-m-7Xq?oB z8h5lMGn%+Ck(yl7Tx3w&q!Rr<cRFDIV zH9qz{rcF#6fCQ|OYARfJB;B@$8&;@Q%<(yJQF?gAJ_bjpk4hdp=9B^Ro62i49f6&F z=|H2Z5hbVU0=S_9|8Y^@=|MhVXyoY1>Reh25oTlZt!P=_BJc65@w`TpIZT6S!yIwj zqps)!;(+!B5y)@Kii)c@vcZ9~$TT~qbe!dg9$Pgse*48Z=g>+aSiR3v@80~zN&_a; zs?zEjugOO4^{`j#;l{L#?RzV>v?ar%tl~MI?gfyx+7iXK|ktb68cxDK+04 zaE)fK{u9xH65@S2M|EnG5!Cvw`B8k!heudmKNKTjxyl7p4~*M0-W4Nfv7Z|0Q6A~P z$IDk&ip$dgFU}%;Qf*rE5HGbBEI_}+d5P)15@WpA4EeblAVd)BHNzo$u%d`(Wew+I z{h#$HiV3m3K@etV>+NFAbEZ6jvW^%KIXy6cSD6v|o8)JVy*UGR1_zP`F1T>j*nV z7TxNO)|RyQ(AD-K91j61guy6qZ*QxtVZVW9K(?AC9mMPOOmeeW7JH-#&7`6{{ivddC@D5?AxVx7MbD1@d!ZTA z&6_{zN`G$6O1e#*nK*yq4~PNkyU$ zHGN=`aL`pO59vS};uu?Ba^OW6kYPH3*Poay{mR0vKHV(>dfa}Uq49cDT#u zt}#Uf*^chrQ3e~Q%ZB`b%dlm#122ZnUs?o;AfY&|GR9>=Y|6Toagm2LTrVH6f)Sz0 zITSc&sEYQS{Z2NVlhV3uF?kgCG=MOkp-P;Tm<)ACe!4EALJ0XxQfKwioYBL>YzU0myXJkAEj-7N}Bmt0JP6)$4K88v14a!#uO+REbP>mF_DbD%4u zbLbqNq!lODGn2@~q6}h~8ldmvZxg!4u=d=O<955l&6LhnseF7f*wvMwmkwvj4zK%D zumE05>wW~)rQXtS<=A%t%@c>VH`qQ#e~t$fG+g?~QGHFViD{E&8wYDI@;_MCopY&V zY*Nx4MouR|dls0Nc(nIkrLUsKX>KjnIU~<3ieSjz3Ju53`jBS=;SdaZaz(2Q;V((T z2SjiO5#njp4}7xujY-BbLDu8rIB6n$#E?gY_?sVk|27&pbMuL>>O~|XB&`sY5u6%U zgYwRnwvtUo!fSd4J}N#&!2J!6sH)u%B#tG^?5mCkt+{}1c6V_62@NZU`E|vloH*6v z`n9$|YhJacD`)O_I(|-_1$F~iA}{0@z!Tw5Kl{HZU@M3@@Fc>+BkUshxMauBYq1L7 
zwEXz@?gajzafsh>u4g&im;7U}k~UVXUegZpMVrlWaxg73wEoK-MxOT=^-y~-xXKs$ zM88A)Ru->&mEXdKK--{=qjT+)yL_L0U{e*mw=kW}PdFgreM|gA{n-jGNspcoPf+{y zdb%(2duyuL)pWDl-N;YC6k+pH9^yoT!r4Ya`q%+5d$5c}P`qI$a#s$L0LZgr#l~Ax z1cl>t85RjZ1Y01(L{{`Sp4Hg1BFgA9)>7PmjXu(PSXN_ynXJa*%G_jQH};zh)N{ht zl^1{S9whO&O+Izg2ZWNic4ygm#g<42QKT~?#nwE9i0|2j3znPGaY02S%Aj>S zq!?pFW4-L;tPq;0Ix-G(#Ov8=unrO+Uk(R}(A$SWBVv8m0X#6`cxgOlM;8Q!XOmPf zcXq=aN0VnGCFnLcMbg`-)XpEmu9RcCo?{4;-lSupcm|SdK=;)|rz@%e*s9XWAAAu; z@2%H=2{dqn1ZzbGq6#Htmb|RDNj6#`ZC|j>sLLmww{!2spm+j{q#APyU$E-9^!=Fg zBF%12geqAljL}x;Y$46f0(^(loM&NII%s3X?E2$;AKkj zMawj+in3X9hVtp!0A1smw@2H-6Mt00g2CJm&FI+inCFrRabs&1a}3;*8Al{LP+jlb z!C}Zwy&SpDC=Iw!Yc8ZC)Qo5iK65`h0=esxNo&^|@K?vFh!&YcNWcn{4A zXS@8$st!m0s;SzN26e7B635S?LTdY*^Kv_rq!I=y@)h(3ef1jp-cJVvfoUT1o( zMNFnSxu3ZAC5|=RAPgga)0SX+x=p+!e>*bSmI(b=e(#@rac?kC9IF7(OPB^@$C4|3 zgBavvyj5zHzdRazY((rbDO48GO(ojbSAoc=TJUC3B9b>O-B*c~gFPu44qA2^nUqI7 znvfA_7+}n8I`sTKyHwDGGd9IVd|I>$$(F^uIhIb^ykd>ZgW>+#gLLX!yofO&-v6}wm;30b%i1qflXZHx*#r~6cA6N zN|1Y+to(HrAf=H2(ct7K>x)09Py${;q*>5fnL_sRpyAlJ7`WVq(#~r&WdW^jm9FJr z(KUS#YTok>j%p#uTb@vMU%j0A^=~;%#ur`8jn^s4)~0N&W7zpq>a#}MEX2(>ToCli z{__pD*2kL4e;V&B$rJ185O|N|{rr;beD13QwBoM=)zXNOddeS0 zDRP_BOI`2wrI!G*q09)lmz7{JE4jm~;_7}EgVRO#gM7?eOo}*WB+|I^2Gz2+jIhrM zNT2SzRtLo8@!3h|5?7Rz+;crD-^$oFh?-et>wlF#u#9FZ(HC|nz;9&#_Lf!@La?^( za}*ab3Gd{B8dDD6L|wZHogX~=lJmf^W}8YbhvTf}mfcocty}{I@XO{PSF(~ZAX!WNix>XA`8&i~K{p`B_q@g_On$lKu;srrL;_ zI*6+_R-RT@uc=G`1hmv?m5Jjd>Hk8ea^zJY1#u#ToA}a?8~DKj9RIcWjKVwovN z33oW0H{$**4NBiXQX(B0UtnC_hqG zpy=LwRYxU|j59lp)N!wF3OAzG&SuN&y#c9VR0!n^5?8ixbS)Uj}XF z9OyLZ_hDvjH&HE(J3e7MJU#|IB`*JHVqM_U+y$WV@<~p&y+b%{KTOUh5;6T4s)MMS zys6$(TX~aw{tTn`QB)9{1!)WrxMZrcNG3l`hAp-{l0=}vek9D?3Hyn?rF0x^He>!) 
zM-B}qu#B4{l4`S{MpAx6m_(bF0qg`VOyoq`K?ZzT9wi^Z3aLWvf}@o=X;9$B?}axU z^de|Q@P80!D1L|$84HJ#w zU&niA5s4c6uFtxj6M+j?lR-rPE4M+4eLWH+4JfaC5(5-Dk^qVvkvsz|7=Q}_rr4(@ z=wc&DY%oa=LDWk(0jSu2qRr`AsBq#AoJiu12bv`hRnoWwZub@IY%U&)V1M^w?}!rR zl=ag>6IUO#mcu)quCC;nT*o^Ad-O<10!m)9)lTn$RR?+lTj9Nx$SuKEwri;~JToEuz}rHK%w)|wU>M_&4AEn3ms{Y#E{5uo z21#lezol~Ki>{oQbi*7(o7x%gxo|7SQDn`&sR&1?^W&(9{8>?0|3`ja4Jc!bW~Y;Y zo7kw}%PTIN10+LWLGk=1Y#ppKAO^(LsoRBWWZ$Vb{q5~pr-dYMsY(yyELCSWJKqCH z`>hngi<6SlK-m=+<-n6B!}vL4ll=W#=>CqF4tqYElCl;!u%qG^DNzeoJ#*F7BPcec zT{_a<)Ps~a%A^b^cV&^{dHxZB;0nPC4`42wBVsBg%czNTMBn)IRT?J0<};@yqE6 z5N8Jt9DFARnEgMSlkL1v2!8WIBtPuR6_H&Q-pXR^gFmh@wbz%6r^7nD-m<}w{vTtX zO?d$m_EGXEo~~wjp!bdXGdM7vmEAxQD)wwOxC+YjQ-Lmn=}{TbCmt;=uu%VeG&hWu z3Im`+fb>*FRJHYsFbByk;jylk+$rHXgLvcIy`2Z>(zpq=LFNHx&EyaVj$hL%i<~); z`k99G$>a7L$F}p-XkKZrJUfnNOXgQx{4_IW)B6N+;2i2aubu6$T!zye&HYtqL#U&L zBnqaOLXdgrIAd9QI9?&}Oted^bXkgUHTfngt4r~S^5R{l9d6PSDtqLWGW<@*iwhkV&xlkel zvXyS%wl{tEY01n{>F3o4gZyxXHLr@RRHT2qG{MML_nZwiRS*)tzigYHBB@f1( zIOgfh8Ogc(`Bq;!v~|<#7VkivfN29o)j@=4RVC>vA8d}30fl)x#=PKnP?$y-Lmk1B za;^}Hr|eel>gUW;!dIBVU>j0M{<=l2T_J4w-*MDG5FITgT(wZ?d#LiX8vRe zTdQG7mZUa12Sj)TbLWoK(z_SoD8_O*W&a8S&G81A`8`%C;aQ{8lJ1dRUO0^}p<5=o zMa=`KUyJ6JOO`=qOJmo!q9a;*7GyiW%pnJXquGYGEHjc>$(-;nhx$Rbc^Kyzb6Z<< zDo-8Kz@-x9)Z{qXhud!Pl488n3>PD^J?EESs=j}4`)_?GdX@u>vk#5 zNE75e$abD-6LjS1FGCxfm zAYwJbGbeUfb}8H`Szi^Q=NcBq4=!XdjaAf$a}u;12bzMUY}^r{N2*&iH#TzBs;m76 zB=M1Sy=JAB#J|5**uGt4ODe8$CDFp56R$-wPe>;@<@I0m0?v{^v+AIPG;Zla9kBYaYRHy{dOC($qDp4I_I}Ok}%WM!PvnFCZyJK!8Onfk>H2LbicCkiw%lm=s&bH^LvaCs}GG>k!jAE zioIh6TI~NA+;X&VmiICyq3BQ~-MM$7IoxAQVXZxzd6?bbLVWI<#XjSY^mIjPsH35i zV3x#7*l1Dp0se!ACOrrd(fY24^JFhoOh-<}fCaufB-{b9bDFakRp7Xr^;$t-BS^{l z^n5S|1t^6-twhayB*6?@kptd|o0`s!N0;t=BpnV>TA`d&qrbl`hUNW*)0zkulU*Wr ziSmZG<9$#S?DVqYwTI|O87wA=ytUNLd#3xuke6EgNY4j_g5QI<=VIS|`k}Rj+}nFK zP|iKc5ya4@61T#zBN4F@fH3p%cb@}yR7qHvl0JV}XhSmdj1`XPA`7KEZwBAF(+GY8 zA1_TgEjVrPOILL^pzDfcFoP&3-J~q$aAd06rib)TD}QcIP*G!ll2SmC)2t+@eu4i{ 
zsFF;z5}-ABzNYOx4kU0qR)lkw4nZG)IWRPC)DBcO^@tFXxnGLwDSiX;Y-3D&!i5o- zu;|q~kobbW*onGu9V_dEEd7pC%b?{1F!up>x8gkywwxW54tXi2 ziKFZ<_N$;NR?sYF9slf}tD%T0nN`7A8JMvvsiFRmnO-&dg@C>Dou-VG`*HSw~CHp3-~c7 zA=U_XIVup@OIoeu!4CuYsLdFz))3S|V?lNs#iork+0PC^CaA?oq#A)^Fd!xqO*$3D z+0t2<7WyDk2TD0C+G}-5+3A?#^frq`k}W7drLaeXWa;F&ik0rbz1C0a zWUoX|4wKDr6EDC-1cT!!x@LYgL_xycjW1pc6~aqbgt%)o0<{472U^X`zLWhivKqoy z3)Ua(MmWjo{&4w3f;8%WBGF^euygH+r5(upF7sYK%JLV0_wX7=Bx!IB;NKZ#we8p+ zr+V>xyJ@Kd@@nn&+>2#fdH6>f-isOYDtmLMjbiU8I>s5o!iLeSu8t^ZEJm;&tXx*) zi*g%eY3w(@s;%%rg=CNw^jzZDaFXaG-o3&X+`*Ic;NgpzjY4yp>HL8IIQ(1VnOH%e zh1Wtl8;3CCn|c8pQ65P*YcqjT#bVuW4Xy0wzpM|H?aH*KYpw&kW}$%j%y0-TE;#Au zNg}jHtQ52c;MyzSj)P2`g}h%$BMqQkLTKf@y#`Y$b!SNTD*-%cmIFHk2QNZfC36b+ zGFGq-`+p50rLaRa8(500cM|X#f%@V*7e>%5vEdisf&OKgH2bD84Ln({Awlxy zwAI%E1X3`T+i@yRd`O!_L(8@==o_UJ{CA)o9=B(m09$6vt3-;ACz_gN2poL#444!I zSseR15{5#Pe3+>-4oqltZL|lwX8@!^OI~D$0bAzL4FQ={WU#!QpF{`fo7UuoNjM5> zLklc#k6=9A3RF=llTiU^0CZK+pIeycEl2ggKK2~L$djIB}H@)8(ozH0=O zstLMu0F)`tAc=rVAzTQr7-^YmheC)PTVpz`34fP7hj&k!53*Vd`V{y{8RX_uSk)7C zNBR$B4M-;nL>iVKTr<-IpC44gy6NT$#?~+&f0jhsdI}b5?4gd;xPE<>9`1M=Eyf%x zxy=;H)#KRgDTr`ZU+wB{$kVR>$G<0or_Yxfm_AMpK|9wo_7oWR1>nEOE(@U11x@!m0yaQpiiK|8f(wD2 ze9>|08Fp#D*N;jg`fx4|^5pCY?d}D;3NyOwUw3LPKAx=|9YsEyLj5^bSI-E(3pn@k z!cLEHUE-Cx@|YdIHi3SMY&EKhTWBqs zV;+PV7j31D%(G_mRS6lKM0)SHh%1HQ7f#xi&5%b(?JwtmxX6mmAE{&6Oi>-D`3U}+ z&*gWy2ChTib$%Xi+Mse`{f^_}iZVty#6yKku$bpB4K9yJ-+rT79#(07U^{A^;YGhg zUz!(MI4~E8L!lsy&8ZlJjZSPotX@vB+uB@E;t%EdH|sa>9R{m`TdP?Jnmq z&0{NzFikhTXl`qw*H`8)zqRm2RN_1|g6V8p&j}r={Izz;GF=j<=+X@NXcA7dEdI~g z&tQpULJZV3%ZqePS`>qYq6PbKY^jGOVQRO0y7KG1r>D>LjMP%?vx0Ns@`IqIJ_jaM zTQy^Nlu9YXi@M5BWUH1_lek0Io^EmHQCQolfBeQAty44f&N05-s{mjqt z``$LEiMqV7ozoQI_q)7F1Gj4L0AVpkJD4T`tgLq*EuAI?xg6|F%kQ?uWu~#yQt!Vj z=*O8fzq`pX`ASf&oiYwQ%KLXbflY*Doz_Km68LiykTp{+BjD_%ut(+UILJ&v=?|S=hFuT%aMN;Jmi;TMdZy{*(rW6t82HUX4?%r z{Bhg+2rNn<44zi7!S;ORpqcO*0y|fzmK%M!?IsmpFi2L<_W8Ci+diP_=W2J;OQ==bHXI`fFYoo=7%>UIr#>Ym0|Bc{N 
zM~??!^!MpWp_K8S_iMUIV*r+`VZvnb7xI`q|M^6R{MoH{cD5pn5DYu29LCw7|lOMY`gYB*j&B*7@* z3_4qJ&^S>~t{qy0X9@@^5KTh9cdEJI?x^-a%nm%aIcs0G3T|reXu|LQ@baAbEcw^I z7)Od6vHu9WEIxGqhvg*EjJIpXW2_A9YhMzFu8F7IwBPjxYI`6eip&R$J(7F*FDdNa zyw^8sx4r+7`}n?(3>ZmiF0vWoL*VqD9^B@3T&}$cT4~imAl?Ax?hOu^L+c~{#>d6G z{r#%8qIxlN_xR{7N!FqKjm7E8ZCGt(SnZ$gplG&J^f0t0LQ>&G5BAGzqIf8wRg&8F zpm)Dw_6&v$SNCqoqg`2b|wZ7K7C!BF(nQVty$(tyu>IaMG6Z?Wxhs(iG zo}HQptL0=eOzJ}X(ReaOWasOa@e!{rwRQN5c)sED*^zWT>sU1cqPlH zbca>vdM^=dRdoM`lI!AuR7pJFs^O4gZb=#$RI4K%^fJX)B?o|C6CKP@>b|ih>eM6N z5=#^0^jm~4F}Xu4j)e?8`b)lp2!#nq6&VJ5qD{+|M}D@x>|s^R<#Uw>PD^Y#@GLiu z31u!R{=oY#GcCqz-Mb7HxYr;|)Rvy;&A7yBLkTX13*V4F3?6|&>Ku0q`Bs7N-jk(4 zHxkuWGf+RanfCr*acq96!a3v0f?O4HVSI(yqbf)4eb!>KAV-xk*?HX_Isd}RWxNc|x?GR-&>jSFPr*72WlbOrSL2!*s8o+(3@w}8c z^O~GZ8Cr7lgjCH7ek&F&i6ZltabLQ^ohe*1-4B+@7r{nnXyQ752PGyFeHyJ5KtSY}LCZ0HZ zP5jl&9YK?ayDIFp=X(g76@+>QwJ3gOwXs||8mnG+zMKA_erAeIs36Jak{v$0ZyUBq zIr5H(k&qLniP#iEY93W3vPRAD|4roq<EA##!<$xxu`9K5+oPyR5TDW8n!jp z-oPQsn6uTc+Vtmfy}je8uhuE|zq!$IU%U`m!8$Y=Qd2+iEXI_AIT?}R{U}{97eM6z zQ*jM5kv~rZ( z7@#-2vicQaPJnxJ<~0Jy8L7we3=3AwGl(YwF>oGa9? zKqJdT^%ao+LI)*2C(5kfUy%MG%K;cQ=aD|MCg1wKHf>Z7DgG8i`Ho2y5P=llffU|T zlo4OQWM2_1q5VvO?V5mt21<$^m@3T%p?Wy0Q?7t9p?Ut6}*Am z)?S8?bvgL&JcP%0{Cd{0oH`O;M`+RVo6+2)HR=mx`(otaG%s4NwN~ORP^X?xowYeT z{dXG1l1*dr1bO^)$&(RYd{(uQjezT5hUrQ|G40z7O)eE$UhJ(YmQ-h4b|8m)`lZ?g z%P0yJhuo8T#4rVtA*Xb)GmjPB$?B1dP9htTF2XWxVsfiuq%#V=;K|3PYPgZ8ssT6muFm0zao!56fy1bct%MYy)Op_VFy)JTtz(Gc(=eDkO zTNTFIUbYe2c{h{CJuBWBl<<$yL#(A$y~npp92nfA-*d#J2@#2CsW;=9f;C-CHxVg^ zKgLp~IKYB>Rs!HIxOsGr#uq1b`=Y4uj^7ArxtZE&@)D%Z0=@6|U?au0G7q%t5b1x& z2I0BnN1F9<6G7T}FE7k&xL}e)qse{{V%)gdrs&xi2MxK`g@JYz;pxz!!~9TyJA=mUzlrK z^mT`=L6w6YjQ5evq_VuFt#dBt zjZJA+&k9GCsgE1NQ5uwLY_{SeW46uw zP&PBxIi^0?I;zff%j)+pC_@qNeV3f8q}DQp{*lr{oAe9!|IXdU_SYakEiJ*einv6P zfU^looJvZ({s_?(&5HCAMvtqJT&H1RE7hcm*3`u;2@AD)9PdxPul0<;kLwAILZeSa zTPKZ}WH3y21pdHw&8YMu%(> z4VO(!pR9d`C=|f+qLuqNVty0%js(6%$Z0lf6F&G)l;V$*p2MR|*J7W3o^f{X#0}(8%YwVhEN?yTK^^~5_DNE;Lkv`

7KXi z1#*tZz_4)D>kEqBF-vlepNFF}QcGX$zfx3m@myCNtOll5x<%Q zzd>!=Txkq3(UejyMd()R73;wEx^DMj_6CVWueW?})q=92!D>9_kyZLwYsDi(wYxvJ zC*dIJwIQZc4PKre>6iV_W^ZoS;aFRa*MgBr?W$8To=Pq|L=}!Q0}`Qsag^KqiIjr@ z+4mTf3Fb;cy0UtgKj00+`7h{s=wD|0#})wrv3%8Ug3Xs4?+evWUl3#-$;-DQkg z@5P(3w|9X24skpRD2eD{l{<$bLYusM8<4@hOKQC|N<{4f)bPWKJtM0rIno=aMsRPD z-F#?3nrLI)fn8LZ*D0xRiCjpb&y%=L)O?U?IOs%0^YU7a69mBkW+C2b*2JU*U{eY zp?o-PROB(jTH54%sk2Aq%@TO(b?&SVW~f~Gba7QP(LE+;`7g|rN*24kQ_b>W)W6t2)BxW zS5w`^ShA}W6#rkf??Yp|8SiO&XNd>o5-4pPD8^&Kbg~TYg<^GDqNo|J-zD&5C?U_| zk1bbHXO{noa0p1IXr6|oT7MWv`bE8Ja)7YuCBPAN+IP zbSSKoXi5OYM;#dIHPY-Zqs#?;Hyo_sm}X8W*p}qM$OD#sb2UL=h1dBdx<=WDiX{Im4hQRKe3#}XLN_HiM-Qre*a4F0nvX0+uANNttHD~$( zRA$$7vymb;lcvjBiDc1vO<;r0Ubii+M4VZHgknK+<=M^aN_h6OQSx&xvvL2T7P+gd zO`JO>C8DVn6#r$EEsiV`3A2Pw#FeCrd!S0robQn=De=WIB>Dcrs!1)e=}Jkz{FS0P z2@zpha2+b!Q6{J|41F~aOq07~+S@WgIZLGj9G+q!Ub?;FLiII~Lw@x<2{cl+YIMqB&C783OGmW# zg9-#ZwE{5|{@Z_gXkhZZsyTy55#4!kBOC5;XKP^axRjwzOJ@mkh=4ggQd28pOtHfC zK{f$4THbByg8JxpN@$qVjr)dsk0f&+==t)X|K&iwgAwX2FK4Y;N-Z|}^5h(GowgF@ zYLo=bmy%wT*;?lYPcy6;#c)sj^8O=>?B?i_z*U|9ZNU41Xnz&Fw27MEbxw4J<~0$n z#T7o(AN7T9G;#Dh!;dw~HmX!L+r9&5J|Rh>1I$<~$0`-qzTpIE<;46g?mQj8hgl6O zn|?i`RC11G?!WV~&*X%m7Did&wjPwp52Q=K+$c&t|2xs2F%~WUjIkh44MhH-Q+fWJ z=x2qOdrp(j6gQb=Lj3GnSmDKu%_?$?&SK%k|5t)2>0-r=T{Fdv)tz|AW*-ikCB8_7 z|AGci^YQ3s{B;4AbO)d&=q8Vr&kv85xm%-OefuF>#~&1qiT#b}J+CH;cDbX0=kNFK zCTwZoG<0%;!uJ}8E1vdbr0%-^x4YBr&>l;BR^%V5&1!A4+h`+m-|YS)2Ffp9^>w4> zubuIG^Jr?NNUmp%7lozdc%1zGepU{JgiZp2<|k8TVaeP{6bkd7pn|+W02nz}U--@rp=S z^KY6Zl6-9THWwIJElfk=lBRNmm*Kl_485|6H_l;BUxMV!h_{!*^?X{1e$5_^VU!9_ zbRg$>%EprT$x-Ab_!kpee;`DFahSOE5W71%;vTu`Ks?Tfh!bD_PXHoj4tgn=(9~rg zY&t|a5+eSLH6@Vu5IBw{;g{gzgGqnLFTi>ycah{%&bjItr=d=c1gc6rr1Pf2@+eIq zDFm=QZLY`og8&eoG$5&1h?0217|bzBqkwxRU_YXC=k*7BtLherWJ=VQ7v_mBmp&ZO zj628bWg0qOnB=i}Hd~kEMN?<#g}}1IOV;pqGY;KIsp%r1`S1Ghx|uR9k_KIG8YFLX zb05a$1>u_b65IDKKbQASbmHbNs$TTBFSL;e<6T&PMcuu0v|9rezRVl!P-aYjtY58{ zY8O(^Sjh|XneTZwbB{K$boNFYZJ5Q<6Q9sHI{|U31e<;*sXI!x72K 
zW5q8%x(vff>@sU71L%bhTDg*A{sA;p1SzBx>%V@9ypi+$uHLYaDo$MR#ki+-pb^Ak zc2iAAwJiRt$?ug)mfgb-%P%(?yj|D>mc)GnalIr@5H|bm_WO5dAMQydQ>{oWQL4m) z6jD7;SK7jHjZxV~@@p|Xz#ll9+@hlZcnuJxw z!Z7c5=^-!+v84@B@HAvNu)#3Q6$#=+!Y%AF^c4v~iM1>Z3CTJ@V^Yu>lKWcL3stzF zu-r4jp*c7jlJpG;h)ZG(4V3)>=E)^OOk{-A>xUOIXq_`+0XbDq-cCRqFu?Z@##jhH z3ZpDtJ5x%7X zZw&68aBBb4NPL9Nmc@AG=Qu`p0^2Ph`=mt)}&yu-h2*V!^YO?V? zjI2apQou|XVDIrM7gp#q+Fxf;=g$h_idx3hL|%})t;dP?(uC1Dk|f5oi+Mk&zXEWs z=|{Y6(2CWjyth00~ZFs?K8Z6rzHoBxxh65GowB&btSr`%GAxnO})KH}4*g%BH z=wN8}0C-5+v|~0>y?()Qbp@|*#6`Pcg$WD{7BzgKl%hBoP5awf7KRZ2;^H^^`hRoq zpR9QS#0c|}rT$dY3Gs~xQdwX;$z&)=gQ|?>n|ttPo_h^(xHo`q2}Fouv{O_FKSz1@ z5%uc?S$Hne2Dvje`iDKbkUGMuuo5sxL?Lg{k<6nM!1m0BmLh`uS;9{ z9Y;VRon&@*S)Xs!?FRRQc9%cOZdjET&JHcTZ5_Xp5Jz za~=_9;}AA;50{Fc_xFw(d^xbVZN~`Qy2GC*_8u>h#0m7K?zxg0BbBV6&IPJ4y*wPa zxVX5vd9Ct!W(#~hwi-7<*AzD)w-+)uv18;R!pB;6EMyAp1Nd0flus^C2d)Wn+q$<= zD<-a7H=frW{_vmW;N{`x;uFM%>3YgVm90Y#CGRviZ?!3G>3!UuVs+Vw$aI66yLc?} zUgf$d$$5XJ7QNTFD;Iqvs9Dtc3|Tlhoj=YZY(Neb%YWP&oVF-z&q{e8!HGZb9hJDR zVN>niem_0My85|Ve!=Pahxd_4_5#khW={wBYMmVBV3pI`mMet0t!G1b7oe3%q57+haP#89M!s|W2XTFEGLg)A-;0Btz%PM_ z<+UsB^5Vn5rR$F1;OBjZHQPeDG9f=hSzh^Wcb2Aj z33+oM+UQ#9&AS`=s9&nGE+_NcS6$agG`wJUgl>hQlngat&Bh-`13zQpl=BR<9Q6IK z&zJHW3yQR2I_wScPy1h+k#vOr5Q(d$0#Q9Z9dRc%rIk|0pSZsZaWw1ZLZ5?4;`OMS znulLPGD4Flqe(8Cx&hH|{iKpk5%Sl!yC#B`QjFjbttPXW(2g5*e>JX#eO=-i0ujWU3!;Xas0ry-BZUWZlzW;j7j?pUg!BrhK| zBrv_Z*S+j*X()3}<5#icE6+N|(-BaUYsSi2+17xi+|8E)f2~}&0s|p(#^G9MGFm-%u4tH3x>l8pH*9AFY^$?Ishk$ICT4?nG3E z-~f(APLO8+4OW}U37n920rVbOLmN%p=o9g4-%LU{x4}X32=aWGb5r?-AdDdB@Ngf0 z27ZKC8wnUvfSN&CDMge(DlU#FL_PGB#vbc(JN!QABD|)=7w6cXck8T60OS@Oj(&KF za*)6Lx8>pZ!lqV0v(p!n%9H&I0T*!rGEgs$r(ZULg0~QIzAeA3M>kE63PhnV3_9sN z%dD74g8k40!11h>Wgr3E212n;B7iPfQZ5Q4K&g)s`6GyyGX1{TRM9142K{th;4J9>Y3y!f^14Ii!l zfg*zFqLHwJD6$_P|8|@2M*<=4qL4Ooz*3~C6hkzE`D0z#ad;U^CtR2IS09_bh1b0zG*B|fgx zD=kV$$nfyHX<9MMijbl;)ziOUblChm$4<+>3%NM^xeNKO0wq;8D zf|I;^1PJ-7!J+#c%^OD15&|8(+A8HKJEg~kx8T#a5!iCu 
znr;U8y#*dX+6npl@LO|I;nL6QmLUo^06gM{Z)zY;n5n1%E^+MvxlbxXkQ$6P;Q9m;6idJc%?7kDL@=?LR5y$QnW=-x0vjILtO>iLT|+w zkB&WxaJ$mKVan3rsK)kDQQ(3VS(x>@0ej+n7~(OpbGxDP$@Gz17-b*oK$JL1+0;ra z4aO89TCwMH5tbSfEW600d88enj;jqq!>$b z8Avg514OayXIrIBlDa~uL`l*wsgfcMsomCJptYOa*+gNP#6R4bYP=aze_I%=p?!w# zAhlh&8^mrF$H97|j5M;_V-PZ9o^bnpDN2aM#8Rvr6mW7+#AEsBNZ0YKQAn+n%Rd^X zKlll4Zqno>YvfZ@_yK_oWW*8726=<%qWoRua{)HF!ZHiWGU8`z5JGjLC=(K}skQ9# z5ovp7SRS!0Yw{sliHDLgwc$q-AkQOk?woRvP}34}#gZOyE9x+8jM!T?hq&jrUfze# z&e?Ng2&lsQV%J8Fe=!RMFB}EIAXXwVW5u@nGLtuNwBsB&x()02AxwQtw3-^6EGNWy zZ=CiHta%CsBvAN}VtA15hnl}!@qbMeP7p-{SD&!A?z^MP$;1kU90JmXr=$+L2gHK- zZA2k2`H^?hEuu7tmM2ZtP5Ap7Op16XoGKSWSM107(FhR(HvqUr$kJ*ITnPq-v%dC8 zzvD2bl0s5KzK2aYX_|_aqPPKcg-NA1apk#iaY*wcPGNTMWo7fjZtXt~uHQ`OGw6S*P};e&`DnNjE*=z2~dZ7bLtslJt$f%fa9YQiuljCuL7 z0!YXx1J;U9wVNJ+(_x5AVeCCEfYP%Qd>Y8q8Vw_+a*DrMkMV04Q5PPo)*>}j6%Zn7 zac8XzDp4x5Nrj>zDlHPCpvVJGb7Qk)SOeB35QxGGWy9EgSh_k)DzJh}XvJyrRK;i} z-xcvIHJD<0$V!UrsPa{95~3C~uu6)AXgE+RD{3{RNztnXK_>T*=bRFQ&B<>gLal4X zYVBYM?p}!?<2`%~ZX;Uvk!{Bub2}jkI>PUcR$L>DKQj-Jlu^c|N5Slk9V1F!oY?bm z0%8HgN@ciU-^k-YUPXy#VF3vHm`zF!FG2|@rhSd4O^%6JxeRzfO1;1ZgBJTkbAE8- zkp4p-J1aIIQ1rtDUE~G9{Lml}S5T->`mqDH{GrT^clZIgWQFiBR{#v;6~wF@cz&Uy zak0m-FRUU>Nq9u>nxkRm%G8kh8ef^P(pW~g=OMyPj>w``TO0JR-?+?Jv%!}DVJH3{ zWhrd)NFd?ylyb^5B$bW8?q8_oC*DO~2y&y?8gddT;}?6}?eg&rSt9`$e?mX}*lr#G zu<^F`KD?m$8_@#tpdJ+@z(g1s^9QP$I#^J0JM=Rnb*P`<4t3;;OpoIe1`rUqAD#&* zxC9xZE}YVmeZ*48kGMfwqBJv8h=D&&Myg>p^S9j7OSh4ODs2>a$pc-%&#V)*%px2l z7f`kh2|d&`?>7WusFB>!{w|Ts!;~A^$-g$a{|6#zC#}jIxl|S|IACMY{&n~DyfU`3 zV#fv4)P5=HB`2ybv!`L7hUPw|y~$4yqX@PI~E3C;`! z=~~)}Qrsl$+$u@Hcnjye(T0El6*_$F9>$b9513`Wi|DDPtE>dRG_A~cQWDgf}H|h0)F0iW@`LC#YP`5h;$NY4N7!xficU71NPibUq^b^K68*{Mbth2Q6! 
zMkN((2^n}4MUurM<=j()$%Su3lnr8DTE^g=_uZsMgR2a!FSyj`Ku`b%C|}eRCYSac zm|BOYv&U3!`}Y&kPr#jj$i`9ty`?!DZP;0?V@(smq@z{R^;m)xGJyoRhVpVkP>m&- z#0=O>Xr`l6QmGlp>G|IwB|dYg#yn8s9}~`lPgaEkt0#Vdc}SkTb!G?oq!<7s#D z-4)g-Or^Ai4&LYIzP#wrAP|)SZR9Y41&Z56DkOU%5DK)o2b+cLc>!=FpN3j|4k)!3 zvN-W&gINTSa1KZ@YWwYV<*So)c~dwtl5m{hh9FC{VCTr6FBqQWAF7*z)R1H;nZmEv zNn#yNrH8Cd24HzJPnCsMPNplCF|Bd>*C^=lEc<4SZi|5`M;l z15sFzR2|b_fn=UJc3gbes75blmdTwZ-%zAR+6Q_pUfW9~2bqrW94l)kQ6pBFcYg+`@F3`5Nzacvyl6#_}c}m zJJ>>G^l7p^g0hj!`OuEmE)Tk21)(D!A)ajs1%$Z`{h(gMROp(bk)#e3p+3nhCE*+r zq0xk>No`LRw$83T?X+`d@J%k)W94q`{)FZ_Flf*z!)l{kNK3!pB|1qWjY5u2HKREL zF8~4Q6yY%CRiIRb2)bkJ5$9>MXcBO6N_!_l_|8|6ra*r6XhX#aGDBd}rIUlh4c~%C z^6}w>R`^mE2o8f4Db%9I(WJLFXy?sEn!tpHO^F5>S7rcKr*=_V<&(T8re?p$(&+Ha zudPNiyWbqmOym;wkuql}S1<(+6%*hZFNNhmHFgJ_A@mS&2&KBIyq}A-7UzGdcwrOk>R*bTt-B1nX z7^2<8Oh9rWz(tlm>sDID3m7)_U$W9Xbgbj66Bm7cKPt zbt|i{tWJZ^jHe3qHh3g$5ydK;CU;4$)ekttq}WTpHg%RS$#!Xf;r6Brz%w5(ts~6k zfQU3?KvW>F$q?^B*$YviZg~h^bnXp-%#U@%g56HM_!gK7@lCwTQ`k{n5U@O@XZ~#9Fc!9p(-c&=1^pJlsO*zd%;GlY{N)!i-mvfRVzdhxlU^%tI!87*oNTYB)-n1Y-b za(jo-UBFYEJMYOf$T#f1m_#~s;Tt(X91Ab}s(2w%!YeEs(OuPK*1oj&)=rKJH zFU>i582&lwsx+9?U(CdD41rgwG@aqq7dj?vD*q^_*S<hEKrX5 ztOK3|w|rbaF;bByWGu)G%zy}&gMn!^9!azBB#$9CYJVIKC~{!E` zSW+c!ZWy4FK8ZeIgjaF+yul-SV1P9ohyceUPFNob5m>`9$Yb&wkZ&NO=a&t{a~$OR zF_>?2I|(qiap#yWTt64VGyOoWxuopz?6t4(tzF^I_S({&H(4n%tsiQa~#oS zG)VnhsbroVH`iK@ zLI1-y-&KMgQ)!-n#dX%&bguPH?Wm`w&}IU^@r*r;FNEaxUT?IY*WtI)QD@$Vjt zh5qIO9lloZCv+!8^`r{6tp%}lskguPh0)vh_gZTD7HN(*B@RthU&d6>17>UWH4b zo!=iTzrL230*{D-D54B!3#A!C5%;``G`Ek#>fnS1Rf_oda zK8j)*ji=+!|3c<ESEIqvnpa+Uu3qT~Xm%UT+^-_C@r=(kZmLYNK%-YJe-N2pMuV1j>9oN)n7N%P`Crp#}lqZ$@82sDQO^373SJK6p9MJEIB{y^RR< zMzZGGf(TFT?MMBXD0MCcG`1Y1Zg5M&h3AoZex?N(eQKM4eHrLpvN;>}bl4{t-*$KQ zAPC{27Y#y2NNqdO73t;$xU}Kw|DK2iaMpubyFqF(wWk4lf5PM=0JQvGAOeb4Y7X;$ z$y!Cw1n57&0{Q_ckNuqP&yTDyQ@at7Kb~a$pp};s4!!>Aj+$z!X(w1k3D4f@fggGC zpIQMmXP(0?m8q3|hc3S19>-Xo-|6*XQ02_@xHnn9G5A%OT3N~Y24tuXYQEKJ2`_Ys z!FAPlku0f|)<|BpTNt%t6t&?v-EMNzbsyT6I8!CYx^#y!SiuMr8JPl{YpMq6Er2IP 
z(IhU6kb%03-s*z;%eTBDt-jzS9}rwr`v42C#oepFom{k@jc$v6y^0+|hD{(Ula4}F zxsp~;jb_-1wrF|%kM7dQ&$+rtRZXD(gqY=Jr)+~V?@h?^@6+{)rP#hI{3_FiR{oBY-Hk7YG%Y!|iD zX*D@?jFlxMSkUO4Z~j=x79me3efNXYFBmgUC$Jj&%d1VWqNaD#y7x*D+sd6_b1JJkQkCMYEBWdX-8uTFJT0B|iHt zZR_5Rq!#r@iR5+GpB<%0TQhBW!Mw@^chdx!^1)XSQoPG4s{Vkn?llcosv?*N%Qc$= z#>sy1Su&v1z92WFv-dFE6NT9GLcnRo^0dwDP*3`gc1b)bw4I^ydGZSvk zF|A#3tOT1Kx(xF;^Hqx;`k435wvC>8&OFH(9f1}jPp#-E%7jwlN6rK`C(Bcf-l~y* zm+Ft9Or9^sHL55S?fTul$L>nE3G=}6+lJFW=+bjlBC z>{p-LToJ=|w#$&HyYo?#9I%1VTxUk5Io<%ZhL@L3Z|IVXQBX1--7xMO4Ow`q+S0l) z+yaZkr+1PL3I|r2S5h3}s;xHg1)nSwYa7`Fx%M{S1?FzpJ{ea1i-X!4Z@#QsalAjE zZGZ8G%4GY2F!bbLHx$u0s`-Q2Q3RsLlxOBlD0~p`D49nWS#Yq$Qp3FlyV5;^=UlHD zLNp4nF%A-HOXmdc*!wyqoM+?(FPv3;Onzvw;oIS2Z)K2wbTJB)u?e$v+q1ZNKo*8=!lA&}^LvCvQCaL^vSV#8UYWr-- z;gg2Gw%*4IE+2_;hRgTvsz3?9EoGj0DA;Qz%D$;fv&oCE-OuLqc?h%Lxt+o7^Bm$N z+!cV^?b*-9JRbZ%EB3E{e`xXuyFG?k@%Uo!OFvgm*#{ZJEXKJT+ws4vN#?&qu^%$+ z5rKWFB28;ET>9X8pRFpZ&e#F93b%9Pq;mYiDTtkmaOtf!zu?nbufN2GOmiQ`95gwz zrg%gQaR{u3jBPz?;NzdPkOcpCS4%DzHui2Qi}-&wT#G$x;1gSC9dJmjXXpV)n&lWp z#7#SjBo`Z7RKsspk~Pl%uu!ZG>0Cmm5;QPz;YEyWC2OLiVu%~n;C?%7c<#PEKy_K*{wBH4Sb;MHKB+>Edh>*0lqS2*uVyo#tFeHd|)ea z0|(g3|L!pxDB%L1x_$%Wf>?_f^!h3N{BAXLpsU*jHfJ6^BuMqjH|Hicbt&K}X*X1!cyZ&VL<*q-})6;bk~iKISuYz{rVTxm!@ zt(m)pWv}zWPZUM*<<=TVmwms=q{z>#DwVs!*w>z+nO?7?_VJ>%;p1o?Z0*&QQr6sM zZRtbjE~>*JER+-x#>Q^4MLuHZhG}+1p*od}EUh=M;^aUBhOIhx7YJAuH=J`bm%F#2 z=$=>jVQq%L7T2`gdb{VcDvX8|X0yX>=NO*W#!_-w|F89#!VVguKm^u2_1qSiKL0MP z`7t*ZQF_wKE=#rXp7MBOc{Q_trRdsQWYK&sV4D_SQnu(D!K8f1Dt{<2gGadxG-@(` zC^Wg=y+|!GoRKxjny@TODz9_f5f1Fir@8m*SRH#LW%WOrG^8*JI1k!pC*(%Qrk@&l$kwAvBh)GDmImveHuZB?G&Y*SO@2${_G$#M+ zno>*z8=Fx?A5mga&ph3skZU;_nBS9Hv9)c5=GWN=NUtw~QAhraRgMO1o?r#F}Xt2;_iH)2&k0#PR-rwR3{9}sju5z%F@TRAG*%zPK2li*py+s7?0!sj zIi=`Ny?ElT4a8@;u1bcqp1tbb(eVcyl&W~ZqXn{xv~m_k57Nt8c{z&Ltat|XG5Fc* z$F`2;austjo7+eHPTcJBnXq~jtnPT4&e-UIfu~eSNCV%w{)D{FxZhjsN(?)RZ2TVz zyz2yE6txqJOA#C7qL}zwXd54mH3Vp$#r-h<4d-ZT;&0eC*SYujGop;IFQWr+B!iei 
zh!-e*Grw$Cs5%&C^>ia|ojx^1w;+HR{pL>dF}d<9(hI^rQ$Ti>SX^5%)m{biyRH?ISOt94$1aeNCqx@F@u zUG}Sqs#@<{krq6%+^OwLHu_>hLtmzHmZk?KSupCH#@gmM#=B4VMU;-KmAVWEj?w&5 zL)o4H#~|pd)x1~p^%mJ)^H;~9kB>}BH#SYRJcx3(Uy2#AyaDHVomr!f6ch^V%e`A8qksn5YSLk1@R=Rp%`hZdd1vJnv}G% z%NFOa{E67?I1Aa+W+VcfRG%b;Da_b%u!aul>42tG_Pb z=!nCF$6L3d;pp5$T%T=U{4t(ILCRHr)pg?7-6}D^6B_KVI!pM_yed734JZen)odFje1css8f%(mwcIgrpRnBN!>mJ1@2nXcKp zj#3Ty^=~z~nIighczO2%Nsg*RmHoZM$x14#=4K6*?<@H^0orC2zj(QIsVDXML<*uz zc$h|&^mqrFL2y2uPnK{wA21fCxyQ$+5gORj1xRj@wrWe}YTZ8|j3@Fu z=Ub=WnpZl)K_c3I=!@F7FwsZH>|4cKRAzfIzG$En)fp2nV>#pje#1{>NzqRfwZ;YR)|pAR}U(dHigTEz@DZO@fv zN!|OTl-V~2%>&CkQygc4!KeXK_>yOIks2B+$Kx(S;8C9<&w8^h$g}$! z-GQFiGfj$egkADGt_bh(&3k%pSduuoGjY^9tALRKIC)~WhyiINv&qYGOc34ZMVhiI z@kD*bJFj-W{hm@3-zRDb{SiOTl<7v#8l(A?LX+7eW%{|%t?Gf%92)I`#|=7;zg)EX zIo)DbJK>O39zx(^k{66Gw2x5P_>E__QwmM%#VLDO=yA9nMN?e%x1He*z*MEfz@3C1 zQwGKeh0Sw;32zRmA=6cVhyY!zIn!au>kcfq@@7L5He8wTl+F7l968f+fA`q_|1Ee` z!~bn{)MCm1JpoMEtYsKqGY^gaTsh-nJ)gFk2|C4v?5fEb>V;0x&=QTuEwhE?tt0es zB_6XHv*0GGi9O|D5{Nx@zlzw&>J=*1;RY|1ktA`0R$~Oh_FR3T^{jtOo77@Csf%1! 
zp&^P~cR?T3z30XKGE)D_f~&m9O6)pUsLh#I?e8IWp2-r+m0~lgliuersSBG{HP1KG z(Lg~F2L!ub$xC|SNKcmgPI7M50}QaPSMe;Fx9Z7AOgi-8U#fR9MQ32L?QK`w(wH9` zUFXNrxEQd`*HrCD!+6qSQVZkQ|1^g2xJmtKSMM)-ZvOwt=R%)iB`<_xRH=ZZ~g&gR$;vkjSUQ6K(VJce&0s_F*(keu`qcrk|o1 zW1XUTysBa#O@s^=#2hZYWzB+7vdp-Lc=7GLmn9|Z z`+zjc*C=m3VceYX02ox?FuU@a)euD0edMb;=f90=0^6wjatHBEi-4QnR!3nocp*k> zC=+f=tx2_r+5B3j+GR!$Mv(to?3abXR1#m0i2aqTbHVRi{-s<(mX7cv^p|~;!vyv# zB!TT~L-(V>Kvl`kORqXt?Sr$`{h1s3fwztz*no`1NX=HK=5Vq`SM%7|JH49~uqbUh zfj+#eDPZO*9Ee_0j_#F&J}pes`N2Oq>cTG1W%QO!5;ZqXA2hP7xZeF@U60kkwbPZO zq4qmML=pcpWq<8*%6%RFl8(7YbX#^i?S|rjXScP=3~GI`H2d%(^XFK4Ge1rV#~*PS#SqsI|VI@yQqS zrD}oOD-5YBs{SG+*G+#2D!aD<8UOA6`PCB$9=g7xck^qFw*KXSFd;(ZL=a~DFgdXr z@3W?xln>+8O6nD)-M{t=cl$#7{+%tI!G8hEgCqY>YhM8rSJQ1vaCZnE28Tg{y9IZ5 zcOTp>xVuAe65QP_KyY`r;1b*dZ<6nO_rF!I>Q=paZ>H*W^;x}pclVh(wP&rChz^*b zUX86q!dQ#D;HD#9Pq-YQ(YTPI2S(33-e}5;KaB763jIh=*^}Vuwbu-+xnTU_j(Tjm z)sbWsP*SfO=Jo{PClv;6r>(FhitFL?G}bDgU}}S+wbpUk`1MkCU}6yGXMOj%Y1~oV z8O(O;GhXl4Pt1g^8=08lMGnR5mCohsl&hN_Pg`;%AJwk0MTDJ43ALIAGJY3E&oB7P z!u6hB90)%of1m_z#9XRxzxu+Zpy|3xb2<*1h`o73p_wSoUfaDf(=nr7Qq^v`90asi zW?u~N?CC+Du{$s%a<58QrVYu4atnw2ihS?T(nPftmNO%#XK#mepFN4?8)b`SAv|MH zJS3B5^c{=MRf^ZVKRTI?GbPLT3!lrqKirx2GQ}`ov_(_N=Lt}X%Jedz;9uDLo=b)nnqPuT! 
zJrLKNR38*w+D!ra?^) z(7KNsmKAm~L6^wuQM}$>Cr;j{mCvqz{9W1lJDJ(fNDS8XV_vV&&C3_$H$ky3r8Cfu z)}{{=n&Dnq0+%6$t+r_te=TV+*2dhrX+FUGJfU3Nse#H$QRK92yPfnPzM z7E_Gld~kn(>-0a%JEH`%{8vGBH7=&?z~h(ZLGF9t1@#dP#7&BDuMqtQ!mTF28pWK$Kpw8 zwVbo_63A7(GTV2n*7Zy0u_&wSGfU@OZdcqG8w2}Rl)>&1MjT(MZW;dz_J6~9Gg)dt{$n%3wuhXBONie8&FtSh;9BqxHM4=|p>pN891Q)1l*oD8 z(=2@2F}p(GYpBHNr6oQ|7sOr9`(xjl9(f@-3p)TSEKhZlw-Qr<}gyo$e+$CQwalUI^~AZjqAq4 zMNI3)RTC&fjOGnfl!^vyk`$=~A9datiY$L|IY~FDnxZ|yKSVN%{HJ zTZ4j051|ovtkl2g)+^FJnY_6t?&F{?iZ$#+0SV5sa4;QF?_%Fwj3S)ac>JR_iw`43 zZwTK&2(E`0N~>A@f-No%75r{CS-5^61}iVZ#Z-$%h#*E_FPYu2a;rRO1Jeg;G(-$*K&LVi;92@ zx?${7x>aeMRO%DGhFlf8<*W~U_3?2H3l0EXc(P>o^H=w{$U4FMPfnJHxNRMt?pwQa zC#&g+Qd#(Aqz86ZU1fb=)G|%U()zHfZ-zxxUC4%yOGBv0k0^Q1iZA|+Eml8NZ9qov z>~l`91J(Tn`;Ih25`9c!*(s!lC)@+iU}JS`7f$vdU9d zcjHvdzLgV)#|oN#A-EaOf=D|4l3Mvss`Tm{da_h2G7RoHkss}=#OWViJ-N$9oJsYN z9z(xN|DcL0xmPaJQ>eW5FjiR#HG*Ok=XilA9{2sSCj<(y&_v4^BCbUJDNRa*p54WN zhK0=(4$#cpryng?6%1n-cc&WEhd*c+osIZXxu6L#scg{yW>JO$lxp7Y`UqR`3}dCA@JSrIFPUm{EOy zr1)>kZG>@b6@9;I)n>bv(aFgm3oGnr0>jP)s$xcPd#ybJSij0!^e=9l3aTB(gN1m> zVZ^cS1ijf=el}c3By%3vUVY#NZpBYL`fURGZ6e(&?-~KP?L@tx7VpmtqVDMDyHG73 zqGN1g4#uu6VzzuyUlzl%p}YEUBsnGQIMcf<8cSGf0(mcKi2_#`dp`xKPcUe%Gi&DZ zirFjzkHvvMC1>5f;<$fHaVefZRRo?Y&$^Wz@wT~=JgX+PShg>6B;K`s4#&lvu$F+- z;}tT{bfx%K0Iyn$YO}v6ztp|S5uV}Y-(OlW>;W^J}Ek}(lLuRwV8p{hkJzA=x@TK zU)4+}EqtW;PweUo;=Rwf=V4V>`>m6WMmM@BS=D>=*O#{2 zQs^-QO0EnydoyO~@cr45sBi4ryZm@rkyzaUw?XWIF+cRGqnP#$z0HUz0~<{y!!k%? 
z&7iIk_0qxN@ZJ&M()axzwOqwq>7(6Qw4SbJZJ~1vCxa@-$x|k!tiyEQn)b3a*QFST z)Vt(ovxP~E@JfJo8b;fSLO2(`4jv9zH^IPzzBdMm8^(&J}pSqVC|##w_*s2=QU|5J28W`&?|)6>tAW4R`4=e&g8` z8v`?TrjSPOhU&I$cHDoWKOFK%cGMOHJ5W-HDkt96IaIKdXx%}5S-C9ckAh{|yA9q> zrQu3|T*I<|Dvv)=`}xJv^^RWJo4noTdIM$41A#Dd-}{noL9A-D3337SIf!M~TA`qz z-5V@KqL7Ok=3i{v*0>8~oQi*V3%2X~x;fp>nDa)%_x_F1X9=>?Uy$nj_H(mrF*pC= zN6q9MG(W)%!yR^FHz}A?sJ|hqBlQd8Umg;6NuLD3dk&g=c47UdL$hqpTeF|DK}7T- z^!ln{y&-vWl#`mn?A9^q%}yR8o#ubB(LRw*Fw5=wz}Pwx>_k&}qH||1o^Dg5qh9iX zlmzK|V8Eb*$b34!s)38I*e%kzo3U6U)v{B8Tbt>wJwGXK+z6+>1Ub8d3ZUgl_Lzhy zdIct%WLw9{5(U{suh=n$Wt^1-L_R&Xh%y8y>YLjow6W!k`>9NZPrhf&y7e<6ZU`s&sv=yDO;{g5K=)Q zW||9wy}qSCYHEAQ@mk=g{K%=bqtM|J`)i-O+cEZ>+u=5bJhwF2Q@Q0Lafn}PBY+wU z9cCvk1cmLU`PfOR3aeXEPh&i*hgJDS+LIMef+c+n-iXlvLQIodL*!Fk0%wd(8-zUw zOF|@}FxHv#XK^c$)wvkQoxUmVN=YzJ_&4!uHAs`*#p!UDq7DJO7@htn|Lv! zo_flre!|HZkIrV|S0`XnWW7GhT2vdxbg}!{cXxHw`cPK4j$0oU<#@qA4s)}!;%LH{ zV`GLwt6uy~1Csv0I49z&D7rP6-*eWG&;>osSdVK5cc)X1b(O{G_J( z;Fxx>LL*Vlem>gE>&3aPt7eDZYaZ{Wi^)5eZZN%gGPPLBRWX>d8d^j@8{aqbFn0gdIzK1fn3@X<4`c8uf62Rq!WC}SGx>8Z1MCg$}#O| zcwG(%O1?mm(!l`xy?4lmI}5$ez%o20G!CupLY}F0*tdD5W<~deMX4&HPXJ0QSYyO5qV+FjQW&O@n^_bXUUznyc4qt4B`KSW zYcNuZKcRUx<3201TlY*^gmF->C1fG+w6=n4@NWqA)s6p>9V1NdOkuL|doFj*zQguxEzU&6qS z`y3fUskgm!ZAzO~M*BA+(_^f{yk`og-L#?HF;O#G?0%tOWfXK(li9dd_-i~n=e@bs z&L=;VHMfLiDaPFmhlXD0u8dFaBt`1n69F^Q`>DwuHU=GGbktAUuo8<`W~D!xI$>E< z#}G@&U^?fedaq5adG&ZybTTpWxG0B@5YtzZFFwlJfnVX@n#`FSF`RY9!^LVG)� zm&MVoi4s$xO=h#)yA6qkc)Hux>MLXh8(`rXolcm%+@43*Jv<~Z+cX7)_&U6i)-BZ! 
z)mFE^7*Z6%SkPVP&v5C+_FO@K`2q|XRx?pYg1aDUT^XDb@;-lr48Z3QN|KfftEluC zU{+>Bc+U7d3!L+p-VILa0fx2Iwa>4TvJp$A3q|3(fFUmi>sHcyo?OXYhC|A1nz zWwlW^OW-kz*v2_>otCY>#Uzu$V7O(A>%W|_%~T!(J~-m}v|vx=beKKF3f9gWav&GR zRZBNL^^;yI`(TLHXkt5Q8U0z)OZXr*W8-@!e`sE0^OJ!x%UQ`MWa5zqO^Wi5xfy|w z-HdGwHC{w_LMOz~v#KF!mGu*jL;ss>*RhdRcrT+I&kns_0XY1LENssZ`WfD5gX^Yl zFrOM&X&ZScvWf_W*Zr_z3~SQ!=V08w^Xykh5fyaBmuYU2V+l7cR#c5lff#BLoaO3% zZN-;C7A0?uS0V2s(FDbAit44NlgJS4tdr8MKlPr~QU;51(0xoblj5I!)HC`4{P0Z~ zqE8W*zdlD2?-v^xT5l-3i3(B`X+wytcFO>`LHy>lVcju1DOALw@aVQM_mo9CL9e zkUw%+4(z0?gO3;6LF=;TQ24vTFNSn-fmt2C7JbGHJsNbj2RD9(KXOtU@w1V!e>A8JGq%w=S7J0o}~cPcPTHs-Dqg z(`7r`3%;q;mC+DZ`fo}!<5XXzm}qY7`MNJw`r8T8%hXQgR{d|>oCccxoVwULG57tF z#sL5y!a~IZ-Aa`NAoIlvo+^F?g+NJ>wp;#0AE7Jm9|9h|ozDUQGUbCwh98B!AGl3` zMu@Sd&gCTF1)q=G^mce2{~ms*k%y)rOWs*S%s%0jA7fsRS)j;lnzL|jue5>s+arBz zGsU8~FHb3LM=V>-Win>23E~h8iJb`7K8&L^RK&Pun%jJya;du&V0y%yk!qnn6IYQr zGVjSUu&lNmTbED+ytf2*kTgcXoVmxT3L!aaZ%Li3F}5=0SJ^gpUvIC}gB5XK?&PV% zKx{k7KqT|IsqgW7>;v2VDpNw(0`wIUV~}>s=>RW|tQr`CWJA|iQX4#0kj=hZYGx0O zU}$%1>C1TISu-YB4>g1Dl{g%k6M`& zN0WeA>MCHgUzw~7FbY#GAx?I4prYRfr&^A?%Z# zD7O808M)f(#6Ng!@# zqE^VrJ0MlpL{ToLE-=BJJ#3{nM_bes`wNQI9n2;rcPyj>E*#xe2zcGoi66#TCBTEN zhZ>3Loj*O>V=Bu>A)pkwR0o6~!7O3vC9)-}=BpwFnKC@K3-TTVvqH_8Vp$}`8KjTZ zWI|0K$51WoLy8PMRcMh}#Wi9R{ALz*`1{VVtYvd4bmxmKEA+)ZuVq>h`NQXvC31ngxug-`G$nsDq$p1XF{S* zuL#AR(G`kFx)&+fsrzj(e+44q`TdddT@Y4@_cPa0>wlS{VJ#IQUgL5fvYhG&{C3Hv zlzdH z-4+`krQdvR`9d=ZOCkMpu8n(k-%YKYrP`}xRvyD#u`zWGYRs!VLzieSTb}tahY5DP z-Df68-YP^AszP@N`(BWjqz@T9=w^I)F0Q_q@&yd4s}HUmXAoRraR;?-G=d5Ap z{C3NIWO<^GQUuw`qUtaEUWw)n^L6}T;G`+uiFsELKYI1KWHYBJ@Qx5tjzhh)+#zd?4}j^Muigyb>|;k zw1H&GGt+s)?v$q$rqx|mlFkKk3^4&l0=@LfYHI6xtC%}eUj=y@6(`g-63JvfLtBDc z%1!=Jb!1o3Vl1-? 
z`p=q7^tjp!aLff!0o{RS4ePQIXl9xjfNBDVvt!V71Z+O*dD{78^455KJ-o}@!1m+R_rRdr?>U< zMvar|iP&QF#UW!fO~viQ0o;%l1?}k6!kAM+>l#+)a~Ha7N3iANG!mG_OMEHQF!|u7 zKIt#}5_*)^K$^f!n_PsS*LEh~yne>W4V65+AxasylZy?JgAUhNdpJ0OITiB=H-(5k zB##qrQs#hRVgZ9L5jzMBbD)n=RyBSM-j*W2Y+?5t7i}tPpbDnVzF_Kd!VMbcYH|Lp zQD*F8u!M6Li8KiZ6^tr>x<2jqdh+7eXWS?Vi8zt9(bY5NCiv1aDWE0TcFzRb8ZSBc zP#IwJ+fv892I=jF*(G8%_nkl1sq-6&!C3D>>Ajh>+u@eU3CyD?=jqmv?=uXD(s}84 zm@$eMK@-PE@g0;z-RZU)8ZXhh<@xqmO|6NaXb+a$mZ(qr{jLBT+HT8-;wc!*;v&yj zPGn4Rya4z!lf$=OJ6@mm)ej8cP@_+=!H2nbH+8S|DjF-yB#Awl{EEf87O699hkn7< zjN5>0hdy%;YNePr`6}?hNRTc3OmeAp3DW_cwmg+RzKR#0(Qn)`Apd0-&i4MiPJd`j z$OoU5H|>cBBXyA1lhQ}y_da;@QH}A^3!}G*XO{bwM1#C`w2z&;It_0xj+c*{mx6J2 zm{ft^I>QtePT->bu?mp{1u>&+a~}&Tfrpz8eD&0#9W^pz`u^-q_Qi&Lv0wscRf?lf)ycwJ6Q>^Q)jt^@yTi@7QSBfpoYf?aCUx z4#0+7@#3ZfV;GM8&hxC`5@Pyn_gM#c8P-?xaF^Dp^Z5%CEKO_$8QBwsvd9}@TPq+L zs>#jMe7D?{W+xV|Ljz?E`(^35t1)4W^Dcm2T^tVeql ze9WCJEi)$8PtRNNq#lH3oQ4u_x<3LiPf$^`Ahv{dB5m`(h9RUzP(Rr@&45X+N0L>Z zOG`$Y5^)g*I&QP_fn^LCaSO~=cLSrcq2sMPuN9P>i=ChA+cxcr3R8WtA1V-C1K-=r zKewx`Y*xCYtt#6 z)$=TFk2!QvSU%GKDu2J1ea>Dm8#W^ULH+n9zhgEm=I|z=ZdM|N$Cu*bMv0uqx8n51 z@vHoYQC{D*aQR#sUSH+XS?VkKT(*MQ;t}~=uvuxxY%$m@qi)s$Y({l)qeadWbN^Fq zVOW^`dQZqGmx!%!7vEeo_#fXj{d}hwW2Wem+A_E9kCT*ub`-?HE)&^LoZRVoWK0DJjQ_OBNe9Z=_gn$Q^?Z#j@&LPxWLJX%@YwB|KW zEru{&O~=4CxvsWI+E&OXYs@&5vzDcZFXtJkkdjwi;NG|C;etT^#j{8z8tN}ASC z%e6p7=2}BpMy^Gz-xyktp4DXTi(99|E-q(%+~1_i>Up?z^e}*QlJ)?DBjX zc!n=SLI980|6Ek^fAlh+y6X7X%Mq9QYH(~hL-X!`hG7WYo0flj6S)8FTkTlO(aZIB zLO<~;Ito0iRjkF_X8d)7eBh*1WC@){j?E$bq@jw0K^yR5H09#Y5*e@JqWhxt66a5- z8XHOXlFvUvPDW4znQ|`XIN2pojuf+#TwcBteE!8aKb4deIwtSS&*K|NLdzns*c3XE zIa|z=ro@+hGkaGq@GhEFvQ9tZgCK2-k2qLyGfLu;xG@c7=Aoy;qcZ2Z;@V4FLfG523?tuF)ngctb%80dfBT z0r4Ju_s{1Y1nJ)t0>Z?}%*e$|%}UhF+zMpnVr36vw05=!{r5_KahYpKv(YQ$iN1p< sYes><_}BEGLD+wNsy1p+J=Nte^R(a3XQ`M!g55KyqeYD@JI47>_qZIxYXiA>kh?po+|R=`v(CYK_E=F+Wdy z&*MolR*s_lC7wEi7Yxr*kN9Te2nAYo)83j-Os|ImO%_Bl)iWM@GuP2_bF>Qo!H0`>k zsz7XP(z&iHS3y-G&CXl9(n0T+BI|11fiJgek%-{0m>4i?*z~*{;x^Pjb!h<24BR2a 
z)lF9pPH_w+PAL98Tfil!e$I35)l3bIQ7&ru;(dOMb|<0OC28O#L*YvMMrEvLgoA*1 zkB!!Dcs*?=)ooM>_c5(t<|li&#yGOYG!vInDU$NGa&Al(^O z0Jf?Obwl(>Y`8`IbuFdv&H#$0ead`>HX%v`6Gy!2;rvO$B56RI%EXd%0JSkfdIZr1 z!o2nFO+%a6qh>fG?R#wX*h$8$K_Q!5rx zM88HI(0@1s<@eWapB!})BCU%s46VR$2AqI1IO!?Q--5;3!e&qw;gRPf;=KTVrHPP* z_$tC1E1UhfAsi`c@h_x<4+rG;W1$DXRVDu2i9#f@ZtGlpn+Y&Srts)-zF47dy^{d! zNk8t!J`|^;#Ow0>jKjqv_R?M$gtBi*QvzR6XuFk zyiay|avH@h&z{eP+TsvNX=wU0h@~T~JXCdh_Xrlw^?u8)o4S&~ z>@9jgOCXjq!(Ior-4KwH0j*I{qNsylVyU7wFYQ_JLduta2y)U_CV>!LoZp&zH#Rpf zuQVcxKRJ#y=7fnDf|!>V>qt!^5+Rc_(`F*c!dg}!(~wBw#cVjXgU{%vW7=cm>hN)K z&#}*iJmB&=KCA$mtz0Z(SDkNm(=lC(>1C-t^5s!PbUmr+rC(J4EVpN2gd=B)(pd_3xLbPEFJM|B5M9{tSockL(aey~GLu~zDhUVv zv=EeE9!6Nb(suWi)AW>g{jC^fk+d!?CE@OoJHvVq#+nfPyQP-clIyerMXHHvdJTUq zCh}QV`F^6{-43k62T1AKyC8z1d{I-5m=$Ys2XZq)+$P5&&lDtL!S)`jQFm$Io~B)pX|&2pT&Y_lK|=+wAH(#A&=? z%poiFk-z}Aa9Y*7yc_Uoxigzzc_#+XPI4;RHk5<_A0ItSo8p;&E`&svDTQ-@5oh?x z>UMPp#&hLL<*h*hqa-fuY{+5Pw-KVTUgA=~KbxO*5mqKrR{dY=<<;osQ5X78EvBQU zv?7G`G!ub9=wu_7wnCVC@bR_vQLIt6iKreq|h-J2(8hVLycJIxy9{pOcsv3TV z*$u<)qTjU{yxpK}D48BODtUS&MBeM)WihzG%ysyBP33H`{tyqr!2dNG=Fhr+TIJXl zd3P;?xv7F@bHHov?x6qMS_M83d(m#MPU+EH?bQ|M)ECt%GQB|$U)umm%?(OA*oc<{ z5}W}sy-70PV0yAZv2{wgg#|^PK&mX1cD+~e;xXVNb;wNU)2gQd%#j3SG;#ctBz)5# z>~|=FkYD!<;xrm2hSIW$|6pSri8iu(+Stw1(1C~qoHtz8W~8Id? 
z9<-ZN02S^GagAK%1xHiPGp8a4LVUZHP3}W3VbJ@--H)408C1FfSVUZrJ zyFmaU$e%g9I@8fGCmN$61>vaMK(rK0$Cr?=w+w7Pv zy*^q7)y@ph$0F;TA#BVu7h=7B46f))j|B{lLUEDDp^y))&lFKrr1q-kqBYXSe}G*z9|Ekx+ z3czC?=eK_NM6gY}1CchVmUSj!pzE=8GEuM69v!UTB$tIfhK8<*oh9=`jl_?%JbDEl5lV5^Om!uW4KPzAgh9rHcC`(e;7!64!0g+5GDXuPXg<{8`3VDU zAnN~T30f^&GK&N9EM0s1PSa0$jBlb^GgOf1L+(>ta+&Z^jJ=CJq)Z4J+Tc(wUyYmz z?M3P9cN~`Q%aqVAu6K=j8^Vc;*^b-nlLlnlHVZ;zmgWIMYBljWFF*1u+l9^KE=S?~ zd0^yEnQ6mLP2C254sKS@G~Y-`O-JwA@LXaX{!y9uR!zUwmb}2)QHQFPPwg=K%d|3z zIF@e1Qu*yRr?=<`_r`#bD!ikbOTb0^uvbomHbLj-t&q%zW+IN-`P2 zFe6H&mOFEadkzIND{oq8M2SN~cc$hWRlQN;c&x|YPiF*tP>yh}LH^6nJ7jYfR+M>X zMb3ip-7>j#&)q%YzzEVHSHA^#voyB(CI&z;)qP%u6D%2i-UXp^^yL>7wVgw=$P-n8 z$S@QR`UE^i_4SRc@o9(aF{@JfLIG^wixD8|h#M^d>#F=LWNl1z;-+)!=aEbhsrvud?C-h1&q)$nW$S3kky>TcJ_dS+W z3xYhPChLq?$y6l7!-1~hX*c8>P+O@e*&&SE!M9Nb`0UJ-g!gH>+PI*jA9sg1wX-h8 z;x@;xL?#b+7dY|*Bt@}EFcwc!LO0k6GY25}!E5*?LhDQTqnfw}fk^)@4?+;@yfC2^ zFIZ47-9@+qZGRrB>^%;8S*(P6{6;5VKdCkgtq6gehi%2E72d9+M1`ip*DtpL$M;8k z@sE#6Ti{c^Lc(lGM>**Jj~juWtF7oqT<+zF%k@nkc&_%LDpT^IJmT~hAT z!U#l&tb~qXRKCTCk2au-_pH^y|`UPzGe}Vvugis(j1w6!GZ@`MVhVEiR^Cpoa0%iLD ztU}gpCZ{y$<7LSSrBA>p(^#&HKPu}{L217_#H$86IhrFAWqUN%@*S#?I7&NGAtkjwYB3Tsmz^LO)E z_Q+fY2Vu9e`IV*?hS^5=ri;ocvG8+|9{QneQ)nPsl~*8erPYLVv08oflq>9JHN1%Y z`Y{#2@o|Qt&=m@bA*~L*sSyhvG0(U-?kGi;0VIHuH$cE92Z6Ka2gTQnp%pS{<(x6Q z@@wnI578#G++W^@mag{D5;%>%(K{AnX#QgPLhO84l=2yr6&J37mVz~%7(>otXq%FK z>ZIj#ebpeaZqz-Wh?2*tMU&e|H&iLxc3MLX=>(v#{tdznw;zCh5$WTy$n~dQ?vmQW zd{PpO$im_Il7bmTsIiQ{3!4a6RXPWYxYvq6H5dfU1S4*?Z4c$(KhbXkf@9_elU~%LmzGCeVs)8c< zhztlILB+rV!DBuq`x&xjO4Lg>F}F7$Y2%T08LOHgZV_CyA+Ocsb0eXgO)CW5yCev- z?p<|cSIUe-0#gEGZFh+!dNm;`9Q@n6==`At3?hn$u_(&9qkscJdYNyi&J7*TjTl6R z7;g;xlEymt1si1$GZ6CFHY7Klp6L1Jme@{^Y_rAI0}PALGj)r#MGAeao6FU7k)VZf zQcs7ATRDwWkNq3MZoa2op8|krLB8Y&(t^KJ}K#tUr&p6b}scb zQ^Q?-FMnK5G&=1y=f!}{5xZ6fE38nSn#9^N8{z`EVC%df=asv#-M-)^qeT^*3GsUB6su$ z)meIUcs(3Uw^cLILOJ+NEBWBKRRW* zgm^!G{;IfgdvX2_SG6A`_!-GH^$&L{zqJYV(Of&{)KUsP(vS_LCl@Nr;A~FZB`pCT+Yfek|bxn|7 z!{ji*-Xh0IqU0p}I8^e}wf+ak8Ag*`jmgVbZ 
zloIjS3Kse2sS*Q`v;f(7SkmeiC9Nfu!AHX6s6TiZ^#NNxm)S3%613FbSXpWwBq!z%=~eJqnE_%mVMSKSNve z;8-`)0MJ&6rWQKvURP+j`}*Zg&Vy3V8@JQv`=i;Ufa@^?HU9^~HZ30gbjWT5Y$wK? z6@?!&9IQmFKmlcWO(Lr;l181{9Z^j#Xf#XpzM@-e;!vN2U#zUAT;)UYpGG4CuG4k^ z*jD9koE=twCMU9o-P{uj`;Rcu5@61~+7Pi{jw!vLG<4u&K;hoTWwP+mbgK`pwurKC zrziMrE?<)Zhs^;SCtG}Y*3>hIs_v!XJuiHJY?Hv{G70PnLDWR*^AR@dgM57qjB+ec z)wNIqv4Z_bDN{4nF13U4gYfMQpLWe1oN#we%OiAyqU+7VDd`Lpv0uRnMoZTjevc3J zW0LVx81Tqwa%p&xY}A!Ga|dx9hivdsgHFQGu8kEGM^m~t*$G}tSVADhG(6igYoP?$ zCpkYp*0z?`6GzxCP%K^GyQm4+d$l@~!n75gPoTtlrX*fWxp~pduNoZ;J(N5wU-agR z=Qi0N8J#v(3YU85Z)yq+H_42%to)`$3_^--)SgT9sX>D{ok5+j)&Wh%ZdYaTb5R4e za{y`@`C^iNJPar7R2bFXOuGvC1J^o!pp)}Q=haKKZkl^pv-OLE@IvNd+C^|z%lM2Z zpnr+D5so=!@=M$7jU#zY%lJ5iFDR~x-9IL5K6SJ#;;3yZ9mf+%%-ttsnW+WG5*Y1mWYS z5ca0fq`fPzuthY__DEMvcZ4%%`ru=s@3rK5t6Tn9t3RP;AeKrq--F+E^FCdcZl#$q z7x_YfP2MOTq^!JVbbMJJYNIZW!7Oz{t0uVG!6!7uVpny0FNJD(p56HBdgw_JFm?9{ zT1?#15_IrUKh}kHc#Ac#dI*fp&LrMiXzH53Ny;c7GR+tW`wxzyaBPpyteKYr)ucaz z#hA%_DNOFK&ZBL#2X@}kE}sik?$FGN+j1~BxxWc9C9*C-vvh~sdx6_=F68>4!w{JX zwZ3QrnO%F)>7>z7Q{-FQntb4+!(!sP1zb;r;ZH~>Zkk#wnaniyoFbB_Bbc&1c~S6S zJZ>C^qXoIIw3RI@-~AOsY$-ud!DjsIfm75K-Gf=yNdA10fe%GdvOXrkJjmhcWS{?Z z)?m3mn#3G%>bY4h$sOZ-0dYOcnkehsyKW-0bVjhXeROiz1IL_zgA8{w;gBoKg{l|8DOXA+p2zJW zauv$&b{nr~ zum&{?rqk1E$2hO&TJbzi;DucQ@;!prH6L9Th}G5GG`TAl^{4Rt$7jitxcln7?t&1X z_5EUzts8epIT!FH4-xM`v!6K+8l}470{H&T!=Xj%U-fj|f9>`eGtNep#sK3Hb zBhTvkb1_Nb4HFL6s#|^?7>TlY$C*_C^OU;%#w9y{G|_Z038f|0nyXzd@wv{4q&|In zWS-raj2pnl@f{YdGe9BUm54XB*8_LVc=|#okWAH>2BBzs(wV`Z zv}LUPML|v9t+OD;wI$oC#=fFsaTwM0fZ{yrnf#mv%9)0bImO6^r}Q!pFcf=!@00-U zO0j2@*5gUv7q@J-DokA=Wd$hyWXbbpGS)#(KX-#hA4eJAyh8uvGWdOo%I=Mta{XJ5 zOz&Thl^;!3gpgm9oWMde*$cYWL=n8+NiS~}Wx?YTp zQzXQ^8Py`h%km%$!(tBXja_iIJnPU9)o+m0$=!D(F-yVyg8N(0W)$6o`71q>W8zv& z;l%MB?2Zrh>6~VUF*7ZaC@Ov!`U!yL%N&RCl}Vwa?ROA)DJC5i^OIJ5T2fnLk^oGb zaxoqVePs&{5W|T&U~!+i1T8$orVLmhP1~p%%`BlU?RF|W5U6-i)N|KyfyEeY5a1wc z-Xue_7D`=5bY{wEao5Uh;CSoj7HZ~YcUlbL;NKzJ&2PFVNmwER%gQ=ppcpV(aOS73 znJ(q1#52$j$3fZNZR)iM1$HOJk&PS%S5i2r1-?z675HWY 
zuZY28H}p}Qtu7zuL=-7-vjTiTh?|L;q|Vc!Bk-UvV2NtPS1(BYMqYe$XVqRhD_H)% zXLUB|XS-)${ISTYdnDFO%v`<2!;pRBH4O`1_DLRo{Y__a%+;L7&zCNVvdC8(tkolP z(qx^V3!T<$OLD1$8m6DBS!pyO9fapFePEaxXv3K;(AUMp%J$6ic-azK-P zIa9Pg_aSOZ3Q}loW>`oHnruFATv+6v1c0n?I-xp?p2XO(ybmnkWadAeD?AL?7sn@fW4xZBnq2Kn6Pn}?_UzIPh3^11M++?Co8B!)QQ-sHo6!6|tYt%N!G zZ<;s2N6!gorlPGmn@zm_L=*(w;m8<7;ybpb5JtW$kJ}OLecOG*^hjDT&-WBVrpBotL?x)gu1bY6TS54cOV;T9s~`MwvT zi5wJM5KMuP5k(@Oh-eaA{1)Zq<9c-t2dFsf-K(8l zWvaIrCK#D=r*EMV^4$vP3lqvFu%D=dgDXbelCI6{nE;Z7ks)ghr%tZrf=ri5-h67Rxn#yx))T6dVaz`u~ z`S4~_h|Q)Ax^{!}SMmC8M$_etj)#O74kB-ek=2|(`xFa|@Y8a{B6D$_R>S9QnX+g% zrgFv8kWKzl$qP|}E7UO~x(VtCqPLtm+)m?iy#JW{1F z<{ekPodH)uU)8a^(h?yK&`hmF*#c>>5!{I(cf*O??9s+I0Uo$8D*tJ^jbSY(`D{h; z5k*%7OE_ak70LA&(0l+LwDy9R4q&D$SVD4#r6U4{ZV#-tdmHxGP1wRX; zIHG3q|7gs*{mPm4Bxj6uA*&PGJqTa zq+=|AXXiTq0%Jm^6cfb_l=!ISk9OQ-j{OF<`2+Wi^DvjGoU*8L&j(6G#?fcFn-WBr zscnDtfTQr0WA4Edl+VR@e?lVL&Xja74faJ3rZr_#tfzG^1hqx)2E#A@5oOw6`KeU(Y-V_2mVz~4u3#I$%-w6p5zxKHi zq4`p4D>JOXW1;)xYlk`aMUuk~8IGY>6BDbp=UTgg$SaNDmGTg#kjP058}*QoD^(TZ z@HW*bY(uJ8^0gC=b#*ZOtW6UG?_>>kjTI5|V9U#^-_kIaPV3o&R?-H&kZ>;lV5^}2Fzs-6f~Vi`S+w=wgQu7lui$mi zwrh!wMg_k(c;Rw^Nazl`Y17c)J#_$Z6XQ==(_B_$5>?4%b8~VlaNkRcg#uF})kz&* zM{y17A^@H>Y|kjC*YOg>2`?vFu@R2?9Fp43Y3o!@KAXESb?7Q=XdnHtcfkj$YJ388 z3vX$wABY+=eQYpe<9GK!r*88uHMRuDUwEiPT?578@F>^v8*X)M3b&-^lxGXd*~r<- z0@5VTcI{CgG6=*7C8e$vI%{n8Df{uyv1ZxoTih@6CQyK_{PYd&D$EP)>CHEC1kBtn zUiHsVj5g~u*tCkTIqh^ba0r@X%(xyFh_K(f$&H~Wz4xIe+&CGA>E{VduzKm7`s6d2+^Lwb&sWESSnju6{e-ivHeNaeeJVr>1X^9UTAt2c2kR z2we-Y-(|SrI`Yc2Y&N;-a!}R)&v0ZGo07xoP+EilHcHLb-FPV&(!!48{#M2v=0&gX zQ!B5loTbwT{Ldx~U~MC3(`5$uU`}kGA{yr^UL(#j=M8;K#EqRBQUdwgoXo6J!oFM& zawiy?+zUQVPST>ocd}D9c%32tA(it@TqA#BdcMl*L2o~i0euUJ8T|+A`y)E5Qc(E_ z)d9d)Q6$@1CNFJiFf~wf-qDTY=kV4f`-W9LrNcR*0mPU@m|BVlvH^jZ8Jk~0xMW+i z5zWlR>6Sv#4*kje^Fh7(!8#c)wLO{Rl{|whe{%MLXK@rz1JpbjSSN?QCgUkr=R4Ot zUgL$~&VspTosPHcZq+^=drApkMS=x!sa^xQS2fLi*fFZqdiV)sFY(EO-pPFmCcRyq zEZ~Ce(T=YzAjLE41}S++QN^TX(s^zG&VT*p&`wTBGuP}9RWsoq(H|>AzayTdlU4hJ 
zjac&5JmO&>H&U4EZXsT;%4UpT7cOF$DZQr`A5PqOfM!KE;0BLqws-Pr9|m_!i5>9@(B@Nk)Cw8ZZ5Rk_wpWSZk=O;}nM=%6*#W{gI`^e8_K*{ZC_(Y=Sx zysLF)67~Y&-8-2+Ku#1rh(;=S6jOIB5<`S|9>?t_;_7COuD!Qrg|fV0{x)trn2oHT zA0uYCd}1ua$D!%!jN<_(6ky=6D}|jC^5UpSfaM!nus7P8@+Y=9VkxJklWqZwUQ8IO zz)nRcF&Sp->3;3}eDn`<3X*pFYJhHgW?Srd0q>8%{vPWw2QlwyO?0tc_CPr9CSAy>0Vk6SJf!SA#8&)+fvB$j`5%-_4c$NrMQr>GSal!HJ9`?pwohALrOyOJod&?8Z`$=Cr_0GtzdA3g zFb;%Mo;n~P)nl>87kPZ)jB>e&+LPslmyn=v6}N3_wY@K;N-(_T9=hQw_u!!*%>jdL`N3=i+- zHH$xnMwB~>869bANei?#iWpM`t<)BLz~M*d5L7d`B(DrEV=&dOZV8BtfyCz(Dcu=j zDwQz(qGT&tRlI&X=kae9dV4lFF8VZIS%f_lu5}!lVN8WUcs*B*_MMc!w-g84+=mWQ zuBT0oSM^@PiWT1JkbkNH?NizW&)w!(X1gSs3}!&=rw^QC%t^RraI@x` zc3_bmm~sW)R#{{$wltNB5Jwg_A!cv}WT1>+f$6rooUVk5~p#wuKIFGdX5E%#(y79{=pyIhwjp^VI8zL*qJ zZ&mnV=Idk4&By*mg#MLpI)&@0+Q&BiEJg*3`|IF&n5sw)ExGs*Q?)^GBxLJh#`(51 zQ`yL%(b@WT#fdIzB)#e3r|a%lG#_3oM_5r?ywfUiO6L3A25Cy6r^9mw*NIrs6tz3c z>>m3J+?Rjog?*7c;>QNPPe5$a=cbG>cD(1ur18aa?#jhIK3SIZ(tC{OR&TZ+P21xm z%R|-)PpcJw_&CczNT*k@^wHC6&?RH`_-D-;Yrj@XjGA53)`Qh`<}An0w4B)CjoSamYkUX zsLi3b01pEkvT%)m0Pm|lTg}hPR<8QfxJUKAr9eas)23mVH487*>$`yp7jaaOt)R58 z@#phq>Z@M8<9R8|2bX6R%}2e%wQFnZ;`9Dc>S^RG=5bMbDCWlbYxQ&MgSqoDBPPVE zjRhGgfL0{69rEVV_|60AY3pWhBWh!4$!E>V`s-kz>=D4*p>1mI6Qil^;jobn)-5W- z2X>8Tumi?<%kVnpFyK9|W2w}tEWaXmiZ0*bdC@TKpg5~DX{fpa%IENdSZsjfGL+4_`t8FW0t$A(T#_K)i z;_&nG0Ie!U@h)Z(b=tW7|grgP(5<*DtbcE$RKw-cs8s9wWX`Q^EFQ|(%e zY1db*Os{p<>p?~z-*nqk##@H(ZRPP4!bi~tSl39~$E|zAD}Lo-Q=3Iky&%G3p(ljg^G^nje^=6@Ce~(uoea0adQ*)G=9N7{ zh0UJS-NWVX=clz|_?jg*{5+%Aipq22iK?#n}1Ad=4M(=vMa%&dp7pJGe${6NIbFJey&Hk4g{Tjj}Qp z!re;kq(|YN{4$lNrn9cCp~^{}Ug>T$0Seg6rjZ1hxhztXQ(CT9>o&-zPl#!`i%suP zIK-2HH}P$fyD}A(9-RiCa(2KgcEAv3Fc%w_kJ228B`8r>m-gJMC$i5ONOorpxG9*6 ztPBIemh4qPLO7!~+-R?zJ?7}6TTg5*vTTxfgnJo=7Iso2R8=1bgX-*wcfOKro-rQO zc^>2~E#3rxA8Amw`pNauZf}2 z0N5lE2GEhYsGHZ{3X9;N3*cJ1Ueo&jT$B)%jy27*^p!C(30#^2o<2TEU%Q{lErcKB z=K&WnA_9vUs9)=F_i(L5M?`Ua3WC+rp=I5%kTZmYpi!vchwRKSY1y8JmPxEH9gk2b#RI|1HjlvorzPYP8W~*kuqpyQq)?Mv{D;@RqEU9 
zep#J7!3c%KfhP!h>VnNMNqn`QS!8jyig=emBFPqE->+aIaJ42BKp+iob_QfKAiBkuJ%yGY zEaVGZIU#y5#h3JjxI^s4inhh105KppkAy}=utNfwT~$R! zRPu8-PJ|ACxSJCBY46F}>q!!*M?nF9c=x@iBVcb{V72d5(AxALJ6eBLWP$5YBq93> z&`ADl2)3d-S;Tj|-rYNdU@Y9|>QqR*)NrW4fp>@iMlD*jWa7XKU$lB32M72aW<|H6 z1bIL=zPmqM_FqA&%z=u|l^Q+Fr)r&2}>7C|4EDWq> zBN&f>aLFZy46EVm*~u&>Vv`exfZ_y|5UWmw)tOBDAG(bHrHlD5UEetZMj&bKx5b>9 z3?6$TYE`Wu>)AYHj5-Ki_5^{8<^<`87AtqD;5_jV%ZAm$u0_n zf;VL}-(xuM+YV3!OLXcl!69FN3Q+;j5@j^v7VgloL!w9RCdlp<@+Xl364l|RL@$=q z_6!eF@$Zk&;0bcTw?OagvBeU+)ELhD`^!m3Lt0eC>|$61w~B{(NTUQrOhSYEmgr6- z&v7_zKvS^syr9DlY0k9hOn5Zi4ZvZohS8e!7Z6o{7i2~+6=HayYenY*sr5_ebXPUb z9MG2Mg1!Zr#3u5Cian~m)TKA))%JA(M|6T57P^bhTyMLTYNA%w8-Qtgv1h#HbT>VT z?GYm+5X7U9iFb7D!;{(G;zKM3aH9r>BgqHb2W54|ljDlbW!V&+>9rvAr6g}vC00yS zMkfL`YB|mm6n5})t1cBhf5tM?{KUWIP3=@_D?K3m8 zTSbxL9E@;G+_?qEk&F@|dQB_u{$#`fa|5D*`!`aze_A-uVkOs>>OsMr&rOs;>D$?lP;=(|3s?=RNRzAt}= zKXnwvzbF`KPiMc!mM{oQQ~&!PBn5Bw*h;`iF`ygZB#!7jF&HO_`8~p2+h++MKMu{G5^&b&Oh3-fBaW_b>N5# z!04@}p{QA0?)HzP7Qb3m#no(kkpwkoCpefGXW3&2sllSd4ER^$*#0;4qW@pC?IQ%p zK6CQxep(6wu{7JRw1r_i%dka4^JJYHfyibHym7FNwVKgGAx>rSIg%?N8gazz4EUlCjTEvxO36p*Z6!B zU0edt;_w*Q?++1EZJtAAxhP$>FY6e$B3K}AzprltWdaxbU8i+y9(aH2v}YwCv=zWm z+41owxAd>kU{SOT=%wTX`Fus@t5rNVFl2t-o={U!S_*as2>Oh_>jHqMO&px}7%KXX zqyF9XLm{fHKp;vMm-5cJQ_VPhKFpq|e8in6Hyl>_QD6m$B28Mc zwft41b__IF%kgb{{G@`>%kY~%>3?ilq7YTcBu0tVLyJl#lf4hg zK5>60;IK>~f?R+?ZC5CJT7m)Se~|`f0~x!=`8Q{m>W)+A==esvAVEY*IQ;g#%6h?^ zbIS6)mQZ~%a&`Z)<5Lj(0j-F|}l{5W@?PUw;I9uweAgY65#_ZMwH}jZ$cx7ms za+Cik!FghZe~_C!D+BUKQ9XjWqE5V;Eur-csBRZ1_+lCXBA4ot+vop!smcF%sRy21 zist!Wf^SGBsTala8*H-Uq$cL5k|T`$kj7MsX6b^7Ys_6|;Qvv@UxWI8s}WCNN&WhJ zzcN$jNgn&u%=Q>-I^NfdB>e#n!^{?ssRYp_cx+7H$>si=TmV@5oPW#)AdRN`Z{`0M zIs9f><(uVli0CFkZd))si#P1%*?(x2Vo}|*{R0Bm?MMgr_zyq;U&Oh1D znW}pkshCPc?^!eSUr?Ok=>?niK2Q zrrZzzWr?$HX+YkL6)6rMu{8uBeXB+)GJ(akeq6laLnpgn8_AGOqRgFg%{4|3%byv3JI3IzGA%tg*H&cSjCRl<^DD z=8h=g35fEGvrh^@b-KAc;{ESkM9%TCf5+t!Vq3o|0_CTNf0|G#LVzng;)yA=KDRq| zeZM$#m$LFdO7;z)I{fSE6uhYaG)!2$rfELD?;QJox4r@Ml%s1l0cs31M2#>iXDl`R 
z<|!dkf1GUf(EniT6!AMf*{t859PynX7AK<;zT`tS&ZbH?gREILJ#5(dgAcA;?Tq%ys#@lWtPhl9n-#Roa+Ba2RwZk zMuf7TSwZ^FR9N5DIUNlX5`@9Vr(~cIEJJX)9<>~L{cK+h`+qHd8XwW|y|N(aa8@1Z zPl<33Lo#JHmCD$-I0CFJz4R6`VeeiQ$(?h+zatd$w<~^+P{gbr@Ny}>-%08pS)tq# zxzsN}WlYt*+Yf>0&ocAIo-R5xq7NSoO+)D8>A?FhNB^#dx8c0w^RPJvkAtG(HdV|H zc@P7^ps5!5xGFJnYxyDyFaa)HHAbTU1zl7u^c^p$Nmcu6MMT4lbg?q_)(0K ziHVi`oyPvpal_rI-2yO2efXQSzpiyf=u*S^6Q`Mp?D-HMU=|t+pZQ7smWTgN)2(le z_2BR90LVIQPyN?0fec&z@4j+HIQBm;I2zU}-=zm3MHlyH?GLidjysruQWQy*fu3Vs zCmj0^xt#j5)l#v0-0q*B(0`AFsLSX>K!{ZJG@9dgZi|uunTo4s;=@1xm-_HR-RIe| zdXvu5sMYEWeDP9x-`&M`p;yR^npk;xga zOM7zQ5#p>&m2m%T%ZT`K*d~CX1xyUNAvftMAo7V*;t8?(x>zM(ZQg91EeM@B*^(Sw zc4T)i3OJ(=IFnvJb;YGFaPJ8d6(#4yB*@2fPemwe1S4k(qeXwrDFZWO55uLLrsUPW zmVYNOcs)2LhOyBVv#Yx;+EK0FL93g7sMb727>JU}SbW1>o7`buHu z2uB$|e^J|YHV>k{%%h|Lpe)raH zaY;0HL_c>#Vm{NxsD5$(MIBQkL{Y^8QPEu+;ZgOVkMeF^ zoO`722@}VPC#zJRvhN84XE1s`mSQp1|H#98Yi3mLh|uRw^;h}@hhW)|us)nv-2AU3rc$#cMYW2#q_kDV#rg>n zBl=hXV##;_a6ATuq=X~L=#}(}iz)+;^YhP5wB@5TwB>G-YVndtk+SABlN@B{k{W&14w!}0~ zsxZBG8WYiR$)z}$Cdct`J4C0fpQ>h@c1=XZcqGAySr+aa6eU!Ull!AR16qnsqdh_S zNun_!sjmMzS~f%(;$$$Wp}}8kclP18z*fVPxgo<49*$7ez{AoYDFpChVQ zrkX(bhT4YO41x>;xtLucr!Ju0!&Sh*q-)`%u`upwaR=>%4Vx+>aZkeTOQN zKA+S|lod84QA50s6+@jsj6MHMs-rt<3rwtT`U$t4M)ueKhZa3?s!7Ohp}+SidKL`p z6*9Cne#qo?zQfr7+eg&wG`zEWpe89(05#B{G55tymH2`t4UX`qB4di7-#gYgL5OB1 zlBF9xvXl(>TO9}e9yTv`4K=Zc+0!pPPP=#BdxciX=VzCj>&XmO)!hwC<|v)Z%UYI; zFeF}3QrV@(yEo3;)jr$au7S1=>8Dh&32Mg$*7h8--o?))R_M>-TL91-X9Xe}m14wz z3X3SwStHdro0FLM%$*Fq)UYFq*CL7sqdC_bg5RS;rQRcv#g(E^z-b7pR!)zRgo?&$ z`lX^bsFX2j9X3tI3ea^i8KhaVu^iag3h#QBW3HAvB@ai%%AwDfr0-{7c;=GdL4%2J+@`v5 z>tcTnzHe(sx~i59pR7Na^h0X;d(g3de`w^2nV`5xxt;>L`EzTNok5qLd?2is&5$_} z39bWRpDA)}U#FK1ot<~pA%!glFkX+0bNF92sin7?2OhkM0I%GV=AlT8bQuRv6 zJi1ErDdsXltGnrcYgfw=T9J8_O;4nd~_8<-tLjfDwR?)J+2D9@n(1oIHfzm_mMLi z`9s@!8S_4_>WQY;C-%yHmnHD%Dyp-%(C8~5l2c*R>uY0y;t+`Y`1>{J@Klyqtt3-Z9KRM&MmtPi5lk86Wf%@U!Nj#rS;C%JFM}Bo;-1fcWokLFG$nj<8 zy+84O@d7-udu~I|4X0ytPbLbxkWZ)dBXMrSog=rAUkjq_J0CHN#e2s`&3OI}@KLj! 
zyODd;TqXVAsvw=%Y;RnvaH^H7@_2O&aQvwNC6uLY}bl0}Ve z)O5KOw%9s7y814x&C73vMR#Y9ux%Dn`W3azBHO=5*e;9c28)_yf$ilZY?TTs#G=Nq z-?cuvHn7z+=2zcxAN=TQUO^#Q)c3ZV>ql6BE4^h=-EDU3kFDMn)tkB1uXYM}Y^|_} z7PM3nDjYE$VS6m3EUmJ0c)(f0^xAM_$)wX>=guY&UHIt1ww=BL!SjyE0mn2e*_=+m&gClBthn z260515AwQMQ8E(}wrHs?GN$~rjHx20!J6CLT?#Y8yx2T-Na?h;PZPbIX)M(~_1ZA} zO;h3)T62X_ZY46@0-Lzv*|Zx&E_-_F443}0 z1gcJQA}bd@A!~9hu69YUu#`XQB|P7sp_r7>gJ4l}?0naQ=eKWIe*Bm26DkiKHLrPJ zP_iGe-Un1)|5Iy*dA%=N=k3?`RAD*mdD%K%W&N(SZdYHgIf&T%d06>()P5bcU&o{I>nQQ($ZB2|Fd9^h1&eTF zOMi`W<z%i+LkehC|3xCpWj}&-vt0opTg*RT0~M$OX_e04`I4^w zyiO4=GHT1#SDdN}HzSY8c&)q#CA?U$cX>Rs@6d z^{9=%wkvf_>8+M)vs_9SZcDfQR6N9dRgunAEj}Y zeJ!hOF-v>$!Hlme)wj})w93l)0Haj>scn0OCb-0{HQQA7ZmdP_t5$pAO}NWsxF%NH z+6QB8(Y@#cGQ7wZ@&VahVC(mQ+}iKm9*jxL9oU2MXTOPhKo)KGLJ!4WwY|(kak;=Y z;D z8InqyQL{&cCa?zE94f7KLR-1^!V7MA_3m;J3baJWV?yWMuDzt!w- z!7+If!>13B5Jv(0*@f49*upP(kK>x={^K8$)=&DXzx54rAX_xi3?^>UB3*o)5Ixq3 zs$Bi`-^Q1st{1?NBIm>2VP1~?{hTlRd%c`5FAnqa zbdP#@9P|#3^XMIR_VaRed!6Gv)_eQiT#~Xh!?%O(i~YQBN~c{zuQ}s!`1x!e&%z1s z@NYB^7eBAF*Bcyx%`^T+)X#Ljlu-9oF9RL+)0Lz|M>rZik{>`zb$M&C8*fB%MBE&4mr2lbltE4pM}-N(QmIXNNy zet%1hc>G(Wrh79N=2Ms)9hm81f9?AtvNH?$JscP8i|77y-^Qtu{v&t(IKwr_9~gc7 zUz1eH*`)dA!N(x{9N?b~#@Fty)FKMTlrjYG$>HJ*){_~qKE(guY2a!lGm6x(M!+Hh zUsz&X37bm2op>lxiem>I)z}~+Q4`J{16b=$2viXbmz6KuFjK*~M{%`Kj18zoqMTY$m`aqto&DpLrqB-}sGAT`(KcUCb9g zWv50=M@#Z53MW#&``Ou)%HDe>*d6#S_GkPRNVVL1g~@*2&+g~>y26KI$2mB5I)lB| zp?kd7+8=pdYv2yNR(Jns@5SEmpxYTPG8E510&hbcEDtjrALjrQ!wX-1#o6lR7}v3H z_*+gFAU^mrj1=x+zqms)d}~+@L)rXAqfjI&8iXQEW(+1DQbVvFaAgB--|Y>0`v-&8 zfp-9FpEo#c9ghyWt$}mgJ3M&Nbq4!K3k*1DJQzmxaC?y9#v8wAu(2dXLye`#3^egt z9cK6|W^NAgc0K0IV~%n@yC1WRQ-3^;S6+rX0+X{=_Vl*bEIz%Z#&j~y#@>wCPM(mQ z4JQ?CF&7t$x18>&bcx4nXdH)5k2-sLBXW^H@YznMBAk zvw)GfGB5nVh-2?qO%eKv{I4MpLlqQmRp)SAnuFw!9i&IkwsL`e$y%xLVf(e``tu3Q z0o!*ViunI<$lAVcpf8h7UQ8~s(_um$jdqfsCuDm&*#dNvKO0TSz9~mXuJneA_(32l z!9Jr><=@G~`RKJ`>J&uYM;=Won#T1;4$9F9>0mul$OIX|bV0t#DFT|piDutWx23!U zdf#BO^rq^|+sN^QZ)(Fg5{~lQtL1!l?$uUF@uP{i(zZIec>sf(>?B3fQLMH}zObmN 
zcuD{I(Zf=@>L=OmC&pHP;Fi}J(JDe^7JnEjt2FC2j7vpIV|?|eZA{JbNg*^Wx#APv z%1F9wW{sh}`%EK6y)gUAQ3admQ#hVa*h*Bqu4y_d`vuPXf?m9@d~fW&F`kuJ0!bp1 z=+(t|#?m=ISI|9!Im{LQopACG^Ziz$_1yU~S{fXCV_Atz38& z%qIgcdPNDaoG{$+ukI0i4O3jp{fFxf{fWbRX5xJDC-ccGYOfOp=l-ofqsq7B8?}WR z`9mj|$eG2N9ec*gf8+0dqT>zTQYFi`)HaBU z9qfSiH@O2^?S|z!o?q6qT}*8czNROsZ`(-6@HSl--$`LlJJabo>umGBih2_nHdhkB z#^!8hR^yVTa*1UU=telV?_`$BroK=%vx{Vwca^EsmLzSlfs7dPDeIupQtbShN^Uxa zYHgShXtE~BHft=vGID_p7KNX0*wnaFygSb8#YZ#xlBzb%&HQu(s`+?Yby3+?s<3)7 zSD*w{;*u9OOciC<*dnytV!l$M*-?aY8g%8m@*a+<@q#XqjX@@yXc+dTB+jq)w#poO~*}yv*ns8(n8$2>hF^+1~tzsZ1fXJmbIvnV6riw1k+nIokaGyaGFHc zG94F8j7cJ}Dq>QF1a2TmFdxJ4Ku^H}$>Y9h@Q< zWTj70dm5H3W~9B1&PYY7p2w}9S#oG$b=EhK9`n4u$gG!EZ>>Oilm_n~_0e8s)#@Of zW0;URHs@O>2=jx?sj~b`yqFe9J6%4x-Z83-Ds)zk%4wOtD^u;2cV#8@M!L%uRUj}b zC5nwzs57L5b2iv-TOLe$3q4!0(jwV$@SX&*o6T*u8&!81dAbQ!?pm}HtKHbFNCifhyb1~7fx|3q7O1!w#;Vb2TBo# zNykPi2q2o&at+NGgnJ$G^Ah1x<~r3XbQ`3lawk8UO$OBUXLs`fb?TGuSi7gw>DV7q z;cW@Wx7Oc;_)q6>-0^Y zkPLa$uB`S95xakio-dn7@v}D`b8y!VN%=Q?;W+AefLG{ z@NjRm=Q^F?V0ggrc$-or>uH@m=e%kV9X0-o$phFvhz>Scq2#?*2apAEoIHi;o5kS;iVn{FEV=8 zBj6>Ot{(w2NenP+W{y_H41#tg!Nc|j2gBihuhV+rz+$_90O!$x(|gf!4)%|`ouh-p zqvQPrmfh3oG*(yKUUO~XQ?8Og_ZhPogGCH*cAo6WGWG_lEl4_PQM8eC%1qP|{d0cw z5kt@|S|sa&Dp5&jlQClNLzEVjzvV-f{OPd=Dp8|x9d^6k5Dstdq0?#YJBOo|(;W<3 zhXZe~yYF~=ht49wfzVbC`|&dJM*f$Fl5%G4r->-F<-@V}jT$|o>7???YJ6brYzK&z zwrGTCNi#zv^S$~Qk%p~P+A&CbKHzq#lnokhqbr*M4rVZ3fJc^IwhlLQ=2V1@QKiAR zl5y5#eh%Dps4rKT$1t=;N28qh~V{Niy9$$$?aWYGOYcMNp*-)9!`tW1*krk~z2D1yG+=eYbJS|6O zzf_m-;3N6P!NK8+(Z1I@cHI5e{^9VTb=-x&I-b`Z^oB1+dyccfNKQp0S=XqoBoC|T zbnG(Jo1q?#zWRX1nODi>EAWe%a28%71mCZpT}(ALPMNiEGKn_JE>ud*C?(z!i%-QY zr#_9!nJ6v^L8eXHDTkIO86X`TtkMF#c`#`x^On&*S?FAuVSNbgP1r%NbP7o#Usswy zFzHXxJig1?EWa0@RxN)`bF8C@>OdvsQ<$T6k5?v}K}z)Sq-H0Md?)!UM_3{ZA{;GwO(~Lc7P{EJtcGp*DxH#5O}5O? 
ziM<^q_X%zw=!`n2R~@nGG?n0>(>Zv-5?umCM62d84?_@Ace19IzPsNkPOlXJ`-H~(?7Map{CqVE_7(B zehF8_ZOOd*w3bTombdDfh%OOGR890f#u3$IdK(T#!fF5qPx7H!L{Y=P%7z&?ek(mq zCwp8|=uj>!$>;1wIVDv|!i;<0pEk6SUM6U0rY?^!aOgrofF6I~&`ME-a@*ir(>{La zLHb0MZw&O0gNW?@$cEzo`0xMw|4nYr#{Tdl&I}GgDZ_JvgWk+|B0y^?bR)$n$c_B* z7!S0gd4#57H)bQEL-^lWIK8irctuA%UVwIdW4i(UCEE{d|HdL}Z0oq?CJ%%%>NJk{ zNW@9kTCqK3U*AUWyjyGytpa!^-_1@2(QL%o?Yz7&5#ceXGZPX<4Aa0X2r|lc^^by@RB{;>atex7}YwegQ z(k^^>TR}`5Q31hAeh8e@`3rC8FlLkul8VHlc5qYev}U>^nk;OL-kABZb;Pc~iHDVg z89fWRquY{&q%S#BKdc0%YO=5xrn6fKOs?e8CS6E;iCKQjx?{*nK9{1KJIWG?cB0!G zI8yH9@|hA+UGfYvqy&7Hd)9OWr6e{JNv;{BS+`rtEierkxru#5)dZ?>&e(?d!!}<$ zilR1QGS0t}EM21y+pkvE-)D=fRzWM%DIO@wRcw-rSwYg(!@P5QfgQyjA;2&RNHL%CA4v-K%Q z*B2taK$&SMFf}jzyEX?c*LYzh?P507eCq7Ds7w{{*2!lLhT+h|CR=9^`3DafFTcGH zr@wlisQob4iDSd*(eMtBWcObd#*%-rGF^4d?P>WMO_B)CAHJsN-*4Bd3VD+{?q-2j zy9vvfu%bMr(tH_?{UM7ct|ZS*)@Yv7AYrU9a-!r>Kcv*>*=X1Fz(xDKk4@VziJfUs z#(!^Wcxy$vPJ!vsi}m8NSjM3fMb7=r*b8oFcRQNIH>j=~>nOX2)*zD%LuYgDbH5{R z#*bPh6g6F~r!VKI*3;W$sP*)g8EQR!Wj%emIO_`$#L1tAIFWO|)ny1&-NW*6cr=yC zpsvNJo-ppI-Y%tORIdx>vnnRQlkc1GGfb+mJnl4LTUBJnh2KtZ!$b{2XJVDkKa$?0 zDZb7^KbWOH?~?AMLEV|Cod)%0(z4&#WQWtkeCC<5yT#e>X!bie8Pm)~NnM)Mb?##p z1&cVh;dVwTgljx8_;)1=4<=Al@xqHU8V@QakN@$1{vZF}|NFnuzy8~Q*`{S{hKUWe z0OXr#ky!W8Jr2pbKY!T%8Alu$!jPlss>~DhlW~vuWY=H4LT|OovIP`k z>B%8;z&~ml5BM0A^}Q3_dNWGo%o~r-l{T`{-oUJoDb7}(V4|1IDJvzbOh@aWD<`sb z5Lafum69)*FxOp9Y?jkyO3^3cl@jMu_DX4{=h>B#&Y1?5A!(TDS4uyQ<~9P<5qz6w38HMJ^5N(e-4H!rnQjGt}B1n+&zK$1=mC)b^BQz<(c5+f#DuBAc_Gv31;AoP8z2P;@|U5Y2{%wGHbh zAoB;rVAL<`b;nzQJza&m>ueX?f0#}Re7}v=R>?QG19qf|OsW+4QeY%nXai-ov*S{| z!s{--mocDfiOe~;x+rV#_GmBsTvrPiB)NFJ(6J)vi*~acFzLbalhE0%a@4HsR#7n_ z81L{*Sm!2%{KbgB3&=0;T*!AuUHTywO#Prz-u`4Ptibe>6_ia-R!D6Px+KBW zV9HRgWYGAmtU=esb8S#sg}2(EbWH}OPcyzgFGxYQEOY z*P40T49`L{U)y17S!+AY+77d}!>sKvAJPs}YCrAN@dc{H?XPJa*0=3O*7wJdC{0ps zXGKbUQAmm>=vUQ4vU;w~EOafGIW!m2jHTzQ%rSidv(O4gpq0%#s~c`EXp*_Gv8Anf zW4;-sErrA z3d4Wjgw%j5d1>?HbKu9`WIDUgYuZLmq4@;yJ9IDNX|8&jo_u0T?tJmp`~H{6324aY 
zC>-ls#atq7FMwHW=(%d{_(SKqQAAz}Shi4{NgSM%urjY-ohCiOub3jr%e+PrPZ|C9 zUNoWi%>Nd9*@8@8mn{)C=bxP6eYPOm92q^MQWs^S2Sh8B|hfe2VuH$ zKsgTXH`Q}r@ix2o=(q3{1gkv*uKIQW+4%bQvrFU7&j%JHS#}Q16r50dI2etHPK}kIdR40W-B7%{$MDG0c6kN#Ys!{*`^tY=dlf z*f4j%dc#!6Bn61tJjKgeeyN0GX#erw{tJ1f?!#@Kg$w0a;(z?t{|hUNo8Qyb?YQwN zC>x7NHVSzx6qCm^|Kq>^*Z+sq8}Xc{jDEcluQ%c)+icqnbW>wV+h?Z3@X9>fyW4uk zMiPxT^iFuA*Tid(WgW{pH(cPOgv0=AXC1DoL)u+I%6) z`2u_HGE?)Fdp@kwdw}9&%NvWcp}d5tIAg{H%^k1j|zNyYzhcm7<7nl|XeXK0m-Br{!E2+IzkWC5e-YO`noxHyaf<|dOSP5k*L5CJna- z+Iu4ig#mLbI8Bxa8-Ikfc8Zfo&$MYmxuvj8wMk!>oV>Hru6i*jDwkA3+@hc=<0kfI z+PI*42Hh-PQ6Z$QrZYDE62a8AnyE70qp{lwi9Eh1=e82J$=6RD=t7i9EW_y_b` zC??WEBHLsVMjm=P6englQ(pCO7XY;2DB>kH{RuLNd_PN zLi>}54&^Bf0*cAeH_Ijq4#;A68Rixt{U8d*e2Gd}QxTTB7`*e)ah}?sqeX3h<@&;R zYjQGJv6?Q^k^PM2M{{xYl2KGLB`l-B`psw`Z%OdFNGntxKj5gk1^4?XoI`H`?U1?y zTuJ#e8gB1BbF-BNbv+NI<6B}6mS<*9WJd-`!RGCkJI&|iD|Mc?%$Rkex8l^` zOmA6W)~VhyW7fIeHe<%g-Zo>#+1@_mLM0lU@9i@#)Ex$Ae7lSWr+oX2i}s`Lq;H*3 zchT}j8>CFGS1R0Y$eD)YWp2h^Qsf_ex^(roI&@=&|Ih=R@~gX_{?$pg zVD#vv{KNxQ@{^vEl&^UDNhdx~f5J&c<>9E8N_(VarAGysmhS)4ANNvpdq?S?=~8>g zN~y3}PCn8taQf$d`X^;kHg2-aL$?_=owC&xEp)0ImHiiN8p3FXxdg4u-b`!}KVYCA zMw}pZs)|&~!nis}ef#<(Ej39{A6fv-$8@)%%}~^l z+DE<9G;FTb&8A(PKq?LXP=*R@T4L;{^$pVX4bqj%iOpKjWlAXzqqqd|pVn}LbY@Lh zDRsJVtdycTyyFrC)9cboN#|(Ummz6b85gE+cWloK4tZcSEqZo`_3uZ=Y&sd|9*o7g zIC~nd&%Zh6-&HD*MYrf`Wd6Ro@|YO3$I`5!f(E(5{=4#SJ5eFWa^vmzbg>0VoyWtVCyd+5}>$*45}Ord(eAdMGBr zdReTO#q_c$)xz1SQPU6SC8!m}wW7FI6xWL4O(=>hZ(1L2r~2UA##$p>PPWzvTWM-* zjc~0It~J7sOCxM?B2QGrlrk(>@4X4^;AS2MRD+Z;oX-8g8@Fiij8l44Joh8mQ^G2o z942Xbe-{t$yop2e-OXmx_~q{Itv|b)4`3%U*?lcmvt7l_ymi5sv)12WIU9uG$9Q)z z4hOpv2gYKw%Sh6-4nMY;BkVU=>w~T4|NK7@?GZYJt(Ro0+wK^XutoO5#WWv2IgyW` zYP_>8*VA{NNV46yHj)_fZ3vPOEwrVl`<8z3O(XPGPfztCNKrOa`)#u9Uu2j4T?|m; zyHMj@*kU-i70PnEGfKjF8()-U~}nxHe^9Lp{)a=hX;?T*u!L5E3X$9@gN`Uj^yEdiN*AGA!8qfsDi3@RdLIa9?`jU?!#`aYd#ZOwo=%-Tt7i zu_wPcut^pBGx%c`ipWJw#UcyEgDSsE9{1@*_|iUsmNH2jzPB$ z1{q3@(J9cQqlM#N0V`TCQ)xY;JekdJG09$KsJjVY=6%8EnX=D1>i8MD> 
zkeOz{pAKxbBLDUlw*Kr3SL?*>AE-JD_r~$LH-&S)7vP5DgdLjNZwGkL{cz2aow3FR zn#F1P7`T`?w_Yr|+>nk>D<{47e!KGnp~r_4+1yu3_rOO!gTC|NU+DHr=&SO%AP`*^DV+vw3es<};BZmj-&rVRkWy$|h$M zi+q~OErZR<=7F!Ua0TmcUNb3^TQcZ=hTW7yF3xi@1eBeEevmcbO#C@H?ZR#$Clj7M zF^||@@VxC*-d)@3yUN^<+Xifkq+Pak`X*0EU~Izr=sS?=gDHVwy%$e<{3Yv=xg?rH zi26C75e*f_$5d&2ELkzlS(Z%6`8SU<)9Y(Px9P9+O_lmn$*ceRl7@ z*XryW_wLD_U8#w~6`$|sV~_1+y4#Jm`c@QrHT8zrk6opOw#2s2*txVCEs-SEw0vHT z-v;T~aO(pFXs|lT5o;$({@k{0Jvd0@oJkM@DL9k}nPB4%>EsPMrPHsIn&q88^mE7Q zkm}yg;N&p#T-fEFdt+eM^@A%|{b#7a7$N^RLO1P|OG%p&*0(4Q_8;2P2_I>aS`st58b4V1=1?0laqf9e$S8fms4#_?{2%G*M--o zbJw3y?V&{b($)Y!BAC6CrrAgm%Qb=;nw5=%n{6W8zw zEp~SPyuI_mX^lFqE?w+G+m@gB$glc@;BMs)0o|Qr1XRJbt?81_P4RMc~hT zhkl}T48)pAZfRCfNW!1;R7MV%O@T2tbV6H^^@eKcK=Xr4+@wV*15q0Q=v3uRwP~if zYbIsEcaBpfCS{p-N_wR-kW%@jq|rqxBV<_XOk^S^L(0fv0#!1)*tl$@QyYdC)QOKR zCaE$8Rn>ukj~pD82T1840g;(tbmpz?X2rpPk8B4KuPXBB;zZ}sQqk%MG~!Z*EzLj) z`k5N%<;ZI*r?h1DQ>YBQ*=G+{s2wyu*y+R#(r%M<$0qiRY%y4Hgv;DZjBrU~!4Yn5 zm}X8(Hj{Q*&7e;;ps7WgsTwvDel2GSnZ96_NZO!mmMEH~%rjE{9Hew2N?JT~CevII zmY3nl4rZ`Vwhy-dyxr_HSOjp`|6R>TBmawS#xBj6g9g$u@JehQaFcTRzWbN_q?dHK z&~#m+rf(~Ty(wnVC z1*Vcbxtvv$Rn|@Kxe9`x+|1HxB(cE`%r21?T2ACxPrF@QS`TRbRc)=otu>?u5|vW< zCL872ybHIxN>h$3UaKohyT-LD4;Z(qKt;fOSv4O?w05a(Fs96bFUsqcqh{q~Ym_}n zSEK9|QTDP~RsC7RwU%)0;aVVQ|W?orY(#lt3bWGyR`L68=1AQCz^L0e#SR( zVgtbNcSmI(T40wlkMkHe6~9L)mv~=Z%De49^ic`ZrC#e>^J&oS?e(`%4?Je!Ap~1D z$QG)_Wyb4<8G0^;yMWhnxLJ^T$K3B|5^&%G6T@_IPj)iZ zSK*UZZGbskcMel(9~uR}NfzEJ{Q@OZ|( zYmM%6L<#nCr*ysgl<0Fo3ErdD{ zgXN*MK7MlPkiy)*OLPFZ}NyHY1hHF90Vu)=xLRNtR zEZ%iJS7_l`eSpo^v_*J*;3Kc7scquBa6X2`+anR2huRqEa^y!7<{d|gLzQ_8LqSwC z%<1j^_U>2YVeH+);eUcH>bMg>@Z%ZPK?2b`=aU~sz|s4Vx$ng@v^4m9cTXMl=w{si zU4RSd#y4kOBl)AyjNlvt$g--ye{V-4Y`?w3gC+}%(?nJ;g4sNPKV#1;glD z%M3mA3BFE*Eu*i-hXj;c(^~{RU6GC9*&5GFhc=? 
z|D+CZu{|Q{`>FuCm4pUAMDt|PggLMa^@?>IdgF=M4f=0-CY9Bi;FJK z5aE1AV>0#44$-F}7HfCa?OxW^WDzKJ6Cu{KuUc%Ru;n%?PPBmfIF{g^n*GM=@pchH6XExCXr zzYY4I(lojUmdODur-k%%?T_9)Yavvrw@z<8yhg$3LQKD@Rm;%&l&+r)xVi^d=s^O5sgKMhtDQ?4=Wg+4`?akM~-Wsl}Dec1`C1nN!Eu$=xe9G z8lNw~=g**laNVv7(R($du01uRZhGt+%rNU$Xu29tf3|qKt_{6#_cn{C?-`dDdpzAx zfu-^EYHCul7ChZjP0h*HczTkq#?xy&J)5soNYy-R!P9MLm4)&2g;bRbAnAD(ktDSG z*dXauX|7-%71W+OlD=Ppr0>^Ay1yzU{Yu^vdg;V5@aSGmBj^76M$~ly-J?4~sAw+Kgt0lj(ag!tn34UIUM z@<~%umIQDOLcG*e@N$|$(!}-47>zZJvAy=-OyRP)ka*+lEkpkQ#=vZHssVDeJbAS{ z14zz&1lNW$ewFYUzw6zl?dOjSq2`q9Ny#7ZDoV9M8vlP5O2kM*jhn^>GO(K#;CDnO1^&G8X1HQ#ceyrGH_JB3d$cyW zh+`P33~o|hNRi_EKaZ;V?6H~md!5($X%%!P7fGodC~3Nl0yOEB%bf1np)^*Gl-+K} zmY(<6P@g(vU-}$jefoc%P=S8TgCovnp@MzmL}w2b7%H$dR8Z~wN7e!rSf0N**%~TH z($!Ew4Habbl?thvXDv{H?X0peRIsQfVga-uuP%~=RwWy>peoH3Or?U_Q%4I9O3;FX z8ZGcwf)=3n3drLmJRJd#@4~V7`gSrqolfBpJMrmB@|Va7X5Tk%EhW5saMa9if9Nk>7Wo z&~ayyE1UxQ5L&=c|dSRwP6IlehAMz2-Mkw+2cMMuOqL4X zkqG!AJAT`1lV8T+0P1q8`m)6hbYjC+K&LzMF$g~gVhNr)INH(2%g4*r=gxQx%kzLT z$bA8`E#-_OsQNwiDxmIP(%-ZLkoL*i)l}`<<<6ZMpoF!py^JlR)9$_1Y)I}_ln$e?;jZGXEw=t{I zXW^0vgDb}67M)^{ZC;Uqn3!N5ZRpbU?5C)?0xus40m{Nf%wSA51zhNLQ9Hm$wPQi{&gZW97&-1b! 
znd{WT4TJtv+?PtCfM%aK3aSm9TjgRp_;rIv$ejv}syUfS68)`k?D7U`iYw|q^!rfJ zeti88+s(qpP4Zqh41R1xZT{-i)vjyce!JW02=6tHgRvs@oo?|hi{?Dq0Ml?ZbDnqH zl~Oo88B_7MAkR5Yf!S{VfXz-rqZ7Le+@3OvpIZ5weE3GCf z>lzt6Vxf|YuG14=>6FyWg-<%C)#PQ!W;1^ovYDr_Y(nJ&>sTgrNn>du@}Yxs$Bg<& zr&b@9j$~Y6jrsLOtfV+YayVRgkvVn7%~xN=Sg!O8YNX`5S|zncE}I_>S!}0BL)I#@ zq#=9ZM5$yeU2IH~4g3*jG9`nFUQ%l$oV#_?#>+nz4yR-n$;xAGsxQb4qh#N3Hu*D5 z8q{f6%~aq&tmW)pt2>rr{+q@7lI&+bY%`katmZ|eQol;b{ALaK3!2W;lMp=pW+UIj}g%e!OW_sR{KYCrRh zm@z$7Kl4kW&H7m?vvQE%OH?4oGitDGTeyvxQ|I_aPKi%DmVA1)Hdm2ntl|P+QNFyV z<7l2t;45paTsl>`dU8<%45LPWRhzXfYu2VCkQeU3X3g3Tj0>N=S(~8(OPjS-gC@yZ z%-SrWVNSL-YfIAAW^J`uTQ*;*kg9psV%BCmt1N8RwpwU&0b{qk8cGscMQx1Ts?uD+ z1S_aLbz`@~5@WZ++StusiLqM{PMmQ#kEt)&bb3W2Oba)%ivVwUh`p8z6&T{1@7v~0 zmr9=T@LHq$9BtkXbC&?U`jqIivUy|o!-gQvCJVEeyTA)OB@72YX4Yo>6En5)oZ+1* zziNVo(BIS_evC0*Ff|FAgfaTp@?lDbcTR9i{e49}an&68F!q=^9xYe6&j)=N&8`m< z_#Caxl7fsoaeYmeg^C)=A_w9wdOAD)Fbwn?s{Z|ZxL!<4F{M$LjHi^UD z-i4n@j1xAEvrp5=8H@Na_l@TXdAE{PO?-Eb$lM~WWY;!b^USLssbHn|f4S67O zJd5ytOcUW@MEM(?~^c#X(P3xQre9V&ahX3obUw4_o8S?V9q+NcFt*cH5@byE)d z+*w{S)Am#u5-VWYG*WWQQMf6cq7^Tk@V6mo#FSl zBauMb3gNZJJ6djPI@9Su8Cd2OkE5F;*I*ZxnAcI%DHV=)hmAHLfsU(Ti1!%$1S>C` zjJyW+BS@tOeGRkjWE#fajU$rp=xjGtNpF%?7j_y*X5`PdMVxAGWRR&bULgTO7>;&a zdL2Tle#%Fv6^4X>&ysCZURn{;2T?WU+c*qvmEKC|{>a9IW=*oAj$7G^YG>ri1;s># z1kwIb`hgAKWV9)EU1{KRt4Xv@?r({PR7VTGzoLsezEz?J;Jwm_9^z}&Or=sMECW+1v`-P{;PXC$~>ElO7Wja4oCav}J!zJ{7U8s_xaFt9bDU#sAZt}qqY zI(1y0Czq{?L&#eSlrzdB?kRqW!a0i6l?c3n5AJ$l<}?1ylQ z2`79B&n-()f6~gPA#Tf}=v8IBq_?mRM$kj~wPT6piTD-0`DyF|wutO?L)-r=jh>e${tc@TCtWkEqAdOfnm{&6^+D2MO(@4~h@y zX10yYE`qFR%-X1@tToNg6R*~_hZpYQX7TDn<1Wx1uQpU*X}r3cT9K>;ueMa{aKd=k<|`FaHP2e`YTH?5alCpRy72{I>%59e5?Xz2VC$+hS1`{CYEK=uJ}QB& zk80T3UkPk&2o)Tk(IbEh+kI(P?eYWR_YGU?QpqzOU2AloBW!(?yAtTtr$nC%Y^{WO z*Df}nu))IPr?6wQ%g@L%xP~iMFMb{#idY;DUb^iHTH%O>8KD7CaK&?7y1KFJa(PLF zUrR2Q!>fg(nNh@kY&NvY}=l;ZQHhOThq2}+nly-+qR8q+x>d( zy|k~;B_uT6(* zcr;QgKS3KD)6d9Jj-*(t-ZgKF{X1wP-1RH#R%+d>(p!Z2do_qcTXeifqpxf5vct^$8i9h!N) 
zQ=%B=`LUm!zN7Y72evYym3lH$do(kGK=If**YVMTQ^k`s5I}ze{YpEZUp z(X3Bm$1Z>iWM8<=#PEBP`!8i#exw0YF#2n5GSR`0ru!o(@!U>xh@Clh|Bm31GVw(& z_CIzlNo>MvLq`yeEHiFej7toS{PTG-)(US67(uz*s2vlI8<Sl;F(As-n8~`2CBE*gGCAU_&+BD!lN#7W@n%H@H+K#EcxyG%Ln;~ET}Gf%Em#|> z_a;&YC>8hC&$z|(wl?!R^lWV9xj=0D*LTl2K|KFD-Z%X@;bG#jGTa?QPE?%v%dYUGv&62`x|wKmvPJh)NA7( zLA|tm6RSt{+EDzS7+ZdE`5~w+R$g5HM^IaS2X7MN!D7I8?p2B4EAQIxo*2nMoD$wcZ@mT9$@Hc|BEQ|PeNCZl?u6V zUbNW^op-+*;3jv}6;pXD%FA*nkQu|l{9}fGypRR~#w>C#fqWCBAc4rT`viblVJN|0 z*E8Kj`?PS#9(QWjIUfx|O}Dw%UN4;XSBMzt;Jw`COlMPsfE%`NJ)U6+I~=(m^p?+a z+Bq=UWlT4FH^Ox(Fv?Hi+(Jf{4Y_x>ep|RYX=)*_WNBB?NJ$~EyboSdg z9t#>$FA$B(pO?7N3B$MtvPPGrLim`wpMc+J zUkg0i3Mxp1FggMYyQXjZd@4L&_Vb$f*w<}w;6-gFoI|>{yB(R`>^paM2v4DM;kAEZXD*a|^V|*6U8n-V zwh+=q>0=dh-V&O6j#uxpDhGJabdK7O4}JCSs}lrz!p@A0CG@A;cFtf&7QIkIq$`>^ zO~kZ;Hy-C&i$XO-m4+Dra+*(%_BQ$4L}RJ<&h9!6hoh6?i-fb0Mm+{)W(x?3nb0g@vXs1LV8ZfV-*KifowKSDEP6hM26}iab;5 zKr6|C%HpAT-j}@Z!#tF{k}PLdj~?bxW0qaX)o!I@jU2`}7+2#zfI(5mjIJnFC$JJY zphnTkvW^}mIkRN07Coqcl?+y%YCvV4c2U(pkJbuzu>usPtug%JxqMi{)jvFUvf>}l zJ&ch;Xgk1+zgG(#%`UM`>Rhxve#`0O&_Qw^KKLiUf}F%SntA?5eg!;1j#Z49C_VzhywX!|HdWHVN%8g z_a1!^%8^->!NCA%Nsv-)b0XrMmGqRjD+=3Q$VDVA)$L5PZJgF^tBd8xS`vI@i-`?@Ys7ZY6a8!U}AA$!bij2dME(<;ZshFIxb{0!i_pgmhV>o%tM5nL%) z?ZD--A?|a@Gy5>)x)Q%IO~}1_oQkWM0XiLyRz}%32(_~^+kWl``0HK4FjHo4<~%gA z{;agZSFt@Wuk~1Nc9}@3rQ+2T%vE|AxNL4OyDtrl!g$yby(rU*xtpD#_p3%z=Df=G zNhRAU@ogOM0!iyP>u*fj2-5YgMi2epRBGE1HXSH=wo+y*Z%-Q|0p5JjW@<#ST4=RL zxEVLiBzXsB9($LrKvZhT_Sa{-EoUmFf)yyPM{k&u^okE^EKwcQQ59C}w3`Q0{jDRz zk5jnAEI*(Hy(I%GrV@0xN!kAgv_xh8sW8~Y9G?0gXwldH0WHb&HYh5`Kmazn$;6OV zrmO%q|H=Uh|H=WoE?guKHZ4j*tzYB#n^I}I*$hmuBY)Ym@P*mP-Y&b)yq?KzM6unc zlaLk1XAnn0*TUwlUpu$9&s8-b3;ZiF@x(W^$WoYO#FahVu`u?kF3x-QJFJy`B$u zZ}L2)p*0q@kNe!!91f3rdr7=q_R}JRkb|w-3`beaq;;uoQ*xcR!B4odnO4$7S znop+|F#5XL9js!?+iO2)hQAI|ui!$)AT8ffOUggik$Mlfc!%O7+4=r=aVNl&gwvqVic6@;L$*MkFa;C$TZn*B%sVllY`fVudlStgd zKr9E!lCmmdp^EZ(XXN{4foH%)7SVb~!I*btP9Yf!35P0=TS}QM5d=dbt@WIb 
zI21(Q3~7BN4e?Eqb+h#p9O)VuSs3ajcGk0x2r=Ao_wseu{0H!sJH;5{4-JntvEP)n`PU=2`9AgHTT4qI>^4&>|MkyBe0bE4*h zJX6gLzm+9pU*PMUFcV@oXBlU{6|TK~RM{4p*)^MJRkGw_YieoK8jwZx&H#>urof+ES&%CWjR%%b!jT?<5dkd&83W%u*|QU6ts6;IM9~Hdh0+d08F1 zS)*5;sD(EnM3)9jDf(Pljj;^MLvCBUP|LJ>u4;^Qf^V7D4Xx}3YK4jH!T=e$w$CZ8gAk3)r^MI z3}Vj)N6uSmASdqa!Ef|4dzh?NhG=OVPh-Ep3YLOEsm-q_j<3A6 zTkawVxRsa9!sqYJV7%T7`n#;O{Rg7e#Xg1XeNRO+#29rfbqy1BISx@n6&S|ZuwAv8 zaQPDlit69ING+`2Aiv_}5L2sLt6#Uc?<2PPGdhWdwJ)&c*;h(}W2>z}@x1Ek2qoNe)DG-E~;WBrfx`*8kTeB&nqALN=Q&uOJD4rtoYC$56C)|`|dw>8!rYGsc zoexW`sTL17<`;&IAO1bc$=P@7tqe>myY-TG$oy(aQ0I_$IBJ=q-nM9ZZ+xgGQ?MmB zDP}iKGqhg;=#>H`MCYt$A3*2Ig%ec!nvo(&tP8bsj9bk8Jc~e)9Mff3Mjvl)Oq~1+ zrO1dOQ5J*Cx%FNqgo}@|XQx$kEth88=AQ(TqtScMbm~Q?o(e0_Vk9-=Y0V0<6MoAt zVqfJqkHx9$s{-sU1?=AL0g3{R1$NgyoLmGHXI4IN$FD201g!xdXIAmGA7q73C!q%H z&Jve8rAGP3GUpM%eVJ*ZpMP60qg#Z&v$LGoJX4j33Z{l}DS5IaU^{W-#=`_%w`Ta} zBiX>sDJeVud*f)$HD>87fDBCSTC?zjx~^UKtFf95faG1fmXk!fIdlO>Gc$xJqz^Hq zZ)`$oi1Kh$i}o1~9s-Bw@D4`hkLxUh(FHchSn0trGSOGD0o!0de|Ngrjvt`uytKMh zq!HYu)>ze#LCLL9^@WM16UcnHB3@S#XRI||UZt0Mip>fysFgDj?=GKiiK$-vk~RZt zAu$sFDDx$v>3Abd4pyX>IPIgV=uVi7RO*P9znRafyY35?qcR;bb)OpeS zmRDEh{=XAt<#~9~z`-!?LH+QBHj%{RSViHGN6)(e(dogrq+Byq{ubZ%)UjpQ^XU?d zo=f*_D`(LOlWwcn*5nB($5r6eZ)w|kI^zwHf?MJMLekAIz^?v<5piK)=ty9XNB;b= ze3-sP0NaH$#^Cy~V|igK6-UhJcd-)Ut1n|@{&rk|-RltC#?5Dzp&u$Oq6ozn6Jal= zAiCsDKe$90V346m)J+Sm z0#)^7j_vlS#uC=f99I6fOa7q20HMiDyNc4Uw3w3`zCd*`JpR$IwAn*KwiQev(TOEY zGq7~ct4Of?SOY%HlBa+L#vQA&1+qT@5VnY6+mc z2MNHL_sdNbIAXZrMp66j?Cw{ui38h-D_rF{5Cz!Qc9ZC<22h3Pt5VlCK+**hi0awr z0QCbcC@wL*WY>2Rmy*#r^_XHi`XV?Sn{K8yNUna^D>_ryOJexR{-yVUXA}-bP-~6= z9w^|UKF3DTu;D%%(7luoMvjCn*70^aF{H{E5b)r=eCpN2Rjrat19Ft)8P#2<*mjmSnn;oPXrz1 z=oMklXQXTw=hq9aq1A7=I*V3Vek3WnDuGtW$L+k@n`33%3#S6rBgx*%4!KmMh~xrI z6Y_1TS);K^1XmIk-~r^1Ek38<v?y&?Ss+YqF3noB{|#W2{Y-23P#%iG&KA*?a!_A zH2AXKvrNt>g>TE}>+v5z5W=66ICvGb6dH}7ybm3U0$3)}`!2i54@1+jV*MQW?25}F zRbK}1aH7}c?P4Z#o-gk=rY#?945ydR>VU0qLf%ZU9hl&g0t z0mzj$VP`XqN|xYY4QXB>ZuTn!x~t&@?I{q@r_y7;VYn(HtxVP**>!&fv_#NM(zQn! 
z>PZrEu8b2nLU^66=@f;XuKH&q$8}Zb5RaUKAa{xIvn^3dV?ILzE1qN(@+hdg{8UO( zMC++k04nIDr(D~ql;a!ieJu4;a1u6g_1J|DAtAaD4JB&-a-NK<_F8f%$Ldh|$_}C}WR9))ARTtFc6p6M-_l~YThl$K7q=hsg zd&686%TVmN*SYvB!qj&t7x?8b-5ySre&$}MVA)Oj;Qn=@Vuq`XDyOhh$ttPG5ZYv! zBq_=i3dRia6cMnSAmTqo@C&8=W+{N@V3}`d!)0!9Z7Q(JmKaOglMuw)KPt$|4qrQPvx>?1zBapD-b5)gphcXlM6EsgIwil3En) zeL|SFYZk>{79}}G+S|BYU}4Yy&Ry7JehrC6%E>|zEHdZ_fm2pJgpyHx=j79CfY1qy zZr^~-6uH1cyMZ!A{7LM#s0s=lGRsD&29fl3{Y@Ie3DvBTrBj6ejUp!PNR6P!$@*H2 zK`4}`$W@6$75X~!*>ejMGKKVWNmC7h>#+?9?4&gb>_r!(FUkwzBy)}GzilN%`blpJ z*}(!A-p_2k=MLn<>wW(+`?@st&+_g8EMGq}WE#MU-yo%U7F~YlpbXQymv;*gN?48X zhF8Exx^kJ2k1ZDmmdMUtY4=;G13ah$qww?#9c(f*gPr}nv?wqGs0z!5h>Rak7(A4? zI+C3f($VWrU&-s%>7r6C-tJ{R+>lTfMrBq5J>j0;t2yb_{3rw)+n+)M4@8u zBl72Q$6L17M8B4z>9kAV*t4#D&YJ`)O=?)MjSiaQj#@=L8(A;C> z_m+zz;y4I;+?8uT{+$72>FTuwYk6w)rR#ZMmeOHJi>u%U4wqlI7ol|so&Yvo(apoCV=$WxNf(< zMdbNTn*DS;nUB_I$323xW2=-Z*)i|626Zbekujnae;z3?&mrf*BVK-MoC5M|BGy19 zPjzz5q9#4PCuw|FGv4~P5nuShDCjn1Ua$SEN%Zi0gcz7K%|XeML_)A$qw$w{N?5Qi zkrK@r55_uavqopIWeQw*v4z;$WG=Z(Q&K{LlGH2DhzeFEcpg0>Mx1#edaD6Z zWANeR;sC_-GPnt>c$J{{QIDumYXUXdR#w6v7lNp96Qag{T?ipo41^6i8mO#>hp;njBtxWY9yV1WF3Ow$6cstub{JoIiR$f3xXv-eJwlqZ_)g>p4kp))9kc(N^i zeBbDpmsbhTjkV~jD;I-c&%}1TdorZF>-piCVrj+E;wo6pBE6cR#|a#uP_-ysb1=5y zc!fD%Cv=MiHqz=|#TZ@A+k|@M9IY~X)EU4XdM;p>jW4tx*l~8m=Y!HkK3_mq1lFOe zQkBP$i2hQ%4=p}JS#cu=V-R$3NKY*ppH9eJG!e`8!@+QX!pQs${$+1i-pcfUpkIc*iU4X;V z26Ynx`%n}_j<35^e=ng|dhuYO2ojv=p$A)$FOw?k`T6M;7uU*Kfa4!De+Uu2hFK#q}5e7FbA-AQ#JmW`CPEot{J#$IYtc{qZuMRXnDC*_wiXj1e}-{9 z$_y&(luVgB^EWyI2V=M)3jd&T=n-IiM2T8GF8`ovU@zo~pLjwwn6M>3@qcxuzktG( zW+|`$gkU@qgmL1!$w)VX73nC%ia#%N{O@Ii2j+Vn9u8|=7Uz`XX+ z&Q`k~ceu0*pexan=&D)9XOL*!<9n!2Vfn|F?Z%3C6BZ-JLK!5Y4}ypeeMd!^Xli>N zv1snD$LJK;bB8}^j>QG}D7Ncw42BRSAq&068B#Pr4c4~0AWmtL>LVHhW<4!0)oafY zYmt0JpL4!Y4{(|QW{DrlkJIFB4VASA4;k-*hI7@3Ee!F$Ij^;X&@}vd`|{v#Fh#TGZlx@Z1^BcwnZ1jUQo?Yc{Yu%nlLei3 z$TCE|(IPDGVL{ zYjr0jq9|uZJNhi;;<+Xd{xirbizpnW{j2ol=2>zTc@aOTC6-cE`7Z7;FQPeuRkl?W 
z<%f=zs~1N69~~_>=V`D8P^ql;&<1gutgr`yw?t_H!l6>q8Ed3E<#C_AZG~~-t`-pU zJ;)>CGFUM;ivJTa=jK(V;FDs0VE^Ti|D%;?6-L8Hu+{^9q#1~24`Aw5LcK1%7)I0a zig?9Gd&O`q{(D&d*O})2e0w`2)33zRZSH32rNBMGqW$wj;_lK48+nU51FzfFR(aK4 zG?^dLqE}hEOz^i4?YD|mmR&R*>6xWh-7s3ie~W{-UUMF%Yxv#f`HtEk>XQ|gK!BDk z%|NLCX72Sfb7%d!6$(I9&umQf2R3l(?jv@w%V~3(I&L#bd5WVG2>SW;%#}##AAH5q z`+^Tph&~d#lUo`pLY?`5?&ZfNhN(%Es#)f{}(vN1a{ZBIhTca7k?_dEtv&9Xp?82H5QGpq``UfHd zVz)j(h5n@oFg!d|FR#w4=r-zQy8|EqeOR`i&tJha9!vPO0o24b? zd&8JE+K`$mKcgifSVIlk150)XLjBS0xZo`4SRq&)!@>1Ho8~`qoSl&f4!j2Zrg??g z&%9fI<~D2tvY&CW^#{Zq0&b(lCw@lW_%s$<9Cfc;>`jda${;1vKUvF zD&4X5vJQXRaVSNkFg~CO#3OTC{bS+VDWDnUCt>MxC-j5y)G&c=*x!FO1}gk?jn$sY zGJo1GY4;It3H1Hi2W>5Or>#`r1FwEL_Zst3(Z6OIAB420VB^AXKY=Qpy8xHeT~Y2A4eQ0c>;}s z7R+cuj+zn2x{?vcKj?M{q?6xg33BpE$o|%c5gUaiYUeQw+6ok4^z#RVkR1|Y(SQ#y zs#x6(vH~HKP$Obz2}t~(9*ocaPY;HeCiF-Xxk>NLAQq2MC7|*u{?UV_|Dy++J&oU_ zcVXtxM07Z$^+CXfA?7^J+>Eo9$G=_+2d4){7Ey@8|xOh^^ctr=w9<_w? zc`2Ct1sd;<=vqr#2digO^;2q0Ls8lNc116bG8|%~z^)iT48EO`+^cHzL=ma3P6I)r zY@x>?d~58G@)30>R>n<7TQPG|1J(dh7`O%hEr|VbxTR#6D20mRWn7cPKM^@_mw8N1;RQo1JH@6~m#Psx(QNjdQhjK< z`3%{A$N0Ch?1BZ(%HvwhcyC?lB+3*}8v)&UEHPqL^KVXQk!RaN*KL|k8-2A4!`Q=P zey^bhaW;@}D`wSj*9au?PPhL2X{YF9Wy;}n*~JSN&aiMvnX(M#J~oSTkn2T!)mPm4 zKLm?jcFBp%08r$xKgvwuJjZbwtP@KbuvPRBjmvIBNt&vTfi6$snrUs87y z86wqy$F`}^J`S>C=l)6Rdo0*F|BI>Ky?-%f_fnqJ8OeX>-Xzs)U6r7U;BHb*m2L>y zMFt;#ohoqn&LVtO14Q`!3f=Dg(y&q^JJYrM#T7d2T=z@J>ia+N_4f0_UH4~gdTQf8 zSQME&054W0h!+u8Pcy5FzeQSh~u2?Vo-(CmuQmb*I4Oj;tB zHPC|>RP491h#ptvlH{AFL=E@PspH8H%z9OSYLXwC5_0%brjkqk_@1V4V!ij0Uzq4q zGJ*M~zB1oN3|m>2?QDNq^87ukvE(+g;1=Su-`B7ja2xKn?@$Dsq5t6s+=crVNtNI; zwM!5`93dzE$1NL$IrG15s2(>kKODh;yHMV?0YW@}!~uxRJWI!<)4Ko5pKY>U@ zlkf4FlyK&JY{MY5d;w}qe0|3N%oDdG*%Ei#%ryXcH&J;x;^cJS5>hd`I77KhA{EyX zh@zX>%sIVgqIN08;bXJ_YB{zNYLemn6ufa9NE8g0!48htVRz|%?BH4c{)z&x#GSXBKug_Z0qXhpA;i)Ap7N6R^F4fYr-RFbijC+x-J194b z;)tY=usS6FE&c0aAIWLaNB<%I*MJ5AP^BIhfECx%W!P5d5_ zgl2GJTMRW@#*syY?U<1cYH(|yrHC$i-_v12UKUa699S295AV`hOL$;pt(e3;?wsIX-8783n*_<~ 
zQm;vZ-}LolO5;Ks6Nfrq2&)Md<<@71GOU3Z4+2FnHKSVUHH4?Zn^3odibS^&x;z~! ze@SveboUAMN#Jl+8+|{^Z4-V>?ok*XFzByuD#;S!vVp9h-xpobjvMUttRHIh+dL>% z@FY^*p2u#MIArOMSH}A@veVrvMyZiV6q#7z%JB&}Ge;j!H64Hm_z;qRXl1Dvnz-sD z^6agc`MKfSi|{!{zCRpqe<8e+(k$^em8f8fTW^yvTjB;yms+JS%+1dZXCUEE9$0a= zdK&@_<~X-#`U4nP4eW!2MTl)!vw(!v-vl6N|H4;p&j3*Pg@5;IN?Dd;_A@@8Vqya{ zs9ie9Js4I{Ob!(|SD-i;Hm;azC|A^JCKt7uD-yL@6OP!&7>0PQ?Nt2c=!6xFN5omq z2`=>)PM4jef02)4xrQnB!cQhKO=#03fVbJA)c(&2pO<$@dW1bSbV!s}0iLeRjkR^a96JtbVe9Zz0K zfO~>Xs^`K!e2+Y%5OjD_k3h&AR<~bxR9Vt5dm#J%2FR>+q`w?KBc53juX_Rt4_U3o zE&Fu&pD^Cyw*uKx`S3yj|!iat}@-w zBL4*9mqSE)(2p3BJS_Ei`3~x5)%Nqk^-`&@?nma|ZACpwij&#oXB1VRcQ=${CskM_ zsK}$hfdwzYgnWT!8{ss>kZmD~&7G{|(cN6|^GbEuZHJBHG;{^1wc=|FTJ3E-Vki7= zaXfQ~QEm}Qz<)jaB~1`D_G;DPe#q+E@%4E#WBT@P6TZW>;j8;Q$uVDA!slRXtc2$I z8wwbbiTp)oQ@eRvZ<;^rv}~~}n$={6Wz@Z#SCbkFJeKk~e9te5om$i3&W9S4KzXOK zSm73fMGCw<&ysm3m}YeH9XjLL2}6_Wp#R}~Go?DyK(V;zs<{kDep~GM36%zpFNO>b zMAvns$kuK~j`-akfQz2n(V${XRcGk`z@`Rk~cNh#xnxrPu1w=U5RO<@PK~(}!`=$rOdZq8xe<2q{;uXvmE%#r%a2{%DUKHpRZ z-dF&FUsMnO&Ih0LF!4%8etqDB9gba?kC*ec1|Eh=%b10r%2NTm);F)-T&V7Mny%o} zy}k9vE!?RSg&nRZCADe~+VEUlsJunFdRkCW7<(aF80g8BVU{BXxa1Zo-VetFc{nC5 zOk5w|+?={XU9cDXZO@op3RDMwO@hYJaWtn%-XVmA(7-0Jw8yqNURsN|CJ)2Zb@?vg zk`ey=A>kvjcxM9c5$}cwssIP|u5~JG1HnXa-M~q|f^T2ZVqyNPvL`rKlD&XqXxw<$ z7ONGOB2oTZeF1sz?+BqAK}-ysDHrD(M?H3CUB-dM2leo+^7(@?v0O#(kfwqsM}b!n zdSz28(U%gF`q9iUxZV3(2jg_YtN*&yUItcmJ`+=Z`sdlh5asX{so8C@-veDN>;7)^K4L+p0eF1>f zK?}obNXG*b2>5efZC27@|MzLT7V<$bEh-Pb1BD^XZdF528}$R8I$bvR{#}-6!|jj}| zsZIy@K#60<{$8H5Qulc5etoZ4i67%kSbw;QuK!V-Y; zPeesVn4Di0G{Y&KxFeDfpHgFT^3g%5Io14GL5#R!&ff#w%u@2 z75;t;fl^H;5lIoB(O#HYgkLY!q}W5%e%30s)b`BRfmWlWdyO1wiJTG-B87ws4ub#L zvKv$iZHUN02=}Z0q&s;;*30JZmk7a#JDzaLG9j~uCIT^Pz`Vy)nC7RzF#$2o3(1Qk0|a;7U%GJ%ru!|IqU6pwxU2C4U} zy|vK(>iTu5zw2G`ip1~ILJg4-c_%ShY%-PKWL#U=+^vzH{u4b!I8TVETARygwdj(; z*7YoP#Hsn@6~;{J&)`%p2#@eDS@mS)Wx#JU0ePO6xZ~oA9ia()EUmP@Id%XvR*J#Z z@0|4SD_0GhoI3d<#WQ|CXLmax$Z&r~^fcYy!CS@j-*G@4b1>%Q@iK_*^|r67?UJvq 
z*RqS{?_)4&!HVTyaP%N(J0kzUl|p$(=p~o%15Xc#%Dn8CYuLUPiqWvdJLbN!~I?fTSjyYJZSeu`sg70 zo8aNsg?B%&F8e{>qAUk6{67dY=EhE~%QOjxU-!4)Ew8NqP@CX{)eG@gw+HWFiw*k6 zuo|O}rgSF|IS7MwM(?O9ddJvF5GajaPAu8vHxO{h>yNixd=l?jlg6}_9FAy@IcycR zMVWwme8mcwM6=uJCCC)f|J*2TUik=ultt>WlC;qkdGAO$bx7b2!(^*npfsL1NzTBP znb248g+vpI@Z|HP_>=4%Zc?V~Tw|g%z|Zz~9emCA>(c{~i}>OS^z;pG`)TGrZ)*_| zu1LwDSP7*jf+_{Tn^qup+k$HOU_kw+WuMNZfvF5_YOXq>@B% zE(dO&eB&&Telon8*6XLMmuTT}_a`t00(Xm#m5S)xI*|IllEeE6;0g|=ltoCtMB zlD?;wHJ>w@29nIx+@%rDbQ{EOXR5I0H8s*< zP5bRqa3&yj!7?bt0^~$1%9ZAHL5jphkEC zf>a>Ce$>9sd?IV*X2~Nsfzw_EgBRX)dv!Pt-SY|Ux^S1;@_l`v z2V!qz!VHPc11;|vQgz4U71^tb4a4^Rb#8f(3?v5|{>spV{~D20OK&gmOC`CDpQ*M8 z$9lbhBpf!`+N=2zbv>Yub@tu%s*cu@c1e}BMcb-~Mlv(Qio&cm$);jkT?WLRFo9Gy zH%V!3Nzh0U(K4I1gz>6f2g#L2TmY_3gJ`b~A2h8| z*Xdg8FDIYf1}{4``L$6=gHadJ=sgZ@QdQ`86<~M9Yjca-p$FsQ-%L@pR46#qaSFX$ zOx%*(I~>zB2DQ`n8sOLyyk&^%J4D_4O&GbT9Q3`WYF-rtT`eqBF*mB5vbrVw&L2z| zyow)Ycavd*55JdxaAJ8S%6Aex@2xn0nqXjHE9|@Q3Kp6)&Q_s zh}jF90=U}^Ug2FGp!F;0onc-ag$}!d1w}!&xzI}JPSdbSY-oAsKkJ-2&0eunqvRav z=xaxX7&?ki>9zOrqc_T?(|t7GjqU9LO1?~*h!)yhudVs5EF@^xjZW;|q*3PjrqKg~ z44dMu4zv=>3(C3#TmHcAt=}xBu6gW85Xqz}e^;2$_G@7L&Ha{dmZnt;mjwI1RbHdT z?5bj~wWdZfo9HnAgkodmUAbQ^D)TM!+dC?t%6<8zr`i_#G60YdlUC1kQ6XU%yT=)M zx&MKYbRHS0zmEw+6wMnXgpE+l5<&OWnHf^@;3>QDRKcga(Os|Sy!#6CF{@3be39*_@=`;~ z5al9s-ey|QxFH}0RBhgtWB@EQ?;N$hGv+i|wEU^=#S}YY#?Skm+QC;+;@7Min7=@h z(k?P^`QfU$$3tjNZIGB}skRbz*hU^7Q)7=X+zEy01Uz~CD8_`aI)a~-7#72(t2(E5 zO5Jh!pNlC}+nL875cKC$Kul=}cYK6CK~$h_Ne+P5 zJn#2{bFMfVbX4`o4n9umsyW|P1iLK7RPAnN(g>A21Ov%bK4VcU=jV9?>Q`yh-Zn%fd zr7TcJESM@#ZB;*ri&SOY^J?@`))UO3W1%{JL!V=mW|F8AQGD9XKy%A$b!~?WV*vd4 zBvyg>1v^TQ)g@C&B%Z0zpV%FzPRp`uYx#uJZ?GE0CG(zo+IA3fG-;>e=m}9*LTop1 z%C@Z;^KE-1vH@ca$+JCTd2El$3ZQN$C)EP^O)k z=!f7xx5l2?M7c7x5RR@nQJ6VSIRld}1XEW?ruHC%}pAn~4&%MUn!;U+)j!pq$X>nj7Mu zD|iT%-15wc%mr&cRLRP^-afeJXw$gxp7mRu_p_hMx-piv*d0rKEe#FHblQCG!s|bL zUgwky+)YR@?oY^>ri4KbC+MTYXty_6rGqU4mDd8?Tse4D=?pGix)DxN7AT_cbVic& z-|M^*!qP&^Jr6QvS+aSRZ{5h>o@sC+!Gp-Em5HiCZ1Ex$V6=`1aX 
z++FjV=3{(jU7w7q2tgN`)&ju=)gGzidP!KSUi_;Z5m6ZjgGp+F)|cSumvHY$cDLfs z6rXi6Oe8Q#5iFk;EPmXOa;%D;*P~0UGrcuPI#esxcRwX#VQhlAC%Y+8WxKuPcCgZ; zSF|y`>TQ1Oj6xQ$dKIVf=P2vD#XUTh3`lC@t^>)LBas!e*IYfdHvGQC>yH{H{_7@BH}}#Mb1;4R06`A+~qwoN#_M`nV^Ut*}&jNlaMk z$FYOdd)P_FXqQ_emPc3bB4n4Fxa`rM+}BYJkFhy^Sa5;vLN1PnqhuU0VGysZ?*rkC z!}g&gV~^n!}pZ6?LI-@3R#L?OUN1WXa9=*d1i}= zLEmT6S}bU=J{sDB_2Ix2C1QXlkHc2<7Q_sVc}|+6E^}60d6q$CwJk?Uf0Gyte{Ka| zM{L*vaK7zDPK0hL#|jLu^7)<`OwnfxL0@I)LXC%(J!W1dqAA;<3(li(=7n=r&L*q- z)^8LGiA5$(wlP@=#e20lNtpRyjv8!l56-qP*Qn%C2B%?$^P|%zz7f7T(vV<=1jgt* zdy18?-p?m`)`+=i$oA$Ww&H1f?Td6*ugK^p>5Pk%SPzl0~&#Gh%$8DW}n zaiuxR(0`1T;(RIRn9Gd>s!lDfge6+1wK?R%wU2VoWE>V70TD7C6edit{6DJRF}Tuj z=^CEcwkMb*6Wg|J+qN^YlZkEHwryu(+vdA-o^!sc@5ip%wd?+~@9L|s)oZQp9#%jY zMvSZflDlLI-kV#d_eNIHTCA94Olm8woU90p`1{Lol1eF!tY z^)F?_u~PU56)dTtOEmvQKa&O7$+iSuS++l`LFEF~-gs*VfCbd&G&usU(#!8buVwIb zcaw-Jj!wX!bJ|M8K%VS&vzfnbwP45!~zXiMU%$ zo6&4Rk&|JR`3(eaRX7Jpzkz_}ol5eMrZ>jG=ReWxF!K~-QR@n2qtfS?&m=L;tZWNt zQJdf)#;8~CNC*4=P9*aV#a{Bok^C)a{e~hR^z)PfInAJ|q{~(rEkT^I6vzpUiKMgy zwRmLHIOOFhYO@;P2jEb3z}Bxrw%OH#!EJHNi6a4j#|X$t(oC7^yLvt1C93Y!(v7r( zr^(uP3c9qeH4UBmHyzUUYKG=3ij0``CoR%m3o$RpsoV^c9od7{26)h}xrNR_F;8aW zt3icF3$hSq^J>zI(rhvk`q^%v|@h+2x%fQrRKMREH7Dwg7A3Bp+o!Dt*NX;x#EpCnh@0G$@Y6>(Lh3w_}uY*1Y*2NApxk zcow0mB%^K7l7~z_yGfVUmB0mSJ;K9&9qT=^5<+Sp6zIOUOSsjB8Qm{}X%=Y|hc*wY zsK7CzjpzNjDY?Up*<@oF^w`j1QESo7-9^Aqrr;h0A4qm<>G!pf!-W>5WUq8uGG`g- z+NrR0U-t8;7`K*3J{19Oc9<*uIIw1;(VSK!ngV!6XofNKA)X7!`<7rZcB-i(QAfO@ z2M{Vk^)D%fb^5y79(yDwOQPW*MB6A_#kOLh=*6tl(Hz5XVllSPm?o_q93vzKz~X26HeA{#hmb`uJ{a)h@s?8EF}1(p+^2M z5iiOCOK2vw{syXt-#Oy{h_I-7SDUpN5zOU&!lgusWZ#R9Jy@~JPoLx|u? 
z*i$}G)}+VA@Hmur!z0=CHVdRK8&c1LF#DEE)wc=*y7HUl^jn2tCIQ|qBPN52uLn&g zV3x&{P6(VabK9vC>Kw~UX3_+9(ssmIeuDC=GDJ`+DBE0iWt7OoBcT z9&Qs!o;Y0vO`9s<=ac~yj#6W@?)F(e>(mSiIl#ndI1I2}5anRn$KyY2o93PYzb*ZZ zl~MqWF_z-`0Hfjw4wO>Z(zB;^jzUQD!#g!UHIywa z0Y6SKw5A81D1sOw`PjRoEp_GCJwcarwqNtW|2AMpKaAI33ic96a*=u*a!2oaH07_3k}q~~PIoEm zp&O0Gm=%;?h`d2;KV!Jr_6pspfcM|yNLxD}C_g&o#20FH?M4w;{4iaXKZA3`>ZUv1 zOf65`X&%3`-gf5nJ=ZjuN9RbY4>~9Y3!%#F&FAJdLu6G$OmYE(lTLa|Igh2y0#cPp zYghc%c^oeI$jpQv{JXAq2ircMf!K|qmeQSwI=!uq?PN~r|0PtKm$}I5ss@K5#ayi; zE?Z4`2`Y{b!xgRQ#8;0R%pR#84#Q@qMAe_Qj}#{12%7pPv;$jid>y4+z@0P-`}%O1 zWJW5Bc6ue!PSgayxNtf>TY9cXm2ze_vlVuJuvA;TRjg~bPH~v#Oz%K zzIYx+1dw2%n@Sw;ZhJHMX<@@aQUP!gzbfVa-4y|XveP;w14f!--Xz(ldh-=J&jnRw zrTFZy(U`?QA|`1=vB|Y>t0AgtNfFKMCqGznB{%5t-4O7{bKC2zHZ5PUAu(zH%_pqT zbVF}PU}Qp2Ko9yof$Z)4zQ*h#xFg=5%JdrJ^sCTw;O~!s_f;N=Ig#;EOogM~DJ_3H zA8b!-tJk64868b`%ABP^@PXEDOCGg_zm@3318oMn2a;%Cn~{vi_`1(Q*mvgj64K{t z#{}8DpdXd1OQj9eRJe(wczdD7nFdDKriNc~_xR}8{7W~g{jMW|8GgVyIJ9G7POP|n zjU6v;XBb|8X12YWp&b$NTnbC2Heo$yNhj}AHXT5a<9Za@x6TK#2?6qj-hc&x1M(B{ zO0)z9`;rKEO+Z^lgxFiDi2bA)G8FN!A7||a6IhF7$A4{WF%ROnULaA7|L3MI%k=c7 zAVdwSj9@v`bc*klAs1QFpjFWCnF>L|nPW(}Jr*Gdh8M@;c^edLb2kPV(FyrR=RjVt zbZ39Ra-;MDB&{NIj#*fgFK?UvKo2u)d^N;G`##XaJ8)`64oGS~DfyQ*Id7EUvK~rb z>yjkBk~)|0NC7NL=8Ydvl8LNB9!FxfaPdaCa9hYqaTe6r6&E&&_I_)h zXd5&Q`+*!LzEL-d#f7h;^;AtFU$U{2OHiQl3#`o^NtnP~VLTEqk-Q8Jj*M|SLR89Q zPQ~Z?l4KlU%+oYfGF`}wrASSE60bhL$21bL<(J5Md#!AQF5U(y-On@BkNsqC}@zu}S;_@DJ93}&Qb**G+2A;76T!4JOgYoK3 z*g4(jCoPCtARiRkaQDl6zWjII)ej+FlLLV!0zNPrWpeLDh$Z#E5({Yt2PE95 z@!z)6gFdbnSA1(=&%ZFfb_7$>)>x7JZ=JYq`s95SfeuLiwX={^{~GI7wYr%E@b;EL zw~k%}jad9hK7I&D*J6_>hqFTBYRhC?nNzg%yQ~wCPOXtEZ%~9UbiN-c-0Q+=ybmPO z!@-xtRQAn4A~7Mwj|PY`VFodRI5}T#*oPi9YI!*%aOx9q%*w9YGJTtPD%POXdAc5# zcKhJX`g3j2FHEx9%4Dc(xU`?GYU6|sz%#>K-9^Ee&{+~>3|#C~!$2PVM_GF}b-5*^ z!MsP>{Hl`>GgbC<0}1b^#Ho=Jce9{P31Pb7WY-a$wsT!a+!l#SK}dQ~E9n8vkdnZZ zr4aLteNv~+hfLbLhFKxO@pd?~xL_vIee0APv+gVlZ7zk%p8DblY1gAIg<8P=HDm0Q z15#q)&?w#H`v#M~?(n*Yil8JSu-lBX$@!IzgLYcCmTw%YNIYpCK9?KX^HMzLzhMQ= 
zoJ<-#YH(1Zv zgpJ#B{!)slwbw(T9R;$?X7|6~hM)li_mE$C_RUnlGkT+-e!YmJ1Yy^AaHo6+_svFj z(DUVTsBI0&z>^WvD?nT(+aCk;OojMJODEJ@f35xPNSe9wsg3fqmXIl>}81i>O{E&%wy8NNB}x z%GVc=k)vHh1u~X`UG3geqD$Rz?R&1gp@F0!=;4j0lpwC^Lykq1MsxQ-rP%5nTP$Vc zsy)y(yyL)Cr=E*~zr6W$^QF%EvJEh3`NAw8yu&NuK-_OG6D|nO@%eM#pN*RvBb-a{ zJ=XV%zy3c-8Lq}QU2U(xJ>r1%E#Ph$r6Uim?^kRdPT{7NmT>kR|@QS>)NwW?e4*W;Atr-r80rN zC#@{aGcRXr4s;Uj^=Y?b@=W0mw?yN@W)tSbI;|``MV1c_yBlte&f6E92CcbO)ctNW zx1bj`paMEFmf^Uk`mg7ttr4yJ!>Tx=tIb`__L>2+qgjBm9CRM+)wSn+PgQQTR=MG2 zneV5nBex{$CsH>ekqcAZtz$ZZb}WU%4*mHo^0K%&!PGw*K09Cu3OgZXTau?mRhiLrT z=IU!srZ1(yVo*wuHYFyUX;f<2e|O>I@o8;N;WC21}sr9M!P zjmjz2Tx6=$012kbFkPi46wEm;m?v9VRyZup1;opQq9R3NAhXN2L(uoOW>pUp_=jMH zotyCl-o;*>KSnW`;Zo37d3}fE!rlx4VKJ!Ino`fknEK1t-bw{4y|P?r@ZPPxox zBYElJB8cd;A2L3(4s(mcv)G52D4Vh11LDOk@ywj?S$#vFJqM=1@NZ&dhNiF7w&5gn zE+K3|kxi**#Zd=?>1wyYZt_dY+CQq@wU}chzfvQHAHci*_6_)YUd`PItCtp%Yk4+0 zdcCWIi(3faSB8(B^2+)okZ>nnwN(qo*GZw@$xo)Kr7-K`TkqvwqSTWHN zqIyyae9!vD8qzTV1OdCrG(Zu!Bs7`!zap@P6i@^Psi8=6lx2s=$S?2-d(o|_hs($V zaArjX0B4?{Lew9lLNI3%sX=G%?(R*Frn@F*P`}e>k?cLiCU@Au2bKCbgyU)9#4X1O z+RItpe&2*JcI12?RJKQ%)1`mPaC|vE{Y4WG*2A2jklip$f$#NOck2n{aoYy`%mQ6X zaUEcOD#roU4}jjn^nW1FTRcTe-glx8Z+y_w45d0h`!$u|sVL#Lj+PNc1Q77l-rtKu zNvcjtXPm)_+^s*+c)8LUAw{(X5Gq^^L_tAgxsQ85UpQaO=^$avg9|WkDaM38_DIgk zX>Nt$AZuq2UJow#Ya6d1>=GW?{IxTy6G9z?s{h;kaI$M!5#Yk!xA<}FKg0RN6KYU0 zI~*!4pw%!0DbKskjhr0Fa@uRl(_O`nAxY|GHup*>KA6ZXTU|vAe+|@1_WaR&M8|RB zSW{-YKjKuJ*0__0G=x zjsB01j}4o%R0e4pp1LOmvgp%s1^yGoQW2-I~*WlGo_lN!|MJzyL%&PzMNBG@2AUT&`$o-NZy^_^| zrNRh|Q?{3=jY5CNbcTzIwPFmsR=lAGb-O;yb}iIL5AAOpu2hZ&HSGF>E3>d2d5k;{ z*=m75Jz52W9?n*-4C}Klwl9BqAARRIya)V2wK))NBzg^M;J@uHW8c*Y4rPy-W0ZDC_;yqYI~7>a4BEY*P#d@oeo70KjaPxw-XfO{R^TF{LZbDomJL!zwXvTtM9$k9_l+t zI613l6q#XbyXXR6tV4B$Wnl$zHI|E@>AurvKO$N;&Z>o8Xx-MOfE}D*i4!xdd_Us< zG-b@Z24i)|;FKplBYcv)5@BdYI&2l_uo8f#Yy!}fAH@b{sYrH9M2P&2e0`!zNCMnfjRYYUCYLGl%rYl`eTQpg5G(l;4pm0D_RJs0TdGYdq^YpF(veU$L zjs>#QNUQv*Xt;A)OfvLlZMgG*$NjFpujMJ-YkxO@JbjvliOXA8rHa;L4>))b!<1Pj 
zb&G%YjAau52M<^E#KNuveE5F{Z`;j$ybh7=vjC#@?&qoSMox`wKC1-b={Iymmvo=T zli#wQ=38+6$DD^x1tLG(?(K~DFMN&M!6e}?Ni}hnOl5O5N-N-nGH3A+Wa)%dR{}lQ zV#w*{>Ap9l*rL-^3$9e*4`f3O=>q-brA_FDOyQ-?&;_5Qy+T?7KiQjh(D!~%C0O(A zLu^W5CvJq-D?gD(v2(nsHrrEZM|oX$}OT-!plR;*=COF zy;YpY+@ChUQ=P}`B8nn(m5UTDkd-uCvDREJzhwfq#6br<%q?U>nMmj!MW-ZTIF0mn5i9q=;dnDT(m6QgR!rB;^6OXPkg3x_GW)JgUEO zEb7$sW;fpR(?U250WZQZ1`m9|Ri~Yce`&Bone#UxJ1TRGn(q6}_S~70naP9@G>p{n z_ZiR=24?S|t~{yX_Htbxyz4*tjq3?Cu6RZxMPvZI0u6Tb9oeCh?K`S*;DQeZkHH5F z3=fBH4ttRj;S(N%RZ^y8d9yG}m;%{tWCvzN-1Xy;XwHRLF~&7fnwNnyzpyfQsMJrl z1vOJ0%-AKRA(L7`#SaZo81v_>9RddLeCZInaNUP!6WFWr2(9$5b6=CH#J7c>uDThE z`qHcXaw_t>D}Vu3>zw1O$Py3Gr_Iqp*MlHn?C-5)1D%3o;6p(f)iRO3scHS;PoX%^ zg7{Rg4P7^^0T0*m>Zhby4z770Q9BxA?{lT^h@Dy$< z-Dv%(1h=E`WFZD!{u3{u3L?Y2oiNR+DE`1z4wUf?zJ3(n7AxItiwj%Jjl|3*D7YyY zmrBwXC~Vdb$2Xboi2q~GLZyO}4G-|-kQh>Ij|a6teBBHgW%Kh3X?^OW|D}j_;PkKS zJCzhQXj|?49})5Uz@8Yte-6zt&?eqtAz~3Rn%d2`HHLXRgof^hLtC@txz%G;A%#WKT%)w#Q0YO^K5UJ zbRFbNq*fYUsklu#*K#OBR(GElBecwkE>e3oo~28l0Nuwg<)G^CM*g^pRXc#m3hT!C z;W=WnjbU1qV>)Ryrc_Z<@3`s{u;qSX@6*jNQeyS@EPmDy1Z8!3%Xm4@hf}p@j8^Zz zxAY%Ion1gQUs0T-WveD>Vb?WzZ$=-QoJ-5>9IOE~FxfI%H_wWNOx3s#5OnXuXrqK` zw$?J)@_*BFTKpM+M6HcK3)fw~%h1JW6v|}6funHt(FR=N6W=WAbhWEVrta0k(Q2Sy6~8fIbCeo=;hcYhs>{i+26*44j9bP$ZTrPkJa<{Y4;Ud5qqQm~?V5fhdSmACnj>e)A9BFYXcVr0O`E(Wu( zt#`ii3!}J=G2zg3bOq-9;=)6TRWY1}EC)+p&v8u2R? 
zn@dtfCBmLzU&N1CS%+n|)xSAhzETQZNz&4R;XSpWP(#q&nlFQiLxOB{JLNIqt%>uj ze%P#!YlWvr1A!%O$wlMk<}eR9N}V@4*sKMwX1)Jdr)}U2;&>So$y#a}X(Gu+0Y-@h z#LdFBFU20?e1Bisf}(Yq#oWo!wg2ad=uYY6&fVy5@{L+Ey-zIJ)X}8JQevmU(XxR2 z;I&bNLPaA-XU-ms#(8mu=wMrRwv6n}rZSdrjlcCOO9av$RX%W*h7!=hI~!*Enr5dg zya!E8yaCVQPl|uGh@e^{Y`v(?0lgx{Qp!SUyJ=D=3fQ4l-cRPGS+wXE<&q9d998(0 zJRDTyFYd&vY0S0X{!0VCe+`Ogr;mB|*2W2x_bX$f^K=hrWsk}b^9;q4qRjVQboVw{ ze|J~6Q3S6zml9in?`;5wV8(NBUa<-LxbqyU2~kV%3czx9F3))Wj|lPru$<`rn;4wN z*$|<$7Rmk-QHP1ZyOfgJ;r5BQS=@--oG_tVm4459SbSa=2{jeaW9Chs-?~4lPxH!J zIv$?^2H%c-<}E2m`d(YBsS8EU=~TCiG+Vc2-z`R$B9!vXbjKp)sVG^^2?5d&^t;#aoHCMl4pyll0d( zBsZUgE54H{xn{@&WpGo^VAyqdRc+VUGXEwWPFwZ|PR5UPEGQ9WNC7NB70^+NUqt;T z3mOnTw95vW%M9IU=rvVBV_m}fICb{A2eE~Kb=6&R)f$t&dTG_5vDQxKv0}wUWx#$O zJk0CnSy4%ra@rrq%HUfX24l93`gPV5;$Gr9MgL|QiQZ-0T9No0Me|1^K{Vnm(`A+V zm4mvC!f33b9x2?4@^kT=ahLiZA%SYvYL;hWfm~K>iUZmjO{n421Tr$)XT=iiRLlxc z6JEx81aK`16;tHhLn5))_$?n#F8pB>UF8A!Uttw1&ysa<4WxNLHkBnz%06>)rS;{% zfW~jOZ%{c;Q`#)+38Sj!2pK*HUjs%wWCFIscnvZ+mEQ7rSce?q)1Q9WUd2w@E5OYE zIlRW+a^smJ&Ku|!kGHj`w1ag#s4;0Qp(YUal%lz2}e{D-4U#*d9Llzic;+{cTD%SIa~;&lGE`pxkjs8 zN}!&;zEK4Bsg|L-iM$U(?GnXaYb4=r*kERdryXi2Gc^%9x@N}x`}G2%jdYyTKa`F} z)rMr6!cyQ3c*XT-l>NL zEt}}F97fRMm_DJc+EtT0f`Qq3L4Dlsx`Zp9 zU}T6e6<+7b?}0xXeFb87X~V+xF4Tt04CxN??RBmsWW1sZ^Js69vSeAYf8oki4>>jl zEzQ;9w;ricXKH)4r7iZY%-3lwm|TvUQLFexG#U(v+>NFs`LbachU{(i{YX4mso*vZ z`J~2Vkoa6!h)!Gb<2~S{(vF~XQj^Fx3*B#`ZlPA!>gXFOo(Y`Ju;E$agD7g6N(vu~9VqEb zE!@z)pqd)fqN_TGSRcVBI0t5K()bMB&|>f*nFK)UlI0x2^dn|nO|B?=@>a_JJ1OR| zPX2ZZJ}iz#z3?P0-#2W$HPa}g$^5gnR(o&g+-*kIoHX}by;3G@;jvad zIh}ueZQ%az-*H^iS*xSkYv^3~-NRLUE?g;hv?F3Dky)pj)P|}^alrki_!yvGd=ByO z+p{K8@eyVvD8jLyvJRV+$WwCE3dV#r2w5sFVYc$>OTD8WeoIv{NW^?)cum#_BZX9t;TY5nLMs2|4 zi34K|%fo`LrXSLA>BtPU-iu|q&%H2oz5F4$ySQth;T^<0q-xEF4(Q4|_=E23ZIRxx zMU>9$M6jC4i#aQtHhg0ZxVIB z1?-LKByRN>qV|gSRr3geaOnlGM#tjglm3z4tngu{HzI<~VyQzJ5wXJ%+#@2pf*) zX?}EeP%|=>Feyhl63#@h%>)cN7qgAw4-<@1N^E-MD$w1!D7`tq@;hy3??C^!l+)Q_ 
z%RlJE=TWr&=mR*+tbl7vJCM~SB)lF@0n{dCrBDNmUzdRaPk#1piRIyAq{Pvk)x=*HkIFOW?{VOjX;9*v|kXxran}ogs*i%3z(5Z zgo?rte59A=N+m^0oG$B{-r=STd}LoP-gyXSAgp*qJ)#_rtn&hhcqkt`95H0ZliQUk zOAg`{YI6JJSR)p0%2QXE3bKv;`03%=N4cZdBtKSV^khXbeMdkwVn`dC5C#ThajfIF z%uw|MI=_>P?%=6{#-&55k8h;zpj36qjuLB?syW`F8im*xW)R4NGCMmncea6$8MI!` z1 z(Kg%gD7-zV{m#=*Kc$DcB7xOE!lr-0YZbhtyz#eXOQ8yXs@XJ+6$mxFDzjn1>Yzyx zqO4bHFlP7{QY1;U)$6S8w_0?*f}xTNGwP~m2-E)4O6651>BPNDysDEwK>SyeLE1GU znmypFSP!e8d$l85^a1Cq(;we$?18{UwtWO)`(C^96Eh~!cXP4ri%85Y2C0={ z4i3t?n1f^5rTI0_OF|5*20DHZ6R8)C%?TSw~X7li3WB93rsnjtnhE9#CjF2 zZkMTR83wBiU~f^#0L>0$i^pByE^(rJ75hf}Dr_F8($|K~uxVh->2kPM!w}P~vUY2A z=CnWA(UN8Xl?4vcy}#bjo0DsL!qDX%>o(p)>6wzYT}kY?&_UEeP+Ty)Gsd9L*-f?Rmdd$~`JVI13a0T+?^IPBW$DU>LDEsA zNDccWynGl?ssl-pbwofUW``*Ni2Wr2fY`my?a;l?Yl>pP#&cq{UoY+c_<+*#X0(d~ zqutYp*1kRWK^YZ&jVJ!~8_~1(xh9hNjEnxskc1^g zx!Yq4k4JxVJK{ywhqgbin)bLPiA8MAu#YUt*p^|h;M_@|kf0Ehc67H2&6n=L4HOL3 zc8)hAA@q z@oqhG@U;+T&}2r2!g)yp0dgflif2UD#&EsIng*XTbYjV6)Cq%cQpB~L<@j#s2c~{( zzf605^%mPQ@?V_YKr3?6{ZiD^n_!MwRvEknT*jDs8V8INeJpXsJ7Tzl3;Z4A13eWY z(lYEai&kLYiKoyWt{~S-B^uPE@;~sgmM5qT)CAZ(nMlduq$Bie4Q}eHU3_>fhFT-} zb{Y~zj_fHOVIV&{C=jHFN0BuEY%_y+7Dj*k%H?pecXqdRv|-Lc0;UZq1Vnm60!C4Q z{<*}&PH;?mYx1hr$}gJO1_$>!)joFSlHkLrlmK0IZE++ck7SozV$QMqd#*|0I(dk4 zL6gpizgjy(E%g8C_mXi|1}WAQmHe=L(|D6SvMgX*cPjotuBQ_M%wVgW4J<6DMzigL zWYokXwti<%Rik6$Et~sKudiaL-nMw2hH|=khk36!c-aboCMq7!+v&Gbr_+Fi4wt!o zmU-y;oXoU4DSilj+szP_-)~LJfkMZ!x&UB;uV8NRhddnO!GG;$Kk@)fiOnA~^J1~P z95LZZMYovQF$MB(Dyp^?Kt+khMw{e{i86fuJ}l@sr2 zbl#Is6)}uKxjKDEo!Cjq%KLZixD2hZtA}h+&vrSsC-H8V?z{+!JqATWDa2ar3qACe z;Sg%~L`xk0v>#m&52nUTi@^Bz!Andjn!U@h-_@jcSsHKmW zlc!ln@M<1_#`lXrA5`+fI^3>69v*6YdxH%mawn|Fj~=Yosvc9dYKr%;y=9w2wkb&# z_fLya$IdC;@H(a_oLvXvA3^imczvvI7?~GrPOb|#zd$$XlrqF{eVC8!rH1K6*9~$5 za~#$iLVPx+0OVBzm^N^oyUR+X3HL1b$f*rk)eDhW1x{dbP557I1;Ud6NGSn;OBQ|t zgc+4t#1B{`U4kF(n^MmMxIyqNRxGFgU_Y)gFCbFESU~p0)4Q)q=@ z9o6+&l@pY~5}t~LkK1<+#4dSoG0Z;u9y=fxfUbFcuJz1#*6%X(ga}i7;$Qq82I&mb zz1!-G>PTCXl_GF53CF@8Q{wdK>k_@f&(zw9GQ!W0n;-IN#JB5Dw-bT)q@5;_gG20k 
z9eWkx#6Eb4g5_O}tbl+;aG4{sK`+JOgqxVt z3@>}fResk}RU^(!?8)4XcqD>;X$Ehg>x}!how|-d1Jz`fEW3M@s~5eP14)KWFOBI$ zL$)5n-ObXVdSjDQPnu&qX>ka=$hq&I&`HF?n+=DPTPbAQJPtUa6B?fUn9fmi8Xe5N zDM{5$Bo`OYu*@DjyZ7VC#Tkl^su(yS7t9-y^Svbj2W6;%v4p*nnT^eVSmM6>_ zQOD5GdX!CR1Rt;{`dXldRCB_>55`qXwY`ikjRRFM?TQ{~lo9B+OoGEZac5#?0$UZ- z9cp#d1B(C=HiUX38dqGHCtu0=KX5<-BTB5t7Vu}*OhTe=R-t1EEJk6q0s~^5bL$3& zwsa>@cTeVB0izwMmF`RCl@1`K6>;kjcHJB~d&PaO);G*$zYU&~_U5Lw7wNA_FQ%di zMK?593yf~qX!4FZ;C-XBT2Rb7Was;(<4T4z590^M(c>_^jC#uhbn)w4qP9eNPBBvU`#RNKF< z3oExwIIQI}dgM-|=KKT;Qkm;uvK7v(Klw*c!+AZk_hcBB)xRP3xtZC)$g$u=iPV{eaO17 zCm2d|P|Y$>9c4AujA^v1@cgp~a+C{s2OL?II$Pqgqmltib^_d+Iz@9iE9w<){ctzT|ym z>n1~8R;DH=j1XT0OXU?+#FBDKGq`__-ODAgBg*2Brp*B9o9X-Cn=8npCX=(lO+fL& zACR1JOZe2(HIzqajm^jxYVI0>;$Nk|4EUD|g3}gyB${_M37IQ$%v&FfdxsL@o2fj& zpGK%!v6d)IxOS4Ln_xXbKs^3Q2D*w)FLzse`!afZXw6_?Hxn_ol?PZNm!Kiz>cS1zF$fH26DoS%6iit}om zOJVC{joHu^|Lc6rQk+d4EInSx2-kDZ2w%Q2I`59iv6p`R|5YxpXOK& z-ft{Wa0-v=`cI`*f@&N1B9>*lPq;L|CN?!cq^Q zp-dHg3g&cG)W^qhOj$|yeL2iSP$hoB=~)^aZC++Y`6Hi-2t0Lp8~yP zafg&3yr=Auu5g<61T+sgDIQprp;ruj|Hg+wRkV~3&)7Wp?7GPfle<;1Xog$VEJvf# z8n3r?h=ns8o{Q<+5eRdb9)f&v>}U&vPVDFLd3{3N6-r@?X@vI$Kf{zDF()K#C}K+= zqj9*MyS43Q?z<9Bcm^0~U4NF*E3wh79@_2ewAXhgf3{I(;Wzwi=R95BD31dFq!GHs z$omOooX5`R6y|3B&V;1Zt|MS(UEmLo z*l7ModV=6{MtXtO5Ql<^;p-V*w;PZ*09&~m0?zQ#nsZDxE@Byrn!;HlDNTe-@*SR*rPvyD^08M_lGb*ckwo>%{+YD)-%tk&}5gGLuA^)T|D0T-;CZnmgde+#KA{MYvgd?Yh*yu zm{DSO~5U}(eA z0185>I_xny+EGDc7OKsOd`#F?Q3eo9mH>ju(`NCJ%4X4JvJyIJxU$TU5~DmTL+9Ur z(wvetM!NHVx+dhxn68+3usdo*dsapu*N84JWMKZ~-SHvjV+zfhj&@0?tEgkVmM#aN z)<_)RKc8o`?uzjo=psRgDO69nT_4ynoWI%+JxQ@XY9H(3E2-x~eWm8aV4G$1Uq|w2 z66{D0lQT$iwL#A^3SwklM5-f36JKoOm+ECG`@`mQW`h_7T5~;PUBQ8iNq;cqJN2sd z&5a62+Ck;NKVF*w*^qlbA@V~*t<41>c-o;N%*_<;eCqtU)XP3^{go2)_?H^sjo99k_9uwLdp#7KElI1obZCUt^{A^R~Oo>K70#^OyhWxAB+vDs+$(i=@?SeF5hqH-qFNV_>?M}nZ0t1q@fJ|qU_GWcHfX9*f`HRXnCb3 zde%H^1Ul+XTUk+HfyU9(%R?cXJtrneiX`fxyz|hg0s^sN15;WTT z?pHE*5gPlF``i83{t#Wvd+#9Qo)oIK z-D4cZyf9hyzct}?8mBNZJMvOX9|Ujah|U{+dV6T++<@6xQAwkX6ARU`gjO&&T~h{K 
zP_I}fH&XT;MQm9x%8c`}s}>R(MnM|bbI>lVUTiQp*Lw@{V$J-kvgbULaw&I2^xj=t z4u_aoIOLsH48Dke)CV1zA1}4qzoI_>G+Jl+^w9r7Smqz7*2q!Re73puI(&LF(+gDH zGNYpO?_?PyvM+OZEy`E#NeFR&pB(nB_eoza7_j^MQc%`v``>A(DYO=kj5YH z6E6hXW(I6Iaw8zpmX*T)*OYb*y-yEtYLUe#4*;)Pj2IfQR}?J$9_=R(Jda!2avA;w=t zw6EHlo5R`PfTTYmFqHt!JsNk~fb=ZBUrLI=h#nND9%#id=0ngTSJoB|r@%r#rS>o*9`wZ{gUc=nXUdK-XS<^0$Pb>duJ2`i0y&?4}&mBc!le6Wq;m0i_GeXGz z-7@ds5fGapxXMFOZyQzAx8lF;OE;ZB0(b#@oc8ng5N@$^sOk#%j`HXPfwZCf2Xoup&iwr$(!*mgQ*#kOsmf3Exa z-hZjK8e7$@g&Jedfn(oKDnIAnN@$;~mKi|K@OzQq|D?_<@pw;mO3*UyDA1_PK{Ct9 zR&7BZl-s%H9n5lEk5NKvndM|drfg)xC}(k2@axqn_T5U<(40dID={;@qX3qYKc;_Ufi;8W&UFr)5EZCs`F`If5=U zmXPn)n>MQuEZ$tBfGwhEo;R@eiu2F&VgoRS=R=LM2GeJ}t=(*r@}}CUvk5^8#g1-L za7b}Cpx8OB_+#FMe@b{f?2KTLY_&qG`QlI0*CEVMNL%NqFNf)ZZi)%vqaiGOGiTZZ zVP8n?HQMYcBC+=E-r5ib1_y2Om7Iw%VIgtixivc*5k=s|3l7%e7``FP5V&!vtI}Fg zI?XOVv{lY6l||gJ`eOai@|X;08~@Sr3!Gt}G0EEQ*#1|E4Wgwz!~5^B%diyCghxat zc9w{*EhmIGHh~oNKeYVR9rfzyYJ14ltJ%UQRy1V(so>D8@xzt`i;yE`G+wj@G|i3| z<}45|3S`7|M5E{^a$T*_ANpm;xk>awVRnW=idxaqoETHnKVsAImBksH%2xcPvv{m} zHEzuInoobR_hPQa8k?B5L`v+vN#8Eenz&*il<#h>=h=uk^l;Jee5m8+Zz3^(cN|KuyiM#HA-t;61-i$NwoGC`_THk2cy8-3CZLZ>#51U}O5K+E)8~*Wk33dNu?$ZeR==o9 zve24qwsUzO;wsB;(P$Q2&tg~)$|}+p(rVC}2Q$)XxoSu!b;%O6)fsDiwTinH_`!;2 zCDw)^wnSQ9nL(*!esVBuJ(2cwTJV##bYu)*%WQ%vH6^c$Y(3uH8PXNU8b9qn`lqa;R=BlZKD3^K zpR#DCcNgO41XLD;_JYdj;1_Hu9>ta55{Tyk^fjoH@4p_RibkH@ zu4Wp1L=O<3*~o;!BO$Z8&zrz+I$1M0hQHlkNE`=p^E@SfEK6}=eu*0*&R{`Tvp01L zi}LpnL01RDt}NIRg+Pq7Nh%`&O3m3wm@_5-E}WOY-Y}rwtAxBz8Dh+LU3HTmEG~$h zO$yo~1RsZu-|2`jID>iLKh-`|k!;$f_JTr(uLdy6tk~d!cWReK~K~WeZjeJ zwta6xzNJb>U#@Xq5NlCBNOD4ZYa?d9mqyRE1Q{H&qMgzDwwP^iz$%8?0F9C5!XkVb z?tSUzFx2VE3@F(F{$wP&=_h7W(0E&%w`cu@H!{R&x%(G+2Z;*#x&2YXM?O}vFAS-- z6zH)L%JvsN2Z}&b_s+URX;iev=`u!8yA1%+=mhp1f~vWt{BR?gj1{<&R?zL{CgA-T zE__i`g;KH98&4oM#lQBt>*(nDrL>nuN4(b-G3TC`xvwtI83t{&7 zis~z-jdoEMH^I=Gz-l}^opTf+IwmGqc>GCK5cyRa77+L8r)^gO~ zW43b^W3FQx_p_za&JVtgYU5j;B2yLCsf0i@?R1fIF8G~^X1l_lC`i&?9b_3SZU?Z^ z*qp;td%wcB@n)$f|?F#cunF~X_13(20PbwQYO{?uc?N53^*Y^ 
zW6t4guX=p$4y0)Tq?DQWzgH!B^MVCD^er5DI@SuxbrdmMh1R;u&IQGPJ2T0@Ai(G; zn%Y=lL=SzHRl4}}`Tvy7#-Z=Te)kSDs#`zcIW~q|0wDY|!WJ0G21Ri7>_FdHpzb2g zksaZE_0%FzRJLpYyd}!bZ5{;P_<0D6f9*P&1DPDA2E07C98T-fmOCWY;&jglYIjBP3a=hIEtM+dmx*xun#Ks-4!?Vz)4U&se@|^TDGr z*a>dztIpCwXo~GUP+j1I4{g4rA`VUoch_FDM@;*E^BYlpeIylt**CD+g#N&lMxMmL z7!U8)Pjcx0mRyU`9)%WaFQo9S2WD~q(oUzn7-aU=nc|HovKq;PpR!tEtO{Ept_!)lnFVmZDmR%~W3K1uI|7KTueon39V-K72P z{NJ*(KpFXuLFM0*Wbl^Yoy>y5xka>`%z~u=D(`S0zn0ykyN74{Q^$tKE0;0$wjQiy<#W(zmnN=vIgDA1^c!UORKakkp zKk|uif5VIk98MO1qVq!(S5Lh_!{t2?oVSy<;`X*;`(9DFfj}5Bd*5#v<5zo;_(3N z3#wUY>L{T(Z46Us3jxHzxLrKyePOI0zjdGrTpW~W6YVKqp`_{#`>0HE~yRx*Gr+t-F#9|FR-%!3&y8>FHyhmry$4nUK^nOflFZVdPA99Tdn!p(vUIUY) zMXoWbLJhcZykS>rAS=gB4Eno!TWVXKeM0Z3B4=l{3P0Kn=Og}6@bM%c=B2NXlg(=jX>s$Uu=+KQwEy|z(cPB%yLb(F%JfARxXd)F$sk+mjXj&Q~;kIvF z6|OdJ(0aToHO9j$25Bd@1G6#m=pp3h$vAW=(sqLWijf`Ed^12F9;3$#HP54NZClCP zs(E96?iiJBm*Rn#&3$21;m>Ph!X379W(xYKYz*BZ%{z<2fYK{YyJuOEie-bLFP2J- zHsR*mAnf=bI2_a)MA?AK&$Vt_pQj<5h}Fzw#FU@h7T0eQ4nq-AqKrXO&gl40r@mWkz%1&3_x1u4zy%oZ?4^&L6>^FnJsaZbel#T2Y+^pJm&Vbl}E=oo^ zc!CyjUW9SgzTpLoDDkxeZ}?cVR7T$Zi->EcI@ST{xVdrYJs*!c?u=MA)Z8j3xmY#WUOLHq z&;^y7qu&ODrt7%UJZN72vh+E%pokAgT0@D!`<(3=xhrMf^SM$4+H8d;_Ka}&Mz56A;pzBi6q zzO!r4t21a!@&%pmQVO)l?ASAAx0qTMWxKrp@BUeRiMjqi{fXx65}46Xh$K5{;9vtu zAcKLqB!-7sK~WzPHIg(V*sMRyQG8Z|ouFMtar6X4Bf2JhmzeV02z9mO_<0kcPq!y6 zuTO=$#P58oNfQv}>{-b%dZtdUY9c&K=;QGfkzC6AE5y@2=oX%Co6{o7Lth+OIFe9s zBV68a#J!|O-Sj058-hY)m^(KVJhN}d-4S_Pnc{aZs`rTnWuM1KE9uR)I7Q)w!Y^PM zE9lAH-L|GCZvCuQ-Z6Le`d4da;ydvHkRr24>4bOi$loVD%$nsC_q#kEMhqmHZMCwL zr9}c|@K?6X+Ue0(K{?I4SSOiI%?>3*;u3NGZq3A)r_n*wk$I*9w(284g*RVt(Rrf` z_lU9_l^0VX0sY$I67lj1YFeO{?oOkjgB-^rH%h)@2UP+j9=zno4r`fHwM&vW?Hq0&aostVAv&pBgwT0LHQDCa6h$)?~PCUuN+E3hUBavQB zw#~5g`l}#`vL8s5zsW_TdR?H3qtDVZE2^bpO5cDpn$K0HtTKeQ)!p(70N*&XZ`8kA zpN>(AZ_PFD;@H=(EKclAjWk(Sx0(q*BpA_H)MYEnY~7I@ZNr+nPckL4Oepx`JIayp z7O%DQ&D)7>-lVx?oGp|R2X4i{66~c6URsLT(q`>ANiZ>%m_xC;@Xw0{qB&y|wJ0Zq zw{y}J)7>s-99ci7`AS&l0wI85m 
z9mYViQC6%hFe)xAyRJ?k&)DDeV;kT9_1?v90AJQv3tpyWNir|H&MV+Ww52%KFYr zUY&scc6lC;(Vat3S!1DBI`Shk&m6h4AUNvdCEylho;2F-2&oXd|1S@aDKRAC(SnmH zp`kAdRbxRwqa$};Wxhi$6#DC;b#ZTPh*d1?T z&mC_8FHRqThsdMkfeC*@@%Q=d_Olb!w=vdj1GdyX9fq26^M7$mY68e1j{mutRnZVP z8Cg6oRI-RpPxn;%1-g8E`rqm}0vr=z@h9}(6ieFDPINL9SVUDq*YFCxnXc9M;znK` zqoIf0uF~ZXH1rS|8Zm*0zMTu6>?>LzDh-r-#?=DL|Ui z{Yaojm#pG!`5|I;C3yKJp=7o;YI4xWO8nBex$_rpp}-Iv=hp1;0g4-6xQOGe9IYpbJ$Hn(#;;- zr9TI&;z6^zRSZJ@Q~%Qz?Qsie!P6GerILUxS0Sa;n1(D=#s9yp1KOe=$`^*Vh@^oX zk-n(xS7fh2QzaUG(GMb`{y&eVFoM~vFoKn)WF4I5XsLao>_(pgsv!2bR}Nz~u;E#5 zwqDqO41O*wwqJshUxt8gp-pazE^FPfA_}h=grD z{Qkm!=f`UKIbu*i?>|9*kwe&CMT-St2d;F9-FZ0t2^rVT=S{oQSw8W5r3^bd4)hW} zTH7 z6a#}3S!*K7Q3@>WkA}|yJB@$-C}AzhmSbk=xUcSFQlQ>Ib6k#F@ z9zi`MAo3^5u<_50sI)Z?354WFZvc987}07>xb}M{nle$YzV__{ zDW6E=XQ_f<;vFqtNSvz=l?K9j5THk>EWy|iuo>+V{g(C5Sk9&KZp?+y4&9FYRUw`} z%AgN&z>jo|Qi{FIYt>P56Lrp{kSwSu0U-V;2~EtZ9En4U3C8Ipde`e`yYn}E&mmR* zZ}|i(^G8+^5~WuB17*+WlRIB5rGO6*xbx>~pVwzkZz`hde)`DF08jb*EJ zEFJ|kj(PM6^Hw5GEUQuBJpYOX;pHU)n=gj@@ zs_=bDpF&|v^CLY#2u6!r=Vee(Vb{^$W0$PXcl_4X5b);Jtt-OU9NX{w&d%w>3i6ON zAS+{WrDOBjOWSLFj@DL0p~Rkfiw=n{-}`*0Id8C}(bVr%QZt6N;=<|lt``?^Kv~nLVWSjRct8@L6<3e?fS8jWg|IF=q^J}WR z>Vdov%0%;i^>ilaQ4k=xv2}~^{;pHIdfRzAW7+b@Z#Xr?qQ&UGU_Ik0Al9 ze%VZHa{Kh+0{;==ZL-D<$c1<1oE`D`my5v!f|mp@q*rHHcRX6Ig58l~XV12U+xz6@ zlfVPn3FCvsh}9L|!{%rA@@fABiqqKR9`XLfd|<%Ug=g4$_co|OXZ}~0P1$Y$V&ks) zHov)-t=o6+vBAPZ-3MA{A+ME)a%GYCVlR&?=%F2sqQIBI|`QX;Bh z>+#C~eZyw1)gz=x4a`DUqw#X^1Og={rkIuqezpEKbo%rUZhp`eH ziNIHe{#VhW0|&vvY~(D+|CpDLN(=FOeLu}q_Fq>F$ua8vxpkCe$Xl0rZce?e>PZVF z*3!qA_FrE{FZDcD(i!hRNp%<$1{wC)AYux#{S6EmDw68|AvgUMP{s9&@pWVU89&O@ zex*}O6jizY|Hlf(*Zlz7?NaKMz*@(B?yB4gY$itX6byF6ep)) zQv0X-LDl*a&2w}Ah5Ei-czs+PI-+?$C1Fl2v9K#n{a;m!hUVBvOpyQO3hJ6yGCsOx z)dT1K8L<0wAwQ$+Ia&8ok#2d(ro%l@4MT(&rQ8E=fdZ}3-~)AcysBvhYSZ-%hX#NO z4VnE49wwA7V8)t$6trB%#zmRZ9a#L{X$Ig>m zm2>Z;>H6b(40DB}I9|kvW7z!&fjVvGTxsoZVDkc%ulr0I>5|xauAtT~N!%0tSM=^V 
zu(f99tBrYKmXtvC#>jrR2>*+pOBBr^x1*M(Q#$SeMARW&baL4W;iv&)E>+n`w4!1~udI1iAQkZfs^Yd2A+^5b8gqKzptu45UVwJnqEo%B+W4_6+y; z?1=J3sL@&UWGGvQbjoNAW+n2OjeNonVi?G+DugW=W|p+>9H}CVIxAJG16na<<+0z# z!;2>t;g>|Q{fFHxn);%Sf@+aAc@}ZF7H%wOtQ7h5pE-zfg#m=nJWB8Of_7N3O5I^; z=8A4nWuhl%cz9=6XrOx1U|}=?7JP8g?|#E1PSMDlQkr{GtNDg_jE6%0JUHipB`cCXc`?$Mg@MpGdOZGiQ_6M3^D_l@I$6b!*4WfDIMvHR%I46 z1JQ0|c+<$&LV5T@!QB>#fVKNNxe1fMaYo^0FKk4HhcPSo59-4l20~2CK%0EqB~EEk zBrXUlP#eH{YRMr;tjh+1`&X`X5R&$$;gkEm%*9R|)8E@$tz4}(Rz6>}Wlvc#{8p<8 z#*{X#ty&}U>l-%8cG)dXtpIoPh?Yk&3>Pu#^49gwbxcS^6tY_`BI*oR|I?=Ca83jS zgsFWenbv%y;@M2yCo7G>3C_+jA zoVMf}Y}JsPihVr7`z)-c*7QwEFeHe>k#iIuU*M&D&ROFQ`F1$w9NkMQK}YXtLTa0! z88O7p(hOX^CmIb^PNL%g!F$1^@z(jpXa=yL{T+gl(@AGV?+%8|aqT2(`jP^I-9Jrg zXPPDmj)Dy4$xqq*-f6=?Gmtr0zuOgDu4!Gw=zpJ@v|GROcUKu(a2-0PtQL1|Q-772 zrZxU;iJ$)6?kE-@%6Vj&F+q3e&Wua`hw6ba(e<9BlcMB=$P_-A&aU(2!kD7J=iC9I z&!4QliSeuTV68^9BpZ`hgvJ=gNB*b4?HD3+{v55~sQf{XIkEM#Wcgnu-cJ)aoZRfz zIWgwsnRv&)Nk32zk5);@ocTgxNImz$4(k+49ltC^L6hf=AZez zrcBmePXQ@>|T5ArN z5tmP5MEEe&NJ6-pZnvPQ-u($=~dTSa8($iFa^q#p$VS?Pq4raFJKM!oANt5n0hH|e3dpqUn$FRAP zeaiKkQ&L5i89(g>+%h%_Llg|aE+5Epq+|S$GN2-_q@K%bFj^^({LX%ZW(xRU;nTSg zeuEZTU*WUHC<>~8RmV36p3YcGS>~^dcVbnl-^p}H1eLGMZ^R9==d0c(AnMI=Lx>5a zoBsQRPS`+lY($$?yRrp(EAj#JklD#xcksLG6cGB(-40LNz`eZfnvAE%CVeuoUr9re zNkeoH$&YNYR&59j8OThR#{vNlrIqf`z*C=4YbQ}|uI*Ns58;1(Z$?&6^u~j2_rPC7 zSje4V%&Lxt=gZQV>@2=Bfi?6j*~fuvDa%@rY*L`oY|>Z!Y@vVn z1gHBPZ9u_bhB0&p05eod3TkF3gHMmA8GJvxbG+x>AIxVrI+~VN%lDOQrp_>LU-5Y? 
zdo`rV`PZcAOqO9skW^%hV%F|7&^9EtFd z9oN=LA^6y*!1UaI{8gUpaIHAylf{&+YG3$oESrY-d-~WX(`4J9tvr!#WZ!6&yEM5Q z#^iZ-e?D5pF)wz*pz1(MywOqM+p=Ngc|P~=BR@R2s^300>`(*uCTdfI8d+GEcX{)d zHAHUZ9dLE0vxnDtM~4;8uMjPZBqgt6zs|KjBHEI1tzLC>Qo4DLWf!YZy_-MdpANDJ zRwXzz3|6n}W{c8r=YLM5pIBn|>;Kr0XY~)T@F;6~ePORd4pw}rk30Hebm|v0 z3>=v7#F}Qy*TodlUFc;17ZNl)>g@Ww-9{*BarCFPS4eCNSZR6t2D?wJ468LdGkG{) z>S8K4mW~U8y9Jb7fuP4QoUpW>Gu&L1$CB`GfHxVLUoh-cUXtTFUrBrQ6a+bGwtYE(MGE*J@4Q{Krn;_{IbVN zZ#iTl+TYe4$%}L?o!&6Zmko9-gx^ZD^i3831!b*eQ~;`cs(*o_ni1>Q0Rnm0Uw!bD zK8DGcZqv!8yGshs3Q|Ui$QiUo{6Kbf%$&(g2adodMX_Zwb+Hc`6xdXCLjk3>gQ`MO zRK4eW6=g80lh>YaIkw!#lQ$uxBZ9*Vcns*G`yr=}Z}XDPYF=QS=ef_ZDwDfV1?Bp* zN%Va&npl-@Gjnf3%|F3w(iPj_lVRJv7Kk4o==(-NkEseKUfq{M)^P(jPZ_JL24U-U%}ieLfnz zd6e}e=duLcp;suwIk0r7vinhE3GR?2B-jmw1fJ;7S`&aCTMb8A@*srIZTR_XAQVFa zKNMRVj1?r(#)1d;=q!eCA3=-FQ#8B=W1NH5n1)WFrvwTkpC1K z*zwd@#4GALRN_WMy(GuOGADu7im2lkk@Npcz86BHd@hUYX_myxLBXe8Qr-iGZ z4WsaS992b!I^^Tmz!7@>w%^V z%aH3iVz?38TcQ$t^YtcAdm;IK+9x=W^k~&t$04RW)`y!9gS1ocdfkYhQet);b!rrE ztGEnJ|K0)wnd}i5E$T1>8K|Q|)ZZ*v0#0%85~Z9eEhoFbMJ)0e31R^6GHE2brN~-W zkKS;DV5oz6w+6tU7a0V%z9Xf71P}(!J~Rag>mm6kzt+evim`^aqP-?f{PLC>Dvw-O zOVR%vdt#gkTj8?cihv6IJ=*9E31_!kSJj@D{3)QSHQ5iF_u^vONjp()n5i8O^%8U?{S2J`k^6{6T!{i%tJvo}TF@`!<>2ETEb{Iiu`EA^K!(j%(>7lpb3q+A}gH)mHT+=HnG8W_31$LC0 zol;A$Y!2*xw~3Z$|0PoZYfedO?;B6oEpt37lOU==yDFb;-LRvs?{Dfjj_fR+9Wzn2 z&Rv6_B!HFC&O;D3fBI|?cFqeHR}i*N5r=in8cj=EdSA4zqzzrUsa~2NjOoL$=|jUF z>K|V%jzYxdH`Rjl zMiOmt#BA>w;2}(;o@<)XRcX$>)Ki_+Z^y}Ae{-ZEMw(uCm^SM(UU%iA-v9OU_J+wS zpO&pTkezrdWQmYbLdkRp-JjGi$Qt)TTyP0I>)|H(Ht=Gg!^WPG4fs@8PlhCm^e6PDlB`P0fhZk9A zgTtR^I=f>tPQJTCQ`ev2Fa6u?YcSX^}U?t)bO zrTPXc5%&0V<{Qvu>i2qZlJ#>kuhVvsoT1yCe@~!(CeDem>hNUi+Fq=C$f@IoJ1d-H zfGnnIgrZhr2hMuW2hypq-o)lD+hmMX#UUdSGdfs0GKt~Y)D`jtO+>cha%-9DElmG# z|22PH6T$)8m!-X>;%uX-&M~z=M3U0&HIq6xHCwYi>C6&w>;phO7*a?S-*t6CKK&U? 
zmdVuk7w176(&Vha_Eb{b*&HKdgDb|=45AGYAUZ6Pz?^*3=Cs-toDFC=s5ly~#jwXl zJtBpZb{9Ao5`RU2xeX?aqCsUn}7_4@~FlmRTCVV+CajnwY}mAvp2TGf53cIK%y zEG<(ePVU4~N_Duh5~tPlrS#HKoXN=NW|8PdwmVDI`56pJ5dnHs8N;*I5MRld=j5!l z-p|X{nKkl*wLJ`Gyq$iya$6joeD=d+&9S*AV`&R1D%|be%7_dpG`SaFii;Hd9^YY( z)x~^jZkERY{ZX?#>j53nO5Bs|Kj7M$8`zo3#s_N<{3X)=PV_#IY8iTQQDc$(46UU@ z^01L-zBcU5`p#GMztOl^9X-gGDCke)yWeSZ1g0hc7e6CL<{;kq+jU5)R8 zU+#$!xX0k1b4kygeuQYwOx=%Nim;7mXi2epDh0gJxFq8+zaXS<=C-r|Opg!Y#g1tF zkwe4rb{twib|rqnZp|Ta-hZQ}EA}|`($vlfv2VAcq}7MzdzYk18EBl18AAzk?=}B) z9aZzpi)*Sr%*Np`nC#Iw!-r%EL^0x+B)fyZeH#9S7v9FC%+)3qkIug%V0axz81(Q3 zs7!y=Rdu}Q8@5x$$XE5-q@t=2j%O@Ny$f`8__qZ|Wt|v#_Z1tAxMHN_XBoA}Q6|A6 zZ`#*OvoHwp0#PWfGJQJbYS(cZJ3JP6#AkZe=~~ZxMoImPEMct-Gvoftm6RE+EiKpb znMkR3r9u_8YiubDJ!W|ZFyYtTy3^`jq3r#JpOf#};l!K3ZOtPn9#90DZ@KFxwb85iKfVTbXRQ%Cdmk2tFXEO zzGWG!CIK`1HESyw(eFA(FZL1qHG0)LRYLy$>{%X%?j2DmkLbT6UrRF7#pVEmh zIgGP3;@rWUsJZgW3L+rt59GhaopiEBdFkgmicCwF ztH1WjaM+K5hyNOGWD`f2kg=a1aB@*GNks?OaP6HW%;;R^nMJY#H zC4HbGXmm4ds|eO6x1zxT&L4#V6I@Z!b2pb~(h{PuW7zheHsbcl!a)O5P6imwo!$D( zsV4>E!ILEY{4j^-Z63-rm;_{3cza?&ESRWEyr*;L4$g5o=C>FA>*=JFNcjYJoX43D zr{1*v91z*D)M%1Zc|u0^B(bD;u0d@LUZL~i;`{C8I&0VHE?H<5reKXK?DLyDehytf z?uzP>W(3t>q+CgT+n}Ug?YT))8#N>+Z|8W$IG?-+5`Y`>#*4fQVbi7Uh%m7q!q5E` zW4@7~3%6Zdedem!)s#^3&E93M9$EW-4=p_BV23s!ixVVrh`NE(5ZL1D`ZUDEDzKx- zh@h`dx@{LZ?B|<|Iy8wU zV6n|~Ec6^lOQ5YF!ZE}2*`=W%utl+ALcsTPI57vtjecwWi$hrN?rovHWSw2f!R^ZXx-M`iOx2rgGiC>8$hJ7agBc zG)z!?ch5A`o?t0x;G@`(V$5uJ&|+9m@JQ&4Gknf!yqJQLtt{+F@1l*s=UqWJi&KUCKcM zw09dEsV$~R)g`EFVy>#+J8A2IY=5w%1r*K9!DCxZ+agd}4@F4syH+63*9#gQq6&(2 z1@R)PmTZ-6fU(Bf>fjMa?i7j%$DEak<0+7ma)wJ%k#J4bEz1wx*|F;^&w~`QgbHEl zPnc1LDS(z?HC{xIn3jkQ{14)rGvNG-<-x=i`H1+AUqSlsDUfqvW1d+Elru^Q?oUGy zn008&=g^jIo+2=g8>8E$8EL_6Y012_6MlLdGryKX8!fWeArcMkxs;%sS)*)W*6Z(i zltuZ=1alT*WWbimUU#|D^+cW~-nhhwI%}2GQ3CzHrjXSr*;+|5y@*vx?c(>AHD;B~ z>`H4|gu3MEp$m-+=Z-l+zd0{CyZK^pU%hg2DYa5;uBw*IzHXuLCGL?PgE*Nv(9oMw z%GVFcttT?{!cth0VEW1Z#I9X|R|D+XQ)2;LyAvIQZ+DLM@$Ziu0$k>Adao#PfZ7NB 
zIGjTErhEntOA7yhvsn|Oz<2UAWGJVk*eK5bUEn=Sd4Dk z?S%o-osIV>DHArYoa8?c?M^$QybkA$x+$!xJZfU4BWaIFr^eL3)DlY?x)u&_n6`N4 zypb8Xh$f?QkE@y}esmTvz8L!VDl?}sfs^Cyi;|GQb^<$-or_ZcdxiY>>d&e0$Dlkn zrpwyIYXEJS!P3M5ewRPymhP?yl^OTgo6x~vSL zLUO?4I7#>(2$fQ({+0&m0)3?i0Y;4AcvcxLPE6$hN6B(%ewCL28M#RkWyQkYXrdkU zG}Kt4^DwxvV09tMbg^JG`zjae9d*q4V^U8rymNmeeETZi7$Y4cTreUlW9BM6RR5}+ zjBJe!(0eqz>^2`N;652Hdl-oDUwif)>Z*(;2`Z6qd;wKj%7yWeHImRoOIQrsC2wGT zNG5mbO`d#tY^sGs5<#N}6MMPvj5Ca?K+qrH(2Dp)K!%s{Q^n$@jvQe`*l1+fWNJFV zgKL^PpdYBY+V_am{_1K;%2=+6LA4L~LRB&*|60zu{M9?9g@o}C(;tJ;gsL8g_@9Vv z5jCIlj8@vl>!*ia8o}#rPw#MnsuG^{$T06ZpO^mK+rD?7A0*SE+6JC&IAm?w<#cTm z~y4IP#cKvr_X_X2h`Vf$`B6I5-uUiKRx{c4IL`=86XuoLea zg7`OgPuUs`{Cwe#gtyY~W*i@=s+k%{-7Uou)c;WgxQ@UUuU8W?V=yxIb~JjJM-!}$ zqXikL>fRf;w<8K@X=i^RIm5>g1hxuRlRjnGe8Y0rg$Du-A3D?QNavD~h&`-k37_n7wvzVqUZ}Pv`7!?Zr(0_#RyABM93cF3Yfl$sPu6_3 zpKiT@7NaW{aqe1w#wu+_beRWk?}FaZY_fAU)?_&d!fWdCs_%^}(RxZ-4Y5W-)Hq#C zUg{|E&$u79GKmRJv&}apO0|~G<;~j>Rq@oMC7~v&L+b}JHmkq!2?%biU{ZhhV$uCP^k#%~?oH_-=3YFdr`Zzp>N`)!h9WvZRg0 z^KW!zi$iN?;F8|Hcdj;~xc0=Gfuw6{L|dwNzIH$I;E;ATA6n3_%M;$CLuJuQbiA4^ zS+Ql@pzVMZ?A&d5>M`9>jZ3HS_a*Z#B-ODW31fuJV%`P<-uJrWX8e}J^CW9 zX6?75x!y3xG;9SThM(?lyqar%i0^JN{pcCp5Zl^O2TcAVHrP%4){{eks2#H+>r7c5)F5PE3d)ipmm z>Gs`G*S!jM%u&Dq^ypacj`pNnec?OU2bVm1p@k%kMET=o@M!_Mq7ECa@!&mU4O7Bc ziuoh%ELjYMG?PAA=-ho1F`U6)ot+0ms>Y5gv?3=4{h!DH3#ON{13VM#EA?%@n2-f%RfwX(z>{K zFRq}K`o|i0V|^+IQ&a*I{u#4K>$4CKt4F!439PSgP{bolbZXV0ro7nODr|LW3@-%k zuxB`i<5Bxl-z^Kg`gRrh2`3MYaOud^wm)+KHL|b_jcGFU#{;4Wmkz?$4kd8Ee;#VhlM=vkN+K(qsA1|r2cm|E_&e#<9UQl*{jgt;%G<&y>Fh4Nu;mYuLh`>#l zJ-8JQUn2Dt;00{Pp9d^uPXqjy+flChCVlSHx}q1%9##Spd9+vLK2!i6_g3a{ zIll;L`KLjCAF&%K><0MffDQMcYFc*GS-P8*$H>2ZXg$7^79dy~w$6Cq<0%gjW%ncl zwvpqJr}_gXppT=3ZJwRX-}Tu739*&wsH!A(XBEBkWp?ogy0f+6cZ~Vo{Ce?wh?q8 zK?lz-cMvylbjJ~=N$u@hDgKueZVNJ9T8QiVtArRsV2($G=<($(s&YjNK9PSS|k)SZA^?Qe^R zC(ru739k}yB*l$wYaIBVN0URi89pB@EzdA17S6dj^4{u-xWD_3bo;=`Cej)Q%LZV*D;i%zGyTJdq^Q3D>@9Yt!bGg{v!c|$GAS!PN*}umu~PC zGhNHvsyoA-10hzZJjhUn38bqR(0gX???W)(KV1zpi>b3kwCaOU(Z_uPuWAh#qqFtt 
zNL;mmN@y$Qpp7i9zu}#M;5MLoTgtvhh5%iEBh?05*jNt&KN2%v}G`tZ9tm!4i$MDU=*=l18!}Y}stNx0~T@!J7=uUwa7IBaT!aeHK9+oV)soR&l`? z$^Y$A{xof`lNfoeTL=7Hv8%X?Qr0wY4>+bhwlqFX!7_;AP2R0F=H!$6hm!OIw*8_@p@<8`Uq# zq=qC`!xfdlriyt<9mr!7DJ&k)Pu)P5PTl7eTO|pa&+L}=Pd!q$#u9Y&+z80SCae+M zU(IX{$POB)HucYKCN1S4mQ}snx|vrN@J_Q_$wFW+dan-W2%;h$GC%hhiW+MM>~g&( z9GJ2TklSRR&TS?FW*u#J3D8-j^d_*&5MwpL47#3xf4ioVo4PNM6TE)SS{wrOr-6Sv z3>_Uj)IKVL7?)9Il-}SENX7^Ju0kKSfg~4-T&D;6WYz0SZ#t;^iznnWvLh*7(O`4V z)XEJT)1VOmb5oD-qW*CKd7`e>5`#|)%#&&YKT{9P!yz<6BY4)ShRB0qge3vsr^=wr zAHh)8sjZFX9X~veJFTgU90;#I?3;cF*7#IhrZFTXZdDXYSX^GU@$T^_iK=+(V|4g= zU*b=)u2KO{)evXS3>x|WEA13liMjf&~dWK#(B8 z-3jjQ?u32$`)jLq_t$Q1?M%(|yzV}?&)nBjb8q+UZsyrlckIQU*rLHB3>@t#4pO%< zZD5T|eLpYsSNlA+fZZDxu6Kh&k z+}nu2MEj;W)358GJeYRO{9@^%ILa_x)4o(h z$c7ag4qx%F|Lm^K0(p#OS0aQRmW^1p*$@c~t4+HrxBpIv)-!feb}SyltkmbHUpOi5 z*?{+tJ5L8K?YfOrlgr`n#3RdhqZkq4rv~eL*oP?fXB>~R56*>t{t0I$`w)>KJDXc% ziW-eftCp4U)t;{%o2YyfR#I&T8&C!+uBwsKQkW?uaSfr*?c~P7-ks0)Vq)OSALp^U z85(6P{jU}8R!tO$bu>X>aYVzVY#98~4qQqi*AGMwy;Mu1>9n)_{FSS)scnIl8(;N* zz%cL2KF}BZM17DGoX|=;rtZl*Hd2^DX0>Ev`xZat2EShvjqN;En^UT?*b!J+B|_{u zSbtqm&folVTFM5`yshAFxHkwGcKybmv$o~k2Uem?PAnQUFS5(?<5$o`>#?aH#a|R0 z(TB^}A3QR>Q$qijGpq+>^>sdhSH2mD~3|7%gJaJU(7Iv(M2T zOF8{FCHVBpBv*2TyW?U1k*(%%A;9nXF6M8997$4+Hj^=mh~Do4ys4P`L#KK86(*`k zR9ZWDBKo-$?e|1{!Q_wrX^Ro(BM_3mY{|RCgZ0LxaDlAml7ylQ?|n{>TqeXUGx~I_Ha%)QtB^Kz#mdH^NRgzi+A80( zn!MUM(x;<08hH3_Yx?b19w+mLL?jB+9u6&&;min6Ce5EuWabP!YmYyY7N-JZcmzPDB5jMLUd~dZO ztFRiw&%(K=bY#s}&I8WPkJ6dtXN>gUynZMCQBIPLvG~waro6hiavw34YcQrd@zRLNvjfxL!Ac47PfP7v+g!@% zB-5(=l1n{l_1#l}oryEEA9`QbXGEW^s85ljsb3MIxD{=XtYPf?q22HJNHKoRju?iK zvZK-CJDH4JlbTcmY7vFab2VadDJ@;OiN$1|eo%vjE05&Jbc$C$M=ztnfEuYU$yk%BGCRLU6#Z+s+^4~Et0cnQ=@5C~ci`VKHW9a;_j2&<%k%O< zBj3-%f(WKO8MO?0X%${?k>Z|#3Hx5Pb(*(g` z*)>;%{T0oPVb-Z2pX=Mv>VZ0y@80FYc#|g-R)!MP<;OPL0Yf=x%`73;g~@(XozKYn zllUbk`ZZ_&tM#I?k_k1=U$?Zs|i!(^2!eir$+C)mjcQk(JYr7A%^ti4zHepAjc5VvE*?E ziw{bqIF~TmFoTziOrnig)*d#aRGe4sg87c6+eBXP-cycPi^w`6T2IK7DlDfyI8I81 
zpEebz;*wZpgvM=gVA+uX`z*Opt^ZQm+a*7`Pu2CqIIYKdpSPm4|4CrfI(70eI=%VR zo;_4gm-qsO=+z4oY59T|;b7Yfxrd@cP|N4870kHLblb^$!z1EQ+h?0*E2(gi0{EU@ z>J?Aco~Z#o1*;mvK7*R|DdZfohKn7xl=1P+aUSRfK73KI=_FSo%*!$6~|K`$I9ouA!!4Q{k8$QzIS+!>8(c+q(x!;`+a4&+;= zzr7kjm^5L}Z9T9zWkTebi-4GoRmR2XoE)i>4+oux$vyI-eZvXA=u2rOQeew4MCHd) zU<;@IBdDTeD29KjVRQ~`gG|*UExm4J?BaeZ2X+{A`VW6GPgZ21?bA>pRUjj>Ts(j7IxRKDuI9 z36>SBXL2Dg57F7_efRZPGQMw`O!tzm@qGP3rC$tQ1XhSgCYD>>1X@Z4!?MW(&y)xa zL@QxHE!r1!es^Fc)=#lws%$ajgK@7#!Lf5f))qZAADP(n#p z60kfH&!Pu~`-RWMAVJ5?!@EH89EhbW3CUT3j*Ec!QVqbqHUaGGVd^gydX-V? zfPI}cfBjnlmYZejI;Y{=6vS{c>XBR{>NWkO_9@31l9zsmZ9^nI!r4ujX-oyy9bhjX zD3gqZ%1$3e>)sR2^6JsyR|jTy88sEo_W~9P-~TDlwrW1%Hf?kRE8)#?&^vr5b1%`L zG2W*mFGz-S;}oe@DoS3BnARJ)tY$aziyv7! z*Cf%H#!gBezT39pe+<($TZ2EhReHVW-9bLxmz(v+rH(bM_(f zF#SQB6Cs`*OP~{Nc{x06kD`aXP!Ha>331QYyz3D*8(F%mqA!ue0}s}hj$VP6twC*L zZHv4slqh?v-JXGc*DjnZ=x`#75=p*jm zpp6X;g1jG~nR^aER_a{LR%^49xyxmiY0D@Szq@`?$H}~z=IKiqOZU&&EgkHU7}7^C zp4y6^`teY7Nf~6WUe^e=Qwsb+qBw)|5coS1|?z|ps7n!810=@eS z`|g{7%*KAOT@Ib{0(PFRd7Vlo*Nukaxck=$ z_FoIWEc0<@$J2S*@tIWgzZ+!|u;G=^jqepI+uJ|^1&O~|rh9NFNtrWh0+LG3IaILo zR7Y)(Ujmt)N2NtI#SBXHl)B9>kbk$kb!U12Gsl~1aNlUEIg3Jb zE57NGZ}fDC$dz4-++INEc=Ek40z)c3y%tRZl6yQq20?DNYVvY6!`05gedrK`BU;o$|ebCK(v)UC|O}Jpvj%e<8!n1*vhytBEqtDSCZR)Cv7TswGOR& zs=z&}#BLf&txM+|{W97Ydy&q>fVsenZ3@SJPupfcdq%L?{x@UzsCIK#4~$oKw!J~| zi%O*(SRC(`z~ z5VkO1&c1Z#Dpw~nPR7LD*J)%m!ah|LDd>_UJ}NqbU>Z^kPQ1D!40g4|bfK{1u%njK zIgJ$hX(b4uUhaF|(+sO6+17lX4@coqkuo3qfpxmq7|8ntX6}k6oOXSjK7E$9S-3~B zPtK@1xvK$BqQSG}-2;rCNe;{oV;S0tbdczis=wWAo?iKq*-g(P(JTvu&GfoQx1kY( zwx_&vYZK4Reg8S5E0YutzyA8zf4N%O_2t_EetfoVRgt8hrx_8{y6^XxGX*-@}rpuSN-@+vJ{ z<-d93u8ZLdK759A`sE6~|2J!kIZu5EogWcujd75gkT9B@bgQ*xqg*3%lUV)1Z;5Wj ztFVTSt9hqC>TAz0vhgYml+`uF=f6Fi-?(~L#MdX=y8m9JNl z3JTMj{w0ccmre7O>)3MAv4o=&`8NYw2EwhOPyo+N84q&#;kmYJ(_3F12G~gdVq*(} zQVtM}UtxpEd-*d;O0=;<#**WwV_ptJ7Y|EaiB4^FSd5V1S5g&0PbZJ~lmtmVEvMaj z^Ewv2GQzc_1PuY>W6U_H)HVLeS6r|uZ}pI7ndP9X$f)^2bRwuU&+p(xg~rIgj$Y5z z3kpmJ=TI*>{$%dngwPNCWLjn26RTfY$uTyvQkK 
zzXi%qg-&(+OF|48_$NSiST4r$)B`pMe#t17lJcx@NuoziLolD+*CY- z{O5iG?0tqCZ*HK1B^mz-MykCgbqi%8T1X-l!+-eWjwdTKLa%ug%NzusJHb41>n<5Vj8*F{Hu^0K%#)85 zpTAgl#f(Pa)flXF^;y<&HZ-@#B&TK@U$#&y{+WE;G5v5NOjN|l$mcl7f=0UMcO*kJN&shJ4F!YdREirphRZB)*Op5C&8@8!c&<7Qh9!*N8`S$&8~{S~y4z<9#|>YTs1C=SS6wka-$3<|&iGF?Z7KsM33bdc$t0?^=v6 zm#_-e$2ZiO1?)%R%K1wT3+JJG@$O+1`vTd+M|~pO#lA?%CqZqI^-LXhnJS*AwAW@4 z-5(KU@;IEd4+JB?27->`66ywra5<#N-5FOB^Cs~3v%AQzyv`6rJ(fRp$M{Y2m(OnQ*Vj1Kl>`Ezm8@S{ zeM^aCPJ2iPn8*Kl<3D*krUL%`95AX+2nJ(5y|1R3BTj@(qgDgC)nn@b4W@c^uq=BFkt@Wdp2&^8`JbN4%GZ7)j@ts&AGYmoH_A6X9-Pi z$pL50w**yA{Y%U*g*#X{wFa|(KUC@{jLR5q2`l{v)qOuKu%I6zOvw`S8!-$VP~@J7^gYaB0^rrki5yP)Zw({@99hFj(Trl{@Lbn4Y65 z1urL8g%e;^-Gp()(Umg#&1Es)yV1-Jn71S110P5UJ5Ab$zrI z5~1@CC2!W@wn*Q`I{s{ljTeoBls{E+5cM!MtGm)mTo=Fa~^i^?$zn>TZT!-WDC6-Rcfw(T%v~2<oI6ACFcB{OLp6U+2!Wl?Wh~}7C=2IjRpi|O7`e2b-PYNB! zOmmG_A3qd<$eK`T$dQv&v zM0xr#eQ{6QlTk-?WVnpHmf6jy1Ih%cX{mYL|Kl!ut8Ugt<5*W|-98t4f(@K}8ed)} z6m;i;g#S-Sl~2YU_8k1R&6T6fR2a%v9M6%E?Rr66(VvIRFhF!S^v`GHp%4lWyQXpFDBKw^mLx~4r0y6h(&9ArHc+{zn!zW{%H3K_oet5 zE3p$@+Sd(ZhO_8YQcTb-5%PYs2+6u-V(R8NIl&Z15LD&+9wxcJ^DXf5WBYIr@8}}p zbTBbY<_26!P^dJ$Vf||XrhPSJX=qm#@w_$e#{z;tZ|GK^IviIgR5+)wP z7r|U7f2Y~sRRWT+r&_58XlA#A^&t-b#=uYZY;(+DdZR_!IP7;y*q5UeDNx)szYaJc zVOs0J86~hR_3VF`P}~*AW}uLq(GiM-l+Fq1fWZWR&5X0Mdh~#Jf`@!5iT@GEJe*sG zIAS60wDjlzIsPU)D`iT+p*q5BhGQ6I)_FLe0M(&LhmVge{4;5?T9JXNNKjUZu`(@+ z@%$bvF^ieFDL1A9&ZFAky9=~tG?5ik5?aP;d5^KS-6$?H0Q=5=2+}JK5rV2I5 z3|oX5E$P;t;T-kP?1uNWFqYp?t#dy1ImQ>AvzQGr-s0wV2-u+@kzjeN8cdHPbLzkX z()G^CmW`<@LERw|kku8}G~wX^_qdIDn>gjXx;plum@fJUi!Ln@I!C|~6di<2nP+3G zc-pFE-dWp5?M;Rh!|%2<>a3$syA5;Kw4e;VgurogV^LcuO5SgJGn??HzJhB+lfj0O zhRl|xp`|=3xq)-;3gG4+rh;~o#(Poc0^nTV7N-4|U%(n6aTcV`md0yMsx9HkhCeq$ z-_Q&6rB-%!HQB8p3vq*gYgfDzKRHe1tkziW_;OG^#Vqm9{~^rV3N3s130K47{{0m{ zFiiP~XG(r{uFMiR0F0P*TVP3*R@$I4ay4{C5KNx`yW%~)mH~T4ye{n+ zA-t|4g6lf6{oGwv8*1p5>o*n@n*3tWTG5`}7a!ptf3x}N@tfGD*A%&$#K&R z?wVU$X+5KP)9{ZcO4VOQ=lMUM@UnXJ^wht6LXLAhU~iHRJ-wLguOq3T_ym~5WKA}J zNoLEy=y=pZ)D4I!FzTajxfa5^8ug=%m1x!x)=CRuMC?S2Bt=3= 
zzg$w3Pz$d?9Tzp`ijIE{zs96<9GKfsO__?d`Hf-XTeIoVW&R2Z$hwMD&x&y6l52#> zpcN+&Zs2P(!6`a(Z>r!}EWkaPL7=;k)^ZVB+RYw8#-^h_wD3-%(b}|JrCQal;jix` zf3Yd2U$DzA8%SJwN*Jmj&DI?CI_WenV8S?Kk`aptoPc8qnT@4|pid&}gH+H3p^4TE z$aud^E2A$&%ITml%BH=erX6BhW>MTZy_`3pf>%cVgy~ErG4XkCftXJ`i{}IKLF7BJ zI;5sBl0@%)TeMOTS>mDEFB3dyzg`b_dDbz{pm^{FW~(>;;vPkpH0(oUlW8=JAFRC6 z53O>d)dE7Y20c6MnHc(FAxp|gczL1?D$@HW_=iXznI6j1LeLDC1& z1vY3bGVuQdcB@&9Kl%!9y@oA;h@pnwP5^`N00!DQOa`d>rn>$MM7((xgn&FycTVdQ z)%rC1AGAotteZyso7hwQl7OmNH8@ANkS9CBKWf$S2-#|O&E>oxY3?iYPZa^=$2l!- zM0mj3EuFvRaCm%fPep-R z-`LzHQb()PghF%U7`){`tMI=C@qfp?Hn?3$>QKmKU2+#c=aQ!bkNhr6gh_vo7F zVoSKLw@A|-M)Sck#(`79pIKr2U3<(dvJ<5V(A9T?^9x@&o5Fy_$C~o#O>9-#wZ6J1 zc?1(b*_P>yJb&4h--LRZA`96n)sBO|lF~FsrRLV^kNaq|>QVPgzKI`jvW9VG*yW;* zGo_VFpMldb8<@2FZH1)ybB%YyV${KT}xF;3ry_kw@qxP|Uh>!EwLOk;QqD@2Kha$H60QHhN+poHZXSYEUpb^;a ziQX_=zE7@yD|({gxFMsA7GYRc&K1${6mc@KsrDB;JV|-h?26a!=kD+ajeBDU?qUIQ zMLkiKtKT1gGx?A4eDHCjMmPTv3u55c$*~L=zFSq(V#0D`OK=?zK9uSF!7|G^Zr)>3 zp48QpK-Uabj%->JAzkn2-t&KU1CLgnEcBRlYs+SL`1ebNI2q-!J>0o3H7jcjx_Sz- zI&t5hVXb-D)Fq}A9`A@vF?;x=26?V()VI?}PUTAcnR4qucMP22|AnN~oy=+x7h1q! z*srC2^|NsILoZ~{CabzHT0xGTX9hT3Y$z8T@{M9iU`$H5l%xzLy3b@p$%wVQn27Cg zZucqE@NQMHq)Qpq-=};k>wr+@hoF9_-fH`E8MVJW3YWP)3N= zCmgRjjt*;=pWYiAi&2v`iC@?b?8}98oF}sos;O@~+amN^EmtZ1##}MYv&89w7<-te ze!;x2Pvw|`{{%h!bk!rH7*tH`R990q-U^T{Q|rJ zaS5N{nlu^uz>?utDWi^fNlqr8jYVpHbXyk8WP^=kmihDs8y_q-WyQXomRji?*EpZN zx1X&RuH$^sPMxw^Bjy3GEEoMXo%|Sqi9p=8)A|~yV$i`&n$_$|QNr(6jWG1jsoj%>)fpy@PO9-u8k#&`*Az@410N9crg*)C6TT6frGelAyykvz7e8 z?XwMA;d}{aTIPpyjwSLyP=8JN44rdjp$1AA9a_ z3lwpyrB20z#iSr3D*Fb&p}FlQZ}^tINeJ(P5-8ev&pVfc0aM69;o%73pJP!(yHa@k z;k~Wa6+DqemsL+XXxH~6@wU)cOFCL4u!6@X~O+LuQXEOp<8Ld z*P`8=mEYs>tjV`>Tynf(Z+}L!kTfh`qN>}geTKsD)3;U|hme{=yZoj{lv21T$GzRA zI6eSdBd!@HyYXw5S`hdzb>>w&&ZmpUeWR3m8dd9g%Pns~cP#HxI^?AK8miUoY)JN! 
zqEGj=G4irTs|+tiE&26k`?hVZ?9kl((cr^E18 ztHnMS|7P<2fk}}V`fVtwhv_8Mc7b#(yzn%-&uo+!86krIg7sv?lNcFLB;7AY#zT0M z7%(Xfpt!aR@_{R^*MfX^)5(e0(111T$%$Jai4qI6A-+kEg?}vxm^1=_Mg$128bxA( zC1f{Rx%k|@W7);YWwGI7w(~JW6{o+uSWI<3wv19|xPRm%%8+aj<65*g#u$fRO&Eu_ zytJQG5Fx^cg^2M{LxOcAh`5ud;NdA8CQ%t2jB#h+$95pWVk$&#AJqV8qZpTtgE7WD z0G)@oba9weFa)4Y0JJGs#~gqz!owE=&~gB}3_zQJohtySD^V6rvkBLbgLMKB-2=QV zha46ZT!{#&n@#wrn+qk&=YgxNS=;}jOvjaoH+dx-9zdW10@7B(#{h(wE0M?lRqX!} znn}~F3NSKHSdju+l>!*e0vrgan^gfui2#%*c|{6nbrxvVoFfY00Bp5v{a=)&tw;fk z5&=f;0HgmWvHufPkXzm{0+94EbjJhus;868EhIpzXsAic|CIEx0mxQx737w2i~tCu zjRDzQKrQkX55); z^0fv(6Hr#j4t_?4Nn~4qaHL6XE;shOHYqsbRR*-lbGH65fwYiE=#dQ(1^K7+y5p7{ zmYMV0IN8Jra2D|59WKrfsPBL{1`KRXs3)35-n||{_`b27n@EJ?a%8pr?Bw{r3Q0|YUWAi@0#!7lf-wIR n`rn0U0HPgCY#h}s9GvX|QU3{tga20x8hC~QX_N~T@c!Qbi1aVH diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json index 6f1a494bf0c..fb88d255b8b 100644 --- a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json +++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID 
[Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -104,13 +104,13 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": "Microsoft Entra ID Audit logs", + "label": "Azure AD Audit logs", "elements": [ { "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." + "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." } } ] 
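Review bot: The new side of this hunk moves the workbook label and text from `Microsoft Entra ID` back to `Azure AD` / `Azure Active Directory`, which is the opposite direction to the rebranding this patch describes, and contradicts the `description` string a few lines earlier in the same file that already says Microsoft Entra ID. The same reversal appears in the `workbook2` hunk that follows (`@@ -118,13 +118,13 @@`). If the old wording was restored deliberately to match the workbook's own title, the commit message should say so; otherwise the `-` lines are the ones that should survive, e.g. `"label": "Microsoft Entra ID Audit logs",`. The enclosing array element starts before and ends after the hunk, and since this is a packaged file the fix presumably belongs in the source metadata the packaging tool reads rather than in the generated output.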
@@ -118,13 +118,13 @@
 {
 "name": "workbook2",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Entra ID Sign-in logs",
+ "label": "Azure AD Sign-in logs",
 "elements": [
 {
 "name": "workbook2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+ "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
 }
 }
 ]
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 9673e19cdbd..f1bc78c28b9 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -1190,10 +1190,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
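Review bot: Every line this hunk changes is a key reorder inside the same JSON object (`connectorId` moved ahead of `dataTypes`, with the closing `]` re-marked to suit), which leaves the deployed template identical in meaning because object key order is not significant in JSON or ARM. The same pattern fills every later mainTemplate.json hunk in this patch (`entityType` ahead of `fieldMappings`, `identifier` ahead of `columnName`, and the `customDetails` block in `@@ -4103,32 +4103,32 @@`), so the rebranding change the title promises is buried under several hundred lines of no-op churn that a reviewer cannot tell apart at a glance from a real change to a rule's data connector or entity mapping. This looks like the package being regenerated by a tool that emits properties in a different order than the committed file; regenerating with the same tool version, or sorting keys stably before committing, would keep the diff to the lines that actually change. If the reorder is intentional, one sentence in the commit message saying so would let reviewers skip these hunks safely.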
@@ -1204,26 +1204,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "DeletedByIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "DeletedByIPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1307,10 +1307,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1321,26 +1321,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedUserIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedUserIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1424,10 +1424,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -1435,26 +1435,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1538,10 +1538,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "ADFSSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1552,13 +1552,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1642,10 +1642,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1658,26 +1658,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AppDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AppDisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -1761,16 +1761,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1781,21 +1781,21 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] } ], "eventGroupingSettings": { @@ -1889,10 +1889,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1903,39 +1903,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP" } - ], - "entityType": "IP" + ] } ] } 
@@ -2019,16 +2019,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2039,30 +2039,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -2146,10 +2146,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2162,26 +2162,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AppDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AppDisplayName" } - ], - "entityType": "Account" + ] } ] } @@ -2265,10 +2265,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -2279,30 +2279,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ], "alertDetailsOverride": { @@ -2390,16 +2390,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2410,17 +2410,17 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -2504,10 +2504,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -2518,26 +2518,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddressFirst", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddressFirst" } - ], - "entityType": "IP" + ] } ] } @@ -2621,10 +2621,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2635,30 +2635,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatedByUserName" }, { - "columnName": "InitiatedByUserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatedByUserUPNSuffix" } - ], - "entityType": "Account" + ] } ], "customDetails": { @@ -2746,16 +2746,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -2768,26 +2768,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddresses", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddresses" } - ], - "entityType": "IP" + ] } ] } @@ -2871,10 +2871,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2882,26 +2882,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "Consent_InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "Consent_InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -2985,10 +2985,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3003,26 +3003,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3106,10 +3106,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3124,26 +3124,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3227,10 +3227,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3245,26 +3245,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3348,10 +3348,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3366,26 +3366,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3469,10 +3469,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3487,26 +3487,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3590,10 +3590,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3608,26 +3608,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -3711,16 +3711,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3731,26 +3731,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -3834,16 +3834,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3854,26 +3854,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -3957,16 +3957,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3977,35 +3977,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "ClientAppUsed", - "identifier": "Url" + "identifier": "Url", + "columnName": "ClientAppUsed" } - ], - "entityType": "URL" + ] } ] } @@ -4089,10 +4089,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4103,32 +4103,32 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "OAuthAppId": "AppId", "OAuthApplication": "OAuthAppName", - "UserAgent": "GrantUserAgent" + "UserAgent": "GrantUserAgent", + "OAuthAppId": "AppId" }, "alertDetailsOverride": { "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", @@ -4215,16 +4215,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4235,26 +4235,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -4338,10 +4338,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4352,35 +4352,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "targetDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "targetDisplayName" } - ], - "entityType": "CloudApplication" + ] } ] } @@ -4464,10 +4464,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4482,35 +4482,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InvitedUser", - "identifier": "Name" + "identifier": "Name", + "columnName": "InvitedUser" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } @@ -4594,10 +4594,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4608,26 +4608,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "UserIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "UserIPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -4711,10 +4711,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4727,35 +4727,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "AppDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AppDisplayName" } - ], - "entityType": "CloudApplication" + ] } ] } @@ -4839,10 +4839,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4855,26 +4855,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -4958,22 +4958,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "IdentityInfo", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "IdentityInfo" + ] } ], "tactics": [ 
@@ -4984,30 +4984,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -5091,10 +5091,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5105,26 +5105,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -5208,10 +5208,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5222,17 +5222,17 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -5316,10 +5316,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5330,39 +5330,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "InitiatingSPID", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "InitiatingSPID" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "DomainAdded", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DomainAdded" } - ], - "entityType": "DNS" + ] } ], "eventGroupingSettings": { @@ -5453,10 +5453,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5467,26 +5467,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -5566,10 +5566,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5577,26 +5577,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -5676,10 +5676,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5690,26 +5690,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP" } - ], - "entityType": "IP" + ] } ] } @@ -5789,10 +5789,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -5803,26 +5803,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -5902,10 +5902,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5916,26 +5916,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6015,10 +6015,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -6029,39 +6029,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingName" }, { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserName" }, { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6141,10 +6141,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6155,26 +6155,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6254,10 +6254,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -6270,30 +6270,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -6377,10 +6377,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6391,39 +6391,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingName" }, { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserName" }, { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -6507,16 +6507,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6527,26 +6527,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6630,10 +6630,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6644,26 +6644,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6747,10 +6747,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -6763,35 +6763,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "TargetResourceName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetResourceName" } - ], - "entityType": "CloudApplication" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6875,10 +6875,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6889,26 +6889,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6992,16 +6992,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -7012,17 +7012,17 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -7106,22 +7106,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -7134,13 +7134,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -7224,16 +7224,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -7244,30 +7244,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -7351,16 +7351,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7371,13 +7371,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -7461,28 +7461,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "IdentityInfo", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "IdentityInfo" + ] } ], "tactics": [ 
@@ -7495,35 +7495,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SuccessIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SuccessIPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "FailedIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "FailedIPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -7607,10 +7607,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7621,40 +7621,40 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "NewDeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "NewDeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "OldDeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "OldDeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceId", - "identifier": "AzureID" + "identifier": "AzureID", + "columnName": "DeviceId" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByUser", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "InitiatedByUser" } - ], - "entityType": "Account" + ] } ], "alertDetailsOverride": { 
@@ -7742,10 +7742,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7756,26 +7756,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ] } @@ -7859,11 +7859,11 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs", "AADServicePrincipalSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7877,40 +7877,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName_creator", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName_creator" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName_deleter", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName_deleter" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ipAddress_creator", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipAddress_creator" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ipAddress_deleter", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipAddress_deleter" } - ], - "entityType": "IP" + ] } ] } 
@@ -7994,16 +7994,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -8016,56 +8016,56 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorID", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "InitiatorID" }, { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InitiatorSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "TargetId" }, { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "FromIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "FromIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIPAddress" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { 
@@ -8156,16 +8156,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8180,39 +8180,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InvitedUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InvitedUserName" }, { - "columnName": "InvitedUserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InvitedUserUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatedByName" }, { - "columnName": "InitiatedByUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatedByUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -8296,28 +8296,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "IdentityInfo", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "IdentityInfo" + ] } ], "tactics": [ 
@@ -8328,26 +8328,26 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -8431,10 +8431,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8447,30 +8447,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -8554,10 +8554,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -8568,30 +8568,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -8675,10 +8675,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8689,30 +8689,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ], - "entityType": "Account" + ] } ] } From 15288e9b7af218c4b6de670ace615f68d980df37 Mon Sep 17 00:00:00 2001 From: v-prasadboke <117061676+v-prasadboke@users.noreply.github.com> Date: Mon, 6 Nov 2023 18:02:25 +0530 Subject: [PATCH 09/17] Add files via upload --- Workbooks/Images/Logos/MicrosoftEntraID_logo.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg index 0ed35fb73bc..d1b6eaf8163 100644 --- a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg +++ b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg @@ -1,5 +1,5 @@ - + From 36d955227aad9d4afe8e6de9197185f9af849d39 Mon Sep 17 00:00:00 2001 From: v-prasadboke <117061676+v-prasadboke@users.noreply.github.com> Date: Tue, 7 Nov 2023 10:56:40 +0530 Subject: [PATCH 10/17] Delete Workbooks/Images/Logos/MicrosoftEntraID_logo.svg --- Workbooks/Images/Logos/MicrosoftEntraID_logo.svg | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 Workbooks/Images/Logos/MicrosoftEntraID_logo.svg diff --git a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg deleted file mode 100644 index d1b6eaf8163..00000000000 --- a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file From 796b2706b2907293d0e2b580cf851d6cd32fd5b4 Mon Sep 17 00:00:00 2001 From: v-prasadboke <117061676+v-prasadboke@users.noreply.github.com> Date: Tue, 7 Nov 2023 10:57:50 +0530 Subject: [PATCH 11/17] Add files via upload --- Workbooks/Images/Logos/MicrosoftEntraID_logo.svg | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 Workbooks/Images/Logos/MicrosoftEntraID_logo.svg diff --git a/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg new file mode 100644 index 00000000000..0f3f7275d02 --- /dev/null +++ b/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From e0cec15d87268e79272a46d7e0a6a4437f27ff2b Mon Sep 17 00:00:00 2001 
From: PrasadBoke Date: Wed, 8 Nov 2023 21:23:08 +0530 Subject: [PATCH 12/17] Rebranded azure active directory --- .../AzureAADPowerShellAnomaly.yaml | 6 +- ...tenantAccessSettingsOrganizationAdded.yaml | 2 +- ...dinAADGroupsOtherThanTheOnesSpecified.yaml | 4 +- ...Sign-in Burst from Multiple Locations.yaml | 4 +- .../SuspiciousAADJoinedDeviceUpdate.yaml | 2 +- .../Analytic Rules/UnusualGuestActivity.yaml | 2 +- .../template_AzureActiveDirectory.JSON | 2 +- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 93890 -> 94678 bytes .../Package/createUiDefinition.json | 16 +- .../Package/mainTemplate.json | 666 +++++++++--------- .../alert-trigger/azuredeploy.json | 2 +- .../entity-trigger/azuredeploy.json | 2 +- .../incident-trigger/azuredeploy.json | 4 +- .../alert-trigger/azuredeploy.json | 2 +- .../entity-trigger/azuredeploy.json | 2 +- .../incident-trigger/azuredeploy.json | 2 +- .../alert-trigger/azuredeploy.json | 4 +- .../entity-trigger/azuredeploy.json | 4 +- .../incident-trigger/azuredeploy.json | 4 +- .../AzureActiveDirectoryAuditLogs.json | 2 +- Workbooks/WorkbooksMetadata.json | 8 +- 21 files changed, 370 insertions(+), 370 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml index 17454ed649a..85580c99010 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml 
@@ -1,5 +1,5 @@
 id: 50574fac-f8d1-4395-81c7-78a463ff0c52
-name: Microsoft Entra ID PowerShell accessing non-AAD resources
+name: Microsoft Entra ID PowerShell accessing non-Entra ID resources
 description: |
 'This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
 For capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
@@ -27,9 +27,9 @@ tags:
 query: |
 let aadFunc = (tableName:string){
 table(tableName)
- | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
+ | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Microsoft Entra ID PowerShell
 | where TokenIssuerType =~ "AzureAD"
- | where ResourceIdentity !in ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph
+ | where ResourceIdentity !in ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000") // ResourceDisplayName IS NOT Windows Microsoft Entra ID OR Microsoft Graph
 | extend Status = todynamic(Status)
 | where Status.errorCode == 0 // Success
 | project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
index 8969ddde21c..f20620b641d 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
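Review bot: `// ResourceDisplayName IS NOT Windows Microsoft Entra ID OR Microsoft Graph` on the new side of the second hunk looks like a search-and-replace artifact rather than a rebrand: the 00000002-0000-0000-c000-000000000000 resource is the legacy Azure AD Graph endpoint, whose display name in sign-in logs is, as far as I know, still "Windows Azure Active Directory", so the comment no longer matches the value it exists to explain. These trailing comments are how an analyst maps the GUIDs in the filter back to what SigninLogs actually show, so I would write `// ResourceDisplayName IS NOT Windows Azure Active Directory (Azure AD Graph) OR Microsoft Graph` and check the rebranded AppDisplayName comment for 1b730954-1685-4b74-9bfd-dac224a7b894 (here and in the same edit to UnusualGuestActivity.yaml) against a current sign-in record before renaming it. The literal `| where TokenIssuerType =~ "AzureAD"` on the context line between them is a log field value and correctly stays untouched; the same applies to `connectorId: AzureActiveDirectory` elsewhere in this patch, since connector ids and column values are identifiers, not product prose.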
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1136.003
 - T1087.004
 query: |
- // Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
+ // Tenants IDs can be found by navigating to Microsoft Entra ID then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
 let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
 AuditLogs
 | where OperationName has "Add a partner to cross-tenant access setting"
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
index 3878ba80c5d..c413f5988c7 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -1,5 +1,5 @@
 id: 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
-name: Guest accounts added in AAD Groups other than the ones specified
+name: Guest accounts added in Entra ID Groups other than the ones specified
 description: |
 'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
 severity: High
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1136.003
 - T1087.004
 query: |
- // OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
+ // OBJECT ID of AAD Groups can be found by navigating to Microsoft Entra ID then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
 let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
 AuditLogs
 | where OperationName in ('Add member to group', 'Add owner to group')
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
index b71215197e6..22e528f1544 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
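Review bot: The rebranding inside the rewritten comment is only partial: the new line now says `navigating to Microsoft Entra ID` but keeps `OBJECT ID of AAD Groups` at its start and `the list shown of AAD Groups` later in the same sentence, so one line names the product two different ways. Either rename consistently, e.g. `// OBJECT ID of Entra ID Groups can be found by navigating to Microsoft Entra ID then from menu on the left, select Groups and from the list shown of Entra ID Groups, the Second Column shows the ObjectID of each`, or leave the whole line as it was; the rule name in the first hunk of this file already uses "Entra ID Groups", so the former keeps the file self-consistent. The `Custom AAD GROUP OBJECT ID` placeholders in `GroupIDs` on the next context line are untouched, which is fine since they are values the deploying team is expected to replace.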
@@ -1,8 +1,8 @@
 id: d3980830-dd9d-40a5-911f-76b44dfdce16
 name: GitHub Signin Burst from Multiple Locations
 description: |
- 'This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).
- This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '
+ 'This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).
+ This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index 4095d1129cc..b823ea6fb56 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
@@ -1,5 +1,5 @@
 id: 3a3c6835-0086-40ca-b033-a93bf26d878f
-name: Suspicious AAD Joined Device Update
+name: Suspicious Entra ID Joined Device Update
 description: |
 'This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.
 This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.
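Review bot: The rewritten second description line still carries the typo `thie detection`; since the line is being replaced anyway, it should read `the anomaly based equivalent of this detection`. The new link now points under `Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/` on master, which is consistent with the renamed paths in this patch's diffstat, but it will only resolve once the folder rename is merged, so the description and the rename should land together. The `connectorId: AzureActiveDirectory` context line below is a connector identifier, not product prose, and correctly stays as it is.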
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
index 5cdc6f7a6c2..b5af4883ca3 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
@@ -49,7 +49,7 @@ query: |
 | where TimeGenerated > ago(queryfrequency)
 | where UserType != "Member"
 | where AppId has_any // This web may contain a list of these apps: https://msshells.net/
- ("1b730954-1685-4b74-9bfd-dac224a7b894",// Azure Active Directory PowerShell
+ ("1b730954-1685-4b74-9bfd-dac224a7b894",// Microsoft Entra ID PowerShell
 "04b07795-8ddb-461a-bbee-02f9e1bf7b46",// Microsoft Azure CLI
 "1950a258-227b-4e31-a9cf-717495945fc2",// Microsoft Azure PowerShell
 "a0c73c16-a7e3-4564-9a95-2bdf47383716",// Microsoft Exchange Online Remote PowerShell
diff --git a/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
index 0cb9fe2fcbb..d0a6f2c04bf 100644
--- a/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
+++ b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
@@ -194,7 +194,7 @@
 {
 "title": "Sign-In Logs",
 "name": "SignInLogs",
- "infoBoxHtmlTemplate": "In order to export Sign-in data, your organization needs Azure AD P1 or P2 license. If you don't have a P1 or P2, start a free trial."
+ "infoBoxHtmlTemplate": "In order to export Sign-in data, your organization needs Microsoft Entra ID P1 or P2 license. If you don't have a P1 or P2, start a free trial."
 },
 {
 "title": "Audit Logs",
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index f0cf87377021fe150699a558654024978de2af42..8a91c6a2c525cc3334239e756a859cdd92c6aa3d 100644 GIT binary patch literal 94678 zcmZ^}V~}QBuq|4)ZQHhOy9-^mZQFKr*|u$?%eHO5?!C{A7w_GDBEDZ=#8^3Vc)=^gsU^IvDFa8LOI$7@L^em^+!<+R#}z z+S(lOTH3BlBy7XCe$U=)R9y-rSsmkQyX4j-Mlp^JhGj#-%@LTz)0VN5WKNJ>nwbD^ z*tY$0={YDb$G4JfG$fBox&RX-ivKLFu69*z`TBVFHMBbCcj7_D-1Zo3Hc?eQ5fAit zpPzA?E+Im8Up)5xU34-+)o}grv!-X8KP*BiOWK~1g9fx_@O+<`F}|&`aQvPAtTCa- z__N16`MY+ppv{CwUP*CJo8Cy9s)|h2SHcjScxCuF|2G2yn{L`SVD@>g|5~h};}WM8 z$?}bo4Hji;!=;p+3GXSfBg3gc6WglYGWL+YYE-rMx$x^0$HX|_d%j=wo+1=FZ!)^P zNheP@(!ab%2>S_k?~-GcSzRXhn*u?pzh(k?wOBrUy;y1;XHhlNG9mqV_Z>CB zJm2}$(K!>fmI*07c;hPY%($C?b(Ad^+)`2VD>>rG>F^mzSRH>pYScyaTA|u{4{`wv zZoL^ZXn}C^S>#Hpz*ydZ#6S>%VcoPQ91}?yQSM14-}eV#t!ghqa05^|4XFtl*@ik3Rm}J|q6AY>;~GP~{77aP0+8TG6GgSh zVFv17?BIQRQjxotIKrLDn<`})kSv=fjQ}&7y=4()Xw;jdF57M(KlZbl67XaE;4`gZ zO=zN+F{W98j6#|SDES2(D`SUW!8xtl$DHQFpp2dzp|u5oG_CJ=h*D^*0z|^U!+#H9 zj2H*iKWP!o;zRPvqCU$4CRFC9uoFG$&!YxeY8y0$Si`}s;x6ZBo<#l5>vEows`GLH z@C(K2y}_2u3I+e4RdIN z?oxcoNShd74LG`=wayKOlgO?KzMVoQD&c#?99l@Ob!$H32|lLs1f&^c7b@FF*Xtdl zh-SILRs@~GAP?Y~rjI|D9+|*UskCnj@{6*`!gy z`u%qO=$TO44<(_}a(618a8 zWOtO8@cS1DWvQhE{+P%tF?2>5^(fCehvouEfTAbZ2|-}*fKH*htI7sA@gKv=D-LVD zQRv(u1gbv zhzjg`X=e>al;)m(5eMGSEfvfyxy0%-pDh}$7gTMTMG~0%zT0Dme0hh<#WxGulUFbi z4Qdc4^oym;`nb*m!|d-R_5&ALT&Oy5v(lbk28-<{k?+ZYppxR++UM`)|Rm z`ly7%FGh5?CGk(^KFa4pZPhp_2G3oNRQfpFC5XrNNuLF}lcc=eCah+RY? zI1Jo7a{etW$mW7Ek0`&9n~8`A+?2u=BhY>%I}%L)Hk04`txA5bya$Mvn(VyQ|M?aX zwM~$-a!XD8WkRzJtE|r2{=(zD=}qi(rH7wbGF+v1x`Q~MpG6TST>T~0 zGQk1=-MH%wdZz|gSjDXdC`%HkI?bhVB1S$#Tt+skOvY$q z0FfSqqwwY%C&%@~YVNCp?Ed6P-dc2n z{`vU~>$DcRp`J-rldzle{-p2|Erw~NJ1saCwdF&hh*}}ez4)*CMgu6zVBM8|i8pF3 zZCJMNQ`%~gpVLI;CSlgNn5l0g?53YIKIDlbEVzjmD~#+K9txC9wh>txy%fMLQ(~GnhYTf_1Vkh zJy%SE;SGGAF*z`7hhREu4*GjZ0&vCg;#d@H7&kj`nf_FQA=OlPJ>ne@$bC7!n?G3? 
zq6i@qbeWAPnVfA%E3G~JXBwKwH9pUK~)x_6E`FgCpg~O`H2VqHQx4 znUEU|as-gw9|BdNuHE+SPJkF085G0CTA}IMJyf}cKnM5LubIoL%ynE7)w;5Kq zi);ZTmdW{FFNrRn7wxX&&fh>M@9>e)C}L*ZBFBN7gkyAp2U%wFUT1mO+D3VdwdeC7 zlBPt<94uAP&RxqC)xGvHNWi2go-XbT>jzUNO4hFgZq-DBP|ou0utM#P!-}Wt8va1k z;b$dI0P%s!9s-9`!wIt^a)ZVNve*Oyx1gh2nSGfMk1@*ZOQW7#!NlX`-843BjVE#^ zb<1F6{ladv#le%?g1b|KY3MTmQ~>}ekw=Peb)ag%16V+a(t+>PF2at*MtE}0__?bz zCOv0rbe~GLXbl!hY8nGTt!u#5AI0wWdB)iv7eV4>}P z@r@$1eUXIXZ)`4jDm$e*HuGYYCMrW1o_KHqCIFFQUl3r8dVn8DID$lM|=z%EMV@QxoXN_A4J(~%1hzkX$1FzJM?*q$v)Q~&&FRt3Hj zKyoJ3Lw(`r5qBC!j;w%f4$}HcHGzH`Fs_1 zIZx(n{^_w2J&AzuQADuq==5oAjzxEPq|{lo5^k{}0{6n2{3DwG>rn0~y6`0%uIME^ zvi&q4MCjOvo+(Dq6JfV?3d4hI`j;!F+a2_38Ug$yg8vX=8aYTuzD9q@>TcUes4QT^ zFaKaF!#?;}jM^}07|aUX=oFL-m!#;GVNk;;l$qN8770;9fLA8G=qF!fR3J#WJ)9vn z38p@neT;=c1%mL#IHcSKm9_H6VJST5@%a5S z>%rRaP$0PoOv2heJ$x&_1K1OYIopen?B1O`F8xqdOUq12fye|#0FmgoCekYl8t9`B z{bPFre1wz6E?uSuBz70^r#>3Dlyb&OV~jJ`uE+@7I=>JIX6G5TO8us!IZvehCRTan zol8bQv&#ZinOhVT6DCt;8!Ju%5|Jqd;u-op69_PMKd{IxK4P~3bd|4yu{8=P?UFI4 z%7>hO3!F?+9S&w# z%k0`=m;oe?gEo+NX@)$*9IZh4!3OPs5og?GiwG1Bh$Srd!*^gHbk_7d3bV!chqTT( zV0md46tRc`86(45VBbNrLqiKl=KlN7uPr?)zNJ|EoyUk#Po0QSoQnaKMJ|aLjQ}9k zre3EcerPXv7KwJn&2ow z5L@Yv1iLFOF!GOe*|*qbX5j4>$tjAc!bR|uXOkQbUVMKMtBMm3_YZPIu; zk52m13)KeUerX{I4*LXBeYT(_PQk5h48f4RI#CrPG*q!)!+=6S`k5SP&Gnov_2~tM z8Lf4_$g^>XTablZJr2{&6HVvuRpd9xM2QW2s&g9PQb`;#ABu9J9IFn~7*+C%nI=cCCk zeOaOAstIY3pw#pA@RDWCA}@Ff)t{i_K5cP$n(_RIcdK|6LhXs8QKyWWjs#~Z!szwW zh>k$odC_%Zk#4*Gsdu7pBhHs$3*ZJXSceuNJcwyY~P|=YO&ptfu&qplxrA?0P*sq+5 zhNZh_A8>FpU1@Q@pQY}Wj(#Kx?IaFHsM}}>f!qS`*AX+|6&xs&Fzlw6Ux!#-RLZ~b+Ws`U z9Shyuvz*7k@HVJo8}}vjC>qay11Ry4fo4kdjpgvu*VZtA;HEJn7o}9|AYXEm060o1 z9yQtJ=oo02?u3JzkIiRRhH$0>MunS-TFBTo={=y0pgBTMnbrDe=++ED@{bMJd(E2) zn^@Q@Tv9T#*0ZrBYk^o#IT;b|aET8N2J@&7mVq%WfGsE!0KFt#xc73Rg)1HpLUU6a z8`+2eGw9Hbvr-Ry(w%$zP+7)_{{Yw`XPT-Tt$CZ5iR+?{myUqO!jKJs?4vJ_M0JZ$?IpkO$atN)eLUFaql z33f``kyfp-bO9n|X&4@RTWN2jJay4TUvC`&32T^Wc@pE5cK?iAxiQO%XE@AsoltK- zT3VciYI|Yk25n<2)Eu*Y*qCNB1 
z*+Um>1mZ~b@E}l0{`*bu*HO7`3T{NJU;sI~BLvB0Lhht9A#;pr$L-*$y(2b6q9z#< zs82HonR~4 z0(;YY5Q-Q#mnQ*rmS|wArU6)Dk4u@-d%XQS{L;t#$JwsSJX2oC&M@2xWB?iYb;2=t z3RWXByW5ISYfsq?Whw$NPF2anZLz zGD8OlnJscnWrKCOQ~MrY7}vL9p@|;~6nz|1plVSuCBV|Kgkm2YLpsFlDhl*7=SkS@ zM8pI0HAsQT+JJ05tr&imG;JnVAVk6b!g};H9sss_si-GKCu*y|wYJhePAb-GkT|Oc zJFG<+4CiTj3@?TlDqLXnrqDLCctK4pd&jQkW~>Hyh1~+p9S|9fUkcP~dxMVbroCz` z1A0CzkdEhMcvi9b^bORLQUaw_FluGk0lLyOpZ>}lG7|>jfC+-)E)aO#VejdVga=K!Wlk-I9l@O!iVEmW$pmuo|^i zoFnF^EMtTo4~vdyH8&civ!AK<6T_{LE9J#E5^^0)?ultJ3g|9Iflh1*Ibc&w4qmVTZi+k_|+zyL#<+KH#72E@*oehA7F71f3m2p>Oagd(DAckA3$O`iXXGMx1Hm21K z_eDjtnn4w6Z8q?26G92+3r)N>E4;?G)e#3Bg;uUB=bm{>bQAp5@>L@)=y0k~UCF#G z`|E2$Wmn7}ml zt!Q(7dlp?@YuLD^=i!5)idCOM@R2DQQq8E(y8dG2eIZMDxFV{vGyvoy;AJ0EP5ccr zmd8IHI|y=KKxtBTi)Q0U<5ESXSr4IOT|t5E-i-9Gec8e>TxHt zlt}_82_?1Qpu9AgGHoQSQMQV1S#YV1J1pXno~EV_3a!G7rh#qQp#9Vj+U{+r;oz&f z@1{1bXj7JP*;?Sdc9(hs(+C^UQTfJ7nbU92I9&kT;8>;35U!7zYY?R(;Wvi!0Mp5Q zL5Xc~C$uu&@v+l@!FN7`OU7+Ksy<)C=k4U>E!?kcJmnidE;`)b*!2nl}?(Kw+F!G0Gf5^@}UI_p74s_XmkK^+dqQuJG#g?*no z6)&J;mgQh|j>gD)e_YGxKH`SMN1Bkm53!P^2kHbE$~)(=m*XI6}K6j=@861Z`qz_8DYwQ=;v{Uj^mkuQzB`Yb&4f zlJ-)iVc#1WwtJ(TzdHCMICxI1E42Yw31u(jV8E`HinZUjeBMCq@JShyRg4-;szFty zQ+7-O^FM;FN{2G^17mD59~{;9RM5@MuN~f*H=%jLA*#@3E1fd)th4J;*yA7iXb=ci zG0kZK_IPp5-iCAcTRVsKmaC|)W<=deRkbzI2mbJpHd61@#XXX;5F|^Xd>{%A4Ar;h zZ0dNrnFFI4;$^4{z_N*CZp^#t$9BEtESCv4(bi0aHeVjV77g#wQ4dx_=1IpIff)kd ziH_Os>vgr0LW%`}Pj6?vPn3UZ^*;utXvYBSeaFp1<7Xo5fuFB|`%-~NZ zO*zJX3rjs;MWbF`vy7JUSFi5h3j5XnQTg*3$;eUj>8aq14a;vukhhxd?#2MM5{4O_ z0qlj5>NBIX$}63gAl+vPogR)8ofK{DljukvHGhdJ9iL8AP}4G#QS?lNDdy`v)7HeLE$Ki! 
zF}bu6Dqt|>MT5@N<@k1roiGoTKkrvQ`gCKSM@y!3ttXyRvMI^wxK&%kgQ%w)RC*jS zJK_Cnq}bh#wzR6bJpnUL0EV}aD~y)Icq;)q*=b%Qk2ob)*^{ZGJ~k6zuvlb1CA|l{ z5p}hjK*q^UUXQd)%}6JWZZ3fTfKnt}Pb->hZn=8}L|eZDr1#qwZb$H>#$cZ3xfY#*)I*U*J^2%o-fq4;RFlCN=mV4#H*cKTtEje( zKgQEN&r)Joq)#^6^|TL=_koxr*_Wj?On6$S6A&@fC@|=Ys&T$($(PJ2MB#ta;zABi z#3~?t#y8^;i$CnKTxxvQ4bpy0(XNHD!syBHW}mN`-raDD2X02iwFx(2*x)jR%79KLa$Ue|D*l4E?n zMT%=_Qd~2_=M$XS!_heQqwH>Cf@Lg<47f8{dYQ!bbv239w8QQ9_GjA=F-bY(=`i!X zqEa}??5I?T9zGjT-(a3rPnJq5q{g~3H>i=0BbZA@EctV7UcDL-$YPY}u98pvc!&ol z<;+!4G(EFzLGkA~1HO=Wia)u&wMe3&S5);$^|w86W*rs~L{!C*Ow}TQmyphwpcAUk z9%`Yd9BOd@T}~uEk*xR%Vx7q{eT^O-q;p(nfrE=s`6T?i(kgANiVw+txO2dk1uJ^u zLP}N|`nsR_)EfqpBVd%MRI#4A$Qc8#Bira;dI^- zEM~{dwH!Y!x@~Cs_)CAs&S07TSS&{?zLqEU*Uz>4WRA_P3u7 z@Pdx(ZY+vTOx=ulWJKKvp0J*SC_Fo-R+|C%NZJoEIh->aTc=!QZ8k;~`b#`30!E6> zPE<63o!}Gkoc=qw?mTMHD5-ocMTLv{cN_MZVamB?BIAPNKwKEHQBP5hgPj+XvhJ`9x<*AnQ|>2=dLxDvAS8DK{oowvAVDAP_$0B-Kq32v zXZ4x%5amH_1$9R_vbGg>%D!IE%}%7%VCX zL1kXjnyk@$Gl#xI`mqW9C9kKa3(zvBY_LWp`eCPJj+@u5RBSq?)YfepuI8FIO#-V9 z2@y3lCh+Hu&zBRQafWpJ9JcUY&L-YGS5uzTknAmO_V4zv@LT3iET`(xkw`&T-=74g z!D$C7mag!Vf5hD{@xEEwmdywQozzxZYbhMR7WbW~b(vWQa;>YL)Av{egLLXIdidV4 zd1PnEGliS_$tBvG#MA7e7d;`^+-FO(geAJ=qSifi*>rCV&$ONjsVTVX3uPB(P{Q;QW`EhHnE5e}%<@H=lA^5%_&s>0x{l45}wfrh3Z z#s(bJLQ$2aU8CH&$Pc1&W|H_a<69!OgnLwJ-lTkUmoP#Mis2N$sz|&mRFW$0kNoM$ zQ1EWB=R<>``qI8bJ2?Ut@?az)9zDxwnH;+!o1$pzy-C5DFTw^_Toj3o=4`oCed3Tx zYx?RiRgR2=+GJx`z`L=qw6X$WNK8_1UN@qbw}GL7Li1wJAZarRrS|@GBO6aX0h$9B zTX8{&R!1`?WgBv_wf*BMZ*XBTGs$I(Qn zYX?8M9icsi>8-YZ`ciQ)dOd7l)=%Q^+J?@~ivhWVAOVH6c_Y~}-l7DZ6*zITt>L=f zx2U`}kU%mTm<$~TiX#{UNvMgR>?8g|>RA;FE%Eb~ry)VI^Y!r3!kj}H<+`&>*3z_u z>#l0k&a+SB0~Kq3`m5?CL^%1Kl^H;siZ(513mNUh$wZ$N>8EonXco9K0E9;>xbOI` z_&Qg{FBNvGJ1D7XN69XtZ2sML?%!wL`Im9nbNQ8Vl>wpDXzVken)l@hNOLQAgqSLA!nEnJ3LuS=Ff}1HYP73Bl}4pQl1)!#s5W?9#dc*30T?Gs z>5%HM@#iU2^W^E+t4?{!qv%GkTe>iSpYAI=?6RHDMI{=C38D(SA4hr+hwIt<5`%v zL?&l{e&g;BAG!4YL>OaTP-_{NtS(Gi<}S0Y2xknYZGN+tu3Sh|tD=-#&X!hfalOca 
zC#26D{vgSn$(K)9I)YoyxK5Jn$SFFjYOLQCvl*T3?P}S#780OAm5KB!Mpsas!+MFJ z=1g01DXTSnB=D+g376~zV(15CcQZPA(i4xTZjEhvzqNFagKydLfV3N&0No*)IT(eY zCCr=}PMUf@+9SYld>7sx2jbdZQ=vEdr*m{Di68VmA>Ry}G(L}i^w&*xThs2+AlYo^ z)a1pLRsuPuEay4uyniiJt7KbhdeYacUN!^mcqTQhpF8J&3a`2HlNyjb9Fo`JU9i*sXi02~;mkF8 zi<=9hqqJFiIi@i1(Qu^V~H@y!~)Wp%FMp&btrgWv_w*uu?2~UsM=#JKg7x45t<`N6JcaB8+(gLC<&m7IgpT%5RF(6)!J_R}$H@fr?^ifsS z_(c0^h60t7aIl_WLh&X0+vnk%)EbyGsI-6)+Q=nGGN zcsV7?%)Tg(B4GoDga^{iH?d5D#OVa;K8F0g1qMS+pyqY$9B+@LmzAJMQ5xfbpAyIn z4Xn6&a*&#|7622QCod80zZ|C46jhHBNrt#$2VotkA1Q`pW9K|*gPAFQ%}2H}lD=7s z#<&lniTpn7H;CL$Tg_k0lCk9*UTsZ1@Kz#JM*B4PTIU}d4V_M~TwCp4_kBwcgGUba zDLkL;NgXqNO@74t#$VuPB6;gGP&g6KWW1CWOSN38kK;%JHpom8Y>muh2j)Yjk>6NbBKa{TkYID z7y=@_yOl9SNs=*)P9Ah3Uw+oztlPN;Y|xq2);gIC024IcXEVV(<~OU2IToCL#Nr?;Fp@JNNCA>9 z)<*9rO}1#Xs9~=It>a6BqDJ>dxZp_utVT?1Bs1AOfWNkFUcq`&Ml^EoS33bL1_%r` zoM0_;(6yp&D~Hqh6u!Q^PeZuBRpNf&$qqYKJmWnt zw|^Q^v$#56^Kw@*<^=}arbh?iHAQIS(_I2pF9^ilN+5na@+lX0ov7z^`BSxE{J1Y_3IMAf8- zm{xF#L{B&mY)+BQQ4_(HSde;^I*?kVV~JU>$Ms%Aa+)=h+OYS+aUg2aD<=)Q>6>G} z96fpKO7y9)vEn@lEU}cf;_X^N$ejzwwITFE=kTjFUX`9+2#7paM7AlPy}_Ys4Z<(T zVlnUxxCt5cjqP#2qNw3($Xi#sl6~`vSAO1&P2^<2R~1jg^mJL2)vG|9MR#}F$ifFT z##MqT`&$Zd7KuR5gE=b&-T1z9pNDzN=tZlAS!O?;Q-1vS25*1I;1^x6Gw~0qOFe?q zXG!;kb}AHeT)?e?aGvITCjmsH@iJLFsR|{8uX={*J1A}W@m&ut(2wG*wS=$bT4#|5=NPgv$C174xU{!=@ zb^sq^*}(CTrN%~)J{B~F8csP%O#H>4g!)3&$5FSpPMhkSt_NX0)gkv%zh_fNXt$eK zX02$t*LvrBpEcSsmONgD2N$9YMWjcyhl6A+56Rq#Kz zd$OO0(S1n@@IeAro#EfXOWMBNhIa4u(fX$EuC8UB*bsznz}Pk}0=wK2793>X!}CyO2-qJ?G%R z1HvvHdX$hpH<^3`+@%3-Py# z0|Lah!U7=vxm0PbZ*HSvY;9-t=W69Y*C{8nEo1k^Tta%lM|}~<06k!2rhb3c|6;NP z4+k8vbW3;yAE-TFE6C1Kt0`>Wr}@}cCLx9G_+gYik09Icw}}QHd0dpEta|XH@auNw zyHTs_WjWgypMMSASF6jdXM6kd>)}ZDdF(v)X-Rh^_SWTl?Q8p!t@|l6Hq^R<9R)d% zK|HM!^7hK)-V^zG`*wdbdUIsicir0N`*5h@3Bbp(V`lvetEJ=dsF@SaJv!4DZk>O) z3)W@Z=qC0k@FTu!yJy=fbM{;7{nDgG@*P#{^6L7EZT+*yo5yE~+sm`_8eNw6uel<7(-yXpgoX=JhlX31ZDa2j3g6c6 zPdYa7)ytOi^>ag@=!C~h_S+|qZ$4YnUwm+ktM8egdY4n)9ow<%t?L`M-XF1-M_*Tm 
z=ryt8uVvdyi46{Bmd7pU9l~<--J2Kc&m9=LRU4l^&e(=w`c2!FR~I%d_3N=_J>PNi z{Wd*shnWL{vmMWw@0osg)h9EEpCy}MJ!2i8cOFe|gw;ze9o~(3=FUyN`070$&8t2u zo0|A@j8l4QJzaY5&lQh0sCzD-mV8EQHhj&y+nqYuE^hXd@3B|0{4siq3uOAo&$r=~ zd^-FlX!n46y59ITKX}+G;Iqf40&UrrD_UBfj-Ef)uJ2qiTk6!YuN@GpZ1-jF zAFuYlzHC$?)~)yuezSP5s=qXnsoP!;c>I!odaTygs&%}%RCE_UVLZ>L;i{^1JwN}^ z*qtq?asNx0{JCPYx~e1mlaJ2z_&if>(d_%}p7Lr$nVP<44Zf!PL@cE0|X7f+$^*43-AGY1~I6mt>U&ib=f-YXQ+xnsS``<^KnfG^} zdGc>uof|%H_h(Kfdf$h1HtW?RTVC1Etv)^5U7XG=9Tn;oKJ3nGaqng76}r^d`90g! z&pp2~+~QOhWUj4XC9S!8?vM9NE0)LiFF%>Tf3Dk`++NYWh0x4jPlNyNYWH9!x;j%e zw?*M;_i*;@_8SLQ!c)4&a}IZ1;Aarx(t0Gi05mq z0kL7~@o+}{P<wlg!ddv;l_d24g3@(Xeu!G80I-NVn$HEemj*_hpG;}lCe zFT>@!yJ>#kT|wuw*>|IxS)L2rGw;V2{ANk4a8xq!e`IF|J71l|Pda;T_%Iaw6uz}) z`{hwVZu+)w7VDf*9`&eU%9N9@<>QF1J`vwk66|ml#9J0W@)4T~ZrwPy>{ZEgqTtS= z9LKYXQ3KCq?5&{SJqx-7PW#WVD_}nC;d;V8H-^!O8 zi&2;P?aZgZcdoR991}`V>DNl#WgGh87bn2=gZU<)h2OY0<)GEbE2r;< z82Va5X?TdmqCx8lm?RVGQAm{XpnG(7Mr|phTBixUlp@yPh&%*KRbpC4w49>*+3gb!3Sy<=pBC6eaN z*B`e(fM~)@2&1g%&yb0)A6Jam4-&>ePdK>?(UK>`kdi+<`V$e6U67zET9i-`wbWE> zj3JES+bf80B$Rm4R0yLuA4s2%|4&eK0vag@=ojr)SXnG^;xJK0kXQ~yl4Y%4ii7Yt zM=p5MK6oM;K79Sr+g*srbcB$yQUQ(0SO$p&P)B`Dp;kyY!FP6ca6}v7WLGXq)Hrk& z`8DFy(bEs~`*5)U(jqT6IvW0e(G&lJp8ksl+(qLc=r0ed<$CIG53|Fjf_)AdOpAn` z;4yCj!z{n=^$#v0+)28*(bo8%bk+V%w>IN%y1Mk0{t)L#{cmA*uQ4LnRJ95`nz0FR zAoeDAQK4?ZNzK~zStiwefEaFIM9>eAhG{{(v}*N| z&yQS;K)SG&ThNGUom#*@Zk_tBXd1sKD0sL*)ma`q)`yVwA z_k%%N%tREvmX52J6yHg8)~QrvqqyRfB23GomL8Q%jSEvD&p`=y8!XQ3EeRx10KC%{ z!<7+(9fh_#6Ue7)Z6p@0h?#|oTh~a*D&bhhwm~{d5HC!0m5?e+_{oU=3k%F0s0A)T z0Cd!G)tLd4m4Lpt1~|MOxQUG_lb2zdBumeyxR|3UUKW&!l(XlS-ZKrbsRJ9GeOnPzRnS#(1ILs^- zA|a6cI}%B8c9=VmFI*CTsJLUMo1aV;0=j;I;7E(Wm>&DlD72kyK&=V+k*Y$X=E;Ig z3Mr9vQbsK3Vc_TC{Ynz#A%Z#mL%@FtvSP!N_(PEN%`HK`2SMPq7D_ZvK9#_qw`>bb zZhMM3oeMm_Ofk&!d5Gq~tx019_x0n*Z|?rhH2vR9H+cSJDnPg9E~4(YG3;R-gg#A> z)hUAWo)$?*j?+Y@C7of0@rNM0hks#3|H629|AA$A466KrDUk*efDsqpFH*)EwIuc&bWD+NfW>s|e~m<{5Rprh6_WN9Lm!gQ?o zcV1f*MzVtx=)~+f%;pz2LeT#pbAb-pvUt;?u;S2nF8oDwfE?yl3s~iMo9d)QsCk%2 
zYt!h(o9sv9CE|YndBq3>n+6}q^EcxE5BDe#vgK1CY8qSrR|cs#w_xOj_6?Isit)$y zbVM~u7BEtM1GNp}JEr1Z67f}|*sy0{CtLVAPbRs;K{hoqhi4oJl|arv#Q}5&oW_&*4QT`f z-ga^^m)M~0bI=o+ycAz}mqr*qAv$6%G;J9W)ksN&-H1-C90{5AuOtrtUrCfN6AR;|IZX{_JmvQY|76g^#5g^E<1?y1=B3E*#^W;TE){OMDqEZ(qE zXaSQyxZVBV`Bq_0bz^qcnslsE#`o2*38n&sASh8`As_|$%z*?A|HQS6Th*S%lMw?Q zwfcK%6Iho7I(~ntAlDjC(u+=%_ag`*vv>7hEBt%rzgGApknh3E^cz9{ zPtK~HmJN}QeNe(p;*G4fK}e%PM)wc85|=!xDY2dOF8^`lb|VW#rzefzhUKBV!7^qZ zLUBnvUbAklrZlF)1XA4t$SxM*|3z4R%8~gEBXHArC)J|QlR1b=WO51;N{56bwS+w4dFjs%`Oc}J9p>foCIaA>pY9LjFpu^Vvmm0yDoT@OK#_ZLNiPI6|!&Okyeb(x4KQnR&#I{weMb!TmpG0~PlQ^tbb&J&bgn zp4|Sj9I?Y;y%bEc#RDRMI`jC)$TJRbS+izYfbRb5$bC5J=-Iq-)B;xq?g@PcF=kAh z>UhLVQ(b8LUF399F_JicX59ZR#J@AHVMKmf*ZuJadWGFxgh7DPdmzFz)q%`pAmq`s zM6e{$0J^8we?ZUtVRSx+|A?5M)3Y4L0lOj~qS2iZ*RWlay9#2y&|6Z81xP%*d+*IFe73T<#|HnzT#dS#M?_^7^>776^iHlm;4C=ZF^9&d3A3mb0gStAhmTBqL!A!^L(TZlkp?WOpwB|Bhz1KNIKAXeQ%` z=b@txCJN+p*nUtB|t}YDqY;+elZ{9+Y{C$j~a}`qXxWd zI}x4imIbH%2U~Q2f65d7$CJBP&JEm^)l;yH%yWhu&okJUD6^4M`ho>e@ZA^U{tN1% z41F?`^QUbCa6OGQ!P=sSSjccyM8=K@gN|>3G;?Z{i+abPL<8UkdWz`C{$m2_#?s^w z{1LR`?PLze$28u(60<+U(&dbZ#sP!jDAo~DvLH3@M`_}J1*dCUq2}@w`mp-dg01pcm20S(}Y&X9kKB%hVlb?1FR zr)D7-2+1bz6DF{cezXkeZJ|q6U>22z$@sAVZSddS&=pG)F`dJ~`)7znv`040QHwH& zsk~%SqrPS&?U6Z`8!-I7j~5mGU(ntWS}57P_6|?u72E9^=e*A>v6xH6JRTTVama08 z;ZjrbWpzBTSZ$yG<#d0RjcT92GI6q936iCiaji2A2qVltYS}_GP01(oMk&pYN=Qn= z`n!$&-|L3@NC(Ly81zq6Auz`QJJqku5OV+No&^7S5` zC1^l$PoHI<7I7=Q^(w|joGwK_^ zPlBRO9XCw&o}7k7ELfjGlQGZ5jKrnH)}_IQn|c1|E=V4jQJ-E3$Y>wm%^i17Ib=#s z9>_~}9D_Q+1HY zTt-T=HA`nGtNg*%^(!5j$-sHetdpteEyMZx`k0o|II5nx@xq%f&sR?)>PA0 zRZ|~JOFxyS&LanE;SkERa(;7V9lm2=`In)$m-`{sa@ptdVxZQC^F1M(UH1>YZ6EJ< zx~mK@*W>C@f%q;DkfCpW&+GOLj)X$!FTDouP_xGsi3>u?g!ZC(G1jUCstV_JCgsfW zjONus88D>WAW4KB03#|*PA+-7$t5dmU)*&=)92^zUcQ;m-W+j_=T<@lhz+-R3eumO znnVb@_V+hoH#3{Wti%%sB%EQ4NA7gWHagTX2!_qGp&1uT4Pb}es(2xdvzp5&=cuiQA&J58;tTj zHaV)=O|PM%NojtY;&mPs9KhzA(z1P5M8!6-%;0s1qKOQPvoc@I)&dixv^oBw>$6I$ zcP4r*ZconW7D`~*A8o0|IdwwsQ3+sJ*yeePTOx*m)-2-~=7m^P5x=q91(*wlGTn!^ 
z3p3NDq-FHn@7?xmttZ_qrR~^ky7=qZMxH_!UI+VJhC82p_JYum8hOTS5*qS1B{97G zQ5mCL++8Jw1?KVu7BgBqxgnjt+75 z<&X={JsxajZ^cvM1Kb6}Qm#t3+XC*^9ljZ4B^dXQ^hAcZPOtPMT^BD%K6tpMcA3Z0 z;$v}yG&fgmo8~Rxff;_$u3b8}k3?Cz=$Cf>{&Xo@qIdPd<+vbo(O8y%Wv%t`kvFCn*9d!(6j=eu`pNG0_xK zAvr_CG^6K=B=w)EmOp%4L_vb}?O-4o%RpoDKX~8PF1;A-Vl4?wqN6=Waes2+aPHwa zwvlk0UO1eGsg1r($RxMP%{LR$@qnFIJ zVNGJt=La|X{PP#!t@5o(W!$)iVcq6f$tsOfGHq6a-Z@h|2AtBJ;K$G!joe|`b{X?- zR`W#H>w>-V*rf?h=oibIIoV~=H1Y1V@2emFokX+o7|vI}JLFd@!foFNJ~-qAjvQZiKDuM)7stmV zyJI)>+;BQZ_hh0}7xL+pek9gyuybTLvRgrvedh*OF@Nv4(G}0$0d91)GdFS@U2A<~ zw!xK6?6x+zp8Ec2qpKS4iZ-{JrcKV~);4pyve8w}-gG=|wX-Yz+S1KLd@%o^1IfJ>w~hI z#_Z;o+y`%5%PS}(^TxjH=6VC$UrKM8*Y+~I^-XJcMfGN8^Q)Z#Hmw&H(SjCoLWLv7 z2KL87%F-%3hbNR0rq_leODdiALhs+SrPUHvOJiqh;Tb61+Z7BPWtJ70eDU1d=c-8+ z+Jxf3??e;NO&XdeOs{wpv)!ZxtWwEB8!4zYwJW17d2&n1q+OY2D4FvzK-tO}2iXE%i9aVSw=y!J z9T(=2=Cv%ZX7y!ievx=pe=6cx?KThz)K2-YIgBRKWSHirZP>3(xdr}c%!(f~@)a_v znukk)D{6(T)ORl#Sb7EWLJ;_Ck+|5h-3Xl+-j$l8f^5=_A+vgV>QpV=WeHRjaw02d zKEZ2pF0OV-udtMF^b(%!&yY{b=s~ckId-<|!OPn>EIta zU;h(phIzd&TIb8J?}@@P*7Kruyvq7rY2B{AUdwejQzouRG?n7w#EdWRNV1IFPEJ^b z=E9OH+hHVIhz&&zvK&Op`+1b|@2LGcYQK(+@#`q?=SXW_7BCuAj0N*>j4&6NK}O z+S2V6r>fk|$Oaj&6_22V7jyP5n`4|-p*@wiI-72MR;lfkc1Beo;tg+im5tO!8;@0L zb%}k~CK`uTXk*bfZNrSeDzvP`u5R;;yDGIWcN17>vh%3MTjkqTa?iMt##!ZCS!Ih^ zIFe6hd{wEvm3E|6R?a7wrRq;@+bcA|1#YeBt}5@wn&-Y+YA^g4?lP%blTzE-C#%|` zd(kJX@FH8tC#>!QTfZl)ZTY?1lU1_h4(!S5SAG-qgjFoF7kaAdRolxvRV^3ThCE?a z7uh{LMs@YtYBt(=TMmQa*o@=mn&nX$1BWGy2Zn14RExzKBRtnJYF8Aa))Zq??$`dt zyPwEEUQ)nX!CX%rt2RCJ5{!gZG@X_5=1Znc9M8MxgpmYg+^4uWVZAQhR%>w z+Kie#A~c3w#5TuZ@_~jr%!mYyLM+9IB-1p9P8D*RFv#iqCX*brUm<}I3{ewE4Lv9V zN}C8P8LR-ca8b-!n#6XfElq3?)1(Qf!GyhIwlNWXX-y_kJGFr5hw~g+AQNcz&nb>T zmg=^U;WC{h@Vx86qG_MAk=**$7uJ>it=IjncW|&qGP~V&r@z(gZ^03H9KokgkPv48 z{Mm)qe9FQvc#m_M=KkX!O@kbdT7T;S@?r&P@+pXK(jr}a9g{!S$*cAI>%V!IqSY5r zHCfNNFL-5Ln`Rgc_l|ml(Lt+c5AD{zGqPHi_3EH?ygxW}4oB9=>F!ekrAm=i$KAyT z%fEH#YhLqx?62s9^KUZ{(OCR6oHf1V}C#6%l=+3QAJDxj6RTzEOr2qRj)NRqG%6vLh|C@A~oHi 
z*&ta#Oj;OA|Ae^ii0n)QejCRH`{LL?&D$t6=|6J+kFu^o{=n$t|C^*r&L+(_^FRB+ zy^nu3SiN?4r7lraOesUuJw9Tb!OAj)st@tMI}Kd7WJZx1Rts28;0sHP>tR!Aw-pUV zN^$t0vl=@@Bx=G5WB{w)34tb}`Lgn58zd!cFDY?o7aLT1Y8k;{j>#b*Xg={jU%v+S z>~CEgrHf??BUG_@eot5L$V`9)_bx4E9=w_VHe8f8;o=fjw|q z-TkAzS9`;QZfCg2R6GL?ybW-&Jk506%n2r@7ry$2((1K`>(~SSmf`}~2Y&{kQhV4n z?$8VmjZ)K4c7NV16p8XCp-7XOgYk#N6s#v)(S+N#dxPHo!Ju{E9KhP=3=Uhzql0d1 zU>)}k4_x`7@| zI(Z>nWkS| zjw;wiUjlD7W-C$tx~A!<$}e!vSM=q5<2s)G&UjX02_%VBqBj@blxsOy(sMS9+S0t* zbq;cWaibaPNNF;fed>Dr8~&BtV9?$@Qy07;cCG)`nhx*Mjb@&XtjD_Ycf2Qo{Lx)- ze=(#*b9E9fkE3aRA;=Bs5_;w$K*~cSSl?K)X~0-UD;Hk*v+=+Q-%tW9Cro$zt9t}r zgG8<6{=;^L?$}}@Gq%3E$Qz+Um%G>eyB| z&uu!L?Wv~sGJ02S`eYVPJjdAh2mbCSI^WQiLcTuB%kyR(^EjSH5_C6-B`8=`FA zNiCI4eW7fo7s+(p)k-C{BuTpstcW3>vJNUe#m=9JLUH`S~zZb8~uiQQlUXuzEIEpahlU zDiR#RMO*gNm9|$f)A$KltsJbPxcil_U|alYTM~-c#&`P~(&WtCCb{I1mLT1Q-4$i? z|N*eJ`vRW|hd$v%rlWwcbJoEj*N{*#+7ADaFg;#3LiYHhK=lxI=arK=C6LmoHDByaAh=lmW$)s;HB+Ia9RRa?KQJ z0d8IO_wg2k8tUbC`iUgVdelfT-WX7V$t{{rB7IyqjpJ*Xjti!WNg}W+Vp4?!ZXk$1 z^I&?QzaG)I5b<8&qh_{PVzaQYT5z>1by`<9ah>5EoFW)xrHiON4NDdhY41@bQl6@3 zv-LAePAzQC`Xyx-`fy;{{$2k8vMgw(M)+d4s*AEZu|#b@Hh zv_RVF^4X1!QDszNurgFm%Zy!-YOi=GE2%e&-enr?#dC+`wyOdEUSpe*Pfc8!00IYf{TKG-D7>c37X+ z2%j=1s#dP^AT5=<`q6AMtgbt~n+>RIpLFWkJ)KNEcSxDHCEVXye-rL+y8|y6?2h5I z;e^~DQ2NHTnU~N52od9@A8L^IZt{u=nMAbQ!E0-Qi`f(NugqQL>NPbe z8V&8m$JAzg%GSgnv`SV=3gWDqnO-k)*`)fjz74JHZD@sJUF7|1j#OVf27sV`nRy?Y z$gU?$)zc8srgYv4tC7g{GGgKM>R32yjD^GEDt=#)aC+L@A}=8lPP$Pv@1oO15_n;e za3byUs-;htf}nc9jAp|-VnyuaDZDUgMMPgiBD$j_mTdzIMdD~lE-vF&Bp9)KsOTxP zi4^Z0&%^(YAg^O9CsTGXg$6od2q#MT)0&cL=-%EsFl_V-=7Cl{VoaUh6UWrK;$uS% z{vtOrhtcV*GmK7mZ**{Yc+_nj9fCmH-|ro@tbO}c>+o=Iv}aqL;b3^c5cx8t$f_r` z_Ppj*!|13HU`#&1<-_P;mxT_(R9G=uLy+OGTHS7|yZ5ns{CaQib+^;*9`^oMHjoj+ z)IFY@I*Cy2y+w84II6((=T>w#2&~Xnn#&zZGUE1>uE_q{D#8N=Z9q+UWTFkIi3o+X z0aX#Pmo}g(BG^;usvNAXDl)oM>AD=Qtu8Xa)CSZ=#?RV-y2Rpo11b|o0V`dZqg7P~ zVY`CxVS9sv;c&m#X}z*wvE4s_v*^I;y=qwp`^VkR(ZS)-@%{qK?&)L_sVi=;xwZf* zS8>4mlwpj)CI)JD9`DFf76+;|NHS?&ypd$eRNN8$b9Vd@L)a}^BpZS%aY<;GF=8JB 
za_N)!%@rX4u-A6fwR}$x17C0Ymx9kXf221 zco{k)_v=$}IkWfESd?1x;oN(mW{+q*sk|yRKd^OWCy16dZ-!_|Q&S}Mz4{!HrmYh? zFi3kg;FhVh8Z_cYS9Sv&%wWDi9a(zWJKWHjQxR51l_uXx=2??@I&kBmzFc88VQP(z zMn}g-ok8p1)v(*zKiVI)jywB%t;1e#f6wmO`;KidIJMZi;URk@rdvJHHfN%-KG`wP zuh^zImXZ$*W``|1D)m{PeylyRq1ESLdI6N%u;r&`$=TU2)FnLmOn!B6aQJGp@3f9B zd%v}RI6P<_cj2#&<8%kT;j7V}Wi2q16ER8FHES#J!zu z9h|Jv2EBPOZYXlgXrU~0uFSMPfc_@zpjRkD;@H=f1PCVmDV#-jX{+Ur;?t`6uW62U zG*(@xB!3En)b8=hc+*d?9-h?7u_NC}{>o8^bLn#hb0~6dPzLO1A9WAQD{6Y4%);Io zytFbVPqO+OGgpMGC2uK3QqBS!`}Z1I<8QoL&(srR6wuO*{_rV zYIIO7LwCPw2}ixE87h^~#XVBh43)YSGwfB#0KL>Zs+ytdIP?lwDLrtN+VHB|=~n7i z%us3IFhh?tb2H$-Zy3mme^w3vs)`Yjp)d%jnkfzh$|Vg(02S3`H6=S#@`kg?G-}{y zUSS?2)Kmp=6w{;}hW<>xV&Om4cirSqEpVtQ_p=KgnrL5KtNgxX{(V|cCF+*7>Y9iy z5lU1|^gTur)p&Xv4o1Ri04GoUp;}B)!@tUg88?0_Jx#}ZTvPB+&Mfig^hP?c7J43@qhgH z|NZ|aH)ozZ{EU*pBFJTUZm`gw8BYXgErpJxD1z+J^*lV#j%Fd6irtuvhz{ZZXTfA% zAMx^zc)S4Z_{Mev`b)MS*#3>h)Y#T>%f~zr%DB@w<3kZCUF*g6kbQk0esFHFH?$TI z{(W1CEK)$Cp^wa&JIySee$tDCm$~J^_f#Pz&b=ASXMON3RX~04Et#QGx7G*WvKcB3 z+#&~GAtjiEO&#;Tsc%FGXzksJjFDvgl-Q>$ixL;0=T)Qpz*e7$sKk3WeMZIhDbfrw z@`jhmsP<8l$b)#9tQmdZkf)Du-jv`JZ?bl3W3RPiqDZ^&;cW#`aYO?|U9yAVB+g%W zM~5+^?2tq(7IlD|>Yz1~1JPuGWAx6q=4dOty@4a;PG&t5OsaF9frpfk&vMV2 zjG+`qXCm=MgEZ@QOSuQ8A!9eOkEohJHO?8^5P#a{i$`AECQQcbuOv&h=+m}rlafXs z5vh+QAE16T2^{*!pOTY*H&KPlIBu0_rsyiIrTR#7bzo{h*EVtsjaf!xH zXE%7;VGvBW34S_>IQGxQZLBPv4*qn(RA6c!;4hy7xxzN%Uh>+!)E zg-&$$(`-7G%ATgsG`>Y!nTg_Pl=$k{k~lSM`G%pKRTZZ+q?@Evo5>?@G7(o;cB#qA z+O?Vp*U)b(ic!`qsme6z@8+gRW=jxEFlUN#rFduSQ;x1LNP3Pk(@WJIZ@->>oF`PerOUmDeYgL8(m^$uej#j$~%b2jDJf+-x8F=oH#S>SO zXC`Yj&uOSIRv0-^@~9sY>hpBGYkJ_KW8TNE?H5GPG$`Z0H#K}|MY>Lb>CyA`;<8v) zLn{oe`HkoJx6`{FjpG|s*NttI!$Vt;N`}F+dF?a5W8I7&wMHmvx>`?PT%%e~UnWDX zr!SeI*3(zk(U}~od&KyO?=)Z-Eo7uGf_JY z>dmBOzblg+P7kxGW6EylXTPJ_@8D!iGv_6>X;RyoM=Sysv2KIylu`)Scw+GHiWMG= zp{U}87iTmcR7@WKxBs$D%hn7N8)^YqZ>B|J!$bEtB<=qEY5QlK zabyTnj;5CrFpdOIa5qgqvfs#x%GU^rgz`f*$(4Agq*Fp6DJjq6x0qJhj>0sjhp-9X zkkU+<+trNBQQXm~tgPFVYx_XHL^J{|O|R~9g?hxlWg%*tZP>Ji 
z-VN!FjZ!Vx)zLAW3ZjoM_{hIoXE_l%ao!E z;*}ETB73DYlX7;Yq%*|8G9(R>ex>x2`@}^lr!bMrwNs zGT^^YsO>4Zcah1g7i=B(9;L5D81fFt4Wilbu)bmA1Z4hz7>xR5z3zA`u&1lgcD>p; zHy|dHLcQNdYOiD)+(C7uiAyBJnrj1PwzK10y}}DGzn3|nYKhD_xVk89@V2p6 zey*zr44j-lU+7$s^hLjwn=r}A@{`cnt#a0^>|RkJ5RA8Y##QGgh5W^{Gby~VyIDq` zVx=|7I`w+hD0QbQ%wWcc&#pUK-REFk$tH4t^{UuR6UnqKq$*5kUVHf)T&eybX^km) zliNUPwO|!CClVH!rn>#fSXhqfCo3qOps0}A8gxm5iOH0rT*;vEMOlNctIoASX_dOw z2Bm8Of73|hgsWU z)^?b+9p+QoVM^_1Idy!FDslT;Qit`h-AMcX7!oB(%I&O3i7#?V@dW*O2?9!GUkCfu|cMm%$ZQ;7bkybro5yrqcH+!nfrn9qGseJ zl`Gk5YmW8V?LA9Hm#&M*R(qw?DoZNCHs0P+T;yPlTDT`{G<427@rmK41>SRJPViX2UF-k&lQE?zwZKSz!kqN^JLe+jhyjh zI?w9bMn<981o1lzFXCyodYT@8VM^|7_SMJ!m(cQQ$mcNd^sQnhk+$Q56dO9WnmhW` zxo+f=YEwnS+c5azP!+!rTty{eviBJJn$9kRuBM!^Mfwf`o1P<$}b2dp5R(j%_Hi&D7?YPbD~s#n9T>AN zrBnPAGOnYmXc)=fGcHVid3cjv5U^Iljb$rV_eFJw8NW6xb=YQA#Mhjn@nP<(88 zV{tZ>moOD)l`%nc2kd~K(iU{tdpa)3dc#_C>-sYD!-|v&1{-Q7O%k@zwd!G`z_(3P zK;XilLwt{}j=&;Pc;MqIC$I<;Fj#9VYHdZWtyo!k&rMrVR1zkO^%;3w4JWA2l{ve+ ziq@t%wYLhg31;0}1x0m`_g6vC$ZZEJp)5J*umqPJX-2W-y%B`MfVmZ%#!EyQe}trV zijzo6+9aXOQrM>2q_2xl-f3=Ey%-dgOClj|QBaj}6FF0DUQj)QZWgbo5Rz8YDVu(Y zU}{^V8^*zJUb4&)m;JAdZWUWf+qul&A^zqgy@u=xkX4nh}=0}pc2+pgoQ2!9~^X?r#9$lQQKd+zVO4EoD5d1rb`WEKV|vRTwJ|m zWR+A2%P6pZGup?OBzT>t6)KJ&a8%ub`(qf)V6=dCK-~eZB>x!=xA$JS*~)^to~P3C z==z;x%C$JlGqWeMBZH)1_x6jO=Ckq@I?tEPn0BHsRa1jAeaQmTPW2@-rk(4{W=uKR zm(7@RwlAM?p%M+w_vJG#G#mzJ{Bju$PWk0CE;^37lYZ%py0d<{j0UIu@);Lm0D}{M zW=8y1b>=T+xxvtAdW=)WTzZ?PLg1sB=LN7k<}f(jrzHHZU$gT>``pNLGastDB>T^9zEoH5r;PHhIQfoER zU&v&kRCv5*jlKT)K4iw>orVh5yh4obs!?pZwK{w_x<>rToMLRs55lla#M` z`bj1}P=CTnMXke8FOl|0$x4q3GA-TzCqM2b==P41Ka-{Qj+IhjvmAe4-30PYBCv6?CzWJr zOG(+oN~)Bx9>jgCVGj{>yoxA-_cCQv>QF|YYV4lCmYabb}#TiKqz~{x~scpkDN1@rG z?MXJadRi_Np|;tnLlM@Y2p7H*I;BZY{9Acb%XL}g-ksh(!k%`ccbbOHwYu3X7blQ% zgFBR=0-Gf<_S5G}rg%H>36E$A|(6o*khgNJ+J>MsG3Y^6J+^Aq4AXv0fIF%c4{Zr$wWt zAI?fpD~fAHajht>6~&LCD6YI|eY&0MlW!Yqjc_s9S|eOaQ(J3SKn?)r|`qQNsx=~40A4Pj3St8jdnq~-lxG`w@h7R`4z zolc_HySumU^lmnQoyd6itys-=6*u$N1z*lue}m<05Cos2-GLVjcE=XX#c-FAq-!01 
zY%@pL2UzR*vyKN0N_I)ts)WUJfm7?ZF?_QJ+ApT1b3i=b+>vn|)t4~|H(-MBWA z81iihk`O(#rKfvHzIf0GebduZy$Dj29o2pxFZ&niWq%g~)VMaZco()97H);owcWBN z?mx$!((CkktxgyJHwj^L>D(K#AfM3Q0oKEV$3$#m)Lw#v$#y)Z?JH+E3t^(mdTuv) z?rkx$t?ef9U|4tHjNndpw64b#7j}=5-Ns-ShOXa&7DJazVWENgrFsw&C`%r;;LqO# z>AyPjlYAZ))%<~Y!ENxy^&H%no>-WP=}2sm=>}7@qc68VsB7%WFBWW4#r_QbmU81{jKqu|il5ln_bL z(D9*XgQ!jV{=Wn>GPEGGV}(Ak2Ek0mDqKI> z4e7W@Iq9|c+npZ>Jvy8i#`Q`WC`iWT=m!V>1>U)YVas8_h)T8}h`5d81nb9UcU;y( zTV-#PU}Etv&9Y5Sund{TRI%y2HzM#Gm6cFYFmIGT{jn^N39b&)ZJq-7VXETagl(eZYhz z9kQ*{cUepVa}!oc*Md}^ObHCDzIc-JFJ6_*CD9y$)z7(XG&C3=Q={=ISrwDaDp@Hh ziL+{EdVOseHvN^pwNig7`PG(#XdHe9N&nXz`5@B#vspsPsm{M^5=!KLCw5P!toSh_ zU!iPK^Y9_MqT6GozI*LXa@)I%To-x&nj_Y?>{#VXOVBrqn4#D54ejRCFT=o|4f86f zCrs7TT_SIV{3h5-PNZda@VuVl_@&JI^bUTn)!8@h;NzXU(h`fSKR?VohwW;* z+l{vRRupA}=+|+}vQ8oT>Em=rHSlL}ewaEo?03%{4=QWB{uQkL zQ&eM&u>LnfLv49D91)QkYl6R-^|IJdiv1|TseY7TWmrpnF_!vDCQj#xb(6knkAW9% zX&l)$J?zlclYNVJd!6nvW4B!xP%oH|6)vTl);}g!12L^LglI80@{HYUjcz>F*tX=V zwk1n2d=tDCrI+P0hwv2poO&?$>bx;5(iLXnjrv+jYrXlDsOcqz{L1 zIz#Mx4u9@v*#x zebW-H{$qqPqvfFCASgREH=rzobpTj|ge+BxyF{#BzDbP{1J7JKPSduUxX?v!pr^SxHw5-X*o0DV?L_w1z z5K6>=D?1`O3vXQ_ReQ<<^olryBC#}QFx479q212TpSO2DS*=m0b$tD8ulLaSr=9kn zFvL->nbj~uqZ(LbBVm(7+2f})O4m3aT#7&ZwQb4rqE>|tU7V;KEo7~}Pvb77s->AJ!8lVBy$pVBWt0|6KZVM`nch3FLhYal z!cHe@kan9S2R621WQ)OqGhF6gVuni^3(jzJ$22o~vKjZ&Y9@W615G{BOti2W*SDmU zkm+-zMBE2OQX)@EnI%%T3{nOWIW3x6<4Gn9%PaBZ05k9>JqFu<-fngpEDkvA|E^}E zk^8l5#xBj6feF$%@J4JMaFcTRvHO?oq?dHM&~#m+rf(~Py(wgvWVi3(*EN>eGyRC5}G%F(Etyf*eK?(2t{HP~Wv zikk%*Dqtq+4DWmwxG|gV$8P87RatrnEl%feL7<{}Sk)mKp)*BMW_&VL$^>LVpig-XSFGHaH>Z(01zhUp_$LGY8Ck-E9fk2rvQ znXAxU=|y!-{dRF_?lQw%(O=az8{B3?Y9LW5m2J3Dtj)WyyQ?(lFyQW*vb1YltFnOc zQVpmGm@lj5BeB*lF$~6(8Sq7MyE4?QoNSG<$LVU6y&}q9BvsX)HC$T~u3cQJ=rC@k zP+6VoxDeYd-x^6mYg8KZU7qF&gsGtR+%e)_0Y==bF=BW17_rg*a?RG3-k%gzr)7Edbykl+f>BPAt4PO2}AB&$HZySuda3OkwguOqtG3-0kv6x#qW{M}Nk4?VC;E01!F8;#Eq$|cU% z*Ybw@PkmIvbgA$9)@I6UGO3zpEx18hsj@U~uz(_B0pK93IkC%Eb>N^X%@s&fLG8H%2YUs; 
z!Cnm}2UMXS&Z6ntz>dCelt5=Zo^kJ5qx%w3g1tCQM#%aP|;GPhV zi<}(2wD~P%c#0pqVHBx9*c-^~e6?UqF;X~Ik=G6@%JpfYs=jkinBs~^%~ec{Tsa{I zfFwIO+Z%+=bjSYSSl*ZfbmZgMEfx*jf|$h+`*4I+g$iKtw(ZzL3(wjE)qG2PgtrGi z@`jrFCb|n|9xUDt3E@1{#&DM-HyktXI7%Fv%zGFLqMBh&Z}+zkzhWIc=N69gW9(7O z9=pC9O{oqNh~8OW+#rM+eGHiUUNl8ZgZsNVb=0GqarbutE}$FVj17&fABAQ_%`uED zYYP1D{b+>!w|98ZWFc~zSk()EI`iSr$Z>L^n}Ftq%)8StnBnBR3xa7H%VG6t$qKYs z1zIeB3kYzwu(`=U?OY}fNQk4!(JhQ}H<`xYrom^2#^-UED#${82M5RduMQ6n_XoUbqgluU6R|*M$UyKvsYfL+9jwTqO{tESg$|w} zqSiR@U3dYb4zETI9L}MCEi9uIhZbrZkEYrt^{rsnG~Z8gnn~_5603rf?Xb|>ZZw+x z{`>p{gR%AfowD%L6-=cJdBtkZTpV*zC#cTuE`jdFMHeMRFq_ioOzxD@Zps;@X6{G|i7S3pM>1JIk^V-d0mu3_=>L?i(LJzC4qzEQq^E0t zcIK>yP(j{0y>;+11)~cw{iZf8Me9qleMXr2eaQUv+|g*qjr@Qz;k*oD-K+v{EAGpA z4uR%+s*rP0J!9ZGqsVfpuwrqdGDv$ax=wq!iMLwFWGpaxirJf7yfjViZ^i@PL~UP4 zW6|N^vq?U}3WnzcT8j9Q;o4WqqtDcWg~0hZ>(e3hwNqb>&*$LtXV5{oZdZlqof=Zt zo*Gg&J>@%WVMtwFC)U()HJ<*2c)G3)y|DKl7f;_aE-&TrbVCD{#?z~*Ny%F9^pa|7 zPPWF=<8(EiUgPQMe1%M^=2;7#URJ6sjHfT8s$2j`&uWMyp|z(Bl3tbO3goDu_S}*5 z{Q@L?zedvCRUzqD@~+TJD~h0w_SGb`=HEA>t}`IdxPPtDeTj(rex^{@n@@?p6hvL| zyK_+F`9lXC=_Y(qkO*gmbjTvsEiiV3TOX?LA%Af!Z_1pyPS44kD|y)n3+9UEUtSP= zMo0tGhzmX#oIaj;Q+MLYfUEp9y#xhSj`2++blxHCLe-RnA(+e;k3oVl^oc;`o#Rck z?UGCx?ee;_s>>@XWdh^2Tw9SvAHWhU_ zO(1FF5@w9Xn#9=NI&h}2SzJiGclMSc|9@j(HaXP*Ia;2);GF>^=PrV4!zsT|_>AB9 zZqxpAM}|;y$|a@b4|pM^+Mx{rED5?-;$tPcnPfS+Q!zPC$k_Vq+`!)NraI9k=^b;|wjkfTJ5G_<&B>>xvR zlMMWUY2|T+Z)RUMdl4xYdMCi2cg_@74DCkOX5xO?Ci#fgCKpizGnK(j$_vR-eE;WA zRbP2*=Hp)HZFX7(oykN}Y6nW1?%4n|$yLvsZX;2eQjV0}Zl^3gXVXxh1wey3WZ%n$ z3iM+h9C02OD%dv)y7Ewgp#e)n1=Y@fWGzrZ$@4cSTSEnLx*95|p@MY2LMB!7tOY74 zD^(VT3KrEwEPxhdwMCN9np6fYs7iAMqEt|O?r6b50a|cSqXq6t&;s;c0e&0@rz5E2 zhrn~*-j1iIlL;JR$1Xid{t{aL^!vsRbavz!53V)3FA+O9$dvMW^C{7nf*nwAybxI% zb^O9BE8;F}aZtE{gZlqloFfjq=sVsR!OWT55jv@2{{7%s_TTVo-FECFx1%`sHONFx zJrTc;6*7yM(~B(Z|chYu0C$=fUzkpcUl4fa#vHybzi`r(Olr{cAG8 zt~remR?)iV)brGC;N9CMv_8rQC>Ryw=vgol0Zl$N zR2^@fpP-Zk+2&3o#~WcE2h>F@m739`osC@_<@Ygb(!Fp=gvk}*a*IweNb-y8InW;9 
zP0Qm(5<;O)*w1T!p0My9(I9tAnSBG(zrg+xkTd0gghiiG+wa?U9ya&EQC$n zWMBVxGZFXy_3kR(|Hrc`;E~Y7^H7a(+u|1Yw73!cmF^;uO`YWwgI_mzgxsmnshX3SB+=grJezk=Q(RH^so#f&_M_{6*ly-_Zk+eJVen%kYWG*C zt`1!T_uJi0M|iJs9E=sI?{xETSv2R-CYXk!ne%+$u9U**$(V}21%A$O3QQ0CCv@hd zGgv~X?eoNVYP}Peq364>s~5#~jTh&c<>>v8eJ5PT_!Qm`XUyp6nj^V1Bt=b?HG!toUGeyeKoNKoo%JCo8a(1uP9ZP=woB8{a z^k+V8Q=1NLztJ@JYMP$PoJH$)IzgJv^4H;J?r5dHYJFi8W%}!;BCo{XO=aMl`gk_w zyib*o=$!lsoBD3(n!Jfu!IG)u-LW5g#fD6^pZUg{F+HW9`K8ci{VbJP=H_f&q5?UZ zQiJ8Pg_kjN>KwnyDDk_BC7%@TYchh`Xh-vk9Tv;`jf)qcEk92&n1)%SzpBmJmNjeB z5y%Vs;Bn2`4vY(5d9yY{1C};xs|HPywV1V)goZiU+N>>3SDUrfW^L(wg-ojES&La) zS*fzHS=(x%%>|6zvRWufXbml6>{gZL3Iwd6_S}u#4hxLk4r^mKcO}MdelWJYU=~qd zvdQF%Mwk|EWEVc(@DMpI8yYagH{Z9-o6eOyI5qE(Xc1joy-ecBg{1Y>^a;)K2Jz@=bnuYJI6 zme3LRXBNExjYEK)T+4HRcXs-IGOqW>aOMypAa5fYSoIwWN$HY{Li8%(S)Yw=7#${8}dNnXd2=nTg%g?qZZEJhaa3@kUnjN774H=?uTWABhCgRtT>(-qCVX)0s{O%D^(OcpTk0xdywi z#Jr87O^I;4J8ZVO2y|Qx1H8xJCs=vmWaKn(9Dyqx7;BKa<4F)XH7NeR0kuIFDND|IEapiG7fC|#q-KjTTP-3a(_#7q&i#h z{S{r*@vRa)0PmGX^blXGZu(+ECnH)UD|Y2fPegEtox~T$Yn0VQ6Akkx%`>v+(I69*naT_+>(yZF% z2g2_gw${0lXFR&r=)OeQ`Y3ZH(3?+*z7*J63G=R9Y(8d_g~v}}hgX}QRAq1tTdZFE zR5}!~I4rz$+ZMEf5e+j!1EAoFXWMjjW7p;Kk_f++Tr7tX{W+)cL+-3EG`t5aiZfQG z6GdfWcw}56J(~Hph119KqFr&vb}JCFE^5UMY>623f5db7ZPc0u;_m5I*SPQ3cK|e9 zV~`}#(jD8jcI?@)ZQHhO+qP}b?AW$#+xF}?``-J0R7H1nL`OwcX5Mp7=FJ?lIr<%z zMS+VINl1jENZPL)XNPHINMvB;^kU8Y8iJKlNY?KVR@2(o(P2v+5lOZ`(0E}ie!5u@ z3n`)z&zfY2b_^_)2oX}B9Utsdqkd)u4#l#d-|TZK@pKum>NQa)rzYg$Xoll;neN-& zIyhg)*y`CH=H=}VIpJO=D>RFg!ZECxPM2X=h+BAko%4#q$!fchVH^2};WKoW;UIs9 zc88fVM43VOh__Mc#{Cjx$x{c=;7u99q6!qtdV5eYd8XBaJ-vcEnIE9e7RHrUvgZOu)x>ZCNmbGjs^)L*Sd5+!RzuF`@k8c7`Du~Z zTklw}!rGBJp)yinp3%6y zYEUq?_wrP~dInN+Q7I&bthP3;yR2YRB~S!yI*Bpvq3mtYT~cfAK%&m9pqH7UW2ie` z%06(PY(3=c$<#9C&AD6pw;l#8*Zv;r*!GfmEcRQzTn7)rFMDcfWeLGsjezj|Fb$APJVY`NRN7jAIZEp3l&u|G<#@VL&vqXQQ|f3NZ7yBNoGc)ZOleJ6}mHqi;(+HE;3g zXY-kbeD5aP`sXUBu`2J#vqqfTruaBj$T~|1~&q2$9ptXB&}7@0$LS=S}GO=JQ4 z_WQ$rpQl#2EQT^KQ1a3k}o;H1e7vmB_^E{8lz?*r6pkEe>76#0vLiprPbs 
zN@zj*N=0iLzcJ$`nS@y^b+E+BA6DD1{KIO~HthjPU9}7yuFvV)9uBh;Qs1|$Ml4oG&Y{ZYkx6wiaeZO5iVb7f|* z{(=Np|M7Aj7$G(40mL4n7S+fU8lisnD(UJxq3iCbi8(4O#vicKqBp%f7}+?`~`L zxA!sU@d&Qwec<9w>_>}EVkL!Yd@QaB2`GXuxs087jW8A&+VqK+st(0z7z0snps_I- zS?%@$Xwnw^u)vVom;4#6Zlq;mL)jeP4vONqYka%$Refc`QQKsjYq2;IcIcI$P1h^hc%Z zQvIXoP6gH0dJlo}f?xBGn{szJ6LxrqAM+w7p{`+%M)ZZ`&Q)dm+3-~|?<#Y1 z29q^bO$6!s)E^JCD~0J!R9si8-5ruG?TZgvT_AvNhU=PP6D#fB6i+jtt(4x_3o2XV z`>MrCKD(758q+%SWoo+|_%Ka-0NKcW-bT}CT$414_e!h@ZM2CcW^454y90x^k>RIm zt`tkN-gz|}W>g$?=oC!_(DAWlHJhxOVFycU*6i9i@g*+HK8Fd3WMzXkWupl&Ft}srAI8t2AI`N?dF4sT@I;LDRdl#_F7|8bP_<6o2r^Zc~^uegw8SC zC^5ov_>Q?__n4M%mL(x|q0ZCnHR?dU)M+|@93viY($hY?j@;r|t!!eKg%+O+#t|``&~WWs{SJC(Z!+qm?6gzXxwepNeWEe3dMLNH4oM&Ty5mcv2|Xb_xH(B* zH3oe8FhL;~Io_G|`;AatcfM_i!sBT!s>frDigZw5XACG=;DC3=i9lN-FS@RP@NH0u zt%Yxrw7F}%HZL!GQYdiMoi?(+XXjs>0a?hv6E80>>u9TR*WPq>m)hGw&8X7d--(vF zI5>DtvF7|Y>0kb0n0*#b7ffTbj-k0{sn$8JnJ^{`6d{|3)S>qN`gS33d#q5LAas@m zsLq(mmvC5kNt~tnwOc_|D>7v@JRtf06(P82@NZi%_17yw=6m&6eUmZ1KKvkL9@6`n z+`Lam5(pYESDI?ZCcs&uT0nC)aoG)=F?@Vi{TToxH#*Z`v*WDvm8|%5v}=CX z4x{^p&e&UZLQe6gw%QBER-x=KIaaZz+lxbV@7{G)IVG-FYJ-2?yt-hr<3EQD5k3_ByCwTf@el~-!z8V4og;M$tM1YX8!T^&AQaQL7tY#>~9;DfL zubJ9?r3%9JkI=;4K+)2oc7&s^y!f7eM1Ye_2kUOtOWvURvu7YM6a2ET38}j$sF5WB zPY1cou{w_SIdMZy`a6I*#6t$?kQ=F*C{Km5cba_*yLCX#T{D9y=86cy+ZOrM=VLc0fN zyB7v~n-C;|ck^`kNk5dq6w?*uL_fgLSCQ*k{QZOS>q~jgw5u>KR9M+uYSL&_f4v<( zn;fKIm9#FIk@PcFZ_;%Gon;%2HU@7WxAX*pr)X|!k)o_~Cd*yyLawmjrSN$%*S}Ly*DueQv z+14u5G^&}ao?_lqPP6<(nJ$6zHw3#3kUa}-7;GP+VkkXCcYRM?<0B{QaSVjbCLAid z(6LO?E$S0t)jYnyxU}TSQa=B&TH@2jl%+&r z%wlYBLk}I`4;*Y?S19dM=tOagmp8%lZGZ*pLGkB6nmk~jNyzc>J9q6Cn36N7(NoC& z9ntE1S5E4V+x;9~qzYa_{ilwCUBo~c=J#yauIdPse1|;+tql*-3(H@SfYIVGNmZ@Y zPyG}R;TwWzT_mC!muHHs3kCdToew{<7+*lbzy-K7QI5Q z;@lKl6Xb|oco=e)l|vDM6BEdG7cTdd{}%iwfi(OIkLO&1=e#dZU{@DaFG9I4LS7~lAq?I|HxUb6`?jp#L+lTpr5?Kp&t9}lXJs3U2(7k!( zgwTI%sX-L)M&Xs|nRdU)FIXhR@f=ayFEpHv$ST8>G(DumVSK&FFoVx{{3d?~JHkBv zZ6NPrm@m5$0UPDv0~UDmdeK05>M}m>n9~N^=g5pVs@F!%Q|mX64W{F(4D2om?B4DH 
ziV7VIbLbpRB?(F}vlw#Z-x*PX-hf9?TlF4^T;t#QgBA~$_;mh<7J(0wQ>dYV-J#9j z(fV#1GLQ^ z!kYiPb|6ru#g*Xi=80`ANA_3O>&(|TnzJ$rdgMHOXI_#exvy^sCla7UTOn?j4jCC` zcuDJ@KT<5}(Fx;!Wq@X8@poJOW7tn;=`U_YhKtM8$Gvr2b+#Naz{(5?JT<~iMgna{ z$K>-{bJ@FAky*3L#p|AM;lj1;vk0g2o6^}yOwahesnG6(;1nKB*ubOyvLi}!6SC7}}`<5#?>(i2dQF2SwZ zO!stUh}MnytAz6PLq0hHKXVAjZ^=wvlfSrIpldHHovH{2Bpcz2l* zFNJ$MDW(FPL%jtJ&b2^isZ=Kd$_jzXl;Ac9sMYV9T0>%a-UtQP`2!qH>LOtq>h{mM#MsNoA#7Q^G8{K|}<60+=I3x>}u5SqZ`7v7-Km8Kf;5SsoNsUrzh z=e=oz@J(5Wz&Kk}Q-J2Fl(ZwMQ=W2r0yx(~@NHEBD!GyXoKJpui2z54EbJ<1-J3rk z_ZoY#p18tQox@O&Zf!S-ya@wUdaf1d{4-flpvuQ@eKe0$Ab2E<;%(pY>~cis6e9|2 zm|Wmc>{4mkPdfS`t*B|i&AZk5yJsHTnEGE|04t0bzji`#s7*6x%S1m#^nAwX1{lw* z2R1nq2lFY__593O;%M^re9JP64}9$h{I*v#j^A}S23*qpJtemrJ2?NTVocO@>(OjI zO+bVIzc923c{MI4;c^ecEjQ0DsCdGDIiS5bP{#*#B{^sY%Y(~dJ{G&;`vSy>+$;b=(kP#;r-Wnxy@ zmI{*lz;(Goq+uHEk^alud}$LJ^vNk3+5#I7b8&;w2AI;%i!0%z9)P+)1C%CSGqrdfHTuxpAjVa zwO?PD&w_B#o6LeBBxT#O`Qv+pGc;>xZ571unl1>pVr?qvUO_2UM;xmkrtwh&MvVr= zA!zR6!;KEFW8!gAOH=}ma1i31O291m(rD@8FvtlT1~4e%_4delrxp%`vTMnJd2L8i zJ)RJa5S^nHGD_nBK;{sTvb#PgpE12z59*a>C00d<1?4IwNOQ5WoEgRnq`=|5I?$C1 zifp(uNLz|Li}(TQnSPHGqjdoiCj^(1^$w3T=PmbZcf0C*8F;KTjVf?x>eHIKfUmHb8mnOj1(FIugGg%rrh-)o5?7cW2n5y5>cR}r0U``)Zi`5oEf7{qcG|ZlO zQxAFcXzh#yku_@HAvq^J)&B%e+b5q4^pYsQg`?(bm8mP3F9EakR<45g7{PY`W3QL3z(ni%O zn~_-#?qrBb%6)UBNm5I*B_jQ zQK31Wv7o)%Rjl-g4-S<_hmWnb3s``fL+wJSEI}03%LcWGyg0vYU}R2x8x?qy<@*yg z2$eFLEirmYHnX!~TdUN3l{1B@t*QTOMokbuhCw?6)Pu@lCo+YV7Htxr(u9+Q zG1&Ijsfm8llfsK8i2qGbV%7{%7yNkADz!l{)Q9jTaRU~HCX?9}wK17|`ng0=Ro=_x z6){}IB{7@@C!{N?3zEbi>J6961w^H!clm5kpF^(~*4}e3^5gZse?fg+3dd-|rwf>T zE!BXLA2)7|r2J7t*`1vdY`1RK%})?f72*qi4nOh2WlV0GOe|2GI!mRsIe!bdf2*qC z^c&-KGBiVt?V_wWFaxL>+eUCg6kiCsl(;66jSSM!tEjK^ZR>PVvF_&JssU|Cu!^E8 zYk`2c&+pA__En zogbRL(N8H#!%Vma*|A zY|OQ|0{RJikX8phFMMC7Fd%li_(Ao)X72e=Ma~OYg7VfayJOa#$D8wdci19#vcBA= z5Kuq&!(Xj!X5X$Ww&LIQ)oP{K>jW-Q5*1VC5C>t<9n~`kQVA`o*zq|xiK{$88^V25= z_oFC9D(FeU24==lzCCrN4H6DVo?k@#Y1>1AQq%`M5Q4>YFbGXjlZ=Xlq!xLTgbd*g 
zf3-0+SeGcFQ?Er&{uDM|Knwa2@`rGyh;0wec8C{jVqm&%L$_gEy?Ugr#;+t^im?Zg zhs;?@3760V-RyFnJP=q9)~F#%C~f;I_^Q(u3~JL8bR`V!s>52`G!Tg183x@1$LO{W zHGbXyHOvA;mTIMFN+2d(o7{k8f?gG{jW17r%z?2+-k97GV1_1BUiedJWdbdsNJUa= z^hd#GrVd-mskFO_VYEH(MM482B~O9*R$hFdQ>R{E$NOyfc;lGce78{eX4B51km0I4 zdiX!3zcx%Mjb>Hlz?Q!nN|}fj2)RKT@z%mFdt2v~=!qDc^xc0oMA+f0$0Dk$k0vA6 zM33$}H6f~73#I%wNx7#HH7X&Q5*$66B0_@BfIDH4Qk36PlXRwLTtO9I9kAWVipxp; z8<(?6dSr7cEe2G6F`$4N1j0NC0IiYN1Akki`-9UOo0;lkx_Z4gG-|xW6|IsI46s*MQHtMH z6;V?%yY|%>14jq!V zzaSlW0Gyf=`sN2QM))&5V|i{*KL>;+;WJXEn}E=4g6vndE(6)2z1#2p$iSelY7^g! z!dG#Ruj-4CwQfpC`$hoTi4pn^W|$e7o!Z_>IXNny{MB((Lq1aC3O4!Q z(QpdsmSK2dIBDazSrxQuV{$Q9DE2!VMr9~Cl| z21GSFB>WZr(bbB7bTx^C5~w)FLT=ofOYVF#zh1Y;QBA^Bg5fTvhIyRsC&@dG_UZ8> z7&B8p1=S@@kzSVYNo)CFgsT8%N*It;u|eht)tT|R!dgNUhscFN3hZ5~1LT9`R11%1&SlW6W7lFdv zqr@_BSke-KT|YAcQfVb%JQjlZe-n@%0P*t)M~DE3fjP#AV#Jl=3~u>NRVc&?Kg-`? z#n19b7_TZEH(H5>WRDMz)TW2E+1UF~1&IDhgxk^h?HMZR6oQ&~|C51y6YeLeZAbL6j*BjiMOCde5)gUhWj+!vi)b%`J)7;;T(dpA?3VqQWiwW>j)bKp(js?6N+rP* zZU3snE@Dt}OLaGk#+`^=&0Qr;rJw@k5Ter?QQ>g$Oz-zFhQ{u-`iu%TW~nV>TUlhn z63Cjfht^OE@M&ijf0y_rLF7XHn!kUm1hM3uYqp%nDh2_-qaU?2m1S?NU*l9YTjj37 zt#A}6qA^5n64Q$>)6m`^f@-N$FM=u_O*t(4?|6G(EF<#%F~n%fc~ea9U1(ucXJNPs zdOS>Jrtt;JvVtGvQW$}n%w@z~W}q&NO{P^C@l!XdTqQsBzq(OyWojCAJV52D8V@ZH zr%4NY7;2-z)BU!*I9xmykOzVdDeOV=yrl_>KK$F=O=m#Tj!Dc+x74|G`zebcXU9(kTT)+Zq8z z+i}b)bTOr#s^>Bdkf%6Gg`l5b&RmK7mvLe4eI*7cOdH9(nNd?(I00shNWnlHc^ok& z6dhxT4PZY`Zibs>sO(J6k6{O0tUEyNkAY+$Fp=iDPRr1o0FG5Bwmf72c9(Ka1L8j4 zvAC=s#(nS<+=x@0I`;`bgtFo^An38$gbiyda6 zj^9&;-@8 z)gBO_E(F`M^)9_X8j@}V%cg2iL@;;B&QRw4-{)bW2rL^dR1M{U=#bJ7?4d@jktMqW z#s27aJaA@=SQu89XlP^5*14Y`w>KQYf!Bc7T3?kDja;)g{1fC@m+cJyKghABq)^8~ zvZl=P(grY^G%<^SG?AwEV^S$xbaxQIzopee{M(x`42P(BG(Bsv=9=hTjA$2lUV9Qp$m$6 zrf9}M$ebaLK<`tE*oDs$HsX3Hxdu4~R}LWIt9IGpbrnG)CQ!`pDNNJhC?`jQ5=*%d zp&xoDC=-zhYcDxvMnoQg3yE*8EMPQUDadF|p;5B$$PeVKD`SS+Rl?0HK+~}gprNh; zRmeXI(nn|x@sFk-;4gKw6ViZb`vIKeVLp5qi}Cmf)|hND_^t~-yRmZBo>!l?er_HvE%dlMyV zs4WyO>94z$tbMq`!R7o}N@gR>ETYNeAlJT4!1m*7_{75ovgGx!;29X}nb9HahS$$* 
z>s3*@HZ2AzcJ$dE%!!W9&e%Pn4F$-U(IVIAk}etX-N&Lu8h3nibEO8-kyAIKAX7y( z+K=K=qKug5`{%jQi%5=#CFCOOXG<-G`=rVj|2$5h=7|}HrwsW?%sX08i+Wm6k31&b z)PdIF)ECv3cUXX&P$1%b?M8_Xi;CEJ41=};1sMK>3J94YL1uOM07aGhKFAdanXDQS zI|~r9|Ah*EyMOo%F-!Q7K5~~)ohCdUrJBF^HhuiZePsT*&&(z29-}8S&p{1DZhFY| z?tDZ6BU_8lapN^-sDaZnvZB?`{;f}<{Io8swVEGi`T)wu$dr!6>?cG{!WYhz=jRE4Rz!KHXZtkkiv)G}?usDZ{;@*N{9lz_o#bnEYZ_ z%x9!9+)LF*P&k0efaO5fplmOlis14iqWh#vIT_|&A%?3s$b&h#0AbGeC=nz~@XmZ4Kn;Fp6CbuY z6dE2ZMyPZQRyR&wn1pJgb;YQNG7x5k#Hk!W1idjSzEzp;iXc)|jRJ-|(nJUig~M?&jbg$j>~_g+=f}Az&)X}r7h&=Fpzt|f4B#0r zRpG5jb^8saP*JoFcwzka*#ZynfN4xt-!8UMM)Id=8>&WCg6Zr9rP|PTb9q>=Z3DA~ zbfP)UhRa&axSZi!8dV0UgP_hLzBrMF<%SYe@Waa<_z9X0s~x$Ez0hw*g6{n!F;?V&R;g= z6Ur43TFrxu&KE~QD8Y<=e@nnbd;R^E$gY!(4Ovlhiw<5)Wk~8Idc2_^gf@1f81)G;8L-aFr@PP9XNyQZ&Cfp8VO&{v6og#Kh=l~TZ%b3UR zZNs>+Ol!!%&;BPIoq@go6=cKX=x8)h!-UpKjCDW=fNQXo!Khhz> zn-8K;x31vfH6_7)Zco8RD5v+w@#E&*$qqYHO=EVN#>ao+dGw9xg!_Nvd9)%rL#Ql> zt;{Y!1U)vTOb|Ik&|6Bu?`S#sUCXi-ei3^|QD+AyQT6HBBYin?;l9!T|ZF<->L*v0x2yWkaYQ2bHAnZ@>Mz>4%**t^o* zKQBKe&G_e@M*vtxcGykw9rM%7!T&w%aP=Qu$>Bc_J3!s6rD!O|^|631jg0m3y%-z% zn>8JQfXAi0ISB>_1j0Dh@WBOG0MPBpU7A&&bh6qq_UWOpX95u ztk}duSXvE8i)`R7mDCtrjj-kO!%ofU*%2tFhTF>Oq+ky_R2N81SyU@CR4eF{3kbY- z(GC1@=l-Pxhg5k#g~gV;8E-K|L%qgVA*Vbz%X<_(N;Dub#Uik!+s?>F3z$+C`*zkV z-102cNkb0}^Wve|@dAVXb$GpQ!HHUa?G;eIPGX1lrfmzC>!pll=ZJ>N@fP{J$^iYc z7F$BBKNiS>SQV6$Q7a0J&(=OJlB!JDw&JAi6-+jGF`g>yoEw4x1ZD*( z>+7JsO3?tmsVd{yOBe$e#g^nf&+lCxkn2BQ71)^5uw~SuQGbHYpA;oZTFN_yVAL1T zv3$0&eP@I6UjVp~Drx`PW!iG&@6CO5=yWs%`H($1p+n;?N-EX> z`^Cdn#$e!O5v9iUv-f_9VgE3qp@gS$cgi?}Y(Sj}cGyePh^I}EvOdKjT=*}&iflwV0w9m3gAiZ|6eOXFOke>d#Iqwsvh+~(bA7#GQra&KIyo&A zLw*rOSf5@)DFQ=Y{aoR)Jn7{y9I>M@46%cmfk+LEVLv-^T4_ggMgEndAhAxd?$7mZ zup*JvSE8fU%Y57?H3eeF(DK$L0MdsRIpUjM;%83DHIH5iry=QP(LF|j7fTbyfLTq( zB6%l-V*Tw@rjQ`-!}@JO);l8)yY!%GcdH`Q&bSrI-Yv+rpR?g>!Eo(qPApQd7sSi> zml=K7^{FNA@Pq%hUI6~r_TUH<8M2RvpPL>=uyoZ}kXFyW_tasi?JjxSR7QhF9eSL1 zh>wx$?o^wdb)>2pu-r6Tj+~v$9GGm+u8CM8p ze*xZPy&9zV6WtCz0|r@DT`cgeL~``2L75k;VHeVTxMi71d1d=e6(#u5d4>_HQg9%@ 
zK67BcugHjaXw`wZ>!AGO5%VcD*GA%u0$rABfkUWO=`JcQ#L2A2s|$CqQRbCad)BWd z>3Cu>pKlmN2t$YObsN0asU2G1oxhFg-`(2#FVn}l=$1!XYMS1*aF-Y*>Ec zJHchNv=)c!9LJTT)tBMb?TyJJ+jskljje5^ZVMVlC`ojGtP+nET);OsmZ+JcUvMdO z4A+gcodAR$i(DnX0~`a~|cg zHJJOxwHE-%Cgs45}mv0NDShL)>!==MVspht&`iyOT4=<#|+2{s8!vT?tX4iXd zv5DrdC3C zOB)7U*F`k4g>XuQk6RUo_(n~<>fi>>KY$FL$V#|A1JzMb*zvGK^a~r^xkjbwZZo-u zsX{cmE_vwT=<*0hd38O(GKV4b$oD*zz>cs;EglykEPd~qujN6%G8C(%z`mRPH{yOn zKE*OiBX)aJ2cYktn%OoN7QVzEtwt^3$R3<**mEUQst~zrK!3SZmv!On$xi7h^B!F& zGOC^Z=pM?Zbv{&dqA3&xJQeAd(2OfmNr-n%;3hR!8Y{a{lgygfXr?vFLIi6TX_m(F zdW5YeHRVpsj@2eLM-Nj<3fwb4*NbT;HYc0L*{->&nhH$FebVPL6snrW6;cf(i#y3? zG&VAaG&U;LE&CMIEcvtYR3~EZ+U%Kiyt%sVz%t7t9lEcyu@Z7g0Jh`VvVIMC-Y znN|Y7StOh+AG;GadtCEo6jykwFw9>X#{`4!=h5aR#=IZTTh<(OlP$y2F1nQ#Fv_lP zbRDsBwfz8qI=&_N@jPT`4QH0ga7wLN!xwTzcau+e zB4dbYQong@=fsBf>P$<0{l-a7mq2o=k17c>f`7=zDTZ5tESJh~DMiOKg)1oHJ8hGn zyOYBG{-aU=g*&s4M4_Dt>B@g2c!6#?Vg~wNB z_2?qijhOh^j2hd1IuXGw)B~b-B^w#bNWx2`?_acPh3$*Pp|b@gSs@7pWpE+AcIKRb z;z<3uRw7v*3`e{OA~GJ;R$uv1`)%;};wA{`6f}_V;JiOuog^VBL`gaU>k_$YKsYmt z8Fgm&+)36_=iU$;gh#<6p#)cv-+Z?c@oRvP_GQ9I_bN&5Z|wfzl-u(+>z2}z!cbS? 
z60YgaCd8n3bNkeshU4iusd=`J(`itT{Zgi`*GUVIUg-~L$%)RHPa-7uP?gqc>- z)MLiv)c7YffvKFur(V#Th4K%N6TqC8tsY6KVRSq|*u1V@-o zS~24UH=KM5*iFgHoms>POv#U)WR@3sH`h8xPIISn~f3@^h#Z?CVJmXX}L!Lpg&)v*A^!%$j|vR2rdv&E7; z#rO)sEYi0{d-XZ&7-pLyx{bu`;$XGQN*-w&H;(Z z0WIh5`%z80g^j4-LN0uLo$H?^@=HSoKhrewyoMyy(%SOEDT9j?8NCUJG#gR*8$IEXm@)^p* znq*QHG2OPPAv@8ED*aW5Ep}0TO@L~(e2?L!e;_uYrfTT3&+J~$a*DR9x zZ8khVK##o7otmpsLEO8)x*DEtbJ_MQ)jv@CbYih|s#i6cd2Bwt9sskj@mF3}sm@#9 zvEEyP+@=Bxa{IBLs%P4}Yl)(3 zdhWo#nSEl3dLbLl4ydtSVQF5;_47@;FBr1it+X>eqq@t^bSS$m^((-7#5m7Lort*b z5R3+(ukHYqbrKwskq7@Ci0 z2wI^yb%IHmiL)X|0qttYIr+M?*(Z(zdytE9S@?tXp1#bt0~dGEkQ+zxEnpwvO%(Y2 zt$RlFX)eDwLbLXg=s<6d_WIsz1W#1w5>ner_ai$omGg%dVag@uysWZc2qHmEsapeV zr~p}L-??gmmd(|&X$3O9%W3xPjNVUr^ur&dweBf&ah5@o(k?S_0#K@RrXp+49FUpj zYj+b2*oPlqx5u7fxDpD}^?CC6P%VgH^#s1EFwKWeR<%#>4ZGv=zZO%dw!a+HC_cqQ zHDTRB9g9s>0GMM(v>g;qu7JP&qSR@zjJm;WyD%8l+XsX(T%#ybM32V`Qp>WdGK_6x zPGGf<(;2&JCOSa15tCLNm4kOB-=*lpN`Pfd6mGW+BZ)Mcvss4N;Y7k$tWYCjmk&LrVs%yZY#Dxwl-|3IuzC#szG`X#=0 zV_BZyU95TKGYhen5T}PX6Uy=&Q|34u^NHWAMVvSKw_Kyv@|GyW7EBc=4w^pr5A zWifuE`WfcXrBeG>OP@oWW}2uQU7Xf^|DX2v)}{_erV#i^y4(V@TM~>Ot4o&B2qIGv zVDWp$L7Va?7tP#@AFf$dw~^&*??WTQSMupX(-M0t(GHBi$x61DicqV1&xWyX{wIy< zHw>F=VD&&dNU;k=0Nckcm`KW=laUwCZwA7(_AH_m0-O0_Oom6Ko)KTo@X+tXxcG7M(SqySLD z*q0a%AZ2k4ImDTK8RVY*5V_9?R!aAX6iy5_BwCqI2E2xQR#%8sHaE?=6}+-X8Vqn* z-<#XYnzNlWly$2SummSIBwj|SF=-}DH#bbykXp9THz8zT`ImVzj_8|s+6bGaf>39N zuE^4vheM0{1#xs8Mf72Q*ZxHQu3$;s`vzJY+x_ATPG5k+8{ZeEt(08Z1Vmk*-;F|2 z^eG?%db{&W+7nE5XmY`ze&}fn6IVp-HY3P=Du~Jb)&Hx)Ge@?5a;jkwv{;#6D{UJ z314WlaY7TI64nEgH-!gWjIS-p|#9{0ud{B)D zV_wVin^3@yE0IOm?H8*>7|-Nx-EFkdRZ_pQA~?&RrZ{nIKi^*>oi;E#Txq&%_Jt5O zaDPYs$$I$9GINK(_6Uw$2OZqcI<38G@%FcIO+?M&Ap6EM+~rXm+WSJcZSZ(Hp`MDVGHcwzC<2BH~?wuC9$a{+$+b8=b9# zNG*C=djUH9SQFRhSkGruC=4t}z1*VZd!wLj3}k{((Co-rZ1{jnd*y^r>O!ijcJP3eOmd&Pl>wab)MUv4#9jCnFac;Qg-V zHq3#t%I_~fQ}%eIPh~CinIe5~Y7Q8g=d)BNYZP(W>+CW|Sj;Mv>{PdJ9)QPeA>-dRmZJ>tni(&x+E7c)-wLRI)XhZ4L 
zvp*!K^{__3n7pl44wIS_nmCTsz2x*@pEFtKuv)2fz5_b&hA9y^oHu0|&5^1|g^4L1in%8Z$mLk@h$pwJR>W%&3*ss83f$DGd@OG?NCPo0Fil%S!jTq)@boQc z6o1%i7qyoD*CR}^X>d;YLi>-9_!NefvHTlNQonVjCt18rQS4i-z{08%d4V$ z0XGi32D7T}ubBU1>z#rt3$!lW*tTtTY}>YNqhs4i$L`opI<{?gY<6tjopb(kt8UeO z*j1_IDXWr+Z;UZlL*LQ3FZT(_9k0!=tT^b1$(VR)h7~*+K0Fc0=}(ci1*|w3gOPhF zO((TR_8HByl0WQ?C=9}>lWdJ-dh?kMY9V8nYcXT%W=d0O+5Ks%`BbG|^x9^U*c~=d z>fu>R0&M5XpS(Lj>K1zDY3=9_Yb=qhNt>)yWwmFFEb(D=nT4oC37>T#OVxkm1Za`e ztL-$?>$Fp>d)0+C>E)gPl&`-6K>5^d`mO&<`R>()0Fsc_5k(b4>?k8-aC4n!Ib36k z8CKO&F~iWXw5LLD-+IQ7;pHOSvLPGX@FAWhqc90qx`QNBAO0g%1ay%%q@8r%C<)oF*P=D6Nh=wW0Yfg zUp1i$*&Z4VN65m~XLbEu6afq1X;)9&)fW>omR-;7`E*0@T+<8dJ-a9Cr zWj0az6F36pVOh;ED@;nTJ=hwZWkf=eU_ACNHpaO%R|@hqHXAveX^Ax@REK$~W7MMu z*_>raYpBdvpK1N?0Soid+G!C4c$ot$ALnPGvq>Qj#H6MaWT~aLqjk_6@_Dwe9nrO~ znagp&rV4X-ySpBlq`m1s5g-QZb52dF@^ZDY{{YNezs&z=*=~J5=$TOSpCmo(sDmMt z*Ow8HhwntXbyG-;kwdaVP1qC&xqlHPOt8%v#M0(meuu+iCU$HvMF?6jKf@9zCsHZe zOyVn6wc*M?_6rrT+$3g^&8o(W`N}61;6xXj-UW9X5Dt}0wv~iAX2sI=^4cUm#?~%(@X{dx%d_)_ou)Qg5Tnr%0K4m63{*v7g zLM82I3uY9O*2R%T>HrCm;C)y8o+lkDI>i)OYfgbDRkSVl6i{=5o}6W_EF2waZ2#vx)Q7R=f#%z;O7BA zQ^K|3;l!srDdwZXEjJ~e-?uFuO}mBc5$y&c$Fo^b)~B;8*j;4pL%YO(ty*}p@GlQG z*%F^=KW5*vkjetgo~o_%iBZv z?jU7|p-3>l)$`nNzNgBDiPSmwyuhua#e=iiV}+b!cLHPVwB$dXhV;1g;5ZywTC9_i z2zny$aC_ZB4`&CHTgf6+*IpQk>l;h44&*BJV=tGPpsX!WBKQ|P&3WrG4O@stpy?eB zuV}O(IITV{Qto9VRnVA4Li7v=XR)lnQj9?}F$MkZso@jN=_DEfA0;^BtlCUKA^R*g zHG%tcK4|n6)1DV}6VO{?$^5#5*inbH0Y-`i9L03%jU}r(xVJ~NCPi`pWjn}Jk$Mga z4sM)Z1aI(OIY?N0C+)g^`DePCrJ}%MbZLGvtGqdP!7?u6$4ZCd+rxzjU)u$I7ub?W zi6aQGXC6MO4hN3x*hr(?LP&NEfi!7;gCqxkTN6t%m&Lu=T96po-l@{x#1@bG$GBAD zx@1BTc^%Xq_69CCh9$1;qY0@T6_qL%k|zTM?|o8&8oq=SMFshOopjSaHZ5jL`w-aj zfta8e=gfKq9uU47BO!!n8VedLgi>`a70j6B6D}8cw!7SHZCskBrC0g#q^<4WSnOF* zS%EBVjzOv>%J0=>AlBr}qVJ|P15JJbI9q&LH2S7tw?*-i6+udstG2| zgq2|UIQQ6eGb^H|7xdAo*OCLl||Y_(gM(5Zm`u+zyy zmw7ZysEa^TdABowtt11b)RcfNCI|R*XGm8ZYr&KMZZgZrLSZ~d@*`O6DO-lg1Db+TdkWZxo>81+8g+B+Q>DoBov(%4{rN>aT*MC+0`U^AEoVrkSpm;7wjg*Gu%rLoX5C 
zhl`zubz31ODu)Yb3yw8fJBxQ$>}p6Ep8{pLe34*x(Z$gcH8IQyqKHP#ejK&SOO5B( zlUSB}u&5C7y;UYZ<3uPb@r@!0K93)+dWPFL%)g|fcIsmyOM3!_MiLUFtUGN?X=Dfj zUKP3AC%ayH;qs-^YKsOV`E$>&|K#?Nmyz#2yzp5LC>qJs?w=q)gNR{wymyTUxQ4-f z+N)NE0)-se9;WZBhK_khs1=vbyq^ScMP=KW zpE+$c-xNnQLZQ(LhPhap(j0Sa;y+jnMPB@xTlx;hTTHU=<%_@1X4$07`O~9PSJ97= zm+nR)A+nFpu)N(2n-~v{9|v_l`b=RT?SAE97;jokE`y%ISvuFj3lcugpO9V9c8rbVWEeaNewYp`~qI-QGe^1Xx zZFKtSi`lm5Y;tm;;H+U-{q{xBkVD+{=VV49yeg^wtSqe-MVu9M^6upxvkZnQfwL0zgcJ>#Prhw>|5Y3reU|7cG^jtC|}Yi&s^suf|NO|2Ebw zU*g!nrv^3eSzTG~5a!G5RT_D5oX|Xm&sFnC)?Cv)o?(8)m3pkzRhFkZpV=9Fk4_iu zdbaof>FD4;m+ZmrPC%jK?~z~KJyPXH3<%ylk=!-|uP@~qAxlOSWq%y`lS?$NTxiRL zIR|aQpSR_=X41!LKr3H6zV-$@qosjl-iLZ(F_J~qZZbZ{inw?%;E=K+Gc&@tR^wod zV7w}-rNts;ISGB$`?TlD4TP-~c2^W+zRSw`RY9;aFR;dS#%%uJ@9b~T?c9`utb^7& zi@WLdb~HfPOfkFDpI8y>^;pX-8T|R824v8A!mFr6_1H;>ji?Yfa{ZA`NbGKZpt1#R z3ZBG*qwo4$DeNcfew#IJYY82%w`uWXt9mi#!5TU~ZmZ}#=BMYi%gKC~te;DQ#@QuN zE5dI?#r2^~{mjniQb=E-+P7UknEkaOtZVytsjy#DKExZpqS92?W*pW$Fg$=9oa&|* z&W|6$LZtrfJu&wy(rr_-BWTFrW`KmRq{{~3s$}a)fX*CUXzLCtm>KpN+b8JPxT;1kS4uMmX+x!LXX^tuJ+4k&iS(U$WVe%B$~=c=bOrfNI zm4Y#k!!l!D$P(BX@GjA?GbOAFklOd=eC?q8@pWou7_+KHS5PuKwJoI69MUc}*s6^2avH+vb576}c{}PjU!*6C#8+WxPv45EY}Bkp zwerBc8{3eZWr9X#;+{*UFBHN^C6!Y96{Aq<8<(hQXKJaDhi6nuMKvL|d{jX{U_n2Q zPHA&__!(z=?3&xq1N;CW2=bLScd}s#=)+851OS3gG)}F5_dvY<4+IJN13-|#Y!4Zn zA;CpYnHx+o2f)|$_T2(0)B!DU^=q2$!oPI*GuX`VtLNFBaA0wP^IV>cU8zvO4a}4nizzj+_RrIlM4F$HKcUmg~FDqnHl`JjU8@TZA{|4qw>nL5aF!-ApuMqE>U@)*Yx9+MI@0v zl~d6$%J4%@!5=3ZF1-5eXiJ0F$DOn%6)!;RYzSfLzYKiIk`g`nGka5+Z)9%3{OX_N z)}J~hs()25g3tkbyIf-!Ng0wq7`CgYOLa|Wm&o``-px9q*pp@!_Et%ydl&O?&xC2O z)HGTDpgR>p<;QJFmJvi!=b{Wvhn7+@+QSUht$LYJ*q!i+3K)z4_SrjiZgQ&utfGE) z21hjg5-Kw@T^%-=W8r+ELY6txG3qmNK0KQD8QZ2){EpYgECg9tMDs&9Hq5H&wzaJH zVa9$=>oW=(vU8X={*XgKsb?8Y!Jp-A+-W!!b1}a5MR27T5OGCrIZ0Rel!b;9kOl@uEEEl!-S9rl57B{wYsaZ{h$ z^JIX_RN{Rc+1EqFoM}yy`!86+fiuu`?#D!r25JIndGM-xmvF|~{zi#IR~?wE}7I}Jy3NXR~Z0a9u6Ee_h%TnLl1#vsFn)3-QA?ox6-oN#vgUZ}cb;9Dl6qfGtU4O#46{>~y>*LiS 
zSj9bU-#lZR0m0lZ9`g?GzmSSl0_bb@b|&~0;RH|5r(gfCf(&}`mtvXIO5fyV>XWFw zqn8wWId9OFZ>p@NJ&#LRp^{(5$3Jd-5DlNpssiZvy6kG9O=4k)Ig_Es2s_!eJx+%y zUpmvdl&4-x#FE}v2#-HHAGbwhX)Un~ID9^S4kBU2IR7jXaSC`yu@X)nZF3b!4m&pA z0hL`X_aS9j1e#*NnPHh6FT>r!UA4)qKP;Eoi z{c=@_a_U5*$#{tYB15-Cr3Sx$aHRCw)Eo#@@hm{GqHjo@E zQi(o71L~gj^9*xNEv8J5*nq%{Q+T!H=wkFc?=3s4$=GM4k}1rOKEzJ0(Sd-FGCUIK z&rDx{pbX9MUqQL{KY}vkl*M)>g`|*=&sY3UlwmS8T5}w)J|ER0Df4y=w9W58G2J<|=sRyQW5oO3N4axk&+2mjYM)?!6EY9-i(VC95%`@lVsX`W5&ofAE+BBsrU`O|3Yw#ClZ*)V=8HmT!eubxQ zhU>C?PT#&4sDY%>UQd_X>2pEVqB2@d&N>(WCtWaEGs&xZU_bh4uJXf;I(B zW?B(!^+koRo+oHx@T!B5g*nA1Xej^~H~tOdj}_C;C`(tjzMG*l)nk-g_Zl$SPhbS_vb@8~&O0u2MYnwi3x(^lhHRch z1|g8EJ=p+$It`yk(kPKMPNdjbh7=Kd;38>e!_;&^KciLyW9`c=r^xP=z1EJer6JBn z1c6zM=7FdvQVuOOQ>W`j`cwjYYNOMNwm6rrKFi#G|U zrK+oScYnsc2Sk|Y9klJwgHRYO3R&re5=Tk=p85QVxL}Ehd>A%~yU&@qGuRPX;FJs5 zcfKG?J9~g`dHXJhM6}qiGOIx%3k)HN1&8W~4fdo`SntIV*Zq8=j(&!U3LBQ9*%z$BYlv!Wng2=8C(z0={X zGd11k*U{FswB|r?(cU39v$@8#y0yKzx%ux;F4e-p1?n4-8hh=VNw#%)m=-ugiUx^b ziBqE8uPrP^Usz{tdh|V2n3o1-ZY(Zm3=jPEcuNp-a60K;2Msr0n7_zxyfIMeFhbf) z`&_V4nuCA~`Pew3$;Skyb6%tt1JdescW874l_(fn!AHAoMr!O4as{EqKzVXL3*z^n zl>x~Ih9FDUMmse(*Zs13zicK^*-P{m`#ZI9>YidTj8v}QQ2?$lXr`+ zzTb4;IGS;WtjbQroCUa*Xnx*E3Niu8deWpNafoC>|ojI#g$I$IHmvF z!FHMeJJ>ttWhbQG-R}mmDW&J~xeDbnTeEVR`f}y1Bnh)8i~NQ+HX2+y_>`&acHe8G zm)l?axE!62U4Cd^+hf$ZAf2v7%c@dbmyiGHq~)7G*k8XpX=(goiM!;l4Ri;7kr2#Q zf;=jaIb5(hRxw|QBynBzc9)SZT%QeNu+K*_##54wi5K^g7@RO&i=l5f=e!=IEx-BG=NL z*D!r8wAd&g37${C6NDT-H2kD>tUV_}Ql=hZaGQLbS@^#@lnb2K9#m?;KSBm8h1CCxHM?BQVa8jH zW=po{yN=W2Q)fC_G(oR){lhtM61&OmnA-SZiM)MUs&Z$}S5kYC$@Vz4xHE`V@pMI^ zenr%NXX0kHf|TiC_Yb8O2{+`+?A$r~v^h%JoB!wj4RP6AJ2uUm-3k7>uq9#f9ZhWR z6mbO0b|_n7|4PaJpYyUYf9PQQknRX#CWA%Mnk9`O z#0R8_k-tl56`+I?L~^EwisCIwiq^rAk;IH>Tm^Ar6E4ZS)1DM&yFjLe9aun%;GyCA zHiAlCEQAwx$98NoePDK-hanesM^Qv>g4bq|DaB7)*f?}Fw`_*Df{Im!sFry$+`^JW zE-gD3Ho#)eFGr~gwVH3`XqPDHtA#z(Bzx(B$G(_vIaI!N)4Q*f2Oa-?dEc78dicqo z*HWClrCd7Q&ToF_-l1#Ia`)Co@9N@R*3qWc(#E`0T*-G(&i*&5^soT~_tn3ALi^9^ 
zVbht$!dbKx%Q@HGxK^8LTeKDJ)0eilpYK7gfeq1n8}M%P54BGflijmYvf;Oly6e}t zt!SW;DO4HWN^e8Q_g+9l0vh@Lx5KOT$Q)A#jZ5QG!U(c))Ge;;yTQSm`9HHr!2UP- z*m({n7@Q6+!*mPo?~dJ~3N6zBXcszkfU#ZFw}TH+EogQC=0AfrJ2$8=& zl|M40zdmOVT&BSmX%+nZNZw)p>obc$(^mkoEwzidHGZ%9LLrT7Kqiu6K`u-Fr*k=7 zNC0=hWf_8@&H|S6sSS?EztR$>h&)KqJ{z3iL%`Rgc|+VaB}_gdfFJ$FikBoz9j@E_ zQ=@Tc1-HyjCu>sX6)~wUY(nLm@B?gx6#{@}nHE{Y{;wZH$L4ne`tfkx;QketBur?m ztXaApy@+xdgBx|~_g+dCI!*UWxRin#Y=VS3JJ-j9=h~qh-GbkbAa2G74`SPU_X11> z{!sP5QW;OaitXn&?@`Fh`OSsjy+ASm0UbRQg5(#bVz_PM1a{Y(b{D=0!4M3+WK75@ zPUj490*Q79lQ*E0oiJl`>WGDgOTz<)LP$vJMR=DH;Sus1vx&jb>v3(7DhIsR%^$^! zVH(jr!BVM=nnrl=fe@xb8VT6>EB9Am2?S!6)VS~|UsTownlG8sJ3IxBBu;Hz8s z!s7(7gMY8aC!#LA&3nhKioy+fsqtn!?$fwR`a~A=SPB!Y&Z{_3lP?KkAXli1t`~vd zJSUD$E z3}2OwES*or8*mm=y@eu_bS36uBbV_wrDdFD^ELeKyOWwXX`BgcJE8*7cyN3wy<_i> zBeh$Q5ZTL9VoH+xlW1i0qKH#&b9r-{xL_65t8R)6tvrbJy|76@zD=_~nP8 z;dm#zFyp8*DyT~T9(_+;#?o0s7+e2A5RApV_Jbyx?Z$DlcFG7`Vm|FeSYRqgMgfGt zEad*!+dGgyUGT=DabNsMx$ATlD}=Mi9rorz6MY?-VfUMRv>kz#@yC^2oksQ zx2d0=C7r(>aQ|Nwc5&7NJk_7hdN=1@xp(IUsbxv#g+j&CwX}f8$_03=?=KI_Rd?sr zukYNN%P(vMn6nRsPJ@(qlP!7smdw)n&vVV?q0S|C-wx`-xd-+7NDiKWLH>_In~uie zdwEeWF+|^iNFCU9n4wbH^P88$eKv04_#`0^Z^QQDzzJ&CX~y4oT(@N=FVk9OsRys6 zo^qS>gCI$<_hv~ZKytUiV+Ps+5Oi4}1y!XcM&+*dvQ@t-@p=*8>$%tc5OYQmGTagG zs7|WCtOfRdRvll=PDBhxcQANxfR6OS8)>sKEHmH==!a;gS_3->{^7g@9YnOWR79nb zJ0!+Z?s^s_@Hqgb5dlR@o+(l;eUBzV5_&fHlY2Vu;Jh=l@Z;x2p1V9p%;?hAUhcE9 zkQ)BYE@RW@B_hNZOkqa?uCtHLDagP!vA)&VmSug4vCEhQjka)%^SK2Gg+w9pi!5tS zV%sw>y`pzkwKt-yYN9{u!dhk$t*H08Y=;1gSj-DfmuC>(ku=f1vE0Mowq0|&bNcxz zyY(Fs&t?Z$8;D0%)$`dmF{%~s<20)vnMYeO%}kgVbiM4j(lVUuZYQ&_ z8$O#m3;qcDWq|gp8aqz{(lYChotWTd;czo8LTSTpygh5|;jRu`iJ5#>y!DB%(a9z+ z@lazQWY|_q6|D>S$tIwpQA3w+W z5s?fQ8Nf4er)a?kznkX%x8P6Y=Z%5XqX&A^#~kpyPHm)xp1ffD_O06~JzpBzH~>7x zdO)EgZsS>SwsGf2xohPC6+B<-Y`gC@&=UsF^5m*Q1DMV-RIk5;CW1(|Luj2&HFyZC zauB;MkAqqLx98qry;&0#1nk!5P^7)iMuZOJI26a_SOstFY{ab5EZL|OwGxZ#a?*mg7i&-^@ZNRAc(;U7DtilYrzbP-P#~S- zY)YCd2QdS^GAL1==|6kRR{pqADg!?>07kRL$~`M^9r!b~$3aP`8l@j8HR4^?i?sh& 
z6oS1{{?NG;>K`gh9SOBWoz*&06=E09R)1ShMFG~+c>Bvq;g+A)uC$sk?J2od(e(b# z1iIlu&v7H!T!i2T?`eL27gfc%c7OiIfO@=6{pad?fEQ~@E{Bhb7ECTUuUOfG9qSi z!_D>xXTk%6q&_pXxxf_?#~^leKznh#=Uxy+bu+q8+W#J<8qSc>GU5S8Mf>4Rju?`R z{^s0d|1wo<@KDgCP&GCyx@!qVI@FrdFkT6gw+lXFdNI83BpCjcW2d0|HVFBVE&_u8 z!gwlHFOX`nbZsuvnSfv2^B4I_cg33n+WXoxCkz|+6?6m+r^m%qN(1UsbdM8TG2&xz zI005}zx&N2vc_$y z&(s9YARnUP8vCHujc^;bHv6$>unVR+Bgt4Hj5H1y@%P;x812^lNw8d5F~WtQs+G#{ z_g%!@tVFu%-Sq(i-;3X<$CsGzOqapTPm98(`K{2oO|L>D2WC>DHvB8=zaY%VUlEPgIE=O8f8rnQAE8sgOEOzKGys6f^}U!z_f zJ(~>?g=<(t9mZeEj1!V@Oy{_3Tfv|Q=MXPweAF;IGB;%6gHwXV9g21d@j8l?#*rWb zC(Qvh^-$wtqJ^uFPZG%EA%V+nrZ;HnzUsZf7C)rvyN4T8eqP?SgQq8=ho(*&9@=Tt z^|wNAcS;wCA19XCpD?&0#KZ%J`lh|U9g0rCqWJ)mID=ir$@pW=jbAUoH2yrT$VHF6 z_(o*~_f$Ff2WKk8%t<@;N8nyujc>NG_DUzF0b+tLhzbo}wC0sXwkTuK{fN>D_`A(l z1j$eyDtg~~eVp2e;kd+p=T=JgGmeay!5%$do;|BH=WqSkV{6#zViP{+nR;#RzmKkL zm7(>e1J+8oebP-BHu>8%=q&8zfHzwCb7Go=7q0aKr5vs*fKG8uU?DRN0=9ZO<_6-y&_S@tbWsR34i#kfr^z$bGZnJ#)=Nur0YGR(Q+ zQvX}uEjMXdo&Im|t6XH?mG=%SeVto}Mp%NT6vm_=&VQ_wlh(VwwSvc%$NhH|>Bare z8`L=eHozSMT+wHCU^W}Lz!ZMpuM!RujmwWFe!J4V*CxGh``@(Fy1qe<&v5DG(G!v% zH1D<5Ta81=S|jhzO6lc`4@-*bOk?K4BS472 zF1;+42R`C5`(Yi*jmUwca+cf$(6iH(0eW^`!_^eG*>*!m%TJ@jbaALQeO`38`zL!NS6T`KnhGJqUGwN`tfB;S^ zNY=~gjK90@E!w`H(KripHx`Lb@bKi-m-kHUE1wY>@+kr8DpRmvSxhn|@aig%ax?N( zcTY09I&z5^gIo>Op_G^|mIZ?A-~u7uHWV1s1E`_iTZmPPXrD7GA7IhI3mch;Xu_KGxpG(9a8w}YT4^fq2jI&~xN1?}z`$6>h;qAYF&oIa> z&`njbd_`zN7^1FCNYL3DQD{D;0}kBBWB$A4IkI9K-px}&)S#UcC){>sU*qTW2a{)| znudsw-JkSm$K>NDz1xGe4yOSdLc*|a#7v3Ab3^d96<2{AJiX4LbZld2?V(je_97c~ zBIKxiT2RSG!BFhBvGhxTodz=rLv`qD9aomOb5gWLKenS7n^5K(3O4VIxLhVpDRZv?|vA9KD+fvJpERlHoQ zkFQXq9VZJr1VXOMw*9Nvw1A)YeupBuEEFbrVv?M(&}6WH**pO6;?_QNECp;InvfLp z$|gV-flbSzQ!v{jD!aK=(`EiI0i!W*MLv`hRM(1Gm!@4Q*K+_)O_wVlozWe9hPluFaMkZO9FEjEdEhS$n4M+78H~7Efwb48?~GX{S#k z&uWwRQ8@B$`(7!_MsdYKMKMa8f_f=QDhqei;vpqK5bOVpW8@aa%y54}ElcT=?>0^z z?^%rrccoTxRA1J|%P{3g!gQF-X>5(=CBMgPCYA)_Vml+mxny4;wV+z~A)-jC{jj4+ zhSzk3utK688d*FB{!GqPgb6w{uauP*tuzQt>f2H4Lu2mStY90U)~qmI3t>4=k;|=I 
zt~3w~RA#+P8Pd9Mm`Zt35u2Z2GI(LYRYRzUpRn4C_PLjO@5(fTg8cyUXTEfJzC+3N z$vfqn%?`*T?7SH<4mRYaITK>hJCF9Sea4b&C)4g7|Lx8_Kuj6EQFXxEX>l2E)TnZ9 z#Imgt1ZSg{+_vR~7pS#A$|epz{IrqVeTd5^ZjfFV8)z@0_O1fM=}E3FaQ37|#Aix@;|) z<(VRKR%d8vz1;eltmtgPi;^GKkoU*(K^%UrXT`riW=obJe%uWC@PB@dvw^2w*lg(c zgHURVPL2J%BkWHR|8ukkF9kSA#drjn65W44|(W%g>$l#wQ4vEHCwRKh}^I2~dUv(38UVle@8v(WKqFBjIImkCGi zPjCfvq|u1(wthpD>4DRJ&*@!T@~irT5tHOyw%nBBHN15NRAubZc3d-5+8j^=RU4v4 ziFDvos_3|B!B$k60a)kPl4`?$2lUhG5NY-A(+1?Up!w4xgtQfHBwpC?RAPjcfTDi% zZMnOz|Ih+_GWjv+g86^`>lgrjMdtnTIHQ18o#i1M`u71#nUL{HdA$1hz4D`sK1Rp3 z0fd%EE#%RY6BWj+U&$gENu)j+o_j4mV54n=hRjR?afO^#^?-08A94v&_`lbxV|f&4 zrwQy4%W>#`$ph`E^5q3Z%!{mPBVnBDgA+oWA**UFSb?uNh=Dqo`Ni5`k%&k^%fjlg z+GDf$`#_9eHVM!sIh@yizamoagdH|?@)mq4b^{prX^o&1LX=h~$Eb(mq~D0=UIW`! zPS$*RD@&`vRf`oP&-61G?kw7%5IF#v^(rDV#@baAPseMl3q5cfvHWP5v2d<*K7m6S zs`vh)&=m0<=Q)XcAa-gZE1ST);?_T81|r$V1s7V!%WBEg2qc)fm zq_$Lf;)UD%-34r?a?2pRLbvENx5JqQBbMP%UYOEiQ|`3j@?%b*{>s}~*KE4{!mSH21i6i$@K}xx)m29Jx^u-KjrND}sd{g4kmUna@B*dSl0d6XfY^o1CzxGgjVQ z{5@@&7{9aen0hYXW%~;_wUY%(RKfSgZxS&2-ac}*4ha$QSY4?B9x(dNnF^u|K5f~6 zl-3q70h}oUz?q0DfD8V&6$%14(kRv{hK9H&G*rv zo&FY23@ZLD$xA@*%}1Qer$746h#eD*Z0lyKTbV{MwD!IJ{5OB6%uU7q^r}fn2>c<~FZ6<}1p&x?f7y0hJ$mC~Lfq=;1Z?m=LaQ?KlQTa@zDOt6 zrsyPI?Z!?`JPF~i-Zolg+i+k?wGfL&0A%|!kcp*)B^3uM_@^SpcCnu}y2JxAM)L&OVV z%As%r5yX;N_I6y84W7hBZp)spwTJTwMr-xZ#(adHcrhuf$mOW%s>w>ny-~s^oh8HW zXUB_Yhbc^lP#m~Vc?>v;!t7Ltz|d8Zs=CTOnh4m{36~v^!Wor!$q~n~P7)L2b>dq5 zX5yV=Wi27fw8J9!S=XQish$^;ZG+FdWOF5JsAjeGb<0^|5k5b6>mrrt08=; z-tqxPUceO?jY34W*Mu1k6{!c_N+Ci(1i5W4oJ#@ns1GL!r%(~NP_DS{KM7=|;?B}I zwu>eULwFv5QxGaOlnrcmE`7t6y!J{#-U0MUE@8H%gN(7qwu-nk1`uR}{0_3=ls)`3 z`A?8dw+@27b!V*H(Q-NbGUkdHOMU@d;TaYA9K&yj<%{abUXhO}biNYTHi$v#bmQv) z%_-Q@*_Tu?*i={o@nbAt5ZtIAljmP2Yl@(Txcv_4Hsa~es3~e@ZUgc%0_Lqv!JKxJ zbk`Fu8ouM5CmCJm1X+2^VxP{)fNN+6{3Z7ON`_f({sD)A!IghaWOE4&i`U`_xF%Kk zJQ2Pt9mi=prUFe=(*+9h{z;w%^zsiR*^Yy(R`XrC=09$)*9YZ0x*A6^T~p~RW8r1b zLslZ^G0WdJT~DsnkzGqU;Dk?TxC@fIrfb=ZFivJ9H}B 
z#0Yz!Jd&QBtnj<4BMprw@0HDNymIHZ2FI|NV>XGk#>Tc0ZYpyGf+f&3K{uz@P)7or zH>}hRbNM!p*TS@G2BK3Wpg-~mOdcnlNn7*lS5x)tG*FEX;lw%;n2&Az<3#)XN-Y5f z9KlH_ubExJTmEYq5qG_cltO4XieeHPk?2+YGBjymG>>}pW6=jP$&*j#u4+a55K>u- zybW9FL$E`QBM*xv>8L}n6(Val^=5LPq`QxvZMWdw&4{ZyUwc9=| zlt|}g%F+P()(Vb@?zxQg#_a{JaTItpgF3}Z-G(@k4Pso#le#w4tcO8WSK$l%!!uTa!b>#UjSXqm9ldx4C#HM^wJ0-U z=#BVmui9Biwamdv@W9sdiKC`B5p8~Mb`fTAKBD2P=<~-eqkeWtWZRk<+GYrRw#>4| zrY&2@C|)Z0S)-<>jQkO6v~75XnoUFE)CmfoNli;k6=mu2Gzju+f!jIHM1dRfQFR~@ zRdx^0z=kMWK=qTM-aCtL6bHL#gO*EEzFn`Wl0aWvQL~5)?8UgJ*k!dSk9zL1;(VZW zq~R=Ec|HYO9i-I|vlM(ZD}74>-D*u|Ck_3WKz4L)pB}S}eOR*)wnnR2H2uIUTTKz&~P_$ zqUU6)Ak)RG+;Hc{e7GaC)<_ZNlo|$X_Q94ar*l&sYaM^1!E&@5{lQ}0oZ-qUmF!I5G%GRfa&MR;5#Z8k##dyiMX(gXH>&?Mk>~6Wyxj1Mw+s569X>k~pq+mGsVVB*o0v z$sUB(toi=?R;&0cfnnZq)i9GZ;alP_Q5rC~BQB1VQC07e*xdHNHJp@Q2IH=TCK+ko zNK05Wcz9}G59g0V+MxcJBrmW^2?5M=ctq`@oveOAk%9Ek z5ySqi@Bq!6lf0f4#C>Qq4=cpSO^?3V zhug(|WoN^=3k;>Xw-EAgd~AjBWnTDYQ~bFT7XJvN70QUsK3dG5aCo-Jlx(Z>mdqv9 z;qu9jSGwntny_eQA1uE%^f(Sojk^bgqG1evcR~A_S@Uqy=E*XM{=tX)l>M7|;n`+N z&Vj`{(V`dVfuF48ip9ZN7Ci zKG8X>bD1@yZ9QkffLeCKBO;C z!+y1qcD6FX)^FV3uO=1}Qyu20hEWXg?DVGqqNO#~{c8U^Am^y|y=Ap#f@bA}>!>Xv z4Fxf;t3>Ij0W7ao-Q(s%Ov zg?+HzU@@^VW%PSn|C(Cqxe>vbqJ+?V6E7;0%~Brn^St;Zfh$Ag;}zsHXyXo4KGB^5 z$R5r@Bn%KJ2Wki{d}drtwnIM;l~T|%uk)Z^%L0eF;AT!5ACS9UV@MhY3!{s<3(I6ZH67IP__rPh*eq>l{ico|Uv#kfe=J9DKb%^>cdya9nV;RKhIhP%%T>VEAXZIo{J-+OY+vze4x3}yO z&tvUJt*~5EQ`krW>W_0*N#p%dL~Pj_I1-dab_qF@@=42G3~d+!&)b?yG0;`Qm|{B> z2o(nY1!3RSQTWrz#*Q+WemA|ISPD|ff8JJR_C4o_`YZ}>|qaQ3?ar9q}L^zfPlJEF6(m=x%==Nv{o#BP#5ULw5KGAmB)Z^^jSi|;_0ldyIAhjW|` z52A=LOE;@Bvu1mKbw7Ng!A)4C$YJZlWI}UX6~HP$(E;ab)eDbb1DrH#EZsc!oZWq_ z4Ay2@VW&c_UxlniRk)}{DWLV27O(9ceW7Wx01@#EXJ0}&`m0=n`R}7hl~ICYQYJ?R zyo`mGGWIRYrX6jc;$^D3;ycS{OMpccq+}@l3J0Y`M|7c8`q}@4pu|B!MMat zifY%nKt%5M{@+)$bfCkgbLbM==_qnO<3S;6$xF%x9&qu-4gbDYXM)Sl5x{V34X=>z z?d+RmYs^agV&RN*BA(nZ?$l;y7^5ws_SuGRbjva`{KnN)=1FK5=M&WHI(7%NRs-@% z;)L7b$Nh|-tit-UF(Xg!J~CNGt~Ufv&5~Y%fhK8kE9>1$*FPNYA*<}p??K~$eOeJn 
z{FXp+*8AO)j#+xPB|u3#U&T$dkT064F(Oq`7C7*yKuUNg2P6o;re5vzlTaG9td$F1 zRFY6^l#S&GPzBgLZC?(UP_IOa&I89xveZ%a19`t`)j@rfCV*CXR?!gvXw?BzN)1K) z(n0ZTJ{KN|i*dQOQl)xs znW^)azL|=84H~bo{P(sE%=)>{;)dq$2QWiyB}2W z;fHME(*sF%FPYbI3dl|2yjF^NY!XT+J5uUWqA|D9;2Tuz)eLRg2JPtW#7_?L4)FbHe-X0bK$7 zIEV@&&?<9E$yWs%b|h_SE7xqGsyHA?@~O1ok3;vM7%1f0lp-{Bv+<8ZtkdER zfX7O+G1pRct0YmDj}8!lroiR)3z%B@nFkq>`k>p!-M^#^q|Es1+Uo};4%Se|A-$$? z9G*qPqhM@;Q&SqU``rjJ76_ZKbwQ!e?7QPO`)#1hfNMfwRmkUWvlh7>5TybAes9~N z$Z!M!JmQ|s;@nXBr0m>35X4y9+KdsUE@&{|z2N=oWNR4WIN-aG7v zMwf=P?dfbm+xj z=)nbiv^_>!gui`lkeS19Lz*0tWyeIOr&%0l_zJE{bh!bfzd52w3*dR<0pl}t4|FFb zgP`U?e(M)xwX`FLJ z9i_hhAa(o}>fxslY&_}Gi-K}KZ@Mzm^|O#s&#le!fTHXTwR%6+bYg4BIddyRI7&5=q@zkP&TZWKz9NVF zq2-YF^SUkl4tWxC{N?-^q`y>@Fq_yIevIti>hsM4?P^oRLj^$1j`32sD>bBJ7<@mq z&k5o&>iNbI)D@e!!m9%O@t7ydTTFX@<3h5_Cx1IiYqt}?I zD&y<7mI9f)0c3W0{gIsxb3rnWFpuHPiba;>A(%D@_0^ zJ^WBjsZn^O33DyVP|d#zqw3GHSMj6SME;}MBK%J+PWT_jJ>tBA0yYffq30KYt7F6q zoKJL_E2bqmnWjt0-**kf&sON`p8w>y4usEf$c%7p`4y3YFPP$-@_z%1!JY?D*C0;5 z^W22w4cxn(P1Lyw9>6{`5%B{@g64FdHv!+YGiI~&Eg><6-Q+(jcufn!2^;x~Rf zf&^U6-LT6q$=rhlTpb8HGh>Pt0MJn-D3AClG-V>7&l-)fW4+{gLIHmd;d4Qx2{YVv z)lPjdI>C1|%4+?_`#6m7$$^K$8vOIMA3UIfVAU$V7Z5yrwFy>g!3-0CU2FZ19drzQ zq6+T~%5k&peUtPpF1qq^jr{^&gY-d^72I1BHv7FidalVwYo8J6h_W!Zry|R*8M)3= zQAw#aSP+ID8CDTXBylRyX9h7!ycZNUeKgp+YlVDGw*h^OV*kl8`6cfC3i3dqMPazr zG7NI3k7=W@o60Uc$}5B?yvr?3296Y7FBsg$9E?DlvC)sA4tzCCX$2e3-k2CRrR&ah zqb-TevK6{7zuh6P?K7#t4bd^ zjZCg%XkckpY9pACFrOK@9kjTu`$UmN!h4*bPkb;+6FEStDSRXAPbo|t!CP>2nW{_@ zOGpEHEiZezqh(MRswF1*LcL;JUN8~F#rB6TeE#i5D5&lrSSi6=!6^c#IYkLIbvz1r zhym|-d+s3w;S{zJq%dAJtI!-PA^SZRKasg=hSN2OMxIzr5EUs)=5SI3o>VzPIDOB! 
z(7(LtwlpiYrM~%cMb9;z=GZ3lMduN;(WKfKye0yOH0ypJ&TfRC3mkSYyupUpJsD$g zCmHc)q&B96zW~xQ{sk1slL)Piv_1A0=?88q*(dCufW|{gE+hC=D#Wmx(GIo!q$xGu zYx1EUJxQ?7sB_qws~#`=V+pD;9+QlF*VR#;oIu_-Ju`cm_O+6-DtYv0fwiO3^KDT% zM|znTR;WMn##TOPkwc_q6;57#zTbnKSZp1b@17Y3avKMn$A;j`V{n}Yn7kvIz;Mp) z?Wj8+6kWfvq(-=2-8J##70rjmr`YR?BwX@i{GsJktT8ivOzuzhU%vsEWbjEq10>a9 zxc{*6Pyw;lX~ZByWfu%E4!;gLVWhgcFWA=b~REvqh?D4tTkhN!F` z@5SZbc)Z`DwS?<1tc@dANZ)gXM|LFhaLzSHr70pmypGe5bIaS|+P?@;MSe&_H{ey1}%O|3I6Gc^I3JTdVK(Q%3W(C}EdEjoknL2wy_ z>>$OH=wS8Vo?93P*O18nw7j7l2cUl4FHF@fxzI@X`{#XZCG^o4I`G&K38uE&nSmQ4 zsL#Dcub~GHBzp~#^_sI?Xj9xT3ZJQ7!l<#rJ0sn9r^4|Ln~enE8@ydF45 zWV#i=DSKG9$q0`VakRKpQ6pGiD~J$}U1(fcj=L-z4WR*7fn)&^wuX+RYb~O=2kark~VVcEe z_V#QD)B>hL%N5Nal|1M?DinBQ*%*F-E9-(^0myrpC}3h|cez1XR-Sr<7_0eZhJogx zEC-##4HFK0#XQ(1s|2y>dot|>^#%xTQF>bBS;bWN^FjQw)_I((sOmF@jG5M2j)Ekd z?Tj2yWq9ZFKfsRg#FM~834%6S=!GKYYw*1hTjU}{A{aeRyFSX`5ip{wB*y}IVyYXg z191UtA8mlwa*dJT;o9OIfyH)aNXDoe$K%3gL5si#|L5~;>WJ|XFL)6Ahe zp@h^(l5d-P9BJ*JvX$-%K#)ylM=kT-7_NRf_O<7>WFr%$b@aCpR)q>(TbEkL0h(PF zcIrR`i~E}C!I-e8Ar!d?T9rH`bt7~2qA2r#Mu|5!3`Cy{H5T!_{vfH>UzS^}b5r*% zc8u!p&!wR?Dl*i9qS@heQ?9g)Mak`o@?Wzzz#n7Y(b{)+MEH!3;r3e*4=WEQ;9s4A zWZM?Y0#pP{7B#JIfs561P-4zOfG4wvk^t|S%b3(!8}Jk0Y#63K`nKAik3Vb;|7lNv zHeI)Ry5Y5)98Z^2u@tH`2m7Id&(EjrW18*~-u@j;yK_@|1e<6}n?~`(^M>o$B*a1q z8c0?zgMiPw+l6)fSoZ)616$mA${~N=ZGA(wU$kI!Ky4of_+6a4D0^H;FuoVCdhM*3 zm3@0IHhWC)D(@EIj#bGX8gHJQM=r>32v{2yFy!SQV`6SG6w*^rhQ%VuHc4J-$NFWS zQCd7o^OP*=4C0aHA~LbnUPK{AlweViFW|)hD?hID=I$5$s6k8V@sM#tX-Oe+M3TC^ zx>%{FxH98tUhFI_@FVRJqmVU*wZoGLzXa_LT(9{(e7g&Ht*@{M78xE!fn!tNGzn{& zhp4HRjST*g-mL`m=7k|Am z;uW#F>CgvG0rhi11lObAlK-5B(-}n3_4?=^fW^#y(va?13ns#x_fBcCeq8zU@#ziz zoe46b6A#44pjC1i<`%!3frr7n{h;h!zj}L$mm}x3JjDwL-FrEP44zH{x6q-CD$k35y3V|mRe zX+@WZF)bDsn~js{t9+cmOGP}UWSQWckJHuXrAt|I9+1p=IMjR_I(RY~-+AkCUh2~8 zEIt+^H`D9RSGHPSW*ASxRS@BSI$LCk8=;q@KB`|zo@v@IN)aFuHi93OUaFy2K;itO zpC6YhgJ7HNGzOMmF+qE$zw|D&JF+K}Kh{ga8|uzXr};rMdFt5=nZhpQMj zR-&j^{R5vU|D7OU@QQEfuut)7`*U24p=gQ+juG*sZ1(#W>FYv#iHAH)~ox 
z|3^6qZzjdC7{%Ss#34NnzL|E6p0ipEa|;LJN|nPIBj!ftO=Jq6F25bs4i^+bAJum} zgo5W#$IlpD=IObX0W(0ijv7!LUUAUmxB%m@vSx1Q+{&g~OFI&jH2|>A- zg&kR=``Rs`Ir*D8Tvy@aWmm!xiEEI_X^3&4XVRA*lW}^NnR*rmdL$u2EQiq#D0}C( zEEnYTeh;qSH!CBikq;DcI!S1I@Mlwf9QAg**l|K>9okDU9s^w{?{Zka&KRXlmJ#{7XEO@{p)4=`FC^lV#o&2cguxw?wq-Lf*p`DFJ)!hD8iLAYG$_1-@W=V77uzV zN#}G!#rvx))0&fi%u{nowjmb-3-JwnfP@uLRi03|0ni>|GEGthW!c9+&XTfh@Vx*+jWI z1R?Tb4SQb41ps?hPJaT{w!nbD*L*S_Hu@SD9+p5i`g1j&7;{(;Vj}axYkl$%)x!Zf|rjJxRK`Z+m z>HX~AFvo<4+*z_P$JF=$U>f2azady|z%=w6&J1kvW`wIQi&o%%r_hWC3-M%)Nok~- zYjfd@zT<8GBEOx1@k|1B0~t1GJI?5eiZD7|u~nbr*&z6!0~!`RI3-lk(=PmNa91|i zXOL}7w1@Xop{E9x1gcz$6eJIOaHhc&7CsFRA5RHvZ52Wek0&!=n-)hF)CbIGOJy|% znvL0;Dd{oY*MfM_!~liOXr-RbeD>WvZQB}}yE$-l4^A}7UCAEk1XXU)?OmXv8*rBn z7!?p}zVbApn|H6Sc6-KI+=c~W{SN0P)JPV08U4cAKU@rBWt4TP{Cu_ zsBzY}&B^xUCqd?V#9OUHTz^&mZ`tYfhZXME^oMn{i3W@+|eColghm8HCa zp6#XG8hv}82q5Eu#3g4&(_r|^e&WfWW^|%rKK^5%jbMdZ(A;Wv4Z8;(-}7r-^R7$@ zZA}YDWOJ29bGaZu9vz~_KjKotMqV|Lj7f4rf{JzK(c0is12O)wm2iQ>QTi%Mg)MQMAA0Z_b%SRQ>FweTqlm2EixGh7u^M!5^)ZIw9)J?W(yNp-~;mPw$POpA?>| z&^YM-r|@coKPkL|8X;<2m76J{FsuRyT!D6xDd9g8Z}~qC0$M#^1X}%{1wntKSwY^A z1j9Wz@9dW`wXJi{T^Iz#=Yx;6|DgR~quzC1|2fCd!A8&DQQ&%p$9!)sti4dfPw{#X z0}zfv;B%tuWOYe~HFw9{V!=g^oWR9F+F=Oa=SJTv$18dc0CItUb32+twVrj#6oJSet@b z$RJTxBR|i_dZRKnr>qmw7g1Jh5@64tee394GcIk-$-doJ_%3L)D_P)swgV1h^}@3< zXEPA}8l?jLC{NjSCdyu;*f2@N$T@b?Qz;3{!Az_>vthc$gh_(*rV`!jwt`Y%v!_Y@ zGMwpUy^DP~HYf#43##=dZX82>5SZoCL0%5{yg;Y_L_ zE=0l(+fvvHA({{~sD$3XL>|4_~MidPC~PoW7}c<5x|^?OgeW zwtUrPiFSkGsZ40!r`E@uWTqQO{mly8bfW_%@DHUav8o_~|28TfGWP|X5I^Gf&|!J9 zr8p{(lBq7QBzUz;Nq9^#25;8ds~4Z^Hynz$4_mg&&a}+A*;Vz_H|^Ze(9yH7adle)8SJK%L6|o!}2LX+F0GSX?1;xd%^t7Q?tIYb=f*aOI2+Zs<_xb56$LGM;`02| zRTbdeu(^K9+_KJ7({}Chluu78EuXA!aY^iaT@O z@_AX@($TWI@ubzWy6H#AedC;qxz)Ek{gkZ^LjFWdUHKr;(sJnB0-wIQiCfdQY1T3I ziTl^m^~?J>_c}n(l}B;!6?Sq-F;&lCl_9)->`vH`l`G@@^YXKJo9iZHJ>!%0LTOD? 
zdV7=i#KmRvYq`4efurEWP~(2}b~d1iZ%k}sFbL%U}6w&U{1xu#{+as9pPNT;Qz zp>1J(^ZbdMHV&k2g-m#A`^@qZ=i%vXs=5W-X?^{a<=I8RNpJGW16?!j!t!us-YbF+Kpw7+sMKU#|pk8zrl2IFM9xuxgyod=;A z_H27S5bNrd9vjYiv#a^o+2z?2Pf!|mVy2F(y^fW+No-sewo*@3?yDVfci+QaDd89C z_{STPKi@)fTqZ&X%?Q4A)Mc|)1s{f;a_&_cNe7;xGh16K`5M%@Dd@yDDlUf+smno! zRs=y@QBwMI2U&0weZWh|pd)mX~KmDri-q#6rC4L^Iyh~|=-WvH(q zR0W~gdu}R>!?u~A6uq=h`I_7?_ILl|5y`qC)%=k+nl|hhdq)NdAbHK>8m6FD&K*?3G z5y-Wa{ic>IAeHrU#Ryu+wLfW-uQGD&|4*AhDu2=@YoKLw-(|N}bzv)IYRZDKqE_{P zF<|Fk49IYzkH~P6b7=4{vTeBORi-CS9}%s|%jtf>Zw-;+$+KsooUY=&W?+CB-9OAKaihJ+|~bf$IlW4 z)?a7GqY9e0CRJB&XaL}so+IR0VA$_b_)!@0c2VZQY7-YWf$QLrpm@is3<6A11{sNQ ziP2v}$6^ZR%Hx&c?qPK;`Du-Ph+oBI@Y-x|39}A%P;CK*zuV=^MCSWRq%AEaO5Y~v zp@1ueTsJR7?GjvM9r{I`jOdQiJdqMm@KERVHfL;Mb6(JV?TRdC0w`s9%W^X?);XDXXtTBJ{zII^Li1pL%7`Y zq|Yyi8(PdXxB~ui%k^72e|l zyl?0gcdjxD_Uwnd`iDn1cSLAOf_Q%d)FaZd^e_IX9$hwh=}4r!e0i^wT82La;Ucp9 zw!<}rn%Ejclt@L<4}iJjQDgv#Otd4qG$HJc2J3xrmD0&N&5|l#H4IHH8x`_3}5)-3vwn6?S|6 zpgyk|eK*H^@>NZck>Tqc9jg_HMwNoYhCIO@EJJL97elOw!w@Z8K?6}ViMU=LduB{) zzC8qpR*)p7)Z_}iheGNMTW;>%;3D|$6dbGt;+Xf=8T;+d69+)fyuKZgoGrdWtc z*1BW3q9F2|c!@S}`Lu=GVIL7qz71OH_$-@WVAQ?OEd`aVMRo zK#JvhV0;Tmz1xdgAw|lyhb8HMbqXuu-PuAzTS9{UF%kyzBCjxD0}EyQ^%K~H!Y@iF z?~yGQ>SNI!5_oc8><3oneR@?UMB)=3AfZD9CQefoCGb(y+m{XUeY_X3q$T4gl#{N= z2hd@Mj1-37h?tYwQ|By7%_s*Vorp815wH1kaEA=L&Em(_?qj7Vjq+j)Ldou!3G@%6 z{=z<}4YTUe(=z~Ua&H$qBt#H6K`BFQ0RB-;3_@U9(Yv;D;X(r@W@j2avg=8o=g1h* zv5dy}bxIp;yp;9vw)1xp6yJ!QhV=FjgZUTEfTGx`5ji88#H6qo*ti1Rb4IfK`JzGk zg{gLfgBMHDl2JNKfr)XW2H9IFoGTscZS3c_&9!FcdUF%+H>%S6)Nppwg;;%7^ZI%e za*5Sda~Ye=dfU1&ccaky8&O1ie&XW#<=16I061j4D^6^p6j!g~n#LeDI5_z6?Lhif z!mGsKcGuxFatrnM#0T*a>662ezupb`d>q2&@L0KoO6yeR4a#HXl9Y|Jt!k%dghR#K zgBp(8185PKtktT(ArimB7*=cI4Z2FuP5C|!{{1>eV@v8L83+Q{{>V9!mp9;YZp)lu zyG$DlLzd1ZIiJ1d3_iJ4z^pKQM@bs?pC=-96}H?XKe~IqgbA00rAS(kfW4iq;nOKc zdCz9r&54b83Yy}4yj`V6)iVtvID0-?)5NDt9`}@CfNAh747oO0r)w%FVH&wpqc+P| zn(j(NGxkIKq}8IXZHli_pUDXc zoZE@?i3~@9k7q+;nr?H&P06f7K1@#hVN4W@H&(A}aF~kY5Ua4cv8axcAlJ5GL5JKh 
za49i;yNo?D9@`K&7QtaOjvcj@VjH{6)M9YbE zlyKSMZrwX&KetpIW(t)j{~J$lSbS2l+(VKZ!JlK!-*Bj9rcdO{cd4qXRaW2r{VdAu zeRlKnf%Sn{V)gnz9Ejj-|H=s5 zqz`imw#9SImd9yUQj9Nr?%zy(07K~X`sF)D-9#ncPJ>aeJMiUTAgz?&`JbZ%kAF6@ zB1AJV*;gg$OAIM39^*##7Q$wW-yHKXkFUPtvig;_pj*>jf%z?3M}Vp*ikaiA6CjhW z(3D>iyuPRfCV3sKL4qQFqi^>Dq$n5SS51}y9Uo5Aers}Pe9pMtnN6#6G%To;>?qMl zo}}8iWPi+g)Tc=MRwrpsm12ewm8Xs5c!T9dwTCyZlGDf9iU?_t!aIQ?^!j{}fpHZV!)ZtRbVHbuN!d2pgL5kT zl%J-w;cyR`F|8e>e2;yy^w0grUuB7Q*YeX|8T64VwgsKznUsXzvd3QOM%%uOW%1M_ zdj_il?UP?4fed>?)4+j3)y*(Jg}fDK0gGwp?Z!@hc z;*c)SvZgOfuMH;?o7b_*fI?WEu=im@nZEna^cFG;|hE1gI@1xN4aDOr(Z^bas{Du8^$Bwy#fm@EPhmVc>D z*n6XO=;qfC94K=}8)wSYMio$B{7C~W;Qe*p(ND=`5=iH;2aB1)Wfk$PHT^Mox?!FS z*YK_;HI+^Kjj{on-VUwA+@3qJQQgsdtB9-Z-U@9xGW%D%S9M*Ib&u9}xium@po2e~ zt`!=@#m}6BEUw(>-}o{0)CQ>eIFt7HiD`GH(Ed({f z{K_M@yD+U`-K^GPtC^)?j?8ghHGT|spmSgk^}uA!nSDNr8Liuu<6?(p1{DgAY_D|x zHlf}RYEzTqJrbT>SV9j_EJ@cx{q&)ip$rg-anY0kk}7Nd&AC4$^Wyn@vpU3$Um^C| zR85v7s4uAAK!l<%Uvfn5qpzo9;R&CuKS)RLa(O6 zcF)ruBy1Ps52=(&F!l@`tIWR?=)HS|iGFQ|LxawBsQl#yn_h`TU2?=hC~Er#Xuy$x z2Re~l?N1aYQN@9V@Zp+K;LtoY4;qIydg~Yd)%eR{NwAz@yM()8%T8c9@b(XRGKhq2 zb$=gVTh{!iZ24mXGhvSY(;6u**giD{!VGm=@hb&QFEbM@2y7pq@avpYW9DQpqqJKb z1j--8abu(u!o055%sClQ*ER!o$Qzy=k_}y@mdm9UKBJ z!W}wkQ7AZc6;Z@o#^sO*b?zRW&5P2CHt0|uk08*kiICciDp2|3pZhCb*kPrxZL0{kvnd3}gH2ktc5#wvg{@*F$t{77N z3(eB~eR!66{B0A#*ODxJ5*|0RlPeR*z2#n=Pr4<$=rF?@FYoj;9U8kGjt~QNn%tpg z;A^Z^csQ{OFX21^0Hg)Vjam$mA22-JK7Wlk|5U2(!RDN0&|V~kc|Qe1)6{tHz{6w? 
zNMc0jFA^mhbRcW~CC-cr)y@GNmPbEbs^3~=FxzxnGpTnArR5!^g z78#~%)s7t4DY3ZyK=3IIv0nWiVkOxhw=@VZQ6et_Uda=sJTdnLz1e(&;sr*#7?S)t zW%j2)%3$|7GnTDS)0Scyk1+JVzYtSt(6m+^%V?o;xIXkWQ|-yrAz6K8PV(-y&Q=iClIy{Y@4}k-(e0jn-xebk!Jh73iUTgowfR5`k zBo3lt%N^0@rklqr{xs6LF$8X|`lVWb)QxywS4%%YzWW);+`@AI;ut@xSgmha?8JUK zMJ;P>&kIiEr?`*bVl=^oJ74iScmpd|VwfP3R%mu_LPW3AxypoAvsGy6m&S=c>^0FG z8n~_pWWp&;Kyr1eN&a6UY{5qVXH zLXyEyV1T-izo#oQa}WCO5vmg$VM;U&m`t2MNfv9tyZOzz+PrkZsMS_cUoQ3OR#S7o zgpn8gL_8docN#JN_|cuf+=cc^CECSd7rLW9?*r2qXtPodrp{Pe>bs~BMhXZCFFd8n za{OzDEAPWWCIqb#Y7g11a$|N?YW+567gnF*6@N7l74Dy)f-&Pny2sRWb(x?o5gZ&# zl|tRGz$tg;(-c!>+;ilp(oBbNht~Va{j{pM3riVc8tKHGTk^{c~^t(A)g33cw%(@CUQgdL&eWi9HkRkUum2h z8b%IvsRiIV4XkJ1Enz1Z3G6dbZL`Do+IwVzvQZY;-|NgUxC``Wcg%)~SLyz7R!}1C z^TRr|=?9JNUf5W$HfOzpl73CkYq#*?m)ditdN!L`a>TnR9e+Wt0-IeMT1yxKk$N-{>^-c-lWm z$4b4?YI%-J)o9GRkx@GpU`JfAd$4tED2&`yRCh#~=1tdz5;ZWiQ7v@&kGbLbg_T)p zVDXY_FhZzg6y=E+?k(&aL-VX{34TM^B3+!hvPkmgp}nbppE9ioW(4g>(_T}yv(ivw zACKwBN$~NSO8&I+Ub!~rOdGuKK7hP?BNGqUu9K0G*>!e8Jhf3hGEbzyy*LNnk|1Fc z*mFv9WwsBG4lEB>(_7M?25UD<0CDh6neS*_bl0O~CFiKW7RDSObqg0v*j;43=+%&B zhYw)IW~xV-+Ecdjv33TVMzj1ZoC&EuMz-zA3jZuQR?T)t*#r$_!V(@JnvRHkKG>W! 
zQ>(9zq)JZ)B#(M->g^w_Rv%;h3~^t^Y@m4etKfw_(yY2wv2jecW@?@`a&RRSSE$97 z5wU`s?iHwi~Ipxs@j$W5b72=n_xo;EyZ3D%v2eon&F#Qkl-Dy>R4RMSIk z!qwq}J+;k>&0{-E+!UQ{G@i1Uq|DKlT>+jVfhz0lQ)8Zx-TAHEwycm{!PRtcNPpHK z+q_GgzXaJf3 z28Cy0wsoReBqTeE&3uO+?;9e0-#tA}95}}TcyC7Q3elZxZLNOd_wbDkM&0{+pN_q6 z_P|4NVr;){l?SOig}aT^P|o2F!^Rl}5df38nq5~Jrn`hYk`7H-8ru~Tc-5^ zfkp3u)uoOFjPBurjiuc5NG7A(F?ZJ~yeZeCxVg{h)wyJ2JWU|0Jzl_1ly|^WCP&Pl z3{q|wbI3o|WvXX2UN2NYhsw9MhVc%gYhgKCn#e=8b0ohTGPWVa!J$_W?*lag>yjtI zF7O?XfqKZIsnVr`mz9B^4}op=qz+b?ayGboBqN72m5q%SEgG)Vx!oP=1l4266q6?A zRu*S#Ehik(^c+TX<#Pf26-kr1h^$K`-xgDpAd|aii?B%}o4D^Oe&8?cl(sfdq3a0h z{?54guzw1EFe_$g=}Em0*M*GRm6(cc>*#mukmMDnNRv{}Jq8hM`}vEHjhG1)CS{^1 zQN0I_sMC&3-}k&&W(rR*cfTCJ&e)tJYDsFKX!7HViIc5C`N}VfAr$mR^3QzBowsOzEim{e%7ADS z{~jrlkmf-3#<}1-r0YDV!?$9Pt|%s!4PEVyTFK&7k#E6NaKyehh}4r|(z@d^j|-BB`{Rcsw!w$<#*tpu^&j@-cI8hif<)Zf^h* zm&|Gcx`BQodb&qh;Z`R@2*pJbfjthI)ua`EVG_$VW&TRhmN~6&h}%NVR6$td>+OUd zm*X$V}R<%?m+ zEopE7(Dfj!LTJ7vlx;yexQJk24#8-+pN?|Z>qKE2*$b?BK^`X&$0HcC$Kb&fTp=;4 zTwk1z=o|4wzwleTr7jYy@UI1}Sn0xuJ7fv&d8cE9aeiObo_WKJBj|kQL0% zl#H4@u!Iv}yo2%ZI>acdsNRCV-pV=^h9hGz?0V5_(r8^7IX^L++v;s*T#*nWRIy}? 
z8X^&SbJwOT7?S3gU0u~y(LS;p4-lK?NZqzLbvmgYVEK+kVSV|ma7oR6JlPy&>GyZ8 zX<~ZkpAV@>h>qGxM=#;OAO`;fxzULzM=cZAg$ONn?;}b_t%|}X%Zgi^4WZz z`UCpTFW2MExoFQQel)_%2ptYvPf|*8Pf`T?qmrgzbx=k@7!5w@E;!B^`!|zg>A-TM z$;2w>GVAGYWY-@w0H2K0j+aN@&#=`9-gkr+@T&J22Fnf5)nj|hHjI%8lEZZ!(yq4@ zJ-R3UhIeg$HV;5rZExt5$&V`zndJt^4pAtqgEi-K8ugQvKYbDia}w3VEQ+jJD}V3$ zP^A+mm^*CZQL7FfQEl)i(Q|MA?x(C(b|ir8^z_Au0)zvD0F^4z>A7~oR1gkr`^9CB zUSDb6Z*^R9)g)-vOSM9lJIq))k2pPf2Xt;7^G0+{5RDGr%TRKJTPYH$LV0XDO4?^| zg~_prRIC&~YBg8OW+{Ssb?3?^XW!t^0FH7#`JHF`A9`(R!H-;@aTT><_*(2h$wsIc zlr+^kSd%5+V)Lbufl};fY+O`HK^v_y)Pqa598Q18u(O{tnUe|K7gQ4pL0~ifnC#^V zKrqQ#$(jQU5Erw60%}k{PEaSy%rvyv&-XbEoyKi1?8q2YQ7*Eu9@OKGo9h}`0!&%5 zW@+mi-oSe{&Ic3Al(pewO>**wQKYtTOdx zJ5{`d>Qj-ti|v6`TVv-rNh99TDP3UDyaMwAy3sVt;Y0IjmY7Eu!Y4R>Cg#9OR)N92 zoj~yKJU8{t;6H% zhA-WltJ8&=Rle_z`nS4SB2!hVZ%>gTGe1^kns3%0%z@%`JdP8!0a_fuVr7-23jkHf zdM}7)!hJ*n!_2mH_}(QPjan20)EXObJX89=h570mx(UBm}OI z;4*yx3}QI;=o4o})b$ebIb@Aa7UnW@JT+KoiQY>^Iupv7ZsIsZMb%b~DQsDf{0S4QJ>kmc?x;y}>*c`Myz%WB&tD>L4xUs^7U%evvcs^J;?;GWk-{elNgfHeDg4!}%X zT19mVz^qE#bnAHP(e|Udn=L#7uoVoCplT@)#TvMg&VW0wb_eruc)B&f|X;8o12iAKaO53>RlI%U)GYq%iJzbQkG zt_5PKp-*U-N6*P`y*ivJ*VN4 zxd`4={V)%_*sieryD^~%#7}&0oK-pDyw~+ScUc%^8o-?9hkvcaT*^XHy*^YvL!PDA z;)5o(tcu+9akF%|f2)nNSzOaJZW>WJ$(xd#S>NJ1CWN6vrf1t|i%f-H zwWV|R@OmgMWR$up(oTD3U37nzGt~bagg#w9tQ&;BShzK1i9wc$>{oP#YIsx4ni2{8 z;p&TTvMs8e9SqwaL$wXx!3}Cz&=Kroiv5*W?a2S91xFjut4kwBu?l~7Mbbz^-4Gtw z$wIP=B$qYN%>X_7~Fasa-?R7SY+;5xRzh-pLJ-fycU~AACzoFQ7^f zX=Qi*ecO+q8sC8gP@^YWH9lqCFo5(!>-mi3;8ah!29c&^UQT3{Gh{bD2BBpeQ)I

`!`{UbUm~%A~yD4D;8P7%my0V zKzK)UTeFG2LWUvvRhguH01nYmy)QNogid>ePXk}QV8*(<7_FVxToGgL&M0CNWT0nT z`Vb1S5;)L?l)!K!+|SH>5U6OjI6wspkq7Ex+bz9Ti;fB9GcN+fj-@`cnBY3=k7&o$ z-Y8AF(Xhx|-Q?1!C7xti0TNnDP|P&#ka0>L9gAGSj-3;W_Le`ijwkq*dxSbnZnduC z!NQdGBM5T*pWK@FK!bwrOp;SaZ|$4wf&7Y}YNZspOtR6_t|_BccEgzAuB|%SWa18o zj!L0`SYwBzj-@cEY7?V5+AmXMBi0tXk%mwmfSTDlCdNk{G^p%JGMjz!!<23G+e{sb znG-Pmtp+dqZW;82TW0kVy5$O0AKDWk{aAKa%BH~#H}r2vrWFGKSh`ndaK35O-|&SQ zPs?pzv04#B3nFdU8?DQ=jXb&>G8>3usXE|a3gVPL>MKTc({LRg{)x5q7tsdWly*i* zy2Ny8kw~dhp$yCVS!1q_l=RzdBnd=EIHpvW41g_G>I5eVAy5S#9vfY|= zr#T1~w+u3>3l>)cuozX5Qg!vo5%h+4dm$_wd#r9m;Z*r#BY*D9Nj-KsRU*Q4%dg~D z4V?%_Gpu7HPV}X&fzcm;*pIeCTZOl8uF!Bj;|yn1JHz?^{05p5MsJ_JHN zZH5jGJ`SWjd1Cm6VFdZW^BEZ<=NE#?$kPSnvyP^-zM3eq^NNn4=qH1N%%hlAXU6P3 z@pw;Y_HP{-gvXB=ABV$pEXQ;pEowkD{0 zy41II=1B@Am!GQ*NVe|yqu|-vX>ma}vaWXV0aI=%_qzRbTm0F9owM;F(3}CBh9$eO zKE~)Q1HQA`$gt|ertU!=Em4dYv;Emch=m~cv-j8q2}Gk?j@-;=X2r~XFnVoAH+%bC z1io!G;To4nj`KN>HZ`^wu3h`lYl>-l1+k}S4KLapwq{Yb3^Aq%FA6<((;*rQLwL11 zV^BBz=0RWB1`7hL0(##UI7*UE9yH5I-UhZ9-1&@JJWO=rd-A~9Vv)~b zi95WgIWPcv+zwjcT1l0tw_ls~;E!hWCkE4bXf^;TpJVLP7W!cagp(`_`DTCpsE_$R zQ)l3R2MwZB{UD&OkAsvX%0x%;#=d;9r>d44S`}7arSBl!=^Xc@vN^Lv8V=S>2*x|C zRwKeJ-#)Kh(*R=3T5d!%cdtfr8XcGzOsKlppp1LzB*6;rK5AB(wYwsX8zxLY{JvWE z6B)E&H=j9X4;WgC$pnViNn!$qxL#uX3uKXvF9^HHk3Cw1lKTbjG(FvbOTm)w2Oq{Z zw5}xxT#vZUlD4WstZFadBlLkd?qi@9lr$?y6|(eFPUa*b!0r-t1!R+MKP){C`b^mO z{x&+%a-Gs0h|}Q|THy|f(U6A~v7t@A>T5?BX&y4bR6OY~u%m4b!pNuln%CyOq>fb%Thkc_Tk2_z2FFXkmdwK&ah4$nBfGY& zkN7`vud%N+z-0%a;_lnQL^(BvK3Q7+%H=tJ1zK}xnay_dWC1=T_R1GtqS_xa6$z(q1@_HiL4yX8JuMo;bHERI8`%ld4s-@f+y;7KqGOR&abvKx&&3R! 
z0Up3GhH&|)dQHvz{y_3p>Z+$)N@ggc3LS(fJnrLtRjo&RnX5}hV6PcFhqPb_*vMc9 z4D0ZRunN%KQuH>^AJYLaQmMCwPISZbAu{oVwlx%OLj2=5OrpzWh{!&kY(&FyIO3#w9x(tj ztOnw;Mu=4pIiU?->Sf!4sI}`gG=5#;iwFWHb?7y$uBwJkodita&}9UdGLDizSf-RP zhL8qKP*1dhE}bj$bkV=ff0M+@vjvknVom1MW#q%cx~rRP5#fsx`(Hk&%ecM%zxeg@ z#IB+)GAZMnJ;128=#tnJS@WN`_3`WcCvJ_a)WrD?Z!lurQyJWZ=7HQsFqP`hkWxqb z3s)rhuOu_r#)n-f0FnF-=@Q%*HU#C z1Du6RYyvtB(N*EiqW_!32wzxC1C{roQWC0bW5hb6C%F=YS_r(WE2 zLRlS%Di}ROK>e4wIZpj#ZshepnOnH!&pL0^8B=%}1hg5GV0F@tRCf%FdexUivs}_e z?dKb@?wH0PmU=U7a%J@Q1m{fWt|3*|z3=}k?JJ<-2)1nphv4oWEI@E~m*DR1?hFbMJj$?)&Tg_12$RGrfAM_UYYc^>o!ayQ(^|D(Nn+&x}q) zE1|3&c~RVf)R9=>zKj_YLP6t}|FG1GTbs8VyqG$S$rCx3Rr_gw%63E+s-$>nkge1U%#J2 z3k^As{&9eHjMRF;@+9-ZKbKf4*UC8p{!BYXl&OA{eY? zLgAHkYo?rZD$zs$Qw8Ky=iFsabLulA3~_PI`|bw&wU*65P3=thrmq) zOSp0i4BtecXNgl&O2v;#F7rRRq*W4y%$udN)O)71z2h9P)*4R3huDR%lyzd8aC!M% z!}6gUHL8GNAepZF(vd&G_2LrFW_cBI-l0L zm20l1Jk}59*KtunU$ut^mR3TA%QF^HTkgt-H-0Za$#VRWxY?!LFA_5%dmUi!Ja^IL zwQy0l>&W|-HX-<>VvbBU2T40SD*S~V1D?3T=knZ=I}S# z56zvzt=S2qHMx}8>yJz<^5oyNl-oZIY$k5@j1Ot+PNW`Vm@K??<*@2)i-#f6ACObi z8_bV$q*E=ck|xn{+&>kuH|uexSEj$HxOc}zV|~fC9b*aG+@XHGfTxo$NFnFZW^m!n zfTtl1g%b+QEvbl#TwfPlhui6E@VV1!+=Nyidm+w7rXg*)b{ckS3Hy-oBld7~>@r60 zE$)inf*+NjewL52ZCH1A-#eL9A@RM!p`ymE-7{X0;zz^p3fb~$PlL5gik}S<3r)Se zb#WDGhOyF}F!!c+WC{^!3myph(MaBX)2%mv$elOT^Y`ypUNNLj#2fz{qL|y>&~}NM z$=8uVnfGK%X)^*B<)<%h^};|O*)`C_;xAOGfygJ5H?4H}Xry7r8Vz%hc$?B@AQ_oy zk`%-|c@lwU|lLwag8xChl*0t|SzfWLF$zK`1FUcdw5rEibR2GBB1W z&<3&`-?NEGDWj^i6 zW_h8<7gd)=zfigIZZyMBg(_T2_`l+|=CR1GwizhW@OAj?9h2bmSM3B8zi8hSI_RJ& zOi1HeK+mb~$6Tao-#w$aY9NLWqLa*HB@b%<5tF2KhH1kJNl;V+$*9~ki4KL7Rg^5) zR^F4V0v(rfawf(%HL9dF)Edn~&&|s|p~2xbFSPy9QQ!eo`^R*UO8nn^Zev?gcdOy1 zK~O)-Ey^;z4mZ69@r?p)I4n%v_BmxCjl51iROGE{7k68gG_t->w96&BSDV&NtMN_)lzhJz{$zaz$MIsfd^>CD!k}I^rX2&FE;?*S-+s zHM;O#a!AX)na&gZbg7Bm;OXH2hcCi2iBojuLJB0gcP>BGUas=s-`sHA6F9G;s0gQWzox%(Qmbx84s+tBk6VwLtx08ojG?X5Wd>t|e^JZ_TnDxuY33<{)f6NWra{R>%|ESZv*Ue{lvGMLv=X}BtB=BX= zek>OSL_O?!T!|**`2~-pEUv1jiU(vAYJ5Y*1LS& 
zn?7Q5$*B@Q?$^zn8T}p%d8(o4zSU;a++~u(_{Z_ILUYRF2k^T}KUs3pJCq+l|N91WBEX zzWc_FOv621*pj6bA6L#;-T{g}hoz_#q%VsW)@A7FkGHL>qK>od2OdUOPVOVPYtuC) zRr{MIu}D3(2&DMSjN^Kng%3%qVK0$8x148#e^vhAzbZe@^Ab-ZSr84L7_1?W?y zs}jxXl`xv<2s-p1x^ZR=2PUUIo4a&KAKX3= zhl^WBvfW(QEn-$;%20;ZHO`ebkffXzzYF(rhk)Hhti>)A%Tb=J&GJ$e^K{6~&~{)e zgAY1P7@_zR>E(hRXpXO0V_lf(3C?G*XsJMGx>@`hfa_JY$367@L2M2xDyiZSBLk&5 z70|BVaNsrhda}C6|4?j)t|*rhu|_*o>ceu1G9jL^CxakCMtFOu(Cq)~Ny{cH1jpJh_IhlQ2Fk}MTfH*ZyEY@`s{!CuK9d0|NVnc#2MVII~1 z1vyxX8eUh&X-GeQoG<(I2x0o&ka|+PKh-H!vR%Vo*9n?wMIUv}Sj%~f{H4s1*iF)h>QZi9lc5`IICi`-EvV}*jLgtv6P?w}}b z<(*pkyRE5rt>&*%#{tw8UJwo&YHQ?xSe%yiUx~#|K@U`NLsqX4Vf%=vdt1w(oz@6w z$vM>dQ$jNlnCq6QoU%H)e+b1RTj_OQ>XxOTgWPYXFW}K3=s{UyDf`(Cjw&y z&#K_MOoa)1A*c2;(5ZV2&l!5OS-5NHJFnC z1{KlDch@Ozg-cv|-Kg08_ad6P^4|ngCJ6$aWXaBC>!KXq=*ID+uo_up=civ12+o84PX^m676YgF?3Tb=il%Eg4@4=pAgzQjcr;WP}sqLlFL$uE{-b180*kK4xgV9)7YH-}Vevpv!w48KCH_c+Gf{?S&g0>v@UCYbw zIYq^^)vx;7Fapk|Qpf^dnY}x|xRVu}>$NzP=(h?q3v$)uX)|0-Z*X4Uup3o9-9zVs29(BJ&dl&_Lc@1+bv1JqRp5YBS&>_eES9L{i=Y7jR^8)L$ZL7Uu(&oc_oa8(r77N#B=5FgRGN1pXwZQ8!3xOrB7B?Jmh3&gUZTgg1dQR2(MkU9EP}`A{ zvwKtccSQ=wf*Ng!cBa<0-v@1Y^Y#C!x(q}zt~GAr>e}@!wMxvY)R6LvYuL7w-+wl+ zqkH|QvMZA8%N}+)%^CA(5X^)nF${jMZc5BZ(M`AxA9m^09q_otIOu7?F+<+X=I5L1 zqz=+v4D`aqeNt=9nLgUVQUnk2{nU_sOz%N_jaXDT3o_2LLO>(Vztdw()Ww)=ctq)6 z>C2@D|49yNmr6tk538k?!F}W>5)YE8`TEr?C#kXr!`R1Lq9E4o&(6Hy&UZvVf%G;i zE(JBBi$8HcIO;fgPq;gdsQ}pxGwB^s`B%CEH~$Hs~>3ZKt*pXe%_ZwJqb-Kl5jU>s`_W(#*e~4KdtE z5{-wGyKMgKzxI4Jp#GYFW63Uo-;+KKnU@x7Lt zY|A=Z0+V^V-(#ZO`i?5A_M>_V3>#zj>-LB7n>%>V`?cp)L82l=@^PC!PE)jY7pTW= zrGgD)a(sOha-Q#D?yi>U=+zf-XbW9CE4vzxM14=AH)i@!Iax2`@%f{ye8gwu+Qk@f zd>)Jk0>Pg`q(^08Y0e$#ROTe@I9AHDpZT@gfQ13=tmv~kLOR2LsA=)2N`ym;I8Boy zT(BJ5{Ubin0{q0d&noRYTBX3l;?b>lfgp1$n)M@%f2 zVPTykyxImW8ee3mK4*k`TL#mH3$TcLoVE4Mm#||M=@SnDad<8V5QjH_Z=`J)dEFO` zN=AmNz@iPdIi2a8irh<^DH#K!BNEgb&`&Jx%4LD=P_r*3he@%r0eQ)gv`wHZ6(ltO zMUZvu5E|(nNLFN9k5>&xN^ELhs{EZ!DtE1TC^^@%R}@Xg){R-$7bv9~wZ}gQX?n}Y z<7Qt(s|W@CY^F_mP&0&<&_l9L?LJiCzC63#1i8HlC_s) 
zpK;$WA_}*2Y2FGO*l7P2{WHGAs(FzC0vlVo5gfA!;fYNOiwXB)8tYxVbUk?%&FU@n zdZJ+_$ATw!2J_!sSGg58$9KOu3+qn)BG7ZETi9gV6t*F~ z=eBV6xW3p&)iuSfszaDGXs!=~gQj`EyhYW#XT`YzyEB&4H^m*is{<*21EZGaY-&)` zKRmNr#3nipl_$iXfKIPb|Fx~&6YDqp9OuZETxzt8!8FEY>IN66G1xfvLvmmw7v*I3 z>784BLx)t(MSR~pfo1%K`0ec}mi#w;W$GYQpBBtWmm z=NiB!RmPJQRE9X0m|T8`O$h0cp;A+~7An{D5OlASUc;YIkCvf=lruNcKnFc9K@`B#W<{2w8{u*}~OA6PGX-hQ~bxd|HP zA0fV{36FTs-w@xUK5oNvZrw=IKYf13cR_Z)7Pe%7lP@u;8@qrD87!Ra_kd`?I&G7Jcnq{D$wscszzmCl;^4SO9&U`(nftrVK7IuXT)SidkZx$8Rot+tXtlS1_5(@F!_T z86h|bMjLH9FsP8$Mry}X8s`c+h+M~2fA5)8W$KwH8EDzA?q!3#*ONS$b*MhU%pvgx zh_Dg<++P1p|FO5o`q#`gTcddTRb-@+* zG|a*f+k%2DBRuEOZVqbp%=DUk>Nxi$Kg%_BvXOMsiYgZ-ZB?^)Qeq8`&2_r*BCGyq zTJp4nk>L@EAJk85yAH=(e=#byc8d(B=1EX_9StWlnGMW(3RizR1a;4fxF4vg(mU-Q zYZ3Ow<=R1dHX11c+jG2Rw_Y5_XlzhADPa)R}JPe%d#K_m7hpP`kTg;X;(y1;;VPA0F zAW@j}!K3$3pK5uQZD>+ysJ2gen+wQ~n9(9|RT{d9(Am=eXpM4ij(Cm++;S6Tp)TSe8p%Xtc$Bq$c zwn8m?cqsths21cHsjB?~_`vRS(M&I8u>H&{4EvvP4s9N5GWhjq|fYWI|#Sn?EL z3GceJaO8}oUawb)Wft;{=7{@B?7(!#?o%?ii~Z`Xn+NZ~7lbBS@x!Gl-RQ6f;c0_; znn=L_7kuZ$RNcP3Sra~rmjRbU356~RSC5{I_{+hlBQ~2uEkj#y7Anc%E>36jLjJw! zZ*;->WpO5D&D@MDV`Hb*s8cJcrj1X6ZAW6!i=^&V6dtH9mt=WACkA3EHHy z+u~Vq5RdpV)vB-CUT`u;jE6S^X`%$ktXLpTbaL1DY)i1LQXNa0sRDF`ao`Svw6r`{ zf1I3TY%s2AnN$j8s@y?oA5PS*x2_a<}J;t&t$F4QLWd`INybgcq3ll9d9t zyjc?9mIth0ZYb#;&rYm%{f+VeRI zo?cO#0BfTvtlPfXuVPwBJ9tO2v+n{Jz@F55*D?E0+u3E$G5+>;rX&!B3r1ziP z?z;K)`={UAd!i5hK=%?kR_ghN*<-$FB8$|k?CbP+#7xCLRvSQf1f?R&15ukI+R3z^Fp=10}%+ zU_dAp!~v`Q`FS9dP7i3^gJ_NA3>Z)n?(Bd%B?}}&aKhoDOCZ|7b>Z$E{`VkRXki3D zboR-7n9+Y2)H<2q@vo8U%vB-;QIS36b^!u{pD-v1jSeKc2k5J~AgT@GUq(CJ_nZH? 
zL<#=V8l;3@^=O;M0TTHtpd=+Ak>8c0;V-|dGj?}nq-t}{xd=Bcy*0XO|AsUudE^F0Dg5IXS+k<| z1+X$9A7-Z)LQzR|L@8vj)Ebw^!(xzukg>&?{VBSB2>kZdLJ34^7GzEo2J%rFMKeMr z5j+#wf4>g82>eLYCU`5-G)%Grx7aTT*UdnEBtNIq?4AK1v3p)fiWOu6^&AL{{iGu- zAiW(zIl95zBNkE>LWTco(|e~uhIXr3&DX&RAr_}h0UME*&?bZDU%I=j=-dDJ$8<&P ztT|Y(%cNz~6HJD&V(2!VHU5~pL885Cv8Nn@pw6>nX|)u^IO|uCv|IJ7!GUs2y*H5It3v+?ajhk^{A$*R2ScSK^zd#$(rZ(|OYx0MC}kxV z#!$q!?#?8~2TkxxKy*nKXwL7c#S7M63!D-^nKq4Eyi8+r?&lYAg2R%L_tlg8ZqQoRgk{$-v=;i=>yE zSCuX&Jn)(VXgc`ODTPyE~Py5b0eJ0gg~@z-fqEk&3UX@E3WzMc0XaP<0`?x z=;I~W?e1L(?3x^+=c!@7;t$5eb=95c;dS(lUkbcvDmX|RvBD28^cnKIjcG*{^Aj%x zmSD6~Ggf7T*aSG%{QiB4^m)wCTAGqthsdv8{zK+c+4S!j7LVOzrkBmUG@oH>r1JHs zBIPyoP@8fR2VRX#cSq<*lGV$ZdEaAGkUQm)b0U7%HITPv%_ldgu&;2GcD0V~AbB~q!hxlGd&d}Qg=n%H<`Pi%coM(gV9nRzS4Oi?;rI&k9FCfUD5my;l?6J9?vR+Z@!M#a~b z_7HO5qhtfWVvfvMs}8w7t^1V!AI`A zszTpqT@)OQ52aE^y^HawGV|VSE#!kgu)T_F8fbQziAH_8x>$P;yDnlRcx+BHhL3*8 z-+q)v3Or8Bu|}qyhSwuX%psS-$K}&`MA`Du&(BxSv0J6bX6|C^ejbgFH?bsb;Uah=udfhXH5Sgck3w~RAx{nHg>8mk*T}M z7)trjyeuskF3JH%9_d;7*3Jy&_QpYt;QO{8p3xtE!WJft_0?sAEo*A`HTc<8!(*F; z+pp`S#$}b4u2+N7EqtZfkOJ- zydD5pa~t&f4KpYN?49U#-8fsTJ(=Mw)})WuD#2h&o0<;Y;2>=Q)nLVGMV*O^)W4cX zIJer%kb|5tY6%q-zfUf7IZvapS0O}ytu*Ydf-G+>uuwF}; zus*}khMXzmAQrU8c^0zA*+{#X0qiB}RQ=~N_D>E2765{*4Y`B74S5nUkiN&sF6}Vz z|1|qwLMZ`8Hq>p=ND1p@z)?pS+M)ptlmMd>fD!Oq%|hU)BV=vS?c{CI4AirK_sp=) z|8v;{U;tpmD(z4RF#2zq{Xe0h7Nh6Dxp`Q{ZJ+?BN}NH}^7qX1MO^p*CwW+ z3xx%00fh6lUHAZx5)-^{`Rj>LoY3aKl}C&J`taWi|9>n?0bt++JKsk%3IRREJhvw?eq>QxjioV?HpYRuy6Ei3z|0Yax# zApV&D=NcU1`HY&xViYE;gx>XWf?rDp_d3$nD&81A*|(#k-V)<%w7uCkxr$pCI0wSS zjlX~R-rDbUcaU~kMBgABQ=KOJB1OE)y*<4teS(0*0%3tbAb8O9H!Dr#0Lw@+IuMBF z2?W9ge*OD`0FnJ;3j&$Cm>av9t6PhkTUa|-yIDIre6(?Oboh58B;le$tx^!6*j8i^ p`oEz6G@=fewl}tRP&2o8vI9*03l0POw-zMu{t9gQogskl{{bvmv$+5O literal 93890 zcmZ^~W0YlEmo%KVv(mP$O53(=+qR8L+qP|^(yp{wX}(#v?$@LH>!<&namLtd&m9pn zW}LOxk&^@l`33+000E%MZlc;Q!h1(d0RZs$1OR~c^{t_UvA&bBvbm74iMfrrlew)8 zt%akl%|5rKE%I2(w(8oa-1zwx@u)SKe^6)&CnF^NTrUEN{wx%c(k1P>^U3Au`eN3v 
zw8+LDW8bxp1n#4Sf{EB55KOE~VTkifk4z5dts|x98Q)K~Vb%}95#;!rXi+Oe1?6C$ zg|jrW&8QWp<$tu=XO5fCbjyOB*{s3;4l>jKUm% z>bpzihF;-CJTe9BMtqO;3{Hpa_Io;82`ysbldx}I0px;~DbUbjZD?+0;g}2+E9HZdRS)4s(5?t+$p;?6i zmVFWoNF){CDo6vOmD0;4(_&ZUqLe67C!L4pzvcY$ton(${2T@=!8*G7`9AYmuPAUc zY5DM=lsae6_-->n(2u`!nhdYV;xxhA5C}^3G1G;k!Tjdywb0-=`)!kY)rOBF2f~kg zPf-ob^OZpL2YaH%G6DG;a9qWuIcF2FwxZ>{TLwyg<@Y!;T090~7Dqj2wYsogD@0rE zK@Nbytruf@4G>Nqi(GLf7|Uyr7zjeJ)0@@=G(rg@id~81`K{7v8y=4}rZ`7SDTfkeHhvsWG!S6-) z$*Et)9MecbV?;d%5eYZ$o2T;^C2fse{AOD73qxuj2f6^kF*@yV~yXq`6m_V7I+^^_Ke=bzWQp=z*#G3D%O71d#=1Ei?I4(yq zKeV5W;B)RAvt{h}=P{4r@bG4TCnm{yPi$&qKU_ffO=KF6ig}fuT8zCxM@gkRY;;b2 z^r4F0ARW9+>wN3=v9fgn60bSaCqD%y0ie?dQ2tSeuOS(g;EvU-mj~qunjbt*P1iMj z{+u?TUUND+zo%8;x7;P!+f3^Q!;x>-@c6xSDk9E%%8W^HmQ`yW{Vq1D>;R%MXbS?X z+p^mWN`(n40nx%kMnfV+<6-(7M+ zQ*GT`UG-^Uh&=5H?5;{d923gJX})bfjlxm)Jn|jBz z;KnF#ZXmVKw1zjlilR6p&kw{zYKE;n&TLF^*)cxvM+_7(+d>Qp`v80l*Hv3G_?_@M ztEBdz(I11Z8HV2m<6&hj)7Wq7;u4hgihkWDgZqO@kQ1|bRx{ZHkSOH==bWol@6n3l z-C8h^Mm;=g7_fyel15TE!xs)_8XPMY3@ZaCWU5p()EbVJBM>&g=y_c>gZ{3AokMsH zY$%I*JPg4wS_}$HUBL6G5FCAY$TS#SVsWKn|6qZ+q{S2yRxvxwQ5}(axjCpxw5uui ze}A4!ue_+5jML6(G2{X`9mLdeFoiDz)PosI{kvl z;^403Y&4x!q`JOV5)cT3T;%+AX!fr-gqm6?HYhtJlUJNFF6K59qxDKYb+{dC;qXwa zdjTOj2t@En)K_Y4w)#Kx^(8ADfJ4EgA<2g(j{K+C%YtxTl=#(Ryz8aRI!;KPfmymH*%t#B!NgSv; z#iemPMmAkkDmscn%4oe0kq-2G=JhAUOTdGr*rpr@wOkSjdde_hl>|F3^mU$80?>*d*4_p^iG-o!{+3YPABQBBXnlLiOIE61KCdr%8YHc{70s@ca&q>MW9GSgdP;8I4o{o5G@m$_XbGnq^t?4D0-sJ^zPr1>KWafz~g{f z{si9?FoP!?7=q%hyLg_hGax0RoL8amlxiv1j(?^=BbR_U&rkb^2FU3fKjt?v39F-jk<2J}C z`hDius4>_}zsPLCOjWc+*m9b~oB&M!87#IjP@`hqLinyi!x5?2l3WXIgWNYbri|-9 zrqK^aEJRQ>|M6ngWhl`VGa6wMS@k;PsW)Q<=U^=vu z;XSY*?<`WaRHa)5Cydp%B5~u4KK-#YqTYxfsW$X`_c}S$B){@u~7r~>PCx%^>l#0 z;_RuqAS~>4mODO`2DhpdlApq6d7`uyt9dfZmun<3fMt&YBVYg!&hrKUQmgyXK*r!B zW*`gW@9MEtEr2o*N0hs(mca*PYUn5NCIE6$ERIloXqKrJS)CoI2hGUJG^f!DowMD) z6rs@5H!gA8@gq5xZKJvHZB951CdSi7WViBqkw3k6%v}zEbIx^jbin6_g1_NQJbio& zc*4WM!Ck^${1kCE?{Z&>o@j27-$$!w<;P7W0E)z;hlg+xW(b9C 
z7*LFb&)7BY0f1H>4!FW&&_hH+XH?R3*J(gv#b1FsJ!KzFNdekJ|;fZji z2T(2+gRp}#$fWGGQ)C@}@weeYG$v(Hsi{38nL!I=(v@6!wIs5tmm{wX1UY6-Zno&E zO9%~c_|@ux#bA|R=9g$70AY2#42p&C4$L9ogw>%>MekM$x1ztewq}Afn{NaIAYb5P zedvB#4ishFm&tq1C36l8l-0Z}X`-?_Y%@li3Ob|664Z1j_+H&2Uq^&Gi=bazy&Az% z8N%oxYtY$zXb#oMO$<=w-55rZ9nddTY}Fr410EDqdSbc%%)W5f_X}!PZ*JWfMD{vh z+>==yOW6O6IW0Q4+vOAJr?rMzU=GDu4)#F8t0dpZb<+-XpHY!8hX6K}LI!lzlv|LM zP+d3fh>7@*X{iAX(n^AXS`avQg1!$VspHg=rC-Q5#6N!7Zw@wL5`jJhG>Paue+2ak zOOujAX*l!nlF}K?%p<`D$M2FOuOgiH<}heHr)u;^U3;~3{QeOEe{YEG)GnVbpisCOs0`|Dr{bpOx)wLNSwZz6)H-aaPVA-yzx645`@*2Z=Y(G*h@|986OhGR$Je z=p7yG4;E;vfWA>+LmcJtA35jMDVKPSVvmv_BakTv+0x{nk`Tk({kf)i8?dTX>)pH$ zde)7;k-eA_I^)dgT%Y$Vf{7srX0>d1Pq(F3`5H#M^8CFud^bIgc1s)pF+nX4mDnLs z%&1g}ed*vg`S^`Nh!Lr1UgYzn#&kTW#c@+CLN=LAT|a0D6~(i*@I93D(C&cdvri1% zV#v4+msf0qV; zAPMG`$i9TGH`wb_?gF;c^|GxmMDIoLU`qY?)rKKsTveLG-=7xe4X`2Ybztdbn7}-I zgB0y_10VY!`TkR!#@?;{PnWyWIF4?YSimxP#LY8N@$v zaj<}Ikq|BV6bwTzHlnh$v4P8!-bI{j@utq+pA^b{izFwdpq^041+1+m8M?pxiA8zO zL5 zx@NMZtc$;XM~vh^DP0q3n8n6U@v7}a5q>R%e-*(VH5$Tn8gMY%t)A_w-cXaae4JtC z08hkU+*R!T{2V11D#a{ry3_Tf+;B=Jw~;mF2_Y8oh;?F8=e2yTIA)ff)jjxvy?34Zm;uCw)si-JcvZjrG$;$ZS$1Pv z7)Lgh4=cnibtc>XVYtwTf%~#90C6-NTUMcROr+f6*3gjzfi^M($=i&4k}9FCna7?L ztb`~>Jf|vke2u!zU7-ZeiYw~73j;Rlca)1zaF=COH>NAOL0BZNw$$Ia`T-!u)sZRo zT+Pv;;;|W#JgJk6@nTO&GHHYLjKn_)g}pOYvRTtjq`fSgUQdtk<4l~Ic{>oY8_ASq zerkN#z7nam6L3XaaB5o5Ss}xw>Lj3b3e{cJGypSvNhxDmkD7mnTAH};xbc?aEA@?b z68*JE8jwM@RwO!?Pun*(ZAajF{rM`{u4zggeGh>m=M*N6m8*#e;@}#;HM(c6Z!Vqz zJE<79ae@AZ9Mhe!Z1ACiCJTHs=@y;M)d6QWhRq!~OG3w@fo~7gD0)sV=>rV#8gh+i;y9@D1?Lw2{2M3#OJA1gFGlxv+;`oubvcU{(UFwg?L#p;CSI|_>< zssit^t3X@w)Z8#v1h}LUJtB0}yDZyy`2_1p%7N0z9ktW%#n@>0iTxlLITr$9hmL@8 zEO?_1t_yq8oWz#_9!fHr_mgEwO#-_$yeh5IJt1`#Xaq~ep`0sgVsEF2SB$)weA!J& zA)~$y&N&+pT$@TS)(*Qbo#R`Nn^}99mMfgXDZotYxzBF!rPj(P%AuY*-`tEe3RFLX zPzP?TB#?z{4o-dG>mx4X1kSn6BQB7=XLw5QPetWB+6ThmijBzKZ}C_Jqa67-(buFj zAa9&huUd7p77h6O^e|i)eH$AlkCZSJckx8)XsTxwuMn!HS|CJDh2n}@k!cdov%CoM zDn~JZ#yrGZe25CFhrdUc8lIVsW3-#@DJJ=O&*2;>>}>p2b*6-!t>!wyi2`&D1XA59 
zhmspk+R2lu8kt%WpUZ!es0W>?v{}HnO<^Wv%r|kHukaYx)cEa(7FxMZpNZxzu~PBc z$W)EEpus6abtQAt?X9n2mOX^Kd!rC+^D=Ck1on%4lli{lCaw4}q=irlj>X*Jj-uvr zZLkQkWr8wz0l7i^smix{MiukKPvPlf>VuuIWy$oz*D=B8;6Z;#z|+?IvJ z%K(rEpPOw=*;7>%ZiSW104=@UT-u2+6)o)f((1DKB6ah&aP(t( z`okM_E>`;Kn${s@2$)gB@eNS+0~S=Lac`EHnGH0^bXR2x%X$d~dxvnpb{O^+ynioY z#3^8Pe$qmr+;dwvnI9>)uoaVJS(rwuk88Nl+QPXTu6}wGL#fhN-#uEnR!!J2t*H%g zUK(7>Z+-@s=y4e)<44xq zbCFtd;czKd3jYsWZf&Lm9x3-s-CtS0AIhP9Ay8c91U#rtMuye%{IifDla^e)XS290 zlX2wwj6Xj@@tlImG7Ivr?*>8jf2!6E9%GTX-xZ!44!&aXI zWsb(c=olIRV{4Wx)i^dYUDzcrkZy<{O1j;(-x&EG{DZy%*5UF*)N>#Gsu-s{mahvf z0oh1)J9DQADCzP3NGyIO*{L@*Pfvj6L=NZOrWYSihUS+vDKGIa1Q$yq&`9&@g4AH% zR=5Zs(HWCA2kD~6B!CJ%o5@7jlU@1BqX|%f(F;&p#{-~RNM{*O17@QF%#-%*gHTm~ zM|nynbzxM)W(Bh$sZ|r)r!>0JY|bD=++MRBg5@9Y+D_qzOSDI_6*P562>gp16v?y$ z4c_x)so98H4_=MN?BSSjP3et!_Onw$_BK= zX+{SbgLMk+uIVdjN?h1*c{BoxT7gMbE)S^-*h2^3 z35Wq47t7nGDxaCu4cxo)V%@s4t(zUJ-K*j$uE&*Eux=Dnbz!V@11jkzy5CCMqrvc9 z!NJ-W%2=? zE5$j|P0Vgclkrz7YaiW<1CR6bD37z}Q+RN?L%7FFHI8S{q~f5w=b18Xoj431|D3r} z)Li9Flz~lwwy%!(^eDb4W$%<{=mA`?&hcbA0o1+%D9`ma65}ezYP-loj64<1PCY)S zt@l)Y2Og5Jy$XsVBSUTZ6CeQeD&6RWjG+y>Z-9n;6$bCj?>i1iTj|S|(A3t*CoxmO zB?GK}`(a&`7$}DV z=Mg(FgRX&@)92wtYg7l5F&>3P(g+?cxZlv87g|#%Z>R2&QsCir8i;{IP%MTdDJViM zC)k}aCFZ~_B~=ZsZxJQ(@yyQ{9E5mf=BpR+CRY1~xcDX6_ zeRYf!72`u@j4nAWFhUg1jgN!r;jsd73omH&At|Fpu5C7Tff{W;+&`nvk-GZDXIv$8 zSB4SNU-ZV69DVD+lf5a4rC~BIGWE2K$RiX@{VdbJ7Pd6>gxNK%t-1$By=UKwM_-*z z(WC+_2YFBYKC8GNt{QpCuABjgvNz%-v z^c-(Qwgl->u_*9eX5H36$7;QZ<;+kF0VU|l3R4y&Z=eiaezHL%gb4B~^2!#(;Iwas zE^nWX^!j9}Rj`OS414-`Rk8b_A-GZ@-^72ja!yIEEzE9-U&yd}{N5IvppVrS#}es? zAW7kdGEIVxS82sDg@K8!>;j}T`S$%9X%&}tM01q*t(0Np(9u#A*xI#s3XZ#$DzFpX zdk05_9J8DQc|0$pEYh;cU^tr1j{! 
z#Blg_W?9E3!jEk_S2$+2Xi;Qksy)lSK7w87y5(BY$=;8w>1CQH0(;@B1X^8-wV@Uu^=eNRb+w>q8}018Oabj1!May!Z&}GG$loGNM&o1csq=yF z#m~vu$0Yv9YQunMi>^2alDeEr$`0ez8cZ~Y39!wb*o>4?(qkXeg331o3XVJHZau<3 zN|2L-KT2fwRq;Zwg25qGM7dGAM%}*;A9&Ut%6!?Dt-wftK2u4E`;JFGrn>()U@7Yf zk?V5%cyp@74PC&Bu22~Suewfp-2(Y$OWuiylz4Y}$7NABbY8p@NxU&T>15+MDRR&} zV%2oPaE5EWZpgZ#fr}Is-1G*x+2zCSGb4X4sy4k2tn00=O1FNDt4L@wC9S2SwR6V0 z=2@lwAdp{(@41cJ?cQVTwz&3Q;1FrM)h_CLL38ge27r^&Bn^GawatvaX-KEBo;&Tb z_%czWK>%p0*0hD!6RlHnm?*VNkvngcsZK2UBwWTFv~KXVov=%cYbIRjT@y;@dd+0x zAr~i&ycD|?VRoF>%AIq@M+2()v2%YS4f*Gl0t{)m8ImAdzSeK#dL zG#E89TZv>XXfHSzZ7&+YfF`oM81>?tor}CcG6x2+FEid*JWHqt<@zQ3I~Q?1gusXs zk?W$ky8;D?;*M}Fcj}xrgFP>56p)wpb;_Y3u%HKH{(#7FYSXyrIcbGjOSerDwmcyg z`25cS*vNJ&OIfG3k(7qFR+B}@@Cc2Tx;flSb4x3$pgKgP)y9pj8aWLZYADn3O0(YPVp_QV`DIuAGxl?>fDJP zP~#CP2C1x<%p$P~HsVK3UIM?1X8E@AT1iogG9k%##qeXoejAuRy{(7mj7J9I*O%~R zF}_cda3SEp&a=fD0Xky}F@d?2QbT9%z?YrG7)OL!jBVD)TIVFF91TiC-E-;|4mE^3lQsAVx`p94NcNhfe$TNCrLL84t;2^%k8VA zBwkg)B8ey+6{hvj>1495I;+Kv5k);9mZh2JlE4b_9 z7X=S}2{@UUhw3XA#3i{n2#fgXW1Gfq3>M3z=lTDouBAm#bws^~!gj~N}WZy{L4 zrx(>q@@i8RNv3eW^?D@9H>4zGt?5%nCtAyG&$YyS$0~~}(dN=kQ~4BvSqiR*S)HEKW#+~7UIhg63d8pXKJUpC8G}V?NdsU=e_A1Zvi_KVa$cdAk zcElGf=8*!=w|<&upw<(Z<5zeL0aihDz~h^IdUy4Wyxi*P;PV%SCo%mehsF~X%Em{&<~ z>z*7t##1^;$T))CEd@VUVnuE;U7lUt&AVe`f|RHjP=8)G^%xqfZ#AJ`r;3XgWj zlz8EOBV5HD-cJE(r%JF_G!hhaFV@pXb3y&YXL31Inli^TrG;}=8uXcAs=$;|3Z0Ml zwVk$Yga+O^1KJU;Tf7(4+pvIfOJ2>>pW#Elb$ZL{Ug-i#zNuVuj@VCf8M2EVz^%uN4XP6TeNM9vYu+i z1ycrwr$SgX4{5x9Nd`CQh274o`#JYF*qEtsHfJx~!+H5|I{?Cz7^*X!1c7{79pA&3 zVI{0lVhoC;VQp`D4OXx1dE15ts>C%d8Mhk?_<$RSO993oKr{$Q;2ktGB+vYg#>B8D z>GPwD0NS3kBRL4RmN65aSRMIaK7fB#Z^nW z84=hs!2PuF0H84F=#tGO@s9?&UFf?wjUHGbl1>9g|#ULvhw(6Up7xWP&GE2Kdv znU#qY;^6=~&3KJhIu(+XrtDjikK=Pp9?}Bt+7R=RcpBFRnN@h0oIcv%QgyYFIvB&G zdfOz&r_Crj<~`t%Y2N4mob4LTPI7V1`KgE0WUTy&!$&SFs%QN`-xb@&Yh%$Y!qXYm#3Xy$&dJ6hUU* zOQwHjzwMrHW|I$vcMsN2SA9OWK97ZlQXV^cXu>i^F=9xRMMms<+!?!}8<+N@@^sht z{G5uNd?c2;1N{kC8dzqmi5k{g=4);h+K?vPZiXA`J@mP8l4KA7(anx3RF0Ft`ha+; 
z>ikOif^6a-bF4+t&qv#%_pu?ov14$4-G_~Vk3REiULE_Vw;y{%4Vfa^YWeB5dW%RT zcs|Rb>thuT8p+YCYi(nu%R|hhmRn1PzrsH`!TgUeiL);ymdt->Io!&+=4hqgPVLw} z6q04}bR2Jr#hwZAzCjZh_!3wCnc=BR6i{0LHW;7XwnzYP^<~ng`|K`2* zhV}&OK3`kkUT`h`JZ^@hVBG$O_ws);{mX_&Q>DDgS_ z`3WxfUk591zMH5@FjLFs3IPI?x4;4*ejTi|);G6NGPbs}`Z`|u&ymXWt}}-Xu@urL z-^oK9xyoh&bsT(Ph(VeLb!{nzY6F=wATXe!z%Ed`hL|N>II(o(hv(W(7B10sTTOS>_NN{b>eqe; zTkgLPCUxA&e4_(~Y~eZffn{pd`Z|1X`^_+^uQ`Xs(LM*ZX1bCu)~L?=OuYbN&+kuZ zA?l7R%8vO0l!P&gT(erIJ(;tB|@2rUZL4OiK5vY+7eOOit4^^9C!#OY*7 z7^yy5KU+P`IbTg*@Wk_wuZ6?8Dxp`Si;a zIOb7A!!>iSWsPDc$r-`SnR!;RD2g6rR`fnGb58WKs9l@g#-X(6dws{dmUjjsccCl8 zd_kAZsx3q{<5H(=?R;eZ>3|o6S5S1}#&LDnWA^B(cqEe{l71FEFMBP{3v*cbG;^e( z*6%p!?`|- zGhwPE-5tnkD-c0C?U#4h?pG~MC@7HfU(e0fotP-P#Xv{8_~d2PY@R@cJh7Iek_)f? zx+B!R?N&iDv^Slsm=ASA1LEabKmsM+Ea;v8ygV( zb|jm zz-xj}@wI$0iCa?P8IKo2wWs-Y$>p%4-yutCWhj+Ag(nHwab@By?`5JlE#yUld| zuFX9tUFZ=!1yP_ZM5%tfzt?wyq%qcwCdzXklS5dYk{y_7946@s=$th$kF*QNsodne zJO|HtHgu=EjGO$Ms0k1u6kj>wrVSC#4N4>eCw42yzr*D_u)T%qgDBl1V!S=)JMF_; zt>ZCA=sq4M$*%~c-Zk<{nR1;l@4PBc zIxm{Z=DraHT2YFfzFmysnMdNG%eQ-()O#O=;mV)cB|^$PWHBY7kD5AjN5QDch}1vm(BP5HnPe*&Z|EZjfn)LQHpqX#J7(PK zQ;vnM3Ov(O9RxnK2Y7(GuxL(Ho3M14gpQfGhP9lfJ$l@#{^BHZwn5!CbsfmIqwYq8 zu17RX;7)^y^5*GObvmP+t$&xfya)?kEG_Np@7iprMUn=B#)_b}Qm(5ln(i+&>)Aeg-YTt#?eLau z8Me{Iiym&id^wzD$=Y)JZU?RYb*wX3xw~e%eSM$YB5n*)LMHyQC0HG z`qbUzhWdfa^AM6Uf~ln<;IhU>@!+&KPcrPx9xMHMF#38tVr)G`T=mjbZq(gs*`X`E zbhCoNISuq#C@pHQ_5MJDY^dLF7eUQcX|O|}8!VdqXPw~`CRQ%^pbAbu!4B@FkwXa9 z7@KWY?Uu9G&E1A;JLqNh;H!$S530-TB!3pF1zl!GNe@zXD;(`FphU$jvm_Rq^J(F2 z^je>LkGDKlv4tVS9l$sph_{CIn3ay}6F|ka-l49%{vrtX;`FNuVOUh$reD;R0*b)V zgRK$4BbmWf5~#((-aWj>E+g%nCjz42U``9nFq=(Y%dD`=m+3>xZ8!gtgM0NaIeY(- zqxnUS6IER_EibI<8L`>w+$?i@4D2TMdWy}e-CLRzHI`3|h~Rhd=+J^)EF5bCCRUXb zK3KPc4k8{Eq5`tJ%EvleD9n zXq;BC)UtTb(?WPKV1hl{zxkd*hN3z_8)b@sSflnb02tGVgJaP~D=^b0)(r=7HmHvIXQ* z^3xwPs*?&pHadzUY6A#FHoO!pf~^3l|Eqo)3bR#x-(%SG9W}gG6ZoKMtmD0SP%x?L z3-p1@T;9~XNDOx@@@xTc3;Nq>JuVW)Q+fw1J1&%bOf^OHWIkMqyz$Y(N;ZsD!w~>$ 
z*Bn#!W#{Hm(tz)xhebnD##qQp^5@P%ry0gl5@)A)F>6QNl<|au(U^p3jN8 zuf77fU2*0@;5e>j!^9|<>%Eh%RiH51r@{C5OJTs>UkZEgz9{S;P0szd0LW$+Z^Mm6 zPomZ=jV+L?!mezd6X}p*_@e^-8lm@QP_2LO-}~?VN5Ae5i@sVZ^dJT)EK+PN?FbWb z0jU-r4!5TWC^ zN%GU_9h#7JaOk)cTp&35y61s2I!~ z7D|1IhzO2|4PbqVkP`5HhI;sUJW_d-)VR!B_>P~09G>&sWTWZB4i_&VwdwIIgxmv7 z?Gf!C2tEHoDDd!a7d-rhaP(gYtwcY$tWV4R@ z@;OlF|9FO^-qCUqK@*aCQ3>)jjoJF*RYx-Kk=bZSz1XE$oRb2?b0XxKruN~&WxN#< z)Boc!^epvN2t5ly=nu|Jj~;&bYPjgh!uUdX4)><|&8m~G$Z!$~;=x;O19zOp&(pDM zSp7#f5)ssr|DySA^$fnlyq)&kUU zy0@#Q_E(Wa=u3YEB{X31M-fSOjdGwu9{-eqIUk*L5gmPFw$X6sZ|=Io1&=i{8UVLW zG=P1VWivxJM>J2$%3P^>{J&*oRHGVxesA$~K37kh8_Sc+*3OB}r|XIDu6N5kC;Bjo zr@l1W#LuKVI{LSa|Gz4FO>0zfj2gh|MJLvXMgWn?R=#%<9Cwl}iRGv@1Dg=Co)g1` z?Ut?x2C>!=;OEc&<4^yc4KP2k8l=@PbBIMPtlV3BuVZ&`O7vrUC&-PfwjH?X=0yjD zVsETUaI5>z1?-#2|9Jp>&&Enn%Kotxpson>-b?-di-pT{Ztvsukoi#HcRj8C|D%3@ z)idQUJq4971-zU`zXtl-Vzi&Zhtvl1gYtk{lWIdC}`tCCQ?LbmiMYd(UkJpCsk&kdTn|4WY(I{&m4 zChS~&VxJqc!>s6%s4eRHX@S2YyiG}yQaSjR0Tb zF7J!5`Ugpiax8`BD;a9!3jr_aEP&oP%zfCeVe>jYh^-lN@`L_s&T;=8lLVfB=N!K0 z*PQ!Kr1@`4HC7(LYjs$j6!V63Yh;(i$}a;Qdc-i?fa$rO{xc^3)8$`d@(+TIJ_W|1 z+S?fE+JcYb0%76Y3uK1ytcleu81Nz518fm=o{izshCRxze|i#XRq-om5VibMzW;rO za+VOC$V15Dm&L+u=9wDkwd>dhHO~vyLNkcP5!-HDc@Ta7i6&ZEB5gG~`USyP(D?5b zi-hi8IzIZ(L$niq4f~0cuT!mHo4J8IU3_oDf!#%%f-{(R0Fx&V5!PR00!yRkuQmLS zGR7jb{@8rPDVxR;c2t$l_Ss2@WEKEDeDl@uUida%?1&&*@95XC51ILQRC_%n{mnXm zTt45YLg=9qlgG31yp*lZbMr$kv_Tf$Y3sd?=LWo)=knfb{!EtdNrKjMo$ukVmP5`d z{+Rr_-+39rVz22;`5$Lg=4PZglMR6zT~vF7ftDMkb#hz4b8Bb6^^DPXZ)Tuy;VF`~ zIwtrJ{Y>idmkH&b_GsPX4DI#$DQn`sXC+;@cErqG_(z-1paZ+j;~f(LtlVesu@kv|oj;x5t*!qelqp-q zHCN>HPWvB4jb&{C{qgw~L6B6Lgfj%mJYX?ltl%d|deEd2oUVRl4 z5sUiO+jO4)o6;7TWNEla%iIHNR4M+#rE zLdR3j`zL_@lRdry=%4h`AHgMO{1?>DFPrA>ID!%B>fX8#VC#!nTO!-kk!>023b%#Z zn6pzlKV8_C$nHA*6GJx-zGlsT>3huhugzkl5qf&hLc;O4F|u|D9#?=$4EUR#YTGhi z`s2=>{V2TtBKBW(a|-^Imi1R8`X__^1BGa@F?c~YWIGBL9Ipu8uR8`4a3?PqQYL2Z znsuzlNJY9?Qr4*V;{WY(U>-(tLCOrba+{IqDWHNUJF~|w&J9<5y3%|*+R29 zS#c@`|Cp4%7Ig4GQTl&)#C86q>L0VtzsI7n$5V@TG3 
zkKrddZTZg`Nbh~A=8w9O7$tYi_{Sg4>((E&{BX!1w(hJHM=sB**_l0ycU}kd$09mG zjs6Xi|DB4uC4qM{hSGns12-d$Wt-td(|O$`$1#ZBui>453uZ15$^LlI1XZhH@r)I@ z*veTzXAu+bHGkZ%{|aJ8WfmKWdKi5r>f?Cue{|*c6-YyudY#DvanU8QkooL>>G~BE zfSwK>v-`j+g%44E*{$G!$A5t0I}!Xp5rY1z6yjGa^{G zpc|9Fp*$S}tQ_hif#9X>*W&b!cKITfbgEodc9ySy<>04WGNa+`J!$V zP%C@!-3DucotMOAA5c?q6PikR(mrt0#wVweQhhossp)Oi+RTELi{3i}rO)|D5E&I|E@rXhK zc13W4VVOkCqQ+QVISHBMfhOIp${XMB;TS@6LAD<4(r=OAGIi4N@+jp=V#+-Vh!ty%3l_-`Yq<)u zVA7@WEee#Dz-^VV&7_vVBjaY}lO(c`#xRv7mP&bWZdoNrtcZWq&MgsJ6%y+gph~QWDff$1CD+O~1sRuRPM!~q zgh}%zId>KeKthtn_=a!XF1>#9x{G74DQ=0J7)nOd4~#z-DOOU56J1Q1M=DdO5F&L) z4>L%^X3G=Vk|_?WE_B!sD8sIhIB0EBV6RRYr%n#$BJ0U5L#<9}J+(|X z7-Hm0#cD~$@81jwLTOZrL2!k}-@SaG->t?J+ps2**ia4$@3H3Gp8Yd(1+N-61@~v#_1akx+S*DkcjPL~ zVdb$C23U@sC`^GOt5zLBuGwZwX8k1s9pvQf%GdUK9-ZLT{6Ys>1g)QUL;cwr71p5> z;9&xPYGQUH0RefKn5{ULg88g_yp!;;sK?Nf?#^C%5!#oE(@U2#%)oSk#E3v{+20UHkq3iYx!CeI1nb z#jU_V{4zGr-P*g8b4k?-h*{2Yl0{eJD=ITrO9?cO?1^pvL{DTUr>)H%+LcO$@!jSL zg|`DE`1+WpEnH*vimztqRygwHYRB=yIi}$_O9{Pl!!N*zo7l`Z7AVvnlve;egFR9^ z9RfuXFijxI*}ljU7|7=Y9}G4!cQQn#4>A^9^XhFYWQ1oz;hYU4xnn*V0obnfL=q#TK!jE{YT}SWn-zeO=POm0t zJmyL`q6yFgHW&Ud)2HERWwzEZ5NskFz~bf5wy=a)3666P=M-?AY{Jns z>V~--Y#}6Aj-##JyMVZ_x}KrKyANXq|K%uJ*eb`9qkrIWZBWe zUpF2QAzQM9eLQ(hfEE5h4jMzbfgd#sY6Lpp=E@eU;F|G7~rIkh>V9A1ikvz zBCn#E))CE?m^W}KaHdOp)`;YiMp{QOT^rp?)S$u1r4hZwZM2SDxH*2B;+YB-^_o=X zsVih%AA;Ahqr`FNiSesWo3QbREEgYLhO24v^X>$B);kY!>4VDc{gX3ijN2P`e zv1~BZPpz#R16569G5Lz;;MP%ILm^o<_o|2M7SgYzw=APw<+R>5x@)R83(2o{3uxOY zG|_@qazc$OMhnNIk+QVT$zg}9g!CGcf0!$md5|67&)c+G0sX_zCZJT_t z+J_gSNfp|J;=~_C%h@z-Xqqy;Vo}Ua(-yFGY^0#q#IB4`vU5wxv|U-oP_mXmTw*@R zXj5uQ-VnD%OHGlq3yV#7FQHdlA)Wkfsd`Ub& zYc3e0A|i6VE9ev$j!tK}9+9UtIuosz%OG48_6Ed5$to{DrZ0jJTBeqc6%?>e{2^tz zRZt1-xKie|v~I@g>!88%D*hCfXK~nINg#I0e=1=#UZ%h_H*drKK~|gNkJ766vY=ii zlZtiNDsV-tkcIyC(t)M7uwL*6{#3PG9Jo_h*X@U2lw|Zk>c&vmy_|PPwwKh_b%O@# zE^@poV?NGnTk%=QZ|RME6pmBU#W^6 zMv51)N(T{jKMy7Uj=f*U-mjxIejOG59C^)41EWDjzYRryjcVo4W?d`+de!_e9=(Hg 
zk=afBE1rOuI#6nJzlkRxqz3lc*dO8v$fyP@>-sr7dZ#PU#Txz#PcXh!a9};ZgeT~5 z8GfhkZ}8Y1RRi2=`w=|V_$nY|&HMv)u!7g(Ze_dwwAwOrq%JmUD|XW_J&d%-c&&N{ z6^ztcWSmxmp4vy9wi}<-qP^D1sNKe8wdk&MkZQH@SS_j*&RuOZ4y!?9)iJGQ#$UB& zukuvaKI5)h^pze0+hx3^PM6}Dv6aSI^=D7zh}mA_tBrQf#*(>vSYMb3wTkNj-)w!vDW$vk8ms{#r;f~sNH`K4d{j}w7r(cJ==~v`t`Zc+ieo#Mh zNDRl;3^&hM9;p~Ov@%dFeoh+Uc^{*8OEGF?F*f7#+F#i4Ywfp`cx>eJHMg+5KKSnX;1{@DV>745N%#7obA15U$!!a6utHS zbq#EdpI?P*51U3+0HwuUQx9G>dv*_Qyr-4Z2oQEyL`Ni@I)FMq!ij z*Cg-y#>gsqCrsK0m^FJg3+`X6qg60x6aIzNVeIF1d*)>95B0ufjdcq~UmrVWS0DDF z72CJR1Aowf{qQa%a-LbhdGqybHN7Hilsx>`HHbE8=8&}Edb8;qm0;u-03%BJz$2-{5^u zE*CFgKUqQ79sK{JW8AIcio7)J5wMBC8(J85!j3>USP}A){MtdJ8V7_I>cHJ&0(;$= z1|*{4vhd~*R?5Q;Z5-&LlS=L@K3wDII>Z;6_w1kFeFyA$eeglLy4WrcE6yDcUXy)0 zk~csXqx0E}^qR5;z9UN)tcK(i^DA4jQxen76nPm2^O(OSt100FEP^+|w=J^Yn>3@pQu)_C`IYZ*-j|qWA(h@D@%m zyAsEC3K$nJeDoPttM6vGkA1=4@p1v|gFm6qN$=sjctk3EIaU(Gc=*etkQXWwLS7~( zgUO4O2<`>0O5iNloS0UBqW8T%?0w#3ppX5&p-=3wIp~iJdtwb62pp_dAVzy}+ljcb z!7mdwTBJh|w(;29Bx4w}I5}4ez^0&8M z#qBL6)5*3r^H$V$@=Pl@a1z$$YjHVy$ICt8ZvHFbaG^oUbLGu3h9-^Ce@?bu{~ADJsDi?y>Kd*~Yv3I12-_of z+jxWhj*imt`@>hBJ6+E)5%L|dBK|*IvJO8SV~(0^^L%lMCmqf|z8^P=bRXhs!hRdc zKjHAgyDzKJjdywpAyZIQF(T+|RI2$Y(o}A%yTO{*VwW4C^7t zrNE^TKKk7umZtTNOSWA83bQh523=Vr7;mPLB3_u{RRxFWQ!rcOYF>GH%jl@oZ*ktQ z=*9bT>do9=q<1A+AZ{X8=;h^%v>X?`pwpPSe{Of5!_(+ATBBx^6r*~|Dd_9jSj{rG zXfnD?gHNA0IJApb_R6`-6HRkh(GfG^-^s-rwSITO{UvOni8=|lM}JlR5#)ya7fksl zV3h|V=-AlnRX|xL^IhEW*Yk-Nz9bFMnjr4@FJlOAgH*5M^M~s>)45G&1|Zn!d_8|j z>~(_0#q@Rx7%sgavvrbV%~U8iQrpB@S2^+~3fp@u>WCTr`WVk-mh~ z%(#7h4Ap7dnpU5;1roN;<^q%;a(puXbRVtcc!Qn>j|(}3Ep5f38(Uq0q_G>a*g4om z@$?%%f@AUf!?>Y{9()f!K$#NB?PzeYBt{ib4lFA&*A>3}N@hyzR(7ReU5g*9buBZ* z`J=qF4LZy5Mo4d)b+m^m~g9W*IEk_(U2b<4JHQz z(qQ_CmTe+`T{urNrpvAivW~@#z^;fzg(mO-p)Ek+9+6O*TJ{K$oE6?>j1?bKE%?~F zy5-b!z|0l;EL);_87!HvNWCXrk;+s(?bgq1C|XF);|Wrm*Y(ZSTU$^brNR4FU+u-N zDqW-t3=?wK=3?svZhnxvRX&y$D092~>Sjl(GO96I1uCaa=B`S$w`KK4ddiwA5NInE zij8fkGhz;B-Jri!`ykU>WUG}cEs_%ln@M21)%q!Q6ZE@}qMc}^3ZjN`L0U95znkd{ 
zVEK6XfsF7L?)d43J#TSghaZbtF2046`*pi+&$**%pBZ=o06Cl3&c`H5JTug$=Gkb* zz}@SxKhOdXaI2TP4U(@iCqGgx4yZd_-K{6YsV{cNIz3-5XMok>ROsCCP3I1W(dlFs zOit%;+wel>2^f3D5uZO4mhf7d?n4ak4o7Rb(^5g0^;me4!71{4a@Z-4_`|UQ%DZH> zG_R70&bUvRSBcMTaXtnyCbidcg!Qm`+C_IlH3gH!7^WJ*!H_Y@Kdv#aNEo3439?s_z z+AQ{p3gcNU6JJh5Zj`MfsT3YX@=!OmmZC?n;L^)kziLIT3FmNjj8+^IwV*t~o4fmps5$c~Z%g{Hf$87gN*Vg1EKxmg$~I7A?h2 zCHZm+dbX_ulc@kFLckI+n#4W>TJ2>$oBT|+syFxfug-zSt2ar1rd+qiZuGq3-h7c8n8XJfEV3LmT zDS<-dT&&ry3v3ke;5XXko8*xe_}T+-7`6>6e5eb6L}H~zL+1d2UKqk% z68>qgGypGeZvj1{Z?Fzf^@MSB%pJ$kxngre%>ANiK@gqpV+PSNdVYT}7#cc&{+4c8 z=1{jSccc#nJ-_GLU1#F-cNIiOjQ_G(5FH#cP#6J7g&iY3gmrwR8-{N5-WlWXdOfhf zIxz<3|4Jt^qKNv86(=qtM0XE63Y%46`U^X{n*?^~3gj|(l7gr`${n#Dts^WCp-{R3%bH1FSVd6Jk*nNSNe}PK|HpUa$g3I)|WWER15kNN6%_OUy|jz1)WJ^ zfGKxoxUJ481P|*?`i^6nU43N3W^47~K02|@k#6^`vC$p&2g7lb*mZ#6MNbs1NCTDw(*YCcj zXj}us@Epg}-GSZJEqmbWwlQ(^!NltsmhJThc9Y;hXe)>F_$KuH>94!ua%%0DVNqhs zhq4DYROl@Vrjx=WCHX+=R0SkcwoF1YMROvOdtYBhV#C%YnHX$)Jz;jKq#GpOh7k_~ zT+BdTppUeC*36l;!flM6IPM+D8S`^srbEdN(+1J`wIl$T4(lX!-iMYxVSj zX<9wkbS=+y8;Ta)H^6w6IA0~=wimSa2pU~{j^y%{SQIC#k@V@$)kRMF!C)=AKNbIT?S5H9~Cp%EW~hfFkKUtkrjUFkHsLHyA_VV0JiC}`R8Fb2aB^DdR3%iB2f&bfOEf?8(3;uv zO1u(5!BX@3%=swg(9+Q+*iOmG-O zpg*$e_NZU40_dG3U%kf9M_$=S~QG|E+~R( zR;V>`Si#gfr4{h+mlR|r4xn|ze~Qb9atKhdQW6G~tuz?_lXsW)R68OoZ@6BrqGNo` zI?O_Z%DTX>VwqJA1AnF;(cqurGvHkDXC`c@toBzIIy6OJDtu_kSW@r4%t)1m5sgP( z*60R-M8EYoq8XmXSfbo&0EH)cQ7@vXckK2r*Bln#z6lt3ANMTQ&Ie%|KorEzqOkev#IkD zR|Z={F2j3+jo!?7BS32@bR)$j$PGb(ffrhT9ipk&jogT60RMXtEa8f_zv2~N@z|=H zxxUfUK=vU$4;=oPM$~|RrVBjfg)ojfjS?TnNzYuA!HSi@ZnI1 zD^k%!qCVywn63)HPF`g{2@gxZ2k&zqQMmUOY@hp!@BZSuzxeJizG;nK?wa>me8K}j zXPzYylBBOv=X62u$QIDrF@E5vPjAer=hOThHKWFZitGZdQc+Y6bhP*)u2Qu?=|Izl zP@+2(A+71-%r%jh-DON1PJr~1EV&gk{=y6$(u(nbq$0716WkFet&^UJ4hn$_ zTZf+t0MxA=%;;J09XXaX;=bfgy;}}UQPP+V)76z2rjT>VkTzmp7WSy_bO6 zZHKovaHTvd>}QHevz#a4AtB&%d}d8YP)cGm326pN)kBQ5AtWebR}1=*$8Ex2Bx)0f zDN7?qz319dp;(%t_lGe}LYeH0#QIq6E%c8R0bEb}U0V20Q(X|ER&g@dty!FE3}na3XVppx1Jj}&Yh6_l!`Mpq>F7q 
z;#cV_Z@LguSQ^A+<gLRp)Fq^Fp3vuJ0JryPB}5a}h#OvwjR>(akv)}YM> zFCZtOCmlXoCBl;?z--vj^;&}ia9@xo%qoeS^N z)bZ%Yv@@ZO_#$N?m5+8^Gj^uL-s)RZ!z(M&<$CmTy?7?>z8!}4!_CZF+^+79G8}(Q zjJ%M>czOs0xndYPoAti%J@!rda<8Y~8>sCK)b<8yU#p(JVL}9c^Cuxr;Tr7iLqb_~x4iltseT7HV^X=S zs7s2v_5+k8|Fmy|!<Qrq3@KRzq|Fi4 z@cToYcI}pnY|IIX+Y4hsEKAsR$sJ`h65j|bNc?BAdRY~XUy;e6k}{9e7sowfi`^qA z^mZPyKfO5QF8D+F1s{6w@g3;Cy%n|K^JX)~4C>k&SQWOaI!o4+tu`wxM~~5NypTOc zM+hdlwG(3(?rq(`h#B_zd zJL29Q@wvMrR#e!rwx=TNV%9P3*;&WEjzol^?1Fr(Wo&rp*wA@`W`2Vh%+tB!ZNZ+d z2JP8ym*hW87lnSmW{4oIS!{3z-HA?{QbmMEVuB3we2&&jZ6Un?Sq_~){=wln_ZzcMJv^8cb zNLs!Zw8Qd3+#*xfHxi?@j_D`;P`*IbNA}jBn`-0s)}T*ng1I*+-5Zp)z@YT&jBmF$ z4BZ=s)-w#<+hOkQF!y$tdppd%9p>H+b8m;ax5M1qVSW{Mn6dV=4lpHEB_4iG>#)8Y z9_M|3B!$vV#>OAKBt9r@iWR7>hop2qnpx(em5N<~*uNa?&GWzOGrL+|L;+gtKP4lmBrc9R8eFkt$C zdvhdMPzu%;{(8n9iRLQepW(fqmkfWa{Av8q-1f{zwAi0@%~F}eyV%O`*Si7L5^**81)KY^_W3Hclbv+Pl^u#ppQ z0jrqfxnk|;efPt0S@SW2+6@R_~6@16e*O(M=OwEqmI zDxxIu5C8FDG7ViVQ;u5*Y^xWTsy6p&cp3(u;A8RY>Mvoj*BJV`D5-^-u|+-yflF<$ zE?pW=jIF&nLmv!GQDo*Q{*l{x2_Jd%D1s>pWL+diN?Afv7F_&gQ9cM+$^qdzXr=Cb z<;UztN>;UoL=i>I0xby3YLKE>}_mR^C*y~lmPN3>m17#up%d!J}sTFwt>x6p0 zx)boO(w$L%{;ac6=0x+>vw>*wki;sm^DBLS-1LMEYX|H%)RmuG0&e2~T5$|!$+rIe zzyDWm%lHHzWv(3m{@?yDBo+_9sblz~emiaBSJZ{_=CREG{2%}A|Izjb@uCUXAH??u z@rr|Z#W7p;0Nu$jTWJ{HxX$6}VYZ?WjW_k2TVInG@i&=iI1ksGs&V-BAL`|!D(`ZW zk)}~d%Wn>suJq1u=^7a~fUEQoO;55Bcc0U?97JDsL)(tK*Kx7ySiFj=(Ki< zHIX*ZNHFbi4cb?nDXwrhpB~=iQD5%P~i9A#vrSwJEY&JZxph8GnP3K}O zXM;ybrScsbyPbjQBh+)eqd&xFAiDeWzvK6yxw$?7#m*m4yOXK~|GWM`OY`3ck|OVO zMH1_q^uQeBpVH1>kuiPXt4b<&L$)#P_qdqEYPzf)4@QsvdyF4l-U!@sNMP+C^f2Od zd0~n(6_JO=L(mpnMW888<~}g_69*Xxhcc~Db^L%~eGBe)VX%hTg0=%1!YJlHso{3-nVYSAWo9PwXtw|M zn1O7m*^_n@$DqRDg^E@2Y>Vnu#J=M((ZGGFX~jmtB$-lS#ccRYCCd#S zeG;y5;xd;%ril=^zn;y4^@_vbU-V?CvjXl$n1dA19}Pa{CTGK4K~Mt-pTs@Ct1_UF_ja=ONpX3?YQa@rQ)i z411@8Sqpgw@EinxXbVjPP71~tG_+*?Z{Y^k`-(498(Hh8c)amN>QRmKA1_^XnYDhW z+|ZvH^OGELpk*i}{c+P@tGg8R_jj|M-OczK_+tu!PlM_S3ZJdTju47)d?u}K^2y&| z&+rJVg(JHI2gg 
z3l0rne22AoTe-6tKO(-zgp0Is*y320MB!VQ-w<0r{18WqrVoZDmR-X4raUBet`)nXv6Q&}X)RveU`o=Xh<+q(90$PnO_4UfZrj(wA?} zT^F`F0?k$(Pc}{oojL66Q$p`kLN`tcozo;2>4)kiBe|ch?w;UG+v=013s(2eFo_#$snx|l5vC93j#N8(qCzK$4&gpzS$Jon+1pLOHGTO-DSPa_CMRb zBFj|Eg_>oqSk9}H_X^}EP$0)<5E(UcW96|X(H_eZ4OVH8wI@*_bDLQ0-Uj6sSYiOD zipf&jt5=T4bY}|YCXVuHM%a!bdFyK9;d9uDHdgCyMY+8F{g5w$`)zTLs}`t*^Gjn! zKU`E`uPD|;_3mC#yjK*LWML6=qRUdD6L+huQb3+$hL(CAz9nUdvj4d&ikqv5pZuh{ z^JC*)BV4V|DNRkYfu5*3fz9TPm!`SdNF`Y#8P0aUQlX)||M(xWp*6S;;ov*%08|IkB6O3zbg|6)PoVHaP&GO_jQ3MmJz0^% z;}6m%9Ci%BCin;)WXpX?KlqYq=ySF_(TiY<@j#uhr3n|n%lx)~is5vpU}PSh!V$y9 zqfoxL2ljIMPsyN|UDMRN2L5*$!r{`pmsCMMA)^DVhZZVJeuxoA2`pF+lQ})P@|<-D z2gJCahaFb?kk71s*wJP%tw*3VpRSHFLysjcU6V8mHZRArp+5kMVMtc6(Ln!lBM1eA zEe|R9!)M;~pS*{&avtX0{9c;{x53Nl%)@i(nT?gGj>P4aZm`5j^y&6{agROw$%aEJ zKcB%rRsm0VLRBpBM^PgTqqBftxbMWHs9iB;BB57khOX6}$JMFWu?QW5Zfy)Qlzhq# z;iNBQSBV^N0izp4C))MmpM$mL*ihNC!-Zx~f^{6TK#R|na9EGl&YfmsVlZerR^Vbs zX6zyWg+LfVPi0f__4glWu@`i3 zq0RELOa?CJ_N^E3DVLOE%gUK~Vx4rq*U0tZEFSJFVS3;tTS4D?@Hb5R8B>z&1 z)i2nJC?U9r=o(#-tyzklir3$wp2;46kW5?Ep-TKI)E6m-rP28a>-(Qd)(2ijI4Ma* zoxRVjP`oy79)(r$WkJ2lwMDGMrs#?sjD`O8PP*v>?nFc>338u5yZ7|2B|W<* zXLf-Sn<+luu4f)S%NU2pC*o87(W|BB;5-__2p#ZapLB8w89FbL8d|olMz0s?)$rgw zK`)V<fT?# z%>fkRaLT>#0FZ?X#NrBe{}t+ieeC}Y*G=0qoQ_C~b=4aFrgqExK*>*`8jAWb#mcak zF8Ew#cQSr2PwkuJ$;lje;g%$xJR#Q{vU}2Z(W%)r#+2PoVM1rY1D4|-A&1uArgsA_ z)&+}bH8-+~A``M@lFv2LmfqD4;x9 zDol#nRGcEsp#sJ4jSIMb6S+ck2yVd8plMMDn-lGPwE{5*YP7liz-mH8-WX{Z+L)4_ zbdn}RZyvy99WS4}C_qsQFgk$?9$3bN+QRc(&po+@Wz5&U)3{K%ffHp;qC~1rsrEpR z)d#0O^cBcmtn68I8Zj=@lgqe{W21Abe+!DdaHY>s1Hm6kFG!gUnJq#ZTZIUP7s+^$ zl}L-1B58}DM!+1y&>D$iAS*(2iTF9RI3Yj$(1ZV9I3)bY-S^ZMg}ea*rvU~=F=2;du zb-4hA4Nl4r52PJQW1XaS?0;6;#B|9@Nqaz@&!n|s5>5nOC)K${C8-ZQag%1H97HVv zpi{)lsOhA7*Gaww?-@>&n3Uz73FQT1prr6iD3fKW9FwKuL-EK&l!pY#q6}3bT~scQ z)1@Wi1vD|)qMRDXpsFhv_$L;Q+5%E3B)~FrjLv*;*r_QD_$M9*9&CIF^TbCdPRM{HhmxEm{49Rwmx+-h&01oHBtF`Y>e^sq$kctIpAd!KW{OEv(lsE5; zKNc5#L&SxYGo+e6K>Oel28T5)^GCQ8$P0m15;*~Fr9>XQKUN>O7(Vh^&`bVA 
z7%qHwXUoTdRe5&@U%3lr*nC&o5n^3I&W@jeL9i>*_HabuFzcpNeUeL7sk#xbi?n8a zb>l&d1r;k?wUjbdUPhvFlqx3^6@bt>TrcpZUetpFDpSn<`#`l(&$(Mnfg6k4eP?us zBh~g0P+UE{f&~=~!|F~EtxZ(S$%UeDQhao}sQOgN=SU-<6oZdKQ-rh0U8YdyOqd7_ zZupgl{C`pDB6WD3{>1B3jZP(X3VT+EJ3GxM@bb-5&K=tiYm8KW_ubBrNo1u8SomhG zHDV1UDy51|HmbFGpvl^%DMuc!%_>WcTEMsx0W|^hP1SsY)-E*-bd9An*+dr z-E!y`Y^iO`uz)!|wb?XUp#}0HSRf=p#7KrTBR&jZ2G~-s?xqo~Ht_%w_Ox)lSa8E@ z>L|e=XjJ9FYvNlKJsJ922kDiMPHrqVhI&s=$>>!MG96!!5AQ6v$0t!@13>Y2TkJlJ z0IVidqs&dk9}vm~)$@08Zu|Fu3BCEnAi+!z*2{%q_O1_556r?t@NV4@D|ApM#}z*u z%c19TxC{DP4L9?qnEM?m!n3I#2+DJ&YzHQ50Kz1n$ux6kN3dKxXh%8nMfe23ESixc zqpVLXvN~x>JDKkQpi+nm#NEe&m&?WwksLY5^g|IgkkqP+85Cdv4IqP8U;?(58aMAj zgSLPM@!GJ*4EC789y4e=W+2~l_PD`UgBxV;cyPaYTHL_g5I2wzurY2>@ACIJxPjv3 zn>D+~4U)0g;|6=&VE1lb%~zF;af1emhz7tx5jly=SAF21Zktig877EUAZ< zO_k87txqBhY4gCPZ~_S@;=!^=pGPcM9$M?;E0>5A*8cMnG)3_PjM#uzRMs3x*Zhhw zJi!lM(iVw7*h{GF{R&pmGmH_AU1Yt(jxr-$-qnS7pN|U@H>O>AA%=d`j!@c}4 z4Y&u~hfXm3u|Eyx)H{we4kWV?h7S?VFl+Dh&u@RmKFqvZxS`L9_nkYRE&vN4hRe|C zo&9MVgwUgR0d?O417uMD-roVFLkB*>0iAY0r}cGcfU$+k zO#aE>(&Yf4B$!QxZee`8Vu2Wwj4 zv0+7eI{&15zb;WiiyRIxitKS{;8>8ZT=t#F@LID6HNJZ?BrP;T@*suXHO_BCTz%oH15RW~- z&;YCCDMn~8S2X{c1p!cgOUm%H9u!WWgC27VC}HC9M;?>ZC#Z5v@{16;L)e9=DK&~< zQeQj@2`11d0-1N-Y?*->pSgwoTM}^pn@g7$qWyPIU5g7dVP7E2&=vBoP}6r zgSX;QzA(;em%U@~6VjLRhU<1T%n5H%ueelqQyTVLgrh(gje`!lb^iN?L>x@{q=_Xf z0=R;5{%95OzMQ9!G@gDLqp_wjwpSjQ1-LXWBxanwrO5wZD3}efa~hB%--}bbQ-B22 z=x}OsRxG1B&-Lz-@tgXRP;*S#j@n7>H<*f29MEG9Eb(@)_{&=D7B+Q1AZtI8cG&{hKwrhYFIh*h2+-sGyBdf$FN# z7%FJ0iD-Zp6wwklVbwbALsrS!R=1^o)Npua~8wu2U+_X_aiJUI8^toAmTd9QBg zE3jFFOYD3~;`jd)f;r{4jU8m!kyRAA@Y!Mq{lZl~OaAlo#tV_PQOD1{vLfcfmIQ^H zc&Pseg)IyUP4Ast5kPX5cN!6@gn!?9w)+=Mt$ULA$Q=pJeaG4|7Cj!nkA4KKw~6B$ z;0EYRCb^1GFFJGzBi>~^2p!g0Xhhbv*b7MupazJ0Tqu(gB%~iknLB@T2_&COx{kT# zfq~`$tZma(2q&B0lEA~6!kMw z621t}jg#(wTG^B63>#L8|40Uq4mz1>+@FXnF;7+OGxAV8qsfkif>)4Fun{(OQ=Il&~3B}h31b=`}+@h}rcc~>6Uf@y@FDhd6#)3eQC^KXg zuwxmd!7MWzO`9rm%#x>ZEA*{;$dv~WL*jpR@FD4c>|&8^3#tlygD?mM(b(E@Lj0Ig 
zfhsfS8qt44(l~dNqJcPhcd~6zKdI_tDv6m{>fuYu6(=)>QG+OF&)NnJp%@_uZZIQ;cn7pD&X zbO1Q+a_=>UgV9fBPrBt<7Ugv^0+zwi=7`QhaC)N<9y>!$q8pkC_t7PD3+J545Y zWqNB!FEw@c1X42VipO>YvI%g9Oa5WGzah*ltYLIjq^0ZZ4%r$T>=0sC>+BL}LqNwd zEgKkn8J}KY@NL2x>Gv_cY&%JxU~BCrV%Iax;1vs%Tx6eyb5JrVsg(==q-!cIUXp4m z>zAaOd#UNJ>ZJ>%P_1&aku5gxk0@6u5hjwPR@!jk(Jdn{ z|4=GU$tjY4kB+I_ftbF-)#MMbXb`7iu~LcuaHgg~51!m|r?mf_@^eZ4HFvkp9y&7T zjgEX&^X;Wlu2$^Z`2vz;uBH2Mr*yV*Z!=>dUCOeLd1QEILBysenfOk2KKTPl?^1(P zF0i@xlA$RRyzS?XeP>o1GVT4$TW`j+OF#2BT$}Y{tjv;=a{zo7fr^Y6EN|1ysXHDO zd~u(Dw$KPFy%p>{-)s95_9nYS>(cgSHmkh{{8wYvmPH@|eS2E7w*H1@Z4v@DHfyT~ zO+JoUn<6yKn%$eVC1bHSYulT(wb86ibyaB|QGTn?W&>llA`0Us`t^<7>bALs1@^fZ zyA3Lg-3EJOx9u3aErPi{3)T_wB?FBXi7?IG$SxO{;UV&L7mjxh@dW**ZQin6$tsG> z_-t+728CNdmi*^u^G5T-2EfiT3p4Hl&+U{j9Q=%0o3U5a)XKA+J6V0v1Ph_R<g~MYerkZnSFTnT-KF8_AUDF385;Mmm-{tP}i))Z(7j#T6*rSObQZhG+ zKgubLKRJ0wThn2;MfYv6%&YoX?L@SH#XvYD+P*)%#X!l#q>Mbh3+}-}2S%U7*(YV< z6${W><{QrnU|0h%O*-i_nQ*y>k)vf({a7ug=3U{U?c?^;;;S&t&Mc3LR0Ya(M>t%GiUj@W5>u+5`+aY z1BvH5NdgG3Cey_c^f6oozH0;IDULImw}@j*zjzaO^Y@yW?h^6Te(m!Dv8@oMH9pGJ zCZ;oBJOkJUeDjLM(M^hHU>91L(a32^h2uS<(gy2NN4s*sLZPGm06Xt&y70h$3+>O~ z)r||Q?i`E?Jy?lZ@uO_FJ0hodG~MWEhuDliT^;f`)y&8sM=_?5045ClBbTH@NYN*} z1gbD31iX&BEvriik-gxg3GZgX;#Qcgq}|_BdB|9k9EoxpkD@pkg?vFUQO-eRK7@Io z;+sgDVAqufK0zQdlYD)^2U3(4e11hXb$lvB55TWl}6 zI7+>tyhd1!lPHm&JkP`<7mHn58uMwJsfJF{c#Q9+V?tMzH$H4V5cF`Lsu_3!_t~#H z(m=B39y}VN@&rI*`DtOFhI*fdy2UZGx6re5n-3CP*b2g`2%D2gW>){@@-VSUn2^Ac@AXfkvj{C7$waZLn zzirq$%ayF6$c)bxwjLJl1X=Q*Ynb;;V)Ho_78XB+UYlKZM~;JQz>Y-)huw!A9*e`q zq}wiUEAUB}5fT6ecRbf6yBkfH%f7_ZlJo5_B0nEU{E#~v;98uJ>0(X43CM^_43B~& z(*Ank!q6^OfGD5x9NRjM9KB@g34uC~LH}FS2;4^cD&V=NbwddqPY)|wgR~dIfF{e3 zR$`*xEdE9uW5cjqG5CfUmV<=fpwKrRiW|(`eS^bB;Y}fAHtGsA&}5;H2}W9pGn8W$ z>H|!QaE5U`-$p;zqH?YWAC|X6ZT)CU_2Lgvc`Iw7@)O16kU01_GXHe>2ET@b!Q9h% zmB72-X^? 
zY@i#+cQC8C=H9`^seMA#Inw9zrU@&Z^76Q5%X8} zuUF9Y*$C|qNavyi?&cn+ypY)+5V$+$H$>Taas)D(FW6X8)iI1fGN2tCQS#HCfF7I1 z?($q9^2tan?0Zam%)&D1Doxf54T>q6g?KV?f$Fr)tPz^5S&T`Oa`wjP0~tw(j#(I> z_jFYzA!}rw-I37CbT{*^;hTSl5>g}WbdjTPE&$m;Ccp2rwNE_#^;;Y4)*<*2-F$bD z&7l3Bsi}3ebrvtIo+bZTfz~wb z1Huo)=9#C>Al6iwR22xG0hj?WVubLAWY=*hY!7F5Mnyxs%{k^_N+dK-eE3rk8`}` zO6NWTCn{)s`Pk9fM@AtGaDI`@`Bo5l+jd_9s)iu)3TtAozN7fV@#pIWd6v8py;@m<}u9n-Yz;bb(nt`9VHg--{*zr13snq%x_1O&`6 zodTMLIVW4tg$Vm*6G78-=+_76$P9mAg@HfxFNgn&|Dh-h`_U^ed5jeCk7daE<@LKH z-@BZ|*Kf1Ag+yOok~W**THMlsJ`!etJ~;8hFbFYoI`O~9KCy(|LZD$i^nwtMVWJbS zkb+x61bv@-P~en{^MRkE9|2S_jpyTHN#M+1ynBYl5_}ezOrROvvLogJo$*hWBZc{n zh=^ecIw-G5!L{qf7iM4qqQTaTGcG2;MTtizjS|30Qvb+Q$*LF&q*%$dIG!-n}^UXYXDtFbYMl9wRw>cesZ$rGQB*QLk^qz4%$f zaJH`)-5lMt{m8dp!T@;GRmqGF3RyGP@avDl+= zdo-?%Xq@V*(in}~igv33B3DFM+{CCpB3HM~Ev&201(6$9Aadh9BDY0E?joI0GMAa_ zTL$N{oX9GQ4ESupxpCoYpC$jfdXy4eE{#|b)w@=m?pZs!@W5t-D6|215+Yh1iwWuh z2W0u}33!)JzYV}uY2N!7D1_<=cM;@`3JvKw$<98pquA?|xZuH4?da_f=P!=oi!|^T zF?D$WUW5YkrM-AKjIX8Jti}h@ltt7C; zan2VL7qfgySILKB56pNxgapg96*>L9nAnea%9cx#HJRsS$H=~H0yC$ElPd?BiBl#E z6cnT~mwgssxlFTI15?2tULPEG@^yKR<>RaaYPK2bMOVFwQ=oV&Ln!5;bbjgFSmiUn z*CYNBJDy~Em-Skn-nU-oS!>K$UGTA@KR!sGrd6nUfOj^#?S`3sMJL^a-uMSiVw=laD@jwE$xE9JtgYnAThncK`_8WW z?6=P$w03KpU8Q6kT*8stkwwwnC%k=9FWIjZR(>M<_S?)@yoYh0z^O8;X#*|O)55sp z4Pjgf0UN`(^;B?=1LG>HKv}bU7&jS=|_fz;qlosH8xlN8Y^yJm6bLadYg*YNojG z+2Xi_dii>v8-QnpKW2Pa`%9MW+$*u}poAIBX)F@L3>aIsFt6pp15mmWi|(I_%iDBqTEMUZk_i z2@=O(V(1^ic0qJO&#dH|m>M@exRT+aOVY;R<>{&RlZQR0DJ%nD0~sR8hUjPBVhD#w zJ3{?DrRC3We`eu$BaE55p4lOQBT>LYfqE2$C*eRBYk=7w;^4g`^%KbiN<7p4Iarh7 z_JQrmgrX#J_g26%wEukd`WFp3Cjpl4@9#6XvK!nlW`XU(vPTom+R^gYf1J8!{XyRt zlMlV7_6NKqK<%)Ob~Fb-*^lJSA**|+P1dUw2Ha#Uhf#rHasc^c`Gh^_Ex?p4tS$b= z;UK|5nO_=?+D%AD?TqN^Ls&FWzj{QYA^);Qtou7mwhIh|-3Zoh^79iSIMH`J+A<8) z`|Efo2<`imTi9jR6O<#i0+C^e2jz4g!2)#(djfp<^v!w#RKA2siB4Z#y?l51hEC`y zgDl?Jx6utPL^g@*gAZgIJEE?=XNPkDL8ka7n+=xsQ}*m6Sz=C@yuJY|g6XgF;x|e0 z8%gn0P~#Z8sH`fYU(;y1{A3|)XNQq@gFhNHFc2FU)NEjRLosm80V|TD1h%GK!ziW) 
zpDYU3e;P0lKA}9x6kPpP947X;>&5ri3&D93W#Q-P9Pl1kxIjizOAV}%D64=%tP$5I zD~ATg86-$@$hc(s zVjq(YM;U#0UoU`e3~3A-3P#~gHY;Jn!C=U^6R|-f0-jDZ44WZHG6-$27W`F5ramKr1FBb~Fv={-!3!eX_*%t!=eWM@MKLHdTR`gvpS@ zGW$LZB3}^sF@f%!NyC2(=Ipc$;P7wGVn1pAjI{rfMIe}w@6b4z zZBd?IPQz$*<-zuHrpe+&|7<6(CE=pQAkkST@;H}s#$8&xt6Rw>6#tk-%0-+Q6@c9~S7{zOTb^xB0 z!3LEG%u+m@%+oc$UFRN=45Z0JP2-83LC#nx z?la9i>9gWLF5IM%q^{1JPKxo4<;wnjrq4-~-a4VKv7_?z#1n6IkAT<_W+~2e$TqcS&hpT_X;A({0bl?&UWbu-45x@g4Kt&j3-r&-0?uq3_Lrc`5vG{9qq~qLMZVAusLR>Jw`l@^!3Jt)ou>x zy$35GD}E&Qzauh3N7Idtc8E>*(^b~cBSki<4WU1Qf8+*WHG&?%Y2t+f@S7O>bYRw0-+fL$06 zynxB426T^MLjX#C#rD3f6wY6(@xX=*ntiknnY}TPmsPKzV&RE_JY!QJPe#M$KweGN z%Oe4Ks_HM+@E*uZ#$pfT?SZ^j0(r_SOJg9fk*2Q+hG$fwZAJqOuXd|jSx=u0hG$k` zc;+6%+a88Tr0fOyzrA_!jbn9YfpCfZ_I$BAvv^t04#0B_lMVfbAF$~FE=4dnG~tDx zaq?8Y3)yj&%if@`5$Vz1yg(J{9Zbv&CkH_?;<&lQh`(vr4Y4rbZ|c!Ep@3OzCY&jY zGKco9+ASzdz$zBC!uRCkH9#{)MtUo?>+S_i19UMpJbH@kWYQ%y87h>FGixvL#LZXgfMG3?Pa&}@mR2>Xk)fFu=Fmnt znWv{>VB2I8j<*5~($1Fvf)sH}AVD%11yCTR`w3vc0(39uGp@!&3H~?p{1x-#<%}$@ z6!b~W^@3MoQ}y}^CPW0ePH@`*-e25aJpd#;2dYD80{W0CH=&PnEz-oqG$nDuDcN+z zILzb`1K=cO?Q8(zeDHBBnfgoy);qzJulTJObhRxk=fHcRd3A(Rw!oC5ma-bL9F^gi zvWjH-;u^27D2^#BnapBboINV8!$vKxfWJ#RBl_5jSnPn>pI74bAKlmO3yVtc^z>xy!{TesppD!4}lTNkqWt4TRbHl00) zimH%OZAh$_VKC^Q>g$X9J-2ssPm99zfj=fV!T2d_e+=Myucr zPx9$9QRDeW5qfbk^ z7}N(YH{JkyuPDBQQ(yOYuyS zZJ2py3ZW`#V1Q^ni76mKiHMt}xA-&-1Cp;*C4DcEuv2Q_uE%+HPyO}6g&|+808BlN z7{BQZbHF6OagtzHr&n=!od~WH)(gv##?~VwDp`@Zy_ArxBH9Y*OL8B-1&&7V)ibR! 
z4R1PAsp$Ae^oKyR2<6<_5e7@;Np=B(x}D-2(p1GHQ#7=fWZ2C*G?0XHqhOz)IH#U=$!SRT@fkslz87 zmE!^++qe_HL~GozN%_4tP6Lf0S?<00l#NgN)8eecH)5NHqK^`!=I;=^JV`quo}Fob zM?Q6uv?Jm*Nj_3!DrUe?kdUs}Rl=^(;U3G5NR4e-otGIsugwg)I@EvRz(!Bsi@%9$q!{O>KnBk_-mFk-aYEAB@ z`wXiaXISNX_Ky)<7U+R(n?7mX;b`xZCW9}M^{;iFX_>Wl=SWoh9SkM=OY3H}XbXGN z(6`PSG#7Jb3?#qSX)yyrFB5i@Q<|kpLg+rk>63tZS)B`N8=e@{>un0^$!ORd)T^nF zc_dIzRVT(8-h+C{SnNT)J*d}8P)~VfX%6Z&R`E4K_j;8$T(1GTSG(1%EUM22-LtCD zJ!_BdZ3o?Zz`%@PC5wO_-~>3>-#CzG708#!a?cmYvx=AZ>;ODhAkR)>cf#&NB?OiD z++l@7Y9aLfC^|+AEq_q}6z$y|AVWztDqz(8MWfebnwc_AiV8>{M(_p+v$MUJ&|V15 z;a-UDatq9hM{}9JkoS=^hY(@};}s#aq8%0W3zYcAF+~8OBY;ar-(4^21A)S5>9i-O zn3NS6qDgb1w+zBnq|XDmW(TPF#xFSDa;0MkbREEzEj1f*y5oj*;?<-(0Wi$*4>fW_tfy%l72 z#ntW@KlXbh;1z;@4>T`M@|KDTLY_1wVm4{$#EvlSZyw8T6dhK;b;~9ZWV0V|Tw)3HnF~(J49u@>gJ;~z>a~y=BM`5Q+H{D$76>G9e>crY5C7FMu zJoa+hy;p#_8HbC=_vdg$dzPnVHh;Kv(i6@+D!*R5KZttcnZ(-J#Q#<~}SVGM}6Wh#PF` zO&uPfwUt;va71M?)OkF%NHan%(074@Y?oFi}p(r?47z!LIZ4T2jeNhcmCiw zDM^E|rbTA+gL`?I^%5>!L@Rc&rb?aiG{i~yAFB^;%u<5ti-Nsz z#Xgepu2Uh)!C8={2sUH9!)@KDq*L^6yf--cW`iJq3+~P!8INVLk$toe7`?GsL{@{1 zy4xoH$MB$Z@TjgzBd01g|C2N)D_h0s6Xwy|zkb7FadGFSw# zESl93?H&;BW}%@$SspB?54C2a)DcSuu>@K-+=e!cH~@qPlbkDFmJ#d@uvo~Ux zAOx1d+eRWR8=85X-+sT$DybeS+42jFDPngTq*AFWt17FM-~6imTVblhgIlXx)QHi^7fp1%liaS|ZPXL$SYYxn}Yu<8c4(8PD24msPVi_6|pPvnp6i$}4I&hdwVu z@Rrp;oh+^6gXUX5vFE*`%2D0$<>bIWJ&1kvDAmtYjzMV~1v1b4AF8|N&$b^F-yw-t zHFmnA57~)PD>XkI5i{bbxoWQvDl(`y&hq*+MR|f-&%;h<`G>QmK1e4%JW7c0aTkhtyf6i$MJaHW#^4%SWpI0s zZdHi!VeM^aWe0{+7+Q)Ns0yv*At#oD3VVrjGr?vwcq^gsC#gK`+`5jE#U$%~QyILe z%-e?WujoOeqq+1=KHBGI+4<3-NAYE+Pba?5x0IBk8EE1wc1RXdWuEh9pa$nz?+2@vI<3d=tI3?=;N4CVT!L>H#W{QK_{es><4+ zlR$0Aw5V0+CFjYo4zcQ`&Lv~KwyZ?)L|H3Wl&)UpGo_@L`TY{!pdn5-DR7ANDl!Bs z)H0)_8yi092I#nCiFnpYH}a$DbIQ3PSVP0uK#LOC#*@aLHEC?X?&3*g&nIDq4e1e> z^~fZ$?MX>wu0BjoA{!Czn-PhuDF_9QYT3r`~RB(k|AkyX|#W0S}xMkU9gj%^Pm zd2NqD9UHmUsp!^)p^ohgqmJ!(>e!U1V@aCUF|Z&s$S46KW`BCzy$a*@?>sk{R`$YK zWIH9xPM?X3%Ocw;SN^sD7K%ltuL6-8L+ni0kT|G~wtQsFn;=_2v`>+gx(Q&wVcu-DrTAjMlTJnV4v_wibNim!)XF 
z#S;VJE)MS~lL_NTE9Fo%~Q>BRE&j*7CExk_e!6s{EeG*iucVDp=;y5HOQaAU4EO5!MXG=fRlXxbQ z#RB;{6a)YT_$>P~*f?AIjhxCIxVQ;(izp0)bB7corUz_;=XiN<1ms=Ju^^}@WEnrw z_;TYVT^L@-EMo&z?iP}Bp#-POai&pOV55-0I5fk91I9G4*vTMqttw~Z%E4DL+DA=C z`>-goDang@+zcg!dcGn4Mq$?L<2N*mg>&9jMRzLIGb+AQ0^E3fhsEF%TRdTW0(XhS zc6v$C@*W;7enDe%r#!a7>s=3131N7cYLQ|a6i*@^o_ap;lx-`ZujEIDr*9Db+bX=<~#Yi2a31-)4^th!|h`;{YPAK1>dXjQI6BBS568 z1wmHq0TCq&4~Td`WG(@b%9`a701=0sWgJLkcPMzVI|d{&a;;O*s|y2(ydDOLy!MdD zBSIoa!h(B{bUNWhBIZk0PUNkB>2S&Gl0~V{)5V2LUYBnRwgB7;!^0&rf=i4YQ!eAc zSjTF2B~PSFv6}gXXG_FJPlNv___3SxZ_~3S;Yh-_G;dklm@RtK7$=!ZL7HJ9>-Vk0|H&KZ8 z@vqdUwqS2(4mO;Goq8EHS0{PdM%9;Hbdt+2^s>_K4SQYN)in+yF6wCy=~0FHH-^-& zb)q6-Cjua94o^e9onEFx(8b1up#bE9aW=Pf#Z`s5it$3r*6HZcDi_*WEgQws5%^}W zOq3o~6!~pEs_4V$c~p^qd^A8G4X}8m_ik1`mFy$AS=ojhGGRP2s`z?RRMFLk$x+1- zjXX0#6{{NBWW^p;)buE9tDORb#8(MDDoXFKGM-z~?YU<=nI5HsYCh3R9IZ3cqFN9K zNf$MjriIdbARF<6k?E@Bp-wygVpxpDvsRWYSNDgJHuOI=hR0tH>@LH>P9>!I-A>oGvbk!zib+FcmX@y#&M z@r?%^A0KoSv|x`m4w|XiYSbs_;-Zaj%C`$!0B%j;(ZiXPD7$p~n|JzUcAA zmw+#dl`qrxczn_0i$07aACgW!HGUfA<@jzm(?%wL7oU3xn}vR)obOTh6Al1N10MNw zjkjC_p2sum&W7~DUY|~z8RE(l|yE-b*vy?5^y1p&A< zh6flQ17OV7@%;NU4r}T20UWcQI6WGRHz##z%xBD__%sfB+boVfkBpbIj_U+ zc@+$D^jfE)cNYeOYz)I78ycop=;DHpjq(k{7Jyq-c<}L2!N>V^ zZ!B%1hZ{ZI=;6i}>gDL+#^(}9)x(X%YdML!?SwxNPc{zScCZMadLC}{a3i1AeS${$ z<3p)>xY1UXK9nl`cvr{A2&G!ESS1q;R9F50k@e-RE3VAHw)S zhZbITa>l}(%+{Sg6&Dv!+$i4?Yym73pm>xKmD8Yw(;B&-^*FCq8uXF?f+l#7er?K? 
z#O`TWO2F`V6$Ll_POp87^|4R0*6^WQJ&O;cR)_*YFAG)1m|n4H_FBBad@rEJP1N%- zYQgXuWAc0#WDBR6T&7lldR{qeWZk-p>P_BJlkUS>H=+|*TE9tPTu#Ud2$y7qb$VGH zTA?0wyGgfxnLtEm@%H-q_HIxYj)Jn!)R;^T1cOHT4a!+}5dr?p#dPri1TzSmH|@Bc z;_QysRzfcKD~f+&H^@$;kIG)K`S-J!u7zRqeLud$mE|7QMh*K;cuuYSaTfD6b!SBx z<$>B@q}jc0Zx5IXOHicd(+eD`2`I3aX-ZhUF74mkV731q1*g5R+xyfem?uEFW%~8U zD5f(()C8LGE^cOb!>@(A8ti?*jo1sC+?r)f-9ru3sGY@HSsdZG!Y|Qz8Wqb1qKXyj zz-I?|aw6f58oMeg@fBM0{hk^?4OZ!)7illNxkV%L{?`Hlb_KZ?oG?xl8}RCfSGDz( zU)O&_OFy6da@udT+Fz?a*x(1x;=j~n5_>KxkP~b9Y)M?=9FR*Zs^l*e&b()o+}}SG zS1~5MsOh!z_>uNFm<+^XNL&5ie}CBPb^DQeZ%tKv=8mPv3*tR_Awe7P$~b9MLt09T zd8FleId-YpxHL*6xZ0e#rwv{yBXw;i0W+&s8eLw;Z7j9&dOtPRcVAbnPZ;xu`Ez;K zv7$_zu59^^FoHjudZyH=ZDtGanPEBE-aj2lIhM$rHhj=O%L$h`bDm~ z7Y@a2mMk%S)-5g+vstd&Z2>GQ6w?&TqEB$hE!GBJ*$ggeflw&I9HD7-lN*k(=lDcW zRxO|>WJqW0Wzb2IFRAeEiu-9l>~tQ2Ym8wK_irv>hfi7=4wSz)e;rl@Hu}xU!Z^;sBKeVGggev2Hr=!GP4^FaQn+aMI zCq2}Ii9sz*Aq|R7iB6C+9{Wj9osA8>PP$BsPH%6G{%B_}jcJkGv{TgYDqIP%I@BiX zN%>?&tE7xs4etj~!b5+yRFk;d=Gjt^ z{l2X(qlE5&a|r!-86Cnb)9x_B(|o`TXkRYtHvj{javG^YC4QD#KwL13TKDt@9G{}3 zUezk8Oq7nVP9IWCoLca&rDQ1{`u`!Tx0WxW4vX^lpt^a)DZ6;&vAi5a)DGEKZQ zdjrFZdlKq2d#shxF;25kt+BpNm}qX!)Qc*7lS?VQ(}Gy@>nLMFsO8|QtkMBAt0xLK zYunsdHPP~-@=|SsD&@JF-#R`OSH(7)HGMF$E8tux2+8roZh1x0Z(nLad_6e8mU9u| z4AA18uE%O#{T0P`?QRm&sZ;3#y&2yd3X$BXjd3N|SW}ITxvj5>?3zAM`u%~Ul$R<% z;I0wMOBZh90W~^#F?lH)n*93l>B?N8;T{Y3K~6mu{=%{F104V9^KK?^c%!lI;cy`g zA4!#eJRDwaDSJ44>TtMiyd<;TBg5gFlfvPyK1>dWk7(GO5gcCCxGXF7aJZ6%hr>M_ zK9_KKWz8}+96l{0?>G?o=1?$ua}0=lyyZ+VD(DiHa*ujKa8?tOT_ ze;CCNFB}@*Dp^|kY+GDte5+i~+X7f9Xq;WdBDoNNSi_V;Fgcb)aNAF>YuI<1>>7o= zh!M9=a)qskGR+Ct6iSIx>ybfNIhDOi72J9gK9JQN(;1B;M6??CnXOK43$4$oAevM1 z!2{&i*l1`dfxz*|mF{dwHW(22-vzGSj4nIvIFb_TYs(GsqEWd|o5MVBz){{|%{#1hBg};Er|Zz|xrg;|bw&3jl!eu^ z?)-%1dCSM$J0PdDY@GFZBfXM^H`03}z4_zQotZ!0XKf}vYZG|)eg63KW4iZ!?si6S z?K|kS@i5LvILkJ@d*AbM@3X%+>09fO@rA2zAS?EGhLVNH zGd!L#mv}~H%`!HgG0<)^4oI;z6i(P01Ed(a)~V>tg#jtHhk+E^9;BEONFlO0z3+D< z!R^Oxh=Fc?N^sE~$j*FK=KKSd3QYoEAUGkn1erpHhJeZTM^$?8*SnF4~Cdz4T 
z`;hBUy|}|CPEJK0e)YKikex?N;7LU(iDz!^>X>~5+*!}*Ze+AJ&{*lzVHMQVPiYT* zDC8D%JX%aZ7L+9)bJU0VJ5m-hDLeerLnBw)DX(sM)sZ?)zpeYE>Pq;g?mlg!#b6&bSLNa`9C%zU#}qqiR&TSMxBIp~p*9Iw5fHk) ze`SqfyVY7QJh}QMl1r1Gsq;hRBUmhWN39_r!m}meBZw_8jSSiI{_(9EJTjwxhd)K5 zw2Qb_3r;T+{WkyEpgXwotySt}y4D47lx29c1<+0b-xIU!VYxgloGU3^ezTa2 zPCd6$Xoo5~N=qDR@+QraCx)z>&~GbG znl&41`e4=yvqBS|)Vso(TCDbL=?BchU)O&#UFe1sZ~Rt0VC$#GPn9CJmX-4%Tb~yK zo*#6c!j0$TmFm)yu>k^9RX zrLw&={}e-`_5Ib|*QI=~%sZ*BxSz->m8y|{shX9Gj54w#$1sw0F)F1Ul7(}N#QUUs z6LK@XUE&$oC5~e8#>)_g_CNlx4@rOhl{d^`T|h(r_(Pw)D9%BfvWl{W_}5>PTR_~0 zw0s7tGp(9|%;ud!r(6rizU1Q@PfUQY&DUhOePjZ}_M`*|S05%PK#XYGo)H0}D!d>o z_5=te3r~RX1c)Oj2OArsp!*%Ax7*BBS!3aV#HL4 z5$`#eDoj;L3@QX!!cLNIFYLT`y5cVOwL0S5*dUb&TYI>|lLAJDAm>t&};EQn@5;t0ciL7E^uFizq+wS=0FS&A2@ z-#tN~G^n<1D%m_4J^@xN;>DGLp)I z+`11UHt`m{lFd)tkRZ9l8tbY`U;QhJZUc-HH5ixM@hkOi!WYHtU}sfo7ZpQK(acJ& zy6>G+4)4`x(p21c$*J`t^K15kMl%aX38l`LnHTjAiT`e*_2?>wld?Es|AVbO|n^kdlx zIrZ&kS`8o4vV5RRn#Sv0>H=fk3qNgkhE4}WbzaXxH)B!ezi#2Gc;Bb+3Um1?5axO2 zK#;pTZGD|PVUcWg+dyc^_Q;$DJe8xipX0pXUO*VPP|sjjV63ohq_mKuuX6g-0!pk| z6Dxp6jDpky(C*o|bRiaME_3SrybAoAArhxwch}dqw$!hi6O6-@M&a-LejEdlV=yJc`|!bf(lH+!ncRMcV(H%o_+LH- z+7R-&fUKm!E+~!*d2x@eB52kexF?b(TZ2W(l=%l~zD&4EbPaq1+)N-t770)wVK$YIa^(Ec zrsC4f;)nPsM?T6?rJ3SjL6*}3ofJs^x0Lu;n?g96Y)2TOQR~qDvQswYEEqwYKY7Ytvz^wYw?Bsyy!6uJJ05-3w>1?Ut-J zeF`ovgKf85%i982Cf|L~Ee;kGf)?wmNC-;P0${Yg}4F|lhAdc>X z%Y5<3pgtPSngi_1AT9Z7leTOD?2Bv$0ZS}_-TzLY{{M;|)S?W)!AdUKp^Ci7T6i(p zrYYe#5ygV!0`L*ALM1vQ>0@czSkYc6QGBU=1`C!f;qK%P^oy!P}%g;ynZEE^jZbO0EP_y!;P#Xi=m`R ziy80aWycwpTaW^=&VrBc4}zWDtv7h7U`uSRZc!UX=jAog^G;zc`YNF+085k(&YoN+)}0280oBG2|TLW?jr)IP&(ACoyG zC}xuIqQ^K=h~4mDAu<5c4eL%w%WBGhL``OB9jk(Nv-CNcSfuPp>W<^tFVVw0(n`gsPmZ8Z10xZsnnn#k z1l6ta6dWSPrg6@Zd?@EUUd2It&guNJJRk;G@t5xhFvom@0AqXMog?IN*+ZX+UF`y zUXvD>si1nZOGLa-TCrwLbpAWP!Be|tE;sOjl5RJ`*8zV=f>eRcmX7t4q-=6^u_BkD z?9q(P@Du@}e!}OJrw;h=P(D1=>;PI1uD>X7y|~>yIU(Volk}TIg7ePF>@S=KJV)XA zq!+U7$Yeo%WR8Mij~|Dl;OfKV9EA~W%roLBRJHTViakd`$-;9KJV#+JISQ3E%lI6H 
z$25$O!*AFf%0$>5gWoW6ty9s%3&U@CJ&fP*+VdNx!f*Jo4-3}5fIU-uaYW5_yuW|= zV>jvFrpE-qQPSy8*U@ntr6hgE170}e;dRLh)F9dIRg=1CIGE zUh?ty^NA*a24^f8P+$WnAh|9MB@R%$kXP6{AcmU@8b8b$Y8O8K`LbXE7NJcd zV-EYwYMhU;Fu7pTq$BPYlIM#A;L5Qy;G39dpJQxEwDE|5B6&otPCMoRPpvjFhXfla zRoo_sk~k+Qn1^->wPh}X)`-%2h8A!jppYM!z47_<)A5Jk@c6_2(J#R-`ybx@mk87H zU+@0EPxy6ZrZfo}JqJ*GM7@fd9POF{T(obNe|UAa^h$xJR*l6mbs+fz(p8O0T$mtr z60g8j&E)9HmLv~US?A5ZJ7^0Q+d!A!*kfJRU2bjG-D5Fn8x>~ACMub`i*E2Hix=|5#Eh*=5SCWEH%TpmOkC?wQ`)o;00?fD+rvxHA zmXv@>yG-!u_Au4FKI^-$OWyaX(b#nQ2#V)k?^bPxK(B`3P}Q(6dD@?2$V=NBo*XHh ze`$H&^F@Hi^~1PFc%Ki#YunApV)V!e@9RksURNI`M|elHsm%!Ct!mel6?=qN$-*PN z9^su!gtxM085`l9rd@X&0QdD!sP*+20Pe`OPDRZw41oJ)7=Zi61GrNGa6eE;YL(oY zA>2=iMyhz>SnZpV#iq}{#l>phlxu%m01JiHGH%MIRn9iS!QYJxqcRRP@VtwNpj4Ug zYxxkk9e_XliYKs&);=bkXhq9+$|&f^C~O9_@`7b;?FIae%pR$9Z0C`^#plZ9?e$YIQHGn{PX6x=;Ix0elV>2H`Em19xF@v5|gu)YaF}4&ZpnVk! ztd8()K|j0A&?mqs!mINIc{|&oPS8RQd(iEM59ggIzUo~s4+Y#-g71TMevZ-GxZmjv z@`WydX0+rhA$vt+a6CWg;x1azje8)pD7rB!s+g-G)hJ$%tEZQE!~rpuIG?-T0Pss+ z=VM}$dKKF0%XNuBBJ)50jV%uCURfBIVIvs%@WpN=XK=?fFL%%tD#&oY<%w0ZmdCfX zf@E+h8%=}sKozPa6M5OL)_&!4z_ri+TsxKT6#$_9ee)(hHU@Fdp&!v=Ms!tN7ko`oWFVP5pW?4kLfOu%d@dhc{KO= zpt-hXjciJfjOM#lxvbgYwlaQ(Ks}=eYx3WOsoriiq{t}aC zrEuBQtkH66&rDMg9Zu+yn!aB&*-$jB=0+!J6^ zBS*zZyP(RiVjPrA-zuez|b$Epo_1#S`aZ!3{?RM z7mlzzzS~&?OO~rzVa)`ESWy+hWD#t zU!{d0k2|auc{>;Xt)G&;IgUDOIECWnYo`DpJJEk{tRJEcYwx3|nQEp_-so5VWvlm+Qb*)X;kmr3eZ-5I zxT3<)>o3fM(94S)R33kdFMsVK#gGq}g`#frpAEiqKsimKCWa!SW=Gyu(JHvG{1gqfa6-%3V8Dd1>l=WD>tO`#6oY zJ8gjCSorGT!P_Yj052~?5*!^PG_|A&E$6*xI$lyW|lg z7McKof){qPTJVbh6;U%Z@oANQuQo>e)$q_^cX+n~w>qG{#32&-NTgJLE=@KUmQJc<&&FbOHj>AD6JYX)wRWAgnt3 zFfn0uRI0&j2&))S!Y`1OVJRvRUYOrLj)%Uf-ft9)AkZUx|ZtK;%k-viuv z_W&?WEW?~Q>SC=DOC@@U)@0f0{8YPg;$~<()1=j+EEne@8j;33m5fr2JUTCgQBVCW zIWfthegeAZB5@5}C?f~W!EuFjX3>wzk^jynC`8)%_1gOl4i^BdE<*$lbn~dUrlARb-ndN)3VW{{G zm>ftIXYqv2xm=n?6^%7b;5yg;yCKyvz-`-@U~StBEzXpRaC-OsFq0%o%tS*D(&}@~ z*c6#Mo;}z)TAJe?oo@qth56~Y#&}6XhO`8GsBW%QHy>>BM4;qaUFr}Hll=tp*W=c- 
zl8mW&vnaf^;@Id3J>oeF1PYNpr1E|>BkjdS+rR9PztDSvAtLuPH<{$-)qs}hkqIJo zh?)kZ+uU_cinGs{`SVd+I+FLKWihGzlBf{hSI5fHeK^HKy43~k3gsLT9lo?_DD`th zX(bI@tu*+jls^n;67=!;qP<{k0?V~-#=e>f-Of{xYj+@^Nmfvxlc*FuNt|w;?C&yY z=Dz5j4^G_eUn+DgiAEzR{Al<8_Quu@b-695!9=aO@R{^I--?sk7_N!ohL$$~36EB# zk0KUjpGlB_C52_fI9CBi6(GH9amX)%Q%oiU`|2P3kch8i|97H=yK;jNHr}~c-bPJP zHeA!q*#i~HWFdO|cNEV@(ZbdqLvP=nhWWXK*txhi=UUtu1#hFeyjl#Hb*3{8F)?gr@8LxB&#+(OG$M!`ru2uAI2GMG7pSX!TKFUqcF5&cNo!6&!3@9Ro4O zvFP(~FTvQ^`_nvsj7HxFku_YfzhrqKh*+XRsl~wOF1v{mv~TIBObx2t*x0LN++OLi z?F7PR+ywa#JY=rithKr%o$q5nF_FBXilba32Q1&Z?>ng>H_p>BR$_WyR&BDQKJ>p^rzEXf8Y{S4?NDw1pvHV2ac3ZC+7w%9QN2*a{nZ zdut&-n=%Up6)j4>s^_h~q^fwIox#rvpQet*087Wb2Z`XhI_N55Hj0*TyFxhx#TM(!_ExM01e+h&(9Yoq+;#^H7~h|v<`I+kx9%iu-zQQ7<0dPE0HDll6sAHmckz^f$`x0whB7b!Cm|hB z1~yGjo)4Iu1bq*XNI$vCe?}F3{7m4M{Qr~jcrYQJcJadA?Y)-#wab6bY&}3_4=Yn$ z#yMagf0}0rYia}-bX)#m%7d-ZY1zM{>FSd7n|CO;f!CLd0&Tc9ilLZRg|rg3$U~(= z6wX+%*@ZAUpR~z7CTYOlMliJp%`=-bQt3u#P4HiygtG|138SYNEA4#>1>lm5`-;@1 z?^3H9U}%IncKJKoJ}z+t<^ai6ifpC6b2DG}v|@B)R(wO1r}+Q@U;o=?+Wgm}EFbc- zpkXivN4RC!<^fX3PpQRFC#f+D(XpDz7!-)93xj<*`ndW*RXtVA4?=_|%GVw!w0VQJ1WUZkwqr?0BvZBHi}%$<#Vaiv#*dav$W`m|jxZOgX(m@ip9~1EbzD9GFJ{X+ zHHq}lA8Z)O-^Oj&w3&ivAWeF`3{wy34t$nyCsM*S96J=O^cZqq$mua%-oHTm}G z!(@Z2k$<>X!#Nxl$;YsOVNC$*Nr=4AnILG?6{~IjdU5x5iYK$~5{)}mt z1-B%%V79jV!bth}C4WHVfU-&&g2~TLV0eGaxG+k0+pM`(nVy|BIXW7x);N{e!x|PC zYRr&oni3kGTyRAcc{iFR->|io67o)nttB?}cs?0=ZjB#-50OD;_Q2FO8>=edp7xW& zH4U=sWNKh5TP)lU1mxpj{hKdg1hy$>u71-n+WOY>LKxauC$|7;Jq(F?>gKLhHq}3} z5nYpwcvHCf{bNJG;l*cJK~Xuvm>I8Lh<#c-&mP$QXc#m`@1-HRvuzVFQX|8{^N&3z z-0IZs*^aoy7?v#Nw{#|Ko&3mrM^U5VB?vU~8TB~aZlR@E2X$>z)i0=O@Wpt(ZnRs@ z_&Z!Ug!`=34wRIUOY&W5e$6^{2mc?Y-7@x*fmz3Kzl=d=MYeOjGT-GexN?qsS}*d2 zJB4UChQjMHMAZxr-MBy`@3ad=SIETbEhXu0>Ua#>(bf`+N_7@E_hS%RG6rfcVmy}q z3*gX_0)rGnB-J(phtCy0kfV60-?p5NPZYq0paHUB38Os4lr!0IDzH&(YCpPBNoM)m>qfM(al-mImm?) 
z=Ho3GEZU>tETUU4LD`nX#iCuhq9kH9$KqfD44@HhXKt3uvmAx5ZZbdAvZV^Sz#r8L zcE+WM1hQ8Y;sk_%gb~UTSB6`NK-eKF1(}$2Dqz^I6k*s_4&hLFh93`0FIq<5d5RL% z0kiJ#y*wpQGI;;_f;?7xqKir?SXo78$WXf?!NE%dI_ivw&Yhu%>SQF$+Ny>})`GAF zwDIJqw-`HSR3#ZrpN6W6qH1Zbafzas47|FKvI;tSV(mzi1^j=WeZK|6n#_TcvZk1s z*{B+lC0aHmgY0IX(pu=U&B-q8_ezOEjv6_kTvI#GS3FBj4JuSpu^HjhpdF_V*Ny0% z+KslAjglx~$w9E8=&9qIo*c_?hSVDIu(s6HOl*m|&9I_X$b}iYNnZ*-4-I>vm28k6 z;j|y}8Zw}5RO)lj-jL!{E)}JrXT4lIuYWk)Xj=fpSBc_5I?@5I+jk;dH4p2wt)|Y@ z-N!WF-7jO~-zme&iSV7*aw8sD^@l>PnR;Um1{RHK-u3Bpp^1UnsI41bZ9$xIM zZM6UU|4KY=M)f~eMr%Kx9} z{Rah~AiHJjviT7Xd!%4|N*7>6d@~nl5&ZwoZ2F30b~TaFoHFWPe8uk@B8Q?p{c|kt zmKMA5Wa|*u4r+lqm0ll{R*|wnB=v-F(|=6iVYAlgDhgFg!)DOfIonX5|4mt2ZP0rS z_vwb!y8{JDY0MfoOg|_tmqVz_IDNuaq;d{J=VLt#%EdCFC64HpQjWQ8l~SFOIPr1g zPMRyfI}^jWu|sM`oZFWdJNTNW8tL|3x!WhRRSu)Rj?ic6KL092Wd*^5_J+O1Fp-)| z@?z1WoL2o~t#M$|UrqHv0X*Hv3p0H_7OLZw?+m|Bwx!k4Y{iLp#Ec3h#u#iSQ?LA+ zU!o1v+VVH_g*wGZSk7!-?%tG-5V(`p;TIQ4o%c~p?Q@6Iju6bIYXPw_+tZ1di@U9P zl+mma(oR|Id?(!Ec&ydp8dg1rUU{MkYla+MGj6*A{!fLLGBMT+lnZ^$*I=iyhHvX5 zC4kJEXw!UYRPBML}_O{v}3Sab&G}O59FHkq+VXtHk%xnO`TuHWtkB)iV0_ zm~7U|ez zP=2>gs2Ed8e9m85v|F$J`9(t)JdF3xWheA=(tsM~BrolTJ88j1kmckOl~tyx1xNM) z^dVjlrfj(HJ89wdAENE|{<(!g`WsaRYcCFYm(>MtvVda_y|WxeJgCC<{$}fJqS<+( zo!@434A2`{w=`8oY|bKwj7pVd^B*weq=g z7Wp6!^c6z30D&iM1YY&M1=L+rm5k3k&d((31={6|NYL~Cc6Smc*t_(X%it1YZ7jV{ zI%>~Iv#q@3csNF@-P!`wuJ}Y4YpXSCwM z3HYpQ%_^Cl$X+&6P9g45-|20FTp~z%=KqcDajIQCmekwjwEncNhYB)FK6OKz$ zd4&I`vh*ykrr0cC|mjn_QaYoJ$^Bl*&)$|DD6SZTMpl$B|Oz ztesZ#7Zw7fo_Ru&ivF=0jK*S+868#XyN@O>I=Pi%c~n73xlv^T)cZGdStTr<#5Jfi zun@I6SoZ>I;IpL;@z|Mw1MH^(cAJ7F!I+W+2$PGpvF{@hf&s}Ma*2Ao__CBN>g3kz zoAwhOw$rR6`@`rs}VWcE|(C@^0?({@LB&8PLIe{*%lR81e6%Y-lsJRMOc9b zvrEaB`(s%U{y725S>}&pHz0S{hC)z}^`a&xpckn#{&;I+f>q+)gabA&cg)5&<4Uwz zTS7bom?6k9gW|o{5%^i}S;0J}w^qxnn9lg=%(aXZ_I-eBTpfu#v%_jEry5FNI+Dv? 
zV7jk`n#<0dRvigQ-jS>fr^r72o1=CMLm_k<%~y%hy-;nw90WWFpQm=?&oSn4iHgtr z`+~Te2h)06W+!;%E17u)d!l&x|A_c-<2K!+O_1~yk-#&~zDwvtHFXEddwR(Oy&&kh zK{xVd$^x#-VPT7qW7W7a@`TJpU^!!uu~1~kNY6HJMyr_2DiHVh-a(KJ;vrggrPeqc znn*Y;mB4-qx3UTcO$Z3AeJ9Eq8DrL_*=hamADacbqdk}=B{P8SuoC34&|VqkF*Oas}fdXTXiw-<2-&UPmkZV|MSP_31==eK{e zOAs^MBuk)vMGF_VwK*>Hg$hzYyjA0b^go&zy z)khr{Jo`Xn!~6v|eOKE31!P8vH-iB?7h|vJ)!{b~^8_eOc3Jw41%}C}7+< zFJd|CRxfn2VppFydH3aeuSqTYy*_Xsk1V+qU{ zgTaIzvKi<5Z@4*>1s5Sa&2Z%t12TZ0kjfQ?0TdtD;^7r~7v}ocm(Ic20`hk~V=+5c znflQ#{BF0;V;r|+)HSJ_U^o+QJX+?!zviRHC#AoXqn5T0*w}Fd*k$a~3IFz*0hD{( zVw{C`7P7p~ayK>YGgnQi#NEgub%2vks%#>oYbCB&0CCNIr@Co>$;=R1cg5pX9sys)#Kq^3kKx^!mNLN5nNo7)kIEP?o zp?!E~l?!jcXCP(ApO5bA20a-N$HT=Bkx2PTvST_VIe=!$(NR=Y)oZc$N3OlNeu{=I zrVPl;uk&%jdJDUG`)WS*$SD6V(T6nne48wNxO4dbF)(Y>uL0T{pfavz^wzpaQOFo) zlX>E1;$zid=C3%RA;|unUf943X;(r<`_$gBs30DZ{_QdmNv(E+$f99S*%9A4wTxPY zneAcLa`pNXbYzpQF_KLNJ%I#b8NABrV zR2Z$0Uql!pBcO$(Hb1o%j@&0A^Q!m3dOjF>mNN1b8XqG6O~^03@@MTmYn31kY4G;j zBsxSU+rz!#2e)q&(GfyS zWBn)6Fv1a@^dAv&UAQqs-Ix%GIAFH7ay3eb;2Z+{2qM#AP>|idPi{81n@@tT<5&or z*vk}#MnZ{qQfPevL;{EipIp1%eKc?(W~p$tqTx0`s#e%0_84N5V^|lsD7t#L=!)M5 z9qAe-i~Do}e2c6V7ERNLi}N&OcSfT8c)cz+D0w>7J=zvy zU3vYoHy4=NyuH$Oj%Li*G{h>|z3;kztz2UhTL(`Vuf!2Ftc+Fp4tlh(#{Ha=_Wkud z)Ibbzh5|#jCqd-A%MNrPlyQaeIFIOX&$FhvR4Ofdna9;Lk0a-wjx6Tr6s~U6!!0dN zU|S0c{MR~?WaAnS7uT18hUX4&+8umEt&d~+?G7C08TsC^}t;R*ciZRkL}YPF7LyR^6kS0RU-T^25}%JywtW5PIRtwL7+L(uC3r+AN);uHDBg7=BcfEWd-b z3Itv`%Nkx-!sU+kufXS_tSn+3#+Na_rqs_yj4CprB}YCwTEgi-5O6`n4y=bqTEZ3K zB>omLDYqG)jU%&3W{i#gFcSjP9J{1L(4PQ3Xc0j^h?@5mE3H_NN7Lq{Q>;T|zZ8L= zMUE}#G|z|_y=}HMlHtu*HF{}*kuv%(N@|H2Ry>C#u596vG`J)QLn%SH<66j@3r%F3gsCRUJ)IY#d|<4RkTX zK;JL7rrQg*k%{e(K8?d=U({_~p+>G>w@8U0Vjg>DRus_@n;rL)SA%jLG{mw~c{~sB z0zoTPc!%o#k`JZd5pLYSwie8I`)k-haM88$BSjz07Z#EXyYb%If63qjdptZNNPSDx zl{ZMjL;^Kwb{rUNhw~850#ha8nooMMDT9b}N~^I4ITgUG34ww#&e^GnA;8V`V=26B z!rm0ag6^n$j42upp3wPx@1(NAvUXn#!FByx!jU$)&ZfhUI-A(0e;F~diu*ESrRQ@W zvON8yBpmOEC)VRbf6ZT*g>-1_`#P(7Ndzt%Ee=Qqm}{W&q#NMoU|eb~GviVGd&Q>v 
zz?3(fyzzcb%j{F40V=Mv%UmAHCRF!}SfC0x|IJtnp##YrVf#|J1PYl1xnMdhSxFOC zZF$Bh!%7eByE4qTn%<0fDjQTTe1}qxRH2&3Uo>F$h3vzBQ+Vo zAdDvX5N=70N+0{YRv))@Z^$!>Ot!zs4>okvAhAcs|M(NF3O<=*a3y4DB6IUjqwALYgN|DALc~`B zP?z3j6p~Eun&6$_A}TJV$*Bu+;MTE_(WsrXsG2J)7ehV1lF}M6dkR(fWUy^+~t-j0urbL%8nL!(4H+0T6BIS4sVRr^lW2 zo?sQ#FX>mMF?O7;=vSRBJ8A*?X_IdJt1ExpmzPO-iKhwN$J2k`*BpkJFE8ixFR#VT zx-#=V3TNOh!Y7o5z4{%$ONy_}$Iz@=P8sz~fj5j*mmaO!13=i*<$h?3lEi(!NY!e= zT6nWyI7us~uid9m>?36W*;LKK`+gz+3T?2%vdNc0Oayey{jX>ZSx3neErv{vetPW@ z=LHC8xwF2MV^ifs4)w*GCKrw#R&pf#ZBBWa?53bdM12PbVSU_2+Eibs+!lLT4!$x4 zoBn%ef;~j6FqVl{O*Z{k>pdWNyi?*u#ADbS2S%io!&gq-C&xd;RNP5S@@k6tijR|@ zpCq8xc&`v8)co%U_7A+0K;(cyO5XIP0i3*hvcqxrJjzAK{rM4khqq3yPJEcr)2>q4 zLmgK~d?-m-7Xq?oB z8h5lMGn%+Ck(yl7Tx3w&q!Rr<cRFDIV zH9qz{rcF#6fCQ|OYARfJB;B@$8&;@Q%<(yJQF?gAJ_bjpk4hdp=9B^Ro62i49f6&F z=|H2Z5hbVU0=S_9|8Y^@=|MhVXyoY1>Reh25oTlZt!P=_BJc65@w`TpIZT6S!yIwj zqps)!;(+!B5y)@Kii)c@vcZ9~$TT~qbe!dg9$Pgse*48Z=g>+aSiR3v@80~zN&_a; zs?zEjugOO4^{`j#;l{L#?RzV>v?ar%tl~MI?gfyx+7iXK|ktb68cxDK+04 zaE)fK{u9xH65@S2M|EnG5!Cvw`B8k!heudmKNKTjxyl7p4~*M0-W4Nfv7Z|0Q6A~P z$IDk&ip$dgFU}%;Qf*rE5HGbBEI_}+d5P)15@WpA4EeblAVd)BHNzo$u%d`(Wew+I z{h#$HiV3m3K@etV>+NFAbEZ6jvW^%KIXy6cSD6v|o8)JVy*UGR1_zP`F1T>j*nV z7TxNO)|RyQ(AD-K91j61guy6qZ*QxtVZVW9K(?AC9mMPOOmeeW7JH-#&7`6{{ivddC@D5?AxVx7MbD1@d!ZTA z&6_{zN`G$6O1e#*nK*yq4~PNkyU$ zHGN=`aL`pO59vS};uu?Ba^OW6kYPH3*Poay{mR0vKHV(>dfa}Uq49cDT#u zt}#Uf*^chrQ3e~Q%ZB`b%dlm#122ZnUs?o;AfY&|GR9>=Y|6Toagm2LTrVH6f)Sz0 zITSc&sEYQS{Z2NVlhV3uF?kgCG=MOkp-P;Tm<)ACe!4EALJ0XxQfKwioYBL>YzU0myXJkAEj-7N}Bmt0JP6)$4K88v14a!#uO+REbP>mF_DbD%4u zbLbqNq!lODGn2@~q6}h~8ldmvZxg!4u=d=O<955l&6LhnseF7f*wvMwmkwvj4zK%D zumE05>wW~)rQXtS<=A%t%@c>VH`qQ#e~t$fG+g?~QGHFViD{E&8wYDI@;_MCopY&V zY*Nx4MouR|dls0Nc(nIkrLUsKX>KjnIU~<3ieSjz3Ju53`jBS=;SdaZaz(2Q;V((T z2SjiO5#njp4}7xujY-BbLDu8rIB6n$#E?gY_?sVk|27&pbMuL>>O~|XB&`sY5u6%U zgYwRnwvtUo!fSd4J}N#&!2J!6sH)u%B#tG^?5mCkt+{}1c6V_62@NZU`E|vloH*6v z`n9$|YhJacD`)O_I(|-_1$F~iA}{0@z!Tw5Kl{HZU@M3@@Fc>+BkUshxMauBYq1L7 
zwEXz@?gajzafsh>u4g&im;7U}k~UVXUegZpMVrlWaxg73wEoK-MxOT=^-y~-xXKs$ zM88A)Ru->&mEXdKK--{=qjT+)yL_L0U{e*mw=kW}PdFgreM|gA{n-jGNspcoPf+{y zdb%(2duyuL)pWDl-N;YC6k+pH9^yoT!r4Ya`q%+5d$5c}P`qI$a#s$L0LZgr#l~Ax z1cl>t85RjZ1Y01(L{{`Sp4Hg1BFgA9)>7PmjXu(PSXN_ynXJa*%G_jQH};zh)N{ht zl^1{S9whO&O+Izg2ZWNic4ygm#g<42QKT~?#nwE9i0|2j3znPGaY02S%Aj>S zq!?pFW4-L;tPq;0Ix-G(#Ov8=unrO+Uk(R}(A$SWBVv8m0X#6`cxgOlM;8Q!XOmPf zcXq=aN0VnGCFnLcMbg`-)XpEmu9RcCo?{4;-lSupcm|SdK=;)|rz@%e*s9XWAAAu; z@2%H=2{dqn1ZzbGq6#Htmb|RDNj6#`ZC|j>sLLmww{!2spm+j{q#APyU$E-9^!=Fg zBF%12geqAljL}x;Y$46f0(^(loM&NII%s3X?E2$;AKkj zMawj+in3X9hVtp!0A1smw@2H-6Mt00g2CJm&FI+inCFrRabs&1a}3;*8Al{LP+jlb z!C}Zwy&SpDC=Iw!Yc8ZC)Qo5iK65`h0=esxNo&^|@K?vFh!&YcNWcn{4A zXS@8$st!m0s;SzN26e7B635S?LTdY*^Kv_rq!I=y@)h(3ef1jp-cJVvfoUT1o( zMNFnSxu3ZAC5|=RAPgga)0SX+x=p+!e>*bSmI(b=e(#@rac?kC9IF7(OPB^@$C4|3 zgBavvyj5zHzdRazY((rbDO48GO(ojbSAoc=TJUC3B9b>O-B*c~gFPu44qA2^nUqI7 znvfA_7+}n8I`sTKyHwDGGd9IVd|I>$$(F^uIhIb^ykd>ZgW>+#gLLX!yofO&-v6}wm;30b%i1qflXZHx*#r~6cA6N zN|1Y+to(HrAf=H2(ct7K>x)09Py${;q*>5fnL_sRpyAlJ7`WVq(#~r&WdW^jm9FJr z(KUS#YTok>j%p#uTb@vMU%j0A^=~;%#ur`8jn^s4)~0N&W7zpq>a#}MEX2(>ToCli z{__pD*2kL4e;V&B$rJ185O|N|{rr;beD13QwBoM=)zXNOddeS0 zDRP_BOI`2wrI!G*q09)lmz7{JE4jm~;_7}EgVRO#gM7?eOo}*WB+|I^2Gz2+jIhrM zNT2SzRtLo8@!3h|5?7Rz+;crD-^$oFh?-et>wlF#u#9FZ(HC|nz;9&#_Lf!@La?^( za}*ab3Gd{B8dDD6L|wZHogX~=lJmf^W}8YbhvTf}mfcocty}{I@XO{PSF(~ZAX!WNix>XA`8&i~K{p`B_q@g_On$lKu;srrL;_ zI*6+_R-RT@uc=G`1hmv?m5Jjd>Hk8ea^zJY1#u#ToA}a?8~DKj9RIcWjKVwovN z33oW0H{$**4NBiXQX(B0UtnC_hqG zpy=LwRYxU|j59lp)N!wF3OAzG&SuN&y#c9VR0!n^5?8ixbS)Uj}XF z9OyLZ_hDvjH&HE(J3e7MJU#|IB`*JHVqM_U+y$WV@<~p&y+b%{KTOUh5;6T4s)MMS zys6$(TX~aw{tTn`QB)9{1!)WrxMZrcNG3l`hAp-{l0=}vek9D?3Hyn?rF0x^He>!) 
zM-B}qu#B4{l4`S{MpAx6m_(bF0qg`VOyoq`K?ZzT9wi^Z3aLWvf}@o=X;9$B?}axU z^de|Q@P80!D1L|$84HJ#w zU&niA5s4c6uFtxj6M+j?lR-rPE4M+4eLWH+4JfaC5(5-Dk^qVvkvsz|7=Q}_rr4(@ z=wc&DY%oa=LDWk(0jSu2qRr`AsBq#AoJiu12bv`hRnoWwZub@IY%U&)V1M^w?}!rR zl=ag>6IUO#mcu)quCC;nT*o^Ad-O<10!m)9)lTn$RR?+lTj9Nx$SuKEwri;~JToEuz}rHK%w)|wU>M_&4AEn3ms{Y#E{5uo z21#lezol~Ki>{oQbi*7(o7x%gxo|7SQDn`&sR&1?^W&(9{8>?0|3`ja4Jc!bW~Y;Y zo7kw}%PTIN10+LWLGk=1Y#ppKAO^(LsoRBWWZ$Vb{q5~pr-dYMsY(yyELCSWJKqCH z`>hngi<6SlK-m=+<-n6B!}vL4ll=W#=>CqF4tqYElCl;!u%qG^DNzeoJ#*F7BPcec zT{_a<)Ps~a%A^b^cV&^{dHxZB;0nPC4`42wBVsBg%czNTMBn)IRT?J0<};@yqE6 z5N8Jt9DFARnEgMSlkL1v2!8WIBtPuR6_H&Q-pXR^gFmh@wbz%6r^7nD-m<}w{vTtX zO?d$m_EGXEo~~wjp!bdXGdM7vmEAxQD)wwOxC+YjQ-Lmn=}{TbCmt;=uu%VeG&hWu z3Im`+fb>*FRJHYsFbByk;jylk+$rHXgLvcIy`2Z>(zpq=LFNHx&EyaVj$hL%i<~); z`k99G$>a7L$F}p-XkKZrJUfnNOXgQx{4_IW)B6N+;2i2aubu6$T!zye&HYtqL#U&L zBnqaOLXdgrIAd9QI9?&}Oted^bXkgUHTfngt4r~S^5R{l9d6PSDtqLWGW<@*iwhkV&xlkel zvXyS%wl{tEY01n{>F3o4gZyxXHLr@RRHT2qG{MML_nZwiRS*)tzigYHBB@f1( zIOgfh8Ogc(`Bq;!v~|<#7VkivfN29o)j@=4RVC>vA8d}30fl)x#=PKnP?$y-Lmk1B za;^}Hr|eel>gUW;!dIBVU>j0M{<=l2T_J4w-*MDG5FITgT(wZ?d#LiX8vRe zTdQG7mZUa12Sj)TbLWoK(z_SoD8_O*W&a8S&G81A`8`%C;aQ{8lJ1dRUO0^}p<5=o zMa=`KUyJ6JOO`=qOJmo!q9a;*7GyiW%pnJXquGYGEHjc>$(-;nhx$Rbc^Kyzb6Z<< zDo-8Kz@-x9)Z{qXhud!Pl488n3>PD^J?EESs=j}4`)_?GdX@u>vk#5 zNE75e$abD-6LjS1FGCxfm zAYwJbGbeUfb}8H`Szi^Q=NcBq4=!XdjaAf$a}u;12bzMUY}^r{N2*&iH#TzBs;m76 zB=M1Sy=JAB#J|5**uGt4ODe8$CDFp56R$-wPe>;@<@I0m0?v{^v+AIPG;Zla9kBYaYRHy{dOC($qDp4I_I}Ok}%WM!PvnFCZyJK!8Onfk>H2LbicCkiw%lm=s&bH^LvaCs}GG>k!jAE zioIh6TI~NA+;X&VmiICyq3BQ~-MM$7IoxAQVXZxzd6?bbLVWI<#XjSY^mIjPsH35i zV3x#7*l1Dp0se!ACOrrd(fY24^JFhoOh-<}fCaufB-{b9bDFakRp7Xr^;$t-BS^{l z^n5S|1t^6-twhayB*6?@kptd|o0`s!N0;t=BpnV>TA`d&qrbl`hUNW*)0zkulU*Wr ziSmZG<9$#S?DVqYwTI|O87wA=ytUNLd#3xuke6EgNY4j_g5QI<=VIS|`k}Rj+}nFK zP|iKc5ya4@61T#zBN4F@fH3p%cb@}yR7qHvl0JV}XhSmdj1`XPA`7KEZwBAF(+GY8 zA1_TgEjVrPOILL^pzDfcFoP&3-J~q$aAd06rib)TD}QcIP*G!ll2SmC)2t+@eu4i{ 
zsFF;z5}-ABzNYOx4kU0qR)lkw4nZG)IWRPC)DBcO^@tFXxnGLwDSiX;Y-3D&!i5o- zu;|q~kobbW*onGu9V_dEEd7pC%b?{1F!up>x8gkywwxW54tXi2 ziKFZ<_N$;NR?sYF9slf}tD%T0nN`7A8JMvvsiFRmnO-&dg@C>Dou-VG`*HSw~CHp3-~c7 zA=U_XIVup@OIoeu!4CuYsLdFz))3S|V?lNs#iork+0PC^CaA?oq#A)^Fd!xqO*$3D z+0t2<7WyDk2TD0C+G}-5+3A?#^frq`k}W7drLaeXWa;F&ik0rbz1C0a zWUoX|4wKDr6EDC-1cT!!x@LYgL_xycjW1pc6~aqbgt%)o0<{472U^X`zLWhivKqoy z3)Ua(MmWjo{&4w3f;8%WBGF^euygH+r5(upF7sYK%JLV0_wX7=Bx!IB;NKZ#we8p+ zr+V>xyJ@Kd@@nn&+>2#fdH6>f-isOYDtmLMjbiU8I>s5o!iLeSu8t^ZEJm;&tXx*) zi*g%eY3w(@s;%%rg=CNw^jzZDaFXaG-o3&X+`*Ic;NgpzjY4yp>HL8IIQ(1VnOH%e zh1Wtl8;3CCn|c8pQ65P*YcqjT#bVuW4Xy0wzpM|H?aH*KYpw&kW}$%j%y0-TE;#Au zNg}jHtQ52c;MyzSj)P2`g}h%$BMqQkLTKf@y#`Y$b!SNTD*-%cmIFHk2QNZfC36b+ zGFGq-`+p50rLaRa8(500cM|X#f%@V*7e>%5vEdisf&OKgH2bD84Ln({Awlxy zwAI%E1X3`T+i@yRd`O!_L(8@==o_UJ{CA)o9=B(m09$6vt3-;ACz_gN2poL#444!I zSseR15{5#Pe3+>-4oqltZL|lwX8@!^OI~D$0bAzL4FQ={WU#!QpF{`fo7UuoNjM5> zLklc#k6=9A3RF=llTiU^0CZK+pIeycEl2ggKK2~L$djIB}H@)8(ozH0=O zstLMu0F)`tAc=rVAzTQr7-^YmheC)PTVpz`34fP7hj&k!53*Vd`V{y{8RX_uSk)7C zNBR$B4M-;nL>iVKTr<-IpC44gy6NT$#?~+&f0jhsdI}b5?4gd;xPE<>9`1M=Eyf%x zxy=;H)#KRgDTr`ZU+wB{$kVR>$G<0or_Yxfm_AMpK|9wo_7oWR1>nEOE(@U11x@!m0yaQpiiK|8f(wD2 ze9>|08Fp#D*N;jg`fx4|^5pCY?d}D;3NyOwUw3LPKAx=|9YsEyLj5^bSI-E(3pn@k z!cLEHUE-Cx@|YdIHi3SMY&EKhTWBqs zV;+PV7j31D%(G_mRS6lKM0)SHh%1HQ7f#xi&5%b(?JwtmxX6mmAE{&6Oi>-D`3U}+ z&*gWy2ChTib$%Xi+Mse`{f^_}iZVty#6yKku$bpB4K9yJ-+rT79#(07U^{A^;YGhg zUz!(MI4~E8L!lsy&8ZlJjZSPotX@vB+uB@E;t%EdH|sa>9R{m`TdP?Jnmq z&0{NzFikhTXl`qw*H`8)zqRm2RN_1|g6V8p&j}r={Izz;GF=j<=+X@NXcA7dEdI~g z&tQpULJZV3%ZqePS`>qYq6PbKY^jGOVQRO0y7KG1r>D>LjMP%?vx0Ns@`IqIJ_jaM zTQy^Nlu9YXi@M5BWUH1_lek0Io^EmHQCQolfBeQAty44f&N05-s{mjqt z``$LEiMqV7ozoQI_q)7F1Gj4L0AVpkJD4T`tgLq*EuAI?xg6|F%kQ?uWu~#yQt!Vj z=*O8fzq`pX`ASf&oiYwQ%KLXbflY*Doz_Km68LiykTp{+BjD_%ut(+UILJ&v=?|S=hFuT%aMN;Jmi;TMdZy{*(rW6t82HUX4?%r z{Bhg+2rNn<44zi7!S;ORpqcO*0y|fzmK%M!?IsmpFi2L<_W8Ci+diP_=W2J;OQ==bHXI`fFYoo=7%>UIr#>Ym0|Bc{N 
zM~??!^!MpWp_K8S_iMUIV*r+`VZvnb7xI`q|M^6R{MoH{cD5pn5DYu29LCw7|lOMY`gYB*j&B*7@* z3_4qJ&^S>~t{qy0X9@@^5KTh9cdEJI?x^-a%nm%aIcs0G3T|reXu|LQ@baAbEcw^I z7)Od6vHu9WEIxGqhvg*EjJIpXW2_A9YhMzFu8F7IwBPjxYI`6eip&R$J(7F*FDdNa zyw^8sx4r+7`}n?(3>ZmiF0vWoL*VqD9^B@3T&}$cT4~imAl?Ax?hOu^L+c~{#>d6G z{r#%8qIxlN_xR{7N!FqKjm7E8ZCGt(SnZ$gplG&J^f0t0LQ>&G5BAGzqIf8wRg&8F zpm)Dw_6&v$SNCqoqg`2b|wZ7K7C!BF(nQVty$(tyu>IaMG6Z?Wxhs(iG zo}HQptL0=eOzJ}X(ReaOWasOa@e!{rwRQN5c)sED*^zWT>sU1cqPlH zbca>vdM^=dRdoM`lI!AuR7pJFs^O4gZb=#$RI4K%^fJX)B?o|C6CKP@>b|ih>eM6N z5=#^0^jm~4F}Xu4j)e?8`b)lp2!#nq6&VJ5qD{+|M}D@x>|s^R<#Uw>PD^Y#@GLiu z31u!R{=oY#GcCqz-Mb7HxYr;|)Rvy;&A7yBLkTX13*V4F3?6|&>Ku0q`Bs7N-jk(4 zHxkuWGf+RanfCr*acq96!a3v0f?O4HVSI(yqbf)4eb!>KAV-xk*?HX_Isd}RWxNc|x?GR-&>jSFPr*72WlbOrSL2!*s8o+(3@w}8c z^O~GZ8Cr7lgjCH7ek&F&i6ZltabLQ^ohe*1-4B+@7r{nnXyQ752PGyFeHyJ5KtSY}LCZ0HZ zP5jl&9YK?ayDIFp=X(g76@+>QwJ3gOwXs||8mnG+zMKA_erAeIs36Jak{v$0ZyUBq zIr5H(k&qLniP#iEY93W3vPRAD|4roq<EA##!<$xxu`9K5+oPyR5TDW8n!jp z-oPQsn6uTc+Vtmfy}je8uhuE|zq!$IU%U`m!8$Y=Qd2+iEXI_AIT?}R{U}{97eM6z zQ*jM5kv~rZ( z7@#-2vicQaPJnxJ<~0Jy8L7we3=3AwGl(YwF>oGa9? zKqJdT^%ao+LI)*2C(5kfUy%MG%K;cQ=aD|MCg1wKHf>Z7DgG8i`Ho2y5P=llffU|T zlo4OQWM2_1q5VvO?V5mt21<$^m@3T%p?Wy0Q?7t9p?Ut6}*Am z)?S8?bvgL&JcP%0{Cd{0oH`O;M`+RVo6+2)HR=mx`(otaG%s4NwN~ORP^X?xowYeT z{dXG1l1*dr1bO^)$&(RYd{(uQjezT5hUrQ|G40z7O)eE$UhJ(YmQ-h4b|8m)`lZ?g z%P0yJhuo8T#4rVtA*Xb)GmjPB$?B1dP9htTF2XWxVsfiuq%#V=;K|3PYPgZ8ssT6muFm0zao!56fy1bct%MYy)Op_VFy)JTtz(Gc(=eDkO zTNTFIUbYe2c{h{CJuBWBl<<$yL#(A$y~npp92nfA-*d#J2@#2CsW;=9f;C-CHxVg^ zKgLp~IKYB>Rs!HIxOsGr#uq1b`=Y4uj^7ArxtZE&@)D%Z0=@6|U?au0G7q%t5b1x& z2I0BnN1F9<6G7T}FE7k&xL}e)qse{{V%)gdrs&xi2MxK`g@JYz;pxz!!~9TyJA=mUzlrK z^mT`=L6w6YjQ5evq_VuFt#dBt zjZJA+&k9GCsgE1NQ5uwLY_{SeW46uw zP&PBxIi^0?I;zff%j)+pC_@qNeV3f8q}DQp{*lr{oAe9!|IXdU_SYakEiJ*einv6P zfU^looJvZ({s_?(&5HCAMvtqJT&H1RE7hcm*3`u;2@AD)9PdxPul0<;kLwAILZeSa zTPKZ}WH3y21pdHw&8YMu%(> z4VO(!pR9d`C=|f+qLuqNVty0%js(6%$Z0lf6F&G)l;V$*p2MR|*J7W3o^f{X#0}(8%YwVhEN?yTK^^~5_DNE;Lkv`

7KXi z1#*tZz_4)D>kEqBF-vlepNFF}QcGX$zfx3m@myCNtOll5x<%Q zzd>!=Txkq3(UejyMd()R73;wEx^DMj_6CVWueW?})q=92!D>9_kyZLwYsDi(wYxvJ zC*dIJwIQZc4PKre>6iV_W^ZoS;aFRa*MgBr?W$8To=Pq|L=}!Q0}`Qsag^KqiIjr@ z+4mTf3Fb;cy0UtgKj00+`7h{s=wD|0#})wrv3%8Ug3Xs4?+evWUl3#-$;-DQkg z@5P(3w|9X24skpRD2eD{l{<$bLYusM8<4@hOKQC|N<{4f)bPWKJtM0rIno=aMsRPD z-F#?3nrLI)fn8LZ*D0xRiCjpb&y%=L)O?U?IOs%0^YU7a69mBkW+C2b*2JU*U{eY zp?o-PROB(jTH54%sk2Aq%@TO(b?&SVW~f~Gba7QP(LE+;`7g|rN*24kQ_b>W)W6t2)BxW zS5w`^ShA}W6#rkf??Yp|8SiO&XNd>o5-4pPD8^&Kbg~TYg<^GDqNo|J-zD&5C?U_| zk1bbHXO{noa0p1IXr6|oT7MWv`bE8Ja)7YuCBPAN+IP zbSSKoXi5OYM;#dIHPY-Zqs#?;Hyo_sm}X8W*p}qM$OD#sb2UL=h1dBdx<=WDiX{Im4hQRKe3#}XLN_HiM-Qre*a4F0nvX0+uANNttHD~$( zRA$$7vymb;lcvjBiDc1vO<;r0Ubii+M4VZHgknK+<=M^aN_h6OQSx&xvvL2T7P+gd zO`JO>C8DVn6#r$EEsiV`3A2Pw#FeCrd!S0robQn=De=WIB>Dcrs!1)e=}Jkz{FS0P z2@zpha2+b!Q6{J|41F~aOq07~+S@WgIZLGj9G+q!Ub?;FLiII~Lw@x<2{cl+YIMqB&C783OGmW# zg9-#ZwE{5|{@Z_gXkhZZsyTy55#4!kBOC5;XKP^axRjwzOJ@mkh=4ggQd28pOtHfC zK{f$4THbByg8JxpN@$qVjr)dsk0f&+==t)X|K&iwgAwX2FK4Y;N-Z|}^5h(GowgF@ zYLo=bmy%wT*;?lYPcy6;#c)sj^8O=>?B?i_z*U|9ZNU41Xnz&Fw27MEbxw4J<~0$n z#T7o(AN7T9G;#Dh!;dw~HmX!L+r9&5J|Rh>1I$<~$0`-qzTpIE<;46g?mQj8hgl6O zn|?i`RC11G?!WV~&*X%m7Did&wjPwp52Q=K+$c&t|2xs2F%~WUjIkh44MhH-Q+fWJ z=x2qOdrp(j6gQb=Lj3GnSmDKu%_?$?&SK%k|5t)2>0-r=T{Fdv)tz|AW*-ikCB8_7 z|AGci^YQ3s{B;4AbO)d&=q8Vr&kv85xm%-OefuF>#~&1qiT#b}J+CH;cDbX0=kNFK zCTwZoG<0%;!uJ}8E1vdbr0%-^x4YBr&>l;BR^%V5&1!A4+h`+m-|YS)2Ffp9^>w4> zubuIG^Jr?NNUmp%7lozdc%1zGepU{JgiZp2<|k8TVaeP{6bkd7pn|+W02nz}U--@rp=S z^KY6Zl6-9THWwIJElfk=lBRNmm*Kl_485|6H_l;BUxMV!h_{!*^?X{1e$5_^VU!9_ zbRg$>%EprT$x-Ab_!kpee;`DFahSOE5W71%;vTu`Ks?Tfh!bD_PXHoj4tgn=(9~rg zY&t|a5+eSLH6@Vu5IBw{;g{gzgGqnLFTi>ycah{%&bjItr=d=c1gc6rr1Pf2@+eIq zDFm=QZLY`og8&eoG$5&1h?0217|bzBqkwxRU_YXC=k*7BtLherWJ=VQ7v_mBmp&ZO zj628bWg0qOnB=i}Hd~kEMN?<#g}}1IOV;pqGY;KIsp%r1`S1Ghx|uR9k_KIG8YFLX zb05a$1>u_b65IDKKbQASbmHbNs$TTBFSL;e<6T&PMcuu0v|9rezRVl!P-aYjtY58{ zY8O(^Sjh|XneTZwbB{K$boNFYZJ5Q<6Q9sHI{|U31e<;*sXI!x72K 
zW5q8%x(vff>@sU71L%bhTDg*A{sA;p1SzBx>%V@9ypi+$uHLYaDo$MR#ki+-pb^Ak zc2iAAwJiRt$?ug)mfgb-%P%(?yj|D>mc)GnalIr@5H|bm_WO5dAMQydQ>{oWQL4m) z6jD7;SK7jHjZxV~@@p|Xz#ll9+@hlZcnuJxw z!Z7c5=^-!+v84@B@HAvNu)#3Q6$#=+!Y%AF^c4v~iM1>Z3CTJ@V^Yu>lKWcL3stzF zu-r4jp*c7jlJpG;h)ZG(4V3)>=E)^OOk{-A>xUOIXq_`+0XbDq-cCRqFu?Z@##jhH z3ZpDtJ5x%7X zZw&68aBBb4NPL9Nmc@AG=Qu`p0^2Ph`=mt)}&yu-h2*V!^YO?V? zjI2apQou|XVDIrM7gp#q+Fxf;=g$h_idx3hL|%})t;dP?(uC1Dk|f5oi+Mk&zXEWs z=|{Y6(2CWjyth00~ZFs?K8Z6rzHoBxxh65GowB&btSr`%GAxnO})KH}4*g%BH z=wN8}0C-5+v|~0>y?()Qbp@|*#6`Pcg$WD{7BzgKl%hBoP5awf7KRZ2;^H^^`hRoq zpR9QS#0c|}rT$dY3Gs~xQdwX;$z&)=gQ|?>n|ttPo_h^(xHo`q2}Fouv{O_FKSz1@ z5%uc?S$Hne2Dvje`iDKbkUGMuuo5sxL?Lg{k<6nM!1m0BmLh`uS;9{ z9Y;VRon&@*S)Xs!?FRRQc9%cOZdjET&JHcTZ5_Xp5Jz za~=_9;}AA;50{Fc_xFw(d^xbVZN~`Qy2GC*_8u>h#0m7K?zxg0BbBV6&IPJ4y*wPa zxVX5vd9Ct!W(#~hwi-7<*AzD)w-+)uv18;R!pB;6EMyAp1Nd0flus^C2d)Wn+q$<= zD<-a7H=frW{_vmW;N{`x;uFM%>3YgVm90Y#CGRviZ?!3G>3!UuVs+Vw$aI66yLc?} zUgf$d$$5XJ7QNTFD;Iqvs9Dtc3|Tlhoj=YZY(Neb%YWP&oVF-z&q{e8!HGZb9hJDR zVN>niem_0My85|Ve!=Pahxd_4_5#khW={wBYMmVBV3pI`mMet0t!G1b7oe3%q57+haP#89M!s|W2XTFEGLg)A-;0Btz%PM_ z<+UsB^5Vn5rR$F1;OBjZHQPeDG9f=hSzh^Wcb2Aj z33+oM+UQ#9&AS`=s9&nGE+_NcS6$agG`wJUgl>hQlngat&Bh-`13zQpl=BR<9Q6IK z&zJHW3yQR2I_wScPy1h+k#vOr5Q(d$0#Q9Z9dRc%rIk|0pSZsZaWw1ZLZ5?4;`OMS znulLPGD4Flqe(8Cx&hH|{iKpk5%Sl!yC#B`QjFjbttPXW(2g5*e>JX#eO=-i0ujWU3!;Xas0ry-BZUWZlzW;j7j?pUg!BrhK| zBrv_Z*S+j*X()3}<5#icE6+N|(-BaUYsSi2+17xi+|8E)f2~}&0s|p(#^G9MGFm-%u4tH3x>l8pH*9AFY^$?Ishk$ICT4?nG3E z-~f(APLO8+4OW}U37n920rVbOLmN%p=o9g4-%LU{x4}X32=aWGb5r?-AdDdB@Ngf0 z27ZKC8wnUvfSN&CDMge(DlU#FL_PGB#vbc(JN!QABD|)=7w6cXck8T60OS@Oj(&KF za*)6Lx8>pZ!lqV0v(p!n%9H&I0T*!rGEgs$r(ZULg0~QIzAeA3M>kE63PhnV3_9sN z%dD74g8k40!11h>Wgr3E212n;B7iPfQZ5Q4K&g)s`6GyyGX1{TRM9142K{th;4J9>Y3y!f^14Ii!l zfg*zFqLHwJD6$_P|8|@2M*<=4qL4Ooz*3~C6hkzE`D0z#ad;U^CtR2IS09_bh1b0zG*B|fgx zD=kV$$nfyHX<9MMijbl;)ziOUblChm$4<+>3%NM^xeNKO0wq;8D zf|I;^1PJ-7!J+#c%^OD15&|8(+A8HKJEg~kx8T#a5!iCu 
znr;U8y#*dX+6npl@LO|I;nL6QmLUo^06gM{Z)zY;n5n1%E^+MvxlbxXkQ$6P;Q9m;6idJc%?7kDL@=?LR5y$QnW=-x0vjILtO>iLT|+w zkB&WxaJ$mKVan3rsK)kDQQ(3VS(x>@0ej+n7~(OpbGxDP$@Gz17-b*oK$JL1+0;ra z4aO89TCwMH5tbSfEW600d88enj;jqq!>$b z8Avg514OayXIrIBlDa~uL`l*wsgfcMsomCJptYOa*+gNP#6R4bYP=aze_I%=p?!w# zAhlh&8^mrF$H97|j5M;_V-PZ9o^bnpDN2aM#8Rvr6mW7+#AEsBNZ0YKQAn+n%Rd^X zKlll4Zqno>YvfZ@_yK_oWW*8726=<%qWoRua{)HF!ZHiWGU8`z5JGjLC=(K}skQ9# z5ovp7SRS!0Yw{sliHDLgwc$q-AkQOk?woRvP}34}#gZOyE9x+8jM!T?hq&jrUfze# z&e?Ng2&lsQV%J8Fe=!RMFB}EIAXXwVW5u@nGLtuNwBsB&x()02AxwQtw3-^6EGNWy zZ=CiHta%CsBvAN}VtA15hnl}!@qbMeP7p-{SD&!A?z^MP$;1kU90JmXr=$+L2gHK- zZA2k2`H^?hEuu7tmM2ZtP5Ap7Op16XoGKSWSM107(FhR(HvqUr$kJ*ITnPq-v%dC8 zzvD2bl0s5KzK2aYX_|_aqPPKcg-NA1apk#iaY*wcPGNTMWo7fjZtXt~uHQ`OGw6S*P};e&`DnNjE*=z2~dZ7bLtslJt$f%fa9YQiuljCuL7 z0!YXx1J;U9wVNJ+(_x5AVeCCEfYP%Qd>Y8q8Vw_+a*DrMkMV04Q5PPo)*>}j6%Zn7 zac8XzDp4x5Nrj>zDlHPCpvVJGb7Qk)SOeB35QxGGWy9EgSh_k)DzJh}XvJyrRK;i} z-xcvIHJD<0$V!UrsPa{95~3C~uu6)AXgE+RD{3{RNztnXK_>T*=bRFQ&B<>gLal4X zYVBYM?p}!?<2`%~ZX;Uvk!{Bub2}jkI>PUcR$L>DKQj-Jlu^c|N5Slk9V1F!oY?bm z0%8HgN@ciU-^k-YUPXy#VF3vHm`zF!FG2|@rhSd4O^%6JxeRzfO1;1ZgBJTkbAE8- zkp4p-J1aIIQ1rtDUE~G9{Lml}S5T->`mqDH{GrT^clZIgWQFiBR{#v;6~wF@cz&Uy zak0m-FRUU>Nq9u>nxkRm%G8kh8ef^P(pW~g=OMyPj>w``TO0JR-?+?Jv%!}DVJH3{ zWhrd)NFd?ylyb^5B$bW8?q8_oC*DO~2y&y?8gddT;}?6}?eg&rSt9`$e?mX}*lr#G zu<^F`KD?m$8_@#tpdJ+@z(g1s^9QP$I#^J0JM=Rnb*P`<4t3;;OpoIe1`rUqAD#&* zxC9xZE}YVmeZ*48kGMfwqBJv8h=D&&Myg>p^S9j7OSh4ODs2>a$pc-%&#V)*%px2l z7f`kh2|d&`?>7WusFB>!{w|Ts!;~A^$-g$a{|6#zC#}jIxl|S|IACMY{&n~DyfU`3 zV#fv4)P5=HB`2ybv!`L7hUPw|y~$4yqX@PI~E3C;`! z=~~)}Qrsl$+$u@Hcnjye(T0El6*_$F9>$b9513`Wi|DDPtE>dRG_A~cQWDgf}H|h0)F0iW@`LC#YP`5h;$NY4N7!xficU71NPibUq^b^K68*{Mbth2Q6! 
zMkN((2^n}4MUurM<=j()$%Su3lnr8DTE^g=_uZsMgR2a!FSyj`Ku`b%C|}eRCYSac zm|BOYv&U3!`}Y&kPr#jj$i`9ty`?!DZP;0?V@(smq@z{R^;m)xGJyoRhVpVkP>m&- z#0=O>Xr`l6QmGlp>G|IwB|dYg#yn8s9}~`lPgaEkt0#Vdc}SkTb!G?oq!<7s#D z-4)g-Or^Ai4&LYIzP#wrAP|)SZR9Y41&Z56DkOU%5DK)o2b+cLc>!=FpN3j|4k)!3 zvN-W&gINTSa1KZ@YWwYV<*So)c~dwtl5m{hh9FC{VCTr6FBqQWAF7*z)R1H;nZmEv zNn#yNrH8Cd24HzJPnCsMPNplCF|Bd>*C^=lEc<4SZi|5`M;l z15sFzR2|b_fn=UJc3gbes75blmdTwZ-%zAR+6Q_pUfW9~2bqrW94l)kQ6pBFcYg+`@F3`5Nzacvyl6#_}c}m zJJ>>G^l7p^g0hj!`OuEmE)Tk21)(D!A)ajs1%$Z`{h(gMROp(bk)#e3p+3nhCE*+r zq0xk>No`LRw$83T?X+`d@J%k)W94q`{)FZ_Flf*z!)l{kNK3!pB|1qWjY5u2HKREL zF8~4Q6yY%CRiIRb2)bkJ5$9>MXcBO6N_!_l_|8|6ra*r6XhX#aGDBd}rIUlh4c~%C z^6}w>R`^mE2o8f4Db%9I(WJLFXy?sEn!tpHO^F5>S7rcKr*=_V<&(T8re?p$(&+Ha zudPNiyWbqmOym;wkuql}S1<(+6%*hZFNNhmHFgJ_A@mS&2&KBIyq}A-7UzGdcwrOk>R*bTt-B1nX z7^2<8Oh9rWz(tlm>sDID3m7)_U$W9Xbgbj66Bm7cKPt zbt|i{tWJZ^jHe3qHh3g$5ydK;CU;4$)ekttq}WTpHg%RS$#!Xf;r6Brz%w5(ts~6k zfQU3?KvW>F$q?^B*$YviZg~h^bnXp-%#U@%g56HM_!gK7@lCwTQ`k{n5U@O@XZ~#9Fc!9p(-c&=1^pJlsO*zd%;GlY{N)!i-mvfRVzdhxlU^%tI!87*oNTYB)-n1Y-b za(jo-UBFYEJMYOf$T#f1m_#~s;Tt(X91Ab}s(2w%!YeEs(OuPK*1oj&)=rKJH zFU>i582&lwsx+9?U(CdD41rgwG@aqq7dj?vD*q^_*S<hEKrX5 ztOK3|w|rbaF;bByWGu)G%zy}&gMn!^9!azBB#$9CYJVIKC~{!E` zSW+c!ZWy4FK8ZeIgjaF+yul-SV1P9ohyceUPFNob5m>`9$Yb&wkZ&NO=a&t{a~$OR zF_>?2I|(qiap#yWTt64VGyOoWxuopz?6t4(tzF^I_S({&H(4n%tsiQa~#oS zG)VnhsbroVH`iK@ zLI1-y-&KMgQ)!-n#dX%&bguPH?Wm`w&}IU^@r*r;FNEaxUT?IY*WtI)QD@$Vjt zh5qIO9lloZCv+!8^`r{6tp%}lskguPh0)vh_gZTD7HN(*B@RthU&d6>17>UWH4b zo!=iTzrL230*{D-D54B!3#A!C5%;``G`Ek#>fnS1Rf_oda zK8j)*ji=+!|3c<ESEIqvnpa+Uu3qT~Xm%UT+^-_C@r=(kZmLYNK%-YJe-N2pMuV1j>9oN)n7N%P`Crp#}lqZ$@82sDQO^373SJK6p9MJEIB{y^RR< zMzZGGf(TFT?MMBXD0MCcG`1Y1Zg5M&h3AoZex?N(eQKM4eHrLpvN;>}bl4{t-*$KQ zAPC{27Y#y2NNqdO73t;$xU}Kw|DK2iaMpubyFqF(wWk4lf5PM=0JQvGAOeb4Y7X;$ z$y!Cw1n57&0{Q_ckNuqP&yTDyQ@at7Kb~a$pp};s4!!>Aj+$z!X(w1k3D4f@fggGC zpIQMmXP(0?m8q3|hc3S19>-Xo-|6*XQ02_@xHnn9G5A%OT3N~Y24tuXYQEKJ2`_Ys z!FAPlku0f|)<|BpTNt%t6t&?v-EMNzbsyT6I8!CYx^#y!SiuMr8JPl{YpMq6Er2IP 
z(IhU6kb%03-s*z;%eTBDt-jzS9}rwr`v42C#oepFom{k@jc$v6y^0+|hD{(Ula4}F zxsp~;jb_-1wrF|%kM7dQ&$+rtRZXD(gqY=Jr)+~V?@h?^@6+{)rP#hI{3_FiR{oBY-Hk7YG%Y!|iD zX*D@?jFlxMSkUO4Z~j=x79me3efNXYFBmgUC$Jj&%d1VWqNaD#y7x*D+sd6_b1JJkQkCMYEBWdX-8uTFJT0B|iHt zZR_5Rq!#r@iR5+GpB<%0TQhBW!Mw@^chdx!^1)XSQoPG4s{Vkn?llcosv?*N%Qc$= z#>sy1Su&v1z92WFv-dFE6NT9GLcnRo^0dwDP*3`gc1b)bw4I^ydGZSvk zF|A#3tOT1Kx(xF;^Hqx;`k435wvC>8&OFH(9f1}jPp#-E%7jwlN6rK`C(Bcf-l~y* zm+Ft9Or9^sHL55S?fTul$L>nE3G=}6+lJFW=+bjlBC z>{p-LToJ=|w#$&HyYo?#9I%1VTxUk5Io<%ZhL@L3Z|IVXQBX1--7xMO4Ow`q+S0l) z+yaZkr+1PL3I|r2S5h3}s;xHg1)nSwYa7`Fx%M{S1?FzpJ{ea1i-X!4Z@#QsalAjE zZGZ8G%4GY2F!bbLHx$u0s`-Q2Q3RsLlxOBlD0~p`D49nWS#Yq$Qp3FlyV5;^=UlHD zLNp4nF%A-HOXmdc*!wyqoM+?(FPv3;Onzvw;oIS2Z)K2wbTJB)u?e$v+q1ZNKo*8=!lA&}^LvCvQCaL^vSV#8UYWr-- z;gg2Gw%*4IE+2_;hRgTvsz3?9EoGj0DA;Qz%D$;fv&oCE-OuLqc?h%Lxt+o7^Bm$N z+!cV^?b*-9JRbZ%EB3E{e`xXuyFG?k@%Uo!OFvgm*#{ZJEXKJT+ws4vN#?&qu^%$+ z5rKWFB28;ET>9X8pRFpZ&e#F93b%9Pq;mYiDTtkmaOtf!zu?nbufN2GOmiQ`95gwz zrg%gQaR{u3jBPz?;NzdPkOcpCS4%DzHui2Qi}-&wT#G$x;1gSC9dJmjXXpV)n&lWp z#7#SjBo`Z7RKsspk~Pl%uu!ZG>0Cmm5;QPz;YEyWC2OLiVu%~n;C?%7c<#PEKy_K*{wBH4Sb;MHKB+>Edh>*0lqS2*uVyo#tFeHd|)ea z0|(g3|L!pxDB%L1x_$%Wf>?_f^!h3N{BAXLpsU*jHfJ6^BuMqjH|Hicbt&K}X*X1!cyZ&VL<*q-})6;bk~iKISuYz{rVTxm!@ zt(m)pWv}zWPZUM*<<=TVmwms=q{z>#DwVs!*w>z+nO?7?_VJ>%;p1o?Z0*&QQr6sM zZRtbjE~>*JER+-x#>Q^4MLuHZhG}+1p*od}EUh=M;^aUBhOIhx7YJAuH=J`bm%F#2 z=$=>jVQq%L7T2`gdb{VcDvX8|X0yX>=NO*W#!_-w|F89#!VVguKm^u2_1qSiKL0MP z`7t*ZQF_wKE=#rXp7MBOc{Q_trRdsQWYK&sV4D_SQnu(D!K8f1Dt{<2gGadxG-@(` zC^Wg=y+|!GoRKxjny@TODz9_f5f1Fir@8m*SRH#LW%WOrG^8*JI1k!pC*(%Qrk@&l$kwAvBh)GDmImveHuZB?G&Y*SO@2${_G$#M+ zno>*z8=Fx?A5mga&ph3skZU;_nBS9Hv9)c5=GWN=NUtw~QAhraRgMO1o?r#F}Xt2;_iH)2&k0#PR-rwR3{9}sju5z%F@TRAG*%zPK2li*py+s7?0!sj zIi=`Ny?ElT4a8@;u1bcqp1tbb(eVcyl&W~ZqXn{xv~m_k57Nt8c{z&Ltat|XG5Fc* z$F`2;austjo7+eHPTcJBnXq~jtnPT4&e-UIfu~eSNCV%w{)D{FxZhjsN(?)RZ2TVz zyz2yE6txqJOA#C7qL}zwXd54mH3Vp$#r-h<4d-ZT;&0eC*SYujGop;IFQWr+B!iei 
zh!-e*Grw$Cs5%&C^>ia|ojx^1w;+HR{pL>dF}d<9(hI^rQ$Ti>SX^5%)m{biyRH?ISOt94$1aeNCqx@F@u zUG}Sqs#@<{krq6%+^OwLHu_>hLtmzHmZk?KSupCH#@gmM#=B4VMU;-KmAVWEj?w&5 zL)o4H#~|pd)x1~p^%mJ)^H;~9kB>}BH#SYRJcx3(Uy2#AyaDHVomr!f6ch^V%e`A8qksn5YSLk1@R=Rp%`hZdd1vJnv}G% z%NFOa{E67?I1Aa+W+VcfRG%b;Da_b%u!aul>42tG_Pb z=!nCF$6L3d;pp5$T%T=U{4t(ILCRHr)pg?7-6}D^6B_KVI!pM_yed734JZen)odFje1css8f%(mwcIgrpRnBN!>mJ1@2nXcKp zj#3Ty^=~z~nIighczO2%Nsg*RmHoZM$x14#=4K6*?<@H^0orC2zj(QIsVDXML<*uz zc$h|&^mqrFL2y2uPnK{wA21fCxyQ$+5gORj1xRj@wrWe}YTZ8|j3@Fu z=Ub=WnpZl)K_c3I=!@F7FwsZH>|4cKRAzfIzG$En)fp2nV>#pje#1{>NzqRfwZ;YR)|pAR}U(dHigTEz@DZO@fv zN!|OTl-V~2%>&CkQygc4!KeXK_>yOIks2B+$Kx(S;8C9<&w8^h$g}$! z-GQFiGfj$egkADGt_bh(&3k%pSduuoGjY^9tALRKIC)~WhyiINv&qYGOc34ZMVhiI z@kD*bJFj-W{hm@3-zRDb{SiOTl<7v#8l(A?LX+7eW%{|%t?Gf%92)I`#|=7;zg)EX zIo)DbJK>O39zx(^k{66Gw2x5P_>E__QwmM%#VLDO=yA9nMN?e%x1He*z*MEfz@3C1 zQwGKeh0Sw;32zRmA=6cVhyY!zIn!au>kcfq@@7L5He8wTl+F7l968f+fA`q_|1Ee` z!~bn{)MCm1JpoMEtYsKqGY^gaTsh-nJ)gFk2|C4v?5fEb>V;0x&=QTuEwhE?tt0es zB_6XHv*0GGi9O|D5{Nx@zlzw&>J=*1;RY|1ktA`0R$~Oh_FR3T^{jtOo77@Csf%1! 
zp&^P~cR?T3z30XKGE)D_f~&m9O6)pUsLh#I?e8IWp2-r+m0~lgliuersSBG{HP1KG z(Lg~F2L!ub$xC|SNKcmgPI7M50}QaPSMe;Fx9Z7AOgi-8U#fR9MQ32L?QK`w(wH9` zUFXNrxEQd`*HrCD!+6qSQVZkQ|1^g2xJmtKSMM)-ZvOwt=R%)iB`<_xRH=ZZ~g&gR$;vkjSUQ6K(VJce&0s_F*(keu`qcrk|o1 zW1XUTysBa#O@s^=#2hZYWzB+7vdp-Lc=7GLmn9|Z z`+zjc*C=m3VceYX02ox?FuU@a)euD0edMb;=f90=0^6wjatHBEi-4QnR!3nocp*k> zC=+f=tx2_r+5B3j+GR!$Mv(to?3abXR1#m0i2aqTbHVRi{-s<(mX7cv^p|~;!vyv# zB!TT~L-(V>Kvl`kORqXt?Sr$`{h1s3fwztz*no`1NX=HK=5Vq`SM%7|JH49~uqbUh zfj+#eDPZO*9Ee_0j_#F&J}pes`N2Oq>cTG1W%QO!5;ZqXA2hP7xZeF@U60kkwbPZO zq4qmML=pcpWq<8*%6%RFl8(7YbX#^i?S|rjXScP=3~GI`H2d%(^XFK4Ge1rV#~*PS#SqsI|VI@yQqS zrD}oOD-5YBs{SG+*G+#2D!aD<8UOA6`PCB$9=g7xck^qFw*KXSFd;(ZL=a~DFgdXr z@3W?xln>+8O6nD)-M{t=cl$#7{+%tI!G8hEgCqY>YhM8rSJQ1vaCZnE28Tg{y9IZ5 zcOTp>xVuAe65QP_KyY`r;1b*dZ<6nO_rF!I>Q=paZ>H*W^;x}pclVh(wP&rChz^*b zUX86q!dQ#D;HD#9Pq-YQ(YTPI2S(33-e}5;KaB763jIh=*^}Vuwbu-+xnTU_j(Tjm z)sbWsP*SfO=Jo{PClv;6r>(FhitFL?G}bDgU}}S+wbpUk`1MkCU}6yGXMOj%Y1~oV z8O(O;GhXl4Pt1g^8=08lMGnR5mCohsl&hN_Pg`;%AJwk0MTDJ43ALIAGJY3E&oB7P z!u6hB90)%of1m_z#9XRxzxu+Zpy|3xb2<*1h`o73p_wSoUfaDf(=nr7Qq^v`90asi zW?u~N?CC+Du{$s%a<58QrVYu4atnw2ihS?T(nPftmNO%#XK#mepFN4?8)b`SAv|MH zJS3B5^c{=MRf^ZVKRTI?GbPLT3!lrqKirx2GQ}`ov_(_N=Lt}X%Jedz;9uDLo=b)nnqPuT! 
zJrLKNR38*w+D!ra?^) z(7KNsmKAm~L6^wuQM}$>Cr;j{mCvqz{9W1lJDJ(fNDS8XV_vV&&C3_$H$ky3r8Cfu z)}{{=n&Dnq0+%6$t+r_te=TV+*2dhrX+FUGJfU3Nse#H$QRK92yPfnPzM z7E_Gld~kn(>-0a%JEH`%{8vGBH7=&?z~h(ZLGF9t1@#dP#7&BDuMqtQ!mTF28pWK$Kpw8 zwVbo_63A7(GTV2n*7Zy0u_&wSGfU@OZdcqG8w2}Rl)>&1MjT(MZW;dz_J6~9Gg)dt{$n%3wuhXBONie8&FtSh;9BqxHM4=|p>pN891Q)1l*oD8 z(=2@2F}p(GYpBHNr6oQ|7sOr9`(xjl9(f@-3p)TSEKhZlw-Qr<}gyo$e+$CQwalUI^~AZjqAq4 zMNI3)RTC&fjOGnfl!^vyk`$=~A9datiY$L|IY~FDnxZ|yKSVN%{HJ zTZ4j051|ovtkl2g)+^FJnY_6t?&F{?iZ$#+0SV5sa4;QF?_%Fwj3S)ac>JR_iw`43 zZwTK&2(E`0N~>A@f-No%75r{CS-5^61}iVZ#Z-$%h#*E_FPYu2a;rRO1Jeg;G(-$*K&LVi;92@ zx?${7x>aeMRO%DGhFlf8<*W~U_3?2H3l0EXc(P>o^H=w{$U4FMPfnJHxNRMt?pwQa zC#&g+Qd#(Aqz86ZU1fb=)G|%U()zHfZ-zxxUC4%yOGBv0k0^Q1iZA|+Eml8NZ9qov z>~l`91J(Tn`;Ih25`9c!*(s!lC)@+iU}JS`7f$vdU9d zcjHvdzLgV)#|oN#A-EaOf=D|4l3Mvss`Tm{da_h2G7RoHkss}=#OWViJ-N$9oJsYN z9z(xN|DcL0xmPaJQ>eW5FjiR#HG*Ok=XilA9{2sSCj<(y&_v4^BCbUJDNRa*p54WN zhK0=(4$#cpryng?6%1n-cc&WEhd*c+osIZXxu6L#scg{yW>JO$lxp7Y`UqR`3}dCA@JSrIFPUm{EOy zr1)>kZG>@b6@9;I)n>bv(aFgm3oGnr0>jP)s$xcPd#ybJSij0!^e=9l3aTB(gN1m> zVZ^cS1ijf=el}c3By%3vUVY#NZpBYL`fURGZ6e(&?-~KP?L@tx7VpmtqVDMDyHG73 zqGN1g4#uu6VzzuyUlzl%p}YEUBsnGQIMcf<8cSGf0(mcKi2_#`dp`xKPcUe%Gi&DZ zirFjzkHvvMC1>5f;<$fHaVefZRRo?Y&$^Wz@wT~=JgX+PShg>6B;K`s4#&lvu$F+- z;}tT{bfx%K0Iyn$YO}v6ztp|S5uV}Y-(OlW>;W^J}Ek}(lLuRwV8p{hkJzA=x@TK zU)4+}EqtW;PweUo;=Rwf=V4V>`>m6WMmM@BS=D>=*O#{2 zQs^-QO0EnydoyO~@cr45sBi4ryZm@rkyzaUw?XWIF+cRGqnP#$z0HUz0~<{y!!k%? 
z&7iIk_0qxN@ZJ&M()axzwOqwq>7(6Qw4SbJZJ~1vCxa@-$x|k!tiyEQn)b3a*QFST z)Vt(ovxP~E@JfJo8b;fSLO2(`4jv9zH^IPzzBdMm8^(&J}pSqVC|##w_*s2=QU|5J28W`&?|)6>tAW4R`4=e&g8` z8v`?TrjSPOhU&I$cHDoWKOFK%cGMOHJ5W-HDkt96IaIKdXx%}5S-C9ckAh{|yA9q> zrQu3|T*I<|Dvv)=`}xJv^^RWJo4noTdIM$41A#Dd-}{noL9A-D3337SIf!M~TA`qz z-5V@KqL7Ok=3i{v*0>8~oQi*V3%2X~x;fp>nDa)%_x_F1X9=>?Uy$nj_H(mrF*pC= zN6q9MG(W)%!yR^FHz}A?sJ|hqBlQd8Umg;6NuLD3dk&g=c47UdL$hqpTeF|DK}7T- z^!ln{y&-vWl#`mn?A9^q%}yR8o#ubB(LRw*Fw5=wz}Pwx>_k&}qH||1o^Dg5qh9iX zlmzK|V8Eb*$b34!s)38I*e%kzo3U6U)v{B8Tbt>wJwGXK+z6+>1Ub8d3ZUgl_Lzhy zdIct%WLw9{5(U{suh=n$Wt^1-L_R&Xh%y8y>YLjow6W!k`>9NZPrhf&y7e<6ZU`s&sv=yDO;{g5K=)Q zW||9wy}qSCYHEAQ@mk=g{K%=bqtM|J`)i-O+cEZ>+u=5bJhwF2Q@Q0Lafn}PBY+wU z9cCvk1cmLU`PfOR3aeXEPh&i*hgJDS+LIMef+c+n-iXlvLQIodL*!Fk0%wd(8-zUw zOF|@}FxHv#XK^c$)wvkQoxUmVN=YzJ_&4!uHAs`*#p!UDq7DJO7@htn|Lv! zo_flre!|HZkIrV|S0`XnWW7GhT2vdxbg}!{cXxHw`cPK4j$0oU<#@qA4s)}!;%LH{ zV`GLwt6uy~1Csv0I49z&D7rP6-*eWG&;>osSdVK5cc)X1b(O{G_J( z;Fxx>LL*Vlem>gE>&3aPt7eDZYaZ{Wi^)5eZZN%gGPPLBRWX>d8d^j@8{aqbFn0gdIzK1fn3@X<4`c8uf62Rq!WC}SGx>8Z1MCg$}#O| zcwG(%O1?mm(!l`xy?4lmI}5$ez%o20G!CupLY}F0*tdD5W<~deMX4&HPXJ0QSYyO5qV+FjQW&O@n^_bXUUznyc4qt4B`KSW zYcNuZKcRUx<3201TlY*^gmF->C1fG+w6=n4@NWqA)s6p>9V1NdOkuL|doFj*zQguxEzU&6qS z`y3fUskgm!ZAzO~M*BA+(_^f{yk`og-L#?HF;O#G?0%tOWfXK(li9dd_-i~n=e@bs z&L=;VHMfLiDaPFmhlXD0u8dFaBt`1n69F^Q`>DwuHU=GGbktAUuo8<`W~D!xI$>E< z#}G@&U^?fedaq5adG&ZybTTpWxG0B@5YtzZFFwlJfnVX@n#`FSF`RY9!^LVG)� zm&MVoi4s$xO=h#)yA6qkc)Hux>MLXh8(`rXolcm%+@43*Jv<~Z+cX7)_&U6i)-BZ! 
z)mFE^7*Z6%SkPVP&v5C+_FO@K`2q|XRx?pYg1aDUT^XDb@;-lr48Z3QN|KfftEluC zU{+>Bc+U7d3!L+p-VILa0fx2Iwa>4TvJp$A3q|3(fFUmi>sHcyo?OXYhC|A1nz zWwlW^OW-kz*v2_>otCY>#Uzu$V7O(A>%W|_%~T!(J~-m}v|vx=beKKF3f9gWav&GR zRZBNL^^;yI`(TLHXkt5Q8U0z)OZXr*W8-@!e`sE0^OJ!x%UQ`MWa5zqO^Wi5xfy|w z-HdGwHC{w_LMOz~v#KF!mGu*jL;ss>*RhdRcrT+I&kns_0XY1LENssZ`WfD5gX^Yl zFrOM&X&ZScvWf_W*Zr_z3~SQ!=V08w^Xykh5fyaBmuYU2V+l7cR#c5lff#BLoaO3% zZN-;C7A0?uS0V2s(FDbAit44NlgJS4tdr8MKlPr~QU;51(0xoblj5I!)HC`4{P0Z~ zqE8W*zdlD2?-v^xT5l-3i3(B`X+wytcFO>`LHy>lVcju1DOALw@aVQM_mo9CL9e zkUw%+4(z0?gO3;6LF=;TQ24vTFNSn-fmt2C7JbGHJsNbj2RD9(KXOtU@w1V!e>A8JGq%w=S7J0o}~cPcPTHs-Dqg z(`7r`3%;q;mC+DZ`fo}!<5XXzm}qY7`MNJw`r8T8%hXQgR{d|>oCccxoVwULG57tF z#sL5y!a~IZ-Aa`NAoIlvo+^F?g+NJ>wp;#0AE7Jm9|9h|ozDUQGUbCwh98B!AGl3` zMu@Sd&gCTF1)q=G^mce2{~ms*k%y)rOWs*S%s%0jA7fsRS)j;lnzL|jue5>s+arBz zGsU8~FHb3LM=V>-Win>23E~h8iJb`7K8&L^RK&Pun%jJya;du&V0y%yk!qnn6IYQr zGVjSUu&lNmTbED+ytf2*kTgcXoVmxT3L!aaZ%Li3F}5=0SJ^gpUvIC}gB5XK?&PV% zKx{k7KqT|IsqgW7>;v2VDpNw(0`wIUV~}>s=>RW|tQr`CWJA|iQX4#0kj=hZYGx0O zU}$%1>C1TISu-YB4>g1Dl{g%k6M`& zN0WeA>MCHgUzw~7FbY#GAx?I4prYRfr&^A?%Z# zD7O808M)f(#6Ng!@# zqE^VrJ0MlpL{ToLE-=BJJ#3{nM_bes`wNQI9n2;rcPyj>E*#xe2zcGoi66#TCBTEN zhZ>3Loj*O>V=Bu>A)pkwR0o6~!7O3vC9)-}=BpwFnKC@K3-TTVvqH_8Vp$}`8KjTZ zWI|0K$51WoLy8PMRcMh}#Wi9R{ALz*`1{VVtYvd4bmxmKEA+)ZuVq>h`NQXvC31ngxug-`G$nsDq$p1XF{S* zuL#AR(G`kFx)&+fsrzj(e+44q`TdddT@Y4@_cPa0>wlS{VJ#IQUgL5fvYhG&{C3Hv zlzdH z-4+`krQdvR`9d=ZOCkMpu8n(k-%YKYrP`}xRvyD#u`zWGYRs!VLzieSTb}tahY5DP z-Df68-YP^AszP@N`(BWjqz@T9=w^I)F0Q_q@&yd4s}HUmXAoRraR;?-G=d5Ap z{C3NIWO<^GQUuw`qUtaEUWw)n^L6}T;G`+uiFsELKYI1KWHYBJ@Qx5tjzhh)+#zd?4}j^Muigyb>|;k zw1H&GGt+s)?v$q$rqx|mlFkKk3^4&l0=@LfYHI6xtC%}eUj=y@6(`g-63JvfLtBDc z%1!=Jb!1o3Vl1-? 
z`p=q7^tjp!aLff!0o{RS4ePQIXl9xjfNBDVvt!V71Z+O*dD{78^455KJ-o}@!1m+R_rRdr?>U< zMvar|iP&QF#UW!fO~viQ0o;%l1?}k6!kAM+>l#+)a~Ha7N3iANG!mG_OMEHQF!|u7 zKIt#}5_*)^K$^f!n_PsS*LEh~yne>W4V65+AxasylZy?JgAUhNdpJ0OITiB=H-(5k zB##qrQs#hRVgZ9L5jzMBbD)n=RyBSM-j*W2Y+?5t7i}tPpbDnVzF_Kd!VMbcYH|Lp zQD*F8u!M6Li8KiZ6^tr>x<2jqdh+7eXWS?Vi8zt9(bY5NCiv1aDWE0TcFzRb8ZSBc zP#IwJ+fv892I=jF*(G8%_nkl1sq-6&!C3D>>Ajh>+u@eU3CyD?=jqmv?=uXD(s}84 zm@$eMK@-PE@g0;z-RZU)8ZXhh<@xqmO|6NaXb+a$mZ(qr{jLBT+HT8-;wc!*;v&yj zPGn4Rya4z!lf$=OJ6@mm)ej8cP@_+=!H2nbH+8S|DjF-yB#Awl{EEf87O699hkn7< zjN5>0hdy%;YNePr`6}?hNRTc3OmeAp3DW_cwmg+RzKR#0(Qn)`Apd0-&i4MiPJd`j z$OoU5H|>cBBXyA1lhQ}y_da;@QH}A^3!}G*XO{bwM1#C`w2z&;It_0xj+c*{mx6J2 zm{ft^I>QtePT->bu?mp{1u>&+a~}&Tfrpz8eD&0#9W^pz`u^-q_Qi&Lv0wscRf?lf)ycwJ6Q>^Q)jt^@yTi@7QSBfpoYf?aCUx z4#0+7@#3ZfV;GM8&hxC`5@Pyn_gM#c8P-?xaF^Dp^Z5%CEKO_$8QBwsvd9}@TPq+L zs>#jMe7D?{W+xV|Ljz?E`(^35t1)4W^Dcm2T^tVeql ze9WCJEi)$8PtRNNq#lH3oQ4u_x<3LiPf$^`Ahv{dB5m`(h9RUzP(Rr@&45X+N0L>Z zOG`$Y5^)g*I&QP_fn^LCaSO~=cLSrcq2sMPuN9P>i=ChA+cxcr3R8WtA1V-C1K-=r zKewx`Y*xCYtt#6 z)$=TFk2!QvSU%GKDu2J1ea>Dm8#W^ULH+n9zhgEm=I|z=ZdM|N$Cu*bMv0uqx8n51 z@vHoYQC{D*aQR#sUSH+XS?VkKT(*MQ;t}~=uvuxxY%$m@qi)s$Y({l)qeadWbN^Fq zVOW^`dQZqGmx!%!7vEeo_#fXj{d}hwW2Wem+A_E9kCT*ub`-?HE)&^LoZRVoWK0DJjQ_OBNe9Z=_gn$Q^?Z#j@&LPxWLJX%@YwB|KW zEru{&O~=4CxvsWI+E&OXYs@&5vzDcZFXtJkkdjwi;NG|C;etT^#j{8z8tN}ASC z%e6p7=2}BpMy^Gz-xyktp4DXTi(99|E-q(%+~1_i>Up?z^e}*QlJ)?DBjX zc!n=SLI980|6Ek^fAlh+y6X7X%Mq9QYH(~hL-X!`hG7WYo0flj6S)8FTkTlO(aZIB zLO<~;Ito0iRjkF_X8d)7eBh*1WC@){j?E$bq@jw0K^yR5H09#Y5*e@JqWhxt66a5- z8XHOXlFvUvPDW4znQ|`XIN2pojuf+#TwcBteE!8aKb4deIwtSS&*K|NLdzns*c3XE zIa|z=ro@+hGkaGq@GhEFvQ9tZgCK2-k2qLyGfLu;xG@c7=Aoy;qcZ2Z;@V4FLfG523?tuF)ngctb%80dfBT z0r4Ju_s{1Y1nJ)t0>Z?}%*e$|%}UhF+zMpnVr36vw05=!{r5_KahYpKv(YQ$iN1p< sYes><_}BEGL locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = 
tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
@@ -7012,7 +7012,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -7022,7 +7021,8 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -7134,13 +7134,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -7244,7 +7244,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -7258,16 +7257,17 @@
 "identifier": "AadUserId",
 "columnName": "UserId"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -7371,13 +7371,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -7495,7 +7495,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -7505,25 +7504,26 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "SuccessIPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "FailedIPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
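Review bot: Moving `entityType` below `fieldMappings` changes nothing for the template, since JSON property order carries no meaning and the consumer reads these properties by name, so this hunk and every other `entityMappings` hunk through @@ -8047 are order-only churn that buries the actual rebranding edits. If mainTemplate.json is emitted by the packaging tool, the serializer's property order appears to have shifted between runs; pinning a stable order, or repackaging with the same tool version as the previous package, would keep a rebranding commit reviewable. Nothing in these hunks is functionally wrong; the point is reviewability of the diff.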
@@ -7594,7 +7594,7 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "description": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf",
- "displayName": "Suspicious AAD Joined Device Update",
+ "displayName": "Suspicious Entra ID Joined Device Update",
 "enabled": false,
 "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = Prop.oldValue \n | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = 
tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n",
 "queryFrequency": "P1D",
@@ -7621,45 +7621,45 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "HostName",
 "columnName": "NewDeviceName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "HostName",
 "columnName": "OldDeviceName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "AzureID",
 "columnName": "DeviceId"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "AadUserId",
 "columnName": "InitiatedByUser"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ],
 "alertDetailsOverride": {
- "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n",
- "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed"
+ "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed",
+ "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: 
https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n"
 }
 }
 },
@@ -7699,7 +7699,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]",
 "contentKind": "AnalyticsRule",
- "displayName": "Suspicious AAD Joined Device Update",
+ "displayName": "Suspicious Entra ID Joined Device Update",
 "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]",
 "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]",
 "version": "[variables('analyticRuleObject54').analyticRuleVersion54]"
@@ -7756,7 +7756,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -7766,16 +7765,17 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "GrantIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -7877,40 +7877,40 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "FullName",
 "columnName": "userPrincipalName_creator"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "FullName",
 "columnName": "userPrincipalName_deleter"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "ipAddress_creator"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "ipAddress_deleter"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -8016,7 +8016,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "AadUserId",
@@ -8030,10 +8029,10 @@
 "identifier": "UPNSuffix",
 "columnName": "InitiatorSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "AadUserId",
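Review bot: The new-side `alertDisplayNameFormat` in the @@ -7621 hunk still reads `Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to …`, while the rule's `displayName` is rebranded to `Suspicious Entra ID Joined Device Update` at @@ -7594 and @@ -7699, so the rule and the alerts it raises will carry different names after this commit. The re-emitted `alertDescriptionFormat` also keeps `an Microsoft Entra ID joined device`, a find-and-replace artefact that should read `a Microsoft Entra ID joined device` (the rule `description` at @@ -7594 has the same wording), and `uses it to AAD Join a new device` is still the old branding. If this template is generated from the rule YAML, the wording fixes belong in that rule's `alertDetailsOverride` and `description` rather than in this file.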
@@ -8047,33 +8046,34 @@
 "identifier": "UPNSuffix",
 "columnName": "TargetSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "FromIP"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "SourceIPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n",
- "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}"
+ "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}",
+ "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n"
 }
 }
 },
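Review bot: The re-emitted `alertDescriptionFormat` on the new side still opens with `This query looks uses Microsoft Sentinel's UEBA features`, which is ungrammatical; since the line is rewritten anyway, it should read `This query uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.` The swap of the two `alertDetailsOverride` keys, like the `entityType` moves above it, is order-only and carries no meaning for the template. If the template is generated from the rule YAML, apply the wording fix there so it is not lost on the next repackage.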
@@ -8145,7 +8145,7 @@ "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// 
Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the 
inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Microsoft Entra ID PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project 
InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P1D", "severity": "Medium", @@ -8180,7 +8180,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8190,10 +8189,10 @@ "identifier": "UPNSuffix", "columnName": "InvitedUserUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8203,16 +8202,17 @@ "identifier": "UPNSuffix", "columnName": "InitiatedByUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -8328,7 +8328,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8338,16 +8337,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -8447,7 +8447,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8457,10 +8456,10 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
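Review bot: The only change inside this hunk's `query` string is the comment beside AppId `1b730954-1685-4b74-9bfd-dac224a7b894`, and `// Microsoft Entra ID PowerShell` no longer matches the `AppDisplayName` that SigninLogs reports for that AppId, which as far as I know is still the literal value `Azure Active Directory PowerShell`; an analyst cross-checking the comment against the `AppDisplayName` column this query projects will see a mismatch. The filter itself keys on `AppId` GUIDs rather than display names, which is the robust anchor and should stay that way, since display names are exactly what a rebrand touches. I'd keep the comment as the logged value, e.g. `// AppDisplayName "Azure Active Directory PowerShell" (logged value, not rebranded)`, and, since this file looks like the packaged output of the YAML rules, regenerate it from the YAML source rather than editing the query string here so the two cannot drift (the later commit in this series, PATCH 13/17, reverts the same comment text in the YAML rules). The analytic rule object continues outside the hunk.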
@@ -8470,7 +8469,8 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -8568,7 +8568,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8578,10 +8577,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8591,7 +8590,8 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -8689,7 +8689,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8699,10 +8698,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8712,7 +8711,8 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -8768,13 +8768,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Alert Playbook with template version 3.0.7", + "description": "Block-Entra ID User-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", + "defaultValue": "Block-Entra ID User-Alert", "type": "string" } }, 
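Review bot: `"defaultValue": "Block-Entra ID User-Alert"` puts spaces into `PlaybookName`, which in these templates is presumably used as the `Microsoft.Logic/workflows` resource name, and as far as I recall Azure workflow names accept only alphanumerics, hyphens, underscores, periods and parentheses, so deploying the playbook would likely fail; the same applies to the `defaultValue` hunks for the other playbooks at L2750–L2755 and to the per-playbook azuredeploy.json hunks at L2756–L2761. Even where a deployment succeeds, a changed default name creates a new Logic App beside an existing one instead of updating it, while the folder paths (`Playbooks/Block-AADUser/...`) still carry the old identifier. I'd limit the rebrand to the human-facing `displayName`/`title` strings and keep `defaultValue` as the original identifier (`Block-AADUser-Alert`), or use a space-free form such as `Block-EntraIDUser-Alert` consistently across mainTemplate.json and azuredeploy.json. The playbook resource object continues outside the hunk.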
@@ -9196,7 +9196,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId1')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-Alert", + "displayName": "Block-Entra ID User-Alert", "contentProductId": "[variables('_playbookcontentProductId1')]", "id": "[variables('_playbookcontentProductId1')]", "version": "[variables('playbookVersion1')]" @@ -9211,13 +9211,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Incident Playbook with template version 3.0.7", + "description": "Block-Entra ID User-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Incident", + "defaultValue": "Block-Entra ID User-Incident", "type": "string" } }, @@ -9587,7 +9587,7 @@ } ], "metadata": { - "title": "Block AAD user - Incident", + "title": "Block Entra ID user - Incident", "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": [ "None" @@ -9622,7 +9622,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId2')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-Incident", + "displayName": "Block-Entra ID User-Incident", "contentProductId": "[variables('_playbookcontentProductId2')]", "id": "[variables('_playbookcontentProductId2')]", "version": "[variables('playbookVersion2')]" 
@@ -10492,13 +10492,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.7", + "description": "Reset-Entra ID Password-AlertTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-AlertTrigger", + "defaultValue": "Reset-Entra ID Password-AlertTrigger", "type": "string" } }, @@ -10877,7 +10877,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId5')]", "contentKind": "Playbook", - "displayName": "Reset-AADPassword-AlertTrigger", + "displayName": "Reset-Entra ID Password-AlertTrigger", "contentProductId": "[variables('_playbookcontentProductId5')]", "id": "[variables('_playbookcontentProductId5')]", "version": "[variables('playbookVersion5')]" @@ -10892,13 +10892,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.7", + "description": "Reset-Entra ID Password-IncidentTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-IncidentTrigger", + "defaultValue": "Reset-Entra ID Password-IncidentTrigger", "type": "string" } }, 
@@ -11260,7 +11260,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId6')]", "contentKind": "Playbook", - "displayName": "Reset-AADPassword-IncidentTrigger", + "displayName": "Reset-Entra ID Password-IncidentTrigger", "contentProductId": "[variables('_playbookcontentProductId6')]", "id": "[variables('_playbookcontentProductId6')]", "version": "[variables('playbookVersion6')]" @@ -11275,13 +11275,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.7", + "description": "Block-Entra ID User-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-EntityTrigger", + "defaultValue": "Block-Entra ID User-EntityTrigger", "type": "string" } }, @@ -11721,7 +11721,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId7')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-EntityTrigger", + "displayName": "Block-Entra ID User-EntityTrigger", "contentProductId": "[variables('_playbookcontentProductId7')]", "id": "[variables('_playbookcontentProductId7')]", "version": "[variables('playbookVersion7')]" 
@@ -11736,13 +11736,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.7", + "description": "Reset-Entra ID UserPassword-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADUserPassword-EntityTrigger", + "defaultValue": "Reset-Entra ID UserPassword-EntityTrigger", "type": "string" } }, @@ -12126,7 +12126,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId8')]", "contentKind": "Playbook", - "displayName": "Reset-AADUserPassword-EntityTrigger", + "displayName": "Reset-Entra ID UserPassword-EntityTrigger", "contentProductId": "[variables('_playbookcontentProductId8')]", "id": "[variables('_playbookcontentProductId8')]", "version": "[variables('playbookVersion8')]" @@ -12141,13 +12141,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.7", + "description": "Revoke-Entra ID SignInSessions-alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-alert", + "defaultValue": "Revoke-Entra ID SignInSessions-alert", "type": "string" }, "UserName": { 
@@ -12424,7 +12424,7 @@ } ], "metadata": { - "title": "Revoke-AADSignInSessions alert trigger", + "title": "Revoke-Entra ID SignInSessions alert trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": [ "1. You must create an app registration for graph api with appropriate permissions.", @@ -12454,7 +12454,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId9')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-alert", + "displayName": "Revoke-Entra ID SignInSessions-alert", "contentProductId": "[variables('_playbookcontentProductId9')]", "id": "[variables('_playbookcontentProductId9')]", "version": "[variables('playbookVersion9')]" @@ -12469,13 +12469,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.7", + "description": "Revoke-Entra ID SignInSessions-incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-incident", + "defaultValue": "Revoke-Entra ID SignInSessions-incident", "type": "string" }, "UserName": { 
@@ -12752,7 +12752,7 @@ } ], "metadata": { - "title": "Revoke AAD SignIn Sessions - incident trigger", + "title": "Revoke Entra ID SignIn Sessions - incident trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", "lastUpdateTime": "2021-07-14T00:00:00Z", @@ -12778,7 +12778,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId10')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-incident", + "displayName": "Revoke-Entra ID SignInSessions-incident", "contentProductId": "[variables('_playbookcontentProductId10')]", "id": "[variables('_playbookcontentProductId10')]", "version": "[variables('playbookVersion10')]" @@ -12793,13 +12793,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.7", + "description": "Revoke-Entra ID SignIn-Session-entityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", + "defaultValue": "Revoke-Entra ID SignIn-Session-entityTrigger", "type": "string" } }, 
@@ -12967,7 +12967,7 @@ } ], "metadata": { - "title": "Revoke AAD Sign-in session using entity trigger", + "title": "Revoke Entra ID Sign-in session using entity trigger", "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", "postDeployment": [ "1. Add Microsoft Sentinel Responder role to the managed identity.", @@ -12993,7 +12993,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId11')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignIn-Session-entityTrigger", + "displayName": "Revoke-Entra ID SignIn-Session-entityTrigger", "contentProductId": "[variables('_playbookcontentProductId11')]", "id": "[variables('_playbookcontentProductId11')]", "version": "[variables('playbookVersion11')]" diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json index fcc39066f70..b1c3bf5611d 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json @@ -25,7 +25,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", + "defaultValue": "Block-Entra ID User-Alert", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json index 271de72309d..595acaf1593 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json 
@@ -24,7 +24,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-EntityTrigger", + "defaultValue": "Block-Entra ID User-EntityTrigger", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json index c8d069e538b..698f86e99a3 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Block AAD user - Incident", + "title": "Block Entra ID user - Incident", "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": [ "None" ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], @@ -25,7 +25,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Incident", + "defaultValue": "Block-Entra ID User-Incident", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json index 6d58c9ef7dc..df1ae2cd72e 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json 
+++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json @@ -28,7 +28,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-AlertTrigger", + "defaultValue": "Reset-Entra ID Password-AlertTrigger", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json index b1a46465f45..44cc213c7ed 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json @@ -19,7 +19,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADUserPassword-EntityTrigger", + "defaultValue": "Reset-Entra ID UserPassword-EntityTrigger", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json index 488ddf25943..07c8959a8af 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json @@ -28,7 +28,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-IncidentTrigger", + "defaultValue": "Reset-Entra ID Password-IncidentTrigger", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json index 904173a18a2..dedaa6a9a7d 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json 
+++ b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Revoke-AADSignInSessions alert trigger", + "title": "Revoke-Entra ID SignInSessions alert trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID."], "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", @@ -20,7 +20,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-alert", + "defaultValue": "Revoke-Entra ID SignInSessions-alert", "type": "string" }, "UserName": { diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json index af9b0018901..c75052b1de8 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json 
@@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Revoke AAD Sign-in session using entity trigger", + "title": "Revoke Entra ID Sign-in session using entity trigger", "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", "prerequisites": "", "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity."], @@ -20,7 +20,7 @@ }, "parameters": { "PlaybookName": { -"defaultValue": "Revoke-AADSignIn-Session-entityTrigger", +"defaultValue": "Revoke-Entra ID SignIn-Session-entityTrigger", "type": "string" } }, diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json index 14faea977ee..717ad1b80af 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json 
@@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Revoke AAD SignIn Sessions - incident trigger", + "title": "Revoke Entra ID SignIn Sessions - incident trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", "lastUpdateTime": "2021-07-14T00:00:00.000Z", @@ -17,7 +17,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-incident", + "defaultValue": "Revoke-Entra ID SignInSessions-incident", "type": "string" }, "UserName": { diff --git a/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json b/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json index 80e746d93c8..ba5b66bba12 100644 --- a/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json +++ b/Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json @@ -4,7 +4,7 @@ { "type": 1, "content": { - "json": "## Azure AD audit logs" + "json": "## Microsoft Entra ID audit logs" }, "name": "text - 1" }, diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index b11844b36a2..76575be126c 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
@@ -360,7 +360,7 @@
 {
 "workbookKey": "AzureActiveDirectorySigninLogsWorkbook",
 "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
 "dataTypesDependencies": [
 "SigninLogs"
 ],
@@ -374,7 +374,7 @@
 "AADsigninWhite2.png"
 ],
 "version": "2.4.0",
- "title": "Azure AD Sign-in logs",
+ "title": "Microsoft Entra ID Sign-in logs",
 "templateRelativePath": "AzureActiveDirectorySignins.json",
 "subtitle": "",
 "provider": "Microsoft"
@@ -417,7 +417,7 @@
 {
 "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook",
 "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
 "dataTypesDependencies": [
 "AuditLogs"
 ],
@@ -429,7 +429,7 @@
 "AzureADAuditLogsWhite1.png"
 ],
 "version": "1.2.0",
- "title": "Azure AD Audit logs",
+ "title": "Microsoft Entra ID Audit logs",
 "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
 "subtitle": "",
 "provider": "Microsoft"
From d2fa1e6dd09ad3c77b7bb89f5c6330d95323bcdb Mon Sep 17 00:00:00 2001
From: PrasadBoke
Date: Thu, 9 Nov 2023 11:16:41 +0530
Subject: [PATCH 13/17] reversed query changes from analytic rules
---
.../AzureAADPowerShellAnomaly.yaml | 4 ++--
...tenantAccessSettingsOrganizationAdded.yaml | 2 +-
...dinAADGroupsOtherThanTheOnesSpecified.yaml | 2 +-
.../Analytic Rules/UnusualGuestActivity.yaml | 2 +-
.../Microsoft Entra ID/Package/3.0.7.zip | Bin 94678 -> 94146 bytes
.../Package/mainTemplate.json | 18 +++++++++---------
.../incident-trigger/azuredeploy.json | 2 +-
7 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
index 85580c99010..b06497e3beb 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
@@ -27,9 +27,9 @@ tags:
 query: |
 let aadFunc = (tableName:string){
 table(tableName)
- | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Microsoft Entra ID PowerShell
+ | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
 | where TokenIssuerType =~ "AzureAD"
- | where ResourceIdentity !in ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000") // ResourceDisplayName IS NOT Windows Microsoft Entra ID OR Microsoft Graph
+ | where ResourceIdentity !in ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph
 | extend Status = todynamic(Status)
 | where Status.errorCode == 0 // Success
 | project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
index f20620b641d..8969ddde21c 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
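Review bot: The reverted text in this hunk sits entirely inside KQL `//` comments, so the detection itself is unchanged, but nothing in the query explains why the surrounding identifiers must not follow the rebrand: `| where TokenIssuerType =~ "AzureAD"` compares against a literal value in the log data, and the AppId and ResourceIdentity GUIDs are fixed application identifiers, so a future rebranding pass that edits them would silently break the rule. Suggest a comment at the top of the query body, e.g. `// NOTE: "AzureAD" (TokenIssuerType) and the GUIDs below are data/identifier literals, unaffected by the Microsoft Entra ID rebrand; do not rename them`. The same applies to the application-ID list in the UnusualGuestActivity.yaml hunk further down. The body of `aadFunc` continues outside the hunk.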
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1136.003
 - T1087.004
 query: |
- // Tenants IDs can be found by navigating to Microsoft Entra ID then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
+ // Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants
 let ExpectedTenantIDs = dynamic(["List of expected tenant IDs","Tenant ID 2"]);
 AuditLogs
 | where OperationName has "Add a partner to cross-tenant access setting"
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
index c413f5988c7..c99b2c98024 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 - T1136.003
 - T1087.004
 query: |
- // OBJECT ID of AAD Groups can be found by navigating to Microsoft Entra ID then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
+ // OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
 let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
 AuditLogs
 | where OperationName in ('Add member to group', 'Add owner to group')
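Review bot: Both hunks on this line revert the portal-navigation comments ("navigating to Azure Active Directory then from menu on the left…") to the pre-rebrand blade name, while the rest of the solution now says Microsoft Entra ID, so the instruction an analyst reads inside the query will no longer match the portal label. If the revert is meant to keep the query text byte-identical to the previously released rule version, that reason belongs in the commit description; otherwise the comment could carry both names, e.g. `// Tenant IDs can be found by navigating to Microsoft Entra ID (formerly Azure Active Directory) then from menu on the left, select External Identities, ...`. The `ExpectedTenantIDs` and `GroupIDs` placeholder lists are consumed outside these hunks.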
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
index b5af4883ca3..5cdc6f7a6c2 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
@@ -49,7 +49,7 @@ query: |
 | where TimeGenerated > ago(queryfrequency)
 | where UserType != "Member"
 | where AppId has_any // This web may contain a list of these apps: https://msshells.net/
- ("1b730954-1685-4b74-9bfd-dac224a7b894",// Microsoft Entra ID PowerShell
+ ("1b730954-1685-4b74-9bfd-dac224a7b894",// Azure Active Directory PowerShell
 "04b07795-8ddb-461a-bbee-02f9e1bf7b46",// Microsoft Azure CLI
 "1950a258-227b-4e31-a9cf-717495945fc2",// Microsoft Azure PowerShell
 "a0c73c16-a7e3-4564-9a95-2bdf47383716",// Microsoft Exchange Online Remote PowerShell
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 8a91c6a2c525cc3334239e756a859cdd92c6aa3d..2ace9e46be25f693a186e57b4b26b9a18393185e 100644 GIT binary patch literal 94146 zcmZ^}b8w|?w>%u%wmGpqv28n<*iI(4ZQHi(WHPaB+xjx|Jm0U*srNlq`>$Pft$nZV zUfpZgeaT4zgP;Ha06+jRs+g&|Q^%*-PyhhPJOKcpe|>9cZ>;ZVtZXJ^{KL%J%+buo zn%3OG#`@gT!(mmV>F`staWhx7{!v2WnovIJt>j*6G%o%q3b&k^tE!S>A1IV86au6M zfI^*#ZPU~HFylhRzrbkOSB!I7X^c3Ik5?x9vHbI$_cK@l`?DP*;+|y5wTN}dI2CoO zP5Zfs2{KNvfSi+(tGBzT^#W!l^ttlr!qJ(l(>dvMTuj#~+8#II<$bgkPefcv#B9cm zCvyDgQ2el&Ncy8`dZ%@WA8ClQxK&5gpPObzf0<*iwi9upKbez`9)U+Iec~+x)Qx_c z6t55Yv#9!NpFlcjy5t2&S9mb^NS7aPXIvivy=~v?7+je7YU6-TP#flkf@*T&lRPa# zDHc8}o9k$=SJ?z5ao5aS;|PZ-353uO_EPA>DtmjJV%iS9r;n%|f95SOy9izQ(Fmvn zZC&-4f~E})hAy5FUM7ln=&4OnE9w_pRbCB_;l}Xma`7!J%fhs&R@;;}uk5e*%dS^S zn)~|8E=By!NT;fKk`@)uO0QP2nQ|dvVTSp^YE9?;UQoEkBeWl8!dS9q*`T~M@HXXA zhsHjFQX*wi${bNpPCxK0OQ{$5bCs)tIg_*RL6G4TCvZuHF$WlQ&VCjQ>Ib)6UEI!P$QxI2ZEyGe) zh$=I!=F4$HzSPprIdK*a8Wy%u%)cSc(*@7cf9w8H*!pXxgL)+%#VF<=B@Y?~^QgiS zocRa#p{8Z?9G%HDg_)>$zXJ;6w<+7S;$%d51UysMvyAM$MKpTG2g$^0f?XixAT%I!7hG zMSiqeBaZ?pn@*Z*AjIK|_ELyn9|43Y0LfoTCIIjpAeIm_yWk}Fa!SMppsOG}pEu39 zY;qtK+qmCN>LU#-GT*FHUPX0%-@26D-CE&kZI|r-xRC&N%OevK=jY8#f4QK=D znzSg>;J7~VQNh-UF+dJ!`%?>Tor|^m?~;f6{f#1sxwzO^((@et z$cNcS4X~=;LT(V99kQ+S3fsfe$(8?VSa;bC=dNg(p`GbE#{_w>I*2{>Ept_OV$pSb zh;!|A)W8ybn7Fpw`ze$GXb)zB#B3Jd1I$`87+9EZ4iv8cZznZu>9e*;TVkZnMiXYlGf!nP#U|N}csAL z8(4ewj|zgUUZU-6vf?d;N$_mjF743qb6-U>cTnv*?jEP<5NDl~OQ*AJ-9DE+#^L5b?Ag&jOGf}jd!QqpdUPl!9hA>O-KVKy zhU#eGrZHWYpt%?^WQn>R_0lbu2+rRJWa^v8oq|RxgcM4Qhp-2<@1A>eepH?h7tE(V zrLzU9&XZF(5aMs&XI?;YZV)m-jTP}T1<80CBi{@KOitDeHcv{x${mwsn$w4Apoy0egpX^LeW^!A;$Zc=+gY9HjMe!`Hca_arQI{pIR(J#Z`|PX!(MmRFFqi&1timEjFSZ=eT_syiB|50Pji2i4k$9_i!~w>Y%g z{@sg7P`#s%&Y0BNc-(|&5C^$7eA$l!)WWP{Hv;w)aR8ZTP$Ec80c1XoP4i%p@0VHu zx#CGj>^;YWPxb8#hRuiDI`OuukBPk&Rh&&w$v9=|6TfBUJ8P{S*)<*UIUUg9#X6xI z*^l=%XgC7s0Awz^rMYa6bFwkbnv+2)T`^zXP?&7N5Gul2 
z%_dZNq|#dckTU!^JBcKN@L)l-0&@j?(T|vX&G&r3dV>HxqUSL30wCG~f_MDx zh{8a)UK;(cdoYN15*x}09eBj)V1rqrb*3N1p-O}3&8mRbZJHV>z`)Y!RMMqLltX+A&klSTadm{uRT0T$(iCj zsuo{o+L}6#NJI#ms_1SNFR=9x_kb6~Zuz?&2Hzs2UY#Q4wa7#f<~Z ziFAN|fD39VZs8g;qKqg~CIu~y4{mpoRVFYOIKU{U2($`Efj;?K#&$dcxa#K}MjBpj zjMXGJQbi%#>8ZOK=v8Rw$tMlQ9=*xIU~r4vm+2Yi`VquGt%JI|zIuWg&wCWrrkTXPEDkOW6zzysCX(``?CAB;dQQ5zH zIn^}J#VLl{HP6p2Z}!Q?t&7PGsL3TH2|N)rX;7*LARYa?G532rKD8pk&>1-IuiZ$0 z*pzo>uycPr;5|S2BV&wxq?4rHT4P{+DU>~wsF>@v%gwGlmH{jd_340pZFc?-q`@6_ zv7F&v2@U$vN>&tu5t#oNC3RBrEY2y!d{NVe7jS_Bz;w#Sbz@?rUA6Z6|N;4 zN|gzXhPn8H46>*C-!CdjaW|{3t>Ihu3HI?rW*Wb4G1O&OX>w?wO~+rYVDx?iwUNN^ zi?EJ|_3YTD1)ciA5_%WER7%k?V>fC9@a6*6InKx~-r1z~sg^hCWH%na&dypX8@X@6 z-9J#K{1&sYDOst(h11X7pF zH3gyO1(8H449wfLf{$o{fkcCgl7`{Vc_;EN!f6NsJzI{5I;LL1M+-}q|HXSB6$l)h zi@XU|Ca4DtIjV%rFBEkU@m+4j7_5CgUU;!WJLw}1M^x0TWF2^1c>A3!(ahjd4q#S% zOo~8{d}tK~p=xGqE|)xA*6BOHJJtKMAYM<5DOT;HYI$yrW-!8UiL$TPy zi^$=cn_wWaI%3UVClb;oI-V zjfuS`hz+l`AG~qTRc7gJI>%_0_s=3*KHK)rjC#^I`cj7=iAxCj*^L=ET$o`-`$`kg zS_ju!9*>ooC7cRz{Mbv%A*9=`9rAKyfH26vI__l;)w5e4Z0I|vw_9AbScTl|p59qe zHYz#inSXgp8L>R&)Y{1%QC!P9632Jn;vLa^&d45!c=Bqlzs)xOO_w#>Gj1FUE?qYQ z@}i$115L+nfB=V7Y z5N_K0`h6QotKJkKNy?YRfCQNUud9ii2?N}=g7VXnuU+hLHYoJALxq?xh`j;uw>ku^ z3Ri9+(eW->Y=iZ6*FnRg04{@;09aq?J~d&4+BG0+WK8rTKY1p@2Ptq1{f*-m;DBKh z3V~4!#s+sy2d03J++YMKP4Yn0HFUgOQV7D7*^j!S_I*fD?|@H?=w8$&mjF_Jg=A!1K&H>EcE~^MX)kmQIZp3vZxF_ zWWITm+$+KWQU4vi^Ub=Nw-;K$9Ue)10rg5a-KQB^sxhH5PG zIRW)t$K=pibqv;xg2byr-*Sy4TX$hGxr%1F_2$lt(qngjDtFH-4A=_U&D^>5h+MxTA?hMX#;b$?7LLr@!^X~q0sW={0aG#JX}B)|QA3O9 z?&&XLZ!WT>3z_&6nsMaO4ZUaKop2uS8o-qIG33h_4F~w2dM+lo)RkkDpz@MR%o!>@ zJ_=z$ zLRcY43H3Q^JT9b9n*mf6&rYZP03ZkavS5(w5)NRY`hr5_NHY_$G?f~_aZ~hbEI}?=qPFbSn0y=faC=9Q%VzTrV%wXoHiAsTG}U&r3?U+_5S~ke zIi5Dr?#2*F7oiwI>AXRHfQdTU4(|N8FqDI##Aka%BuwCy5a3$nl*%6z?*uud?gT79 zZIss!;Z2BvB5#dJNXeK-Xd`%AWLJubx@me&3%YV!6gn~FCq#TTeyyIs)VwfioKTF! 
zr4h9|!6HEBR z%ki)G$iA*A48|Ym41!=Q4JIJb5M#C6REi&QlR!r%30tWl$?#@E9>|*z2%yBLQlX*d z47VC4^pu~D6V5{IZAbg_Ycqzea^q!!SJ8wQ_~iIAS-sLbO1TW3e+B{7j`f>5OQCnb zrT7b0Wr3J(dU+SX;qkhc!8nzOW{Nh1&>fl*HsKYkKh`bEm?d{U07L*^2y56+A0S&P zw$o@lrR{ssrkb&&qT26qWd$&((p+vl(Sj04cDBkhotZn0;(uHW2q6?1u5hhGVO{~B zzJMc17lo4cP#iN^AwZ`l-89qO*asdbX+aw*iZ$YQ!gcLovJo_`AhtBP?}`R!6VXbQ zS=Dk_4Kn-FX{Qu7&^weCLgzs=pW82^-RvfAHBz!!;?=7r3*Sf^G|@b~sMOq#O4QsB zWb`5atmfxs5oWqjkEfXDW~`R|Vdi@K z8ZGZO1(4*ePb7K|r%}XBiXT&16V3iJotcR_ci0|ql0Q~D=L2868RkCLAUy>sy4p2R zbkSBXDrqx5D|a5)CYrI&+qaD|mMe(MgrcFK_FG|I4)TjS8zE*^MGRa5fIbL*R{519 z&D~7{!nGRm6ug-}sH4pVYK|Ek;x*2Ox%8!@k94R;ua^{p2tT+uKj4?MZi;QMwF{|( z!3miv!-6D!-m^HZ*6JDP+IP10)S2avcK8{t2+fI}fFUtj;@%O6>ZL;qQU9VQFIdqG zr}qC1Ebh!CW__z6*2n!^AZ_Zz3U8mbB%n0rEkBx2r$-q+gkUj`HY)@EZL9A_gQoSA ze4WVnuGdLzcdZ#vKq&cZPIWu!#s*1;42 zu#{7~5aE!N=a**>Zw$v47iasG$*X=s&NBfQb#az6!tiwImCUIX*Eh(aJ|#-k-Mj(a zEUngAsui^Fe!{`5Tp*DCP6(Shl|N<;*6agaaQywFb&#U0e)v;?)*X)q>9Ha9)QOp# zM3x2Y78(l1+u0i(58{(ny)g86tCLL&_iU}d4-I)xMMbKUc3a4bSB?WqScV=!l@eFP`iNGo8@%*y*ZD zNsMHPI5RM!kWmxSmhFy%{z5htsk{0XcS&5+?VNAqmR{PlAFyNbDV0D)S%69n z+9NR`ZCCf*1;6lTm(VO!>C8~yDqA7ITfmeMi4iGQ>*3|j4r)&qt|;<=5A1+c(eJp> zx>5G4M_NLUB8Yyv9@8uW_=ORYwB>e&L!0?SH04r9l=%nkMTNB~WH#!=&H{w6+M_&1TsI>I=!qWyTkM{3 z!MubN89nv_OA^v}59V{yKj%0V*~vBNxm;MwTgx>>N(G^`5RsBvEvMIv=H6Z@itm0Z zuCk|3sZ42UW>}Cw>WH6oOJDg~OEQ+a!QHq{O3X*H^`Mkf6)?XM3R>0eY}T(HoeRT1`Yt?` zX{LQIlNMg@!CD94v`@KEJOB!51O>ga0iLjXOrb=m(r!KP2Kj>3S4kk|G$W zR7#0p;XY+zo__=Hv2SNgXx;A~6eo_OpJW>Rq%k{F*Q)hTSTXH5Ne$`(P&l<3ZQH7} z0NY8ZNwdlaQ0vJ3okjXh)Ywzl=S+Y!Q6A(^iMqdPx(*9&H)fqEsk5z;Ox)M(hl!lm zHD~Rs3WbtiKf;VxDqT$Ij*U0TTYpzN=KcwaZ0e$)-t zDd(Qil(WJ@9U?BLo=Fa^cakYm{wfj%yT(|u1{KzhG7ms*W`_w1=u}pD$QXSI?Avaxlcl!93FNUqG7jO+TaZh!K2I6o+;owLbRw} z2m~RPKLDhtruDlNR-8ViaIi*m!vG?kH&Sd0FQGdh)tw7?RdrG!{%T90cWd4S6HObI zhKH`wl#4A~?q|DJn!IO`XsyX^u;JuNv6Tmo+{T+?2^+WQfFEhv9XTpX%2YF&?EZv} zLK&~InqLw7uxiJ=eDUmeucS2)C};Hta@i0Anr5i_kggd98Qst7?zW<~=5{1n*RWd< zShlHW=g+YW_+RkvHyWBpoD20Km$26rT?^W`XX_kmXInzjc*PRI{p=DAkYKJE<5win 
z?-kJFZhCmSBg;-Ym6Kh3 zRY(O(vk^Q#oR(OR$#wYKOq38Q=v}`#hiGwrZGg({8{I$cC@TH;BF0XUj{rNC(Tmy( z+ofWc2`Dkyl~2^qEMN{KWG?DWX!SJe=xy$PkPvLDqe+oS2k$Znq?k0)i_Ue>bTy-y zDY|TY;-Brzmc_wK>jLe^MLN5PtgZ)8u?%NwvFO zX_VQ~3pg%kk78_{j~+YYmdAdM zWYfrgT6W1HjeYspTEU??c3swFvXf4_No);a7dcYEAHk7v&%8d0(P^OyWfj%zG zkY8vNIB;LAFm`abIxf&TX{$IMJt85O-7q<$H*LHamK#MYcns*7%?1cNu~=xDwoY!# zJ=={I%o?f8)g?wYwjiJIFRNwNO&k4~eZ%z*JdWg->LugNGM)xCZLm|)(e{eJv2D#+ zcY6$8i7*!baYtZe>}@igyd%q&>S3SB*4X?|pUhF(T7Va=Hx8rNng`&;M=vmjR#$EJ zK*3(3)g4rVa|1=n5<`lzSfD^jUK9X=A@>7Mr;rG~Rp4A^(QdPxwZSOOlrh$fW$aOd znZ{kN>oUw%`XIMs9}M(%-ffb2Ijt}w2FbIlwx#3jryxfbv3iRAXqwqMW#ZY)Ieo$S zYKvZxdwzAUheNgGH-UV(usOqcygJ;oAMSeBAxus$O+*`OK|%sE&iF~t`%+b<3=+LX zR;8r1GuTvz8jk0Q$<^k>J_&jf-L}H|)h94L?`W1Yl)pkTzB?O1ofSMruA-67*h2%1 zZX{k{uVD`9;7)R}_(7=va=#RHNMh~UP1DYwXba%n2sbFHKvZtsqK2QEd{C>yu%u3J zwe_Q^M=@o#K6=Q5bKpuDSi^Wf6uB*28=a5Q6qundA0$FOV%CW1vR*hw8-Wm^?%>aX zCUSzOJ6eH1F~MKaT)^@TkVpqbLh}tNBDaAcjkfnerc`NFg5Hm6)KoA7M%o3YA9AtK zaPl$xGc=>J3KOYJ<-w`Wkp{ca#;crj7eNLYR;S`dAV16&@UZ==JI))m49CyA88+Lz zlT@N3K%X#ntl~aSv{GN^M&;H{4uhEmu*yP#(RxAELTk7g0tSoFM9s|T%niF;ZjyM~ znm{@t?Kfqf6#mxI^wyY18X^=oL|IXq0@bf*7AnM?Otj$R%6JHhnJ*Fq)+JJ-DW)KC zTwaCtyDSuXP%$Ok#@8v)%VzElqQ1h8%Q%lpKa>7KNY_O-9 zu!+bXZZ8;Eg?^Y$es9|-X@uU>1EHN&@t{{+}ru{^!; zC|EMyb+k$Rk#-1SiZ{JT6abIX7YrC4VhP4=kfytd$R~xicizOjZQEV7%qf0gJ(0U0 zbqEPU3)Jk|RZ`M-diz_R++avKdAB9D;1=gK;-~f_TN$KeZ7bTQy_{}z>@}0(4FEIc z8apv{*iTkZ1)!rM^muZ*iA)F-1#G{x6~%}~GqJJG)Z=Vy4|V#C?@aBM>S?)gM~r!8 zGvr#czRRqvD)lj0d)BZ_=cSgzE_`x(=Ag{xKGXIS!@APvQrBuWCViHZaAUDi->1&q z&CW{cTY?fkzb-j2IZ;>6pB6)u=ZB1l*$qSbb4St@5?axRCn8#a??Ktp+55Jh=Zja7 zI4pxi;e*oSfwr)K{T0{^27~lP0^%KsW9PqG)wB&75a__ZkIc*Qh6If z6H+o3D2(3yd+}DoAwl;IjU-+s!I@v6jk?XvcAiIEPmp{XBMug?7+sC0l>G^LcWYDs zPW(IL`s^qEF1|X_M-624(=6B#mpZ!^W8yhowKU~+_OXFk&L(&3`6uOS!b0xQS$2PT z&n(-0wkx1>*vSWBl#_io)*{|oc(8z#WHG&=@H$Cc;g%o?x`S5Xd2Wo6w&uH*F zq+~fjRs{j{i#+wol3?;QDj4S@{6+A?VYxwTI+jOY#QqZZc6EzvOs-qrcjP)3542Jz z=NHBDq*Og?Y}0wI_M&sGai-eksIW%dun{!FP|yL9C3oAHN&c#TiRcpCz9 
zPUbJ3ATj930R`1S1%*ROanwfi%Yv$C80fdbiBv(FF1sv43dZkyTq< zEa0a@QTb<)|9}hgQBFmyBkPI}>~6^34<c-gDDIXdR}A^h3c=NIDx7+UUjWgg`*ca3#PnpB9Odng zTD4&deaj7e$`rrO86}Bkp}65vYsQ0v7xwZVBI@>EA0kbm0m-eRU{WTUR2=1GLCtAu zh=C!7i;U$BX3(!vNUvCKWwZiep}fy(|Hd@U&n!Pl60NTQJEw1do=0F!G^$cZJj+sb zu;6~Ncqwh2o{?@^RpFa6h5m!&MUku$p(P!VE&@EUeLdVr5y?Xz!dOkp$Wh&pp`Dr# zgt646K6!cdxjZogpLyjFfL)oKsx9E8tF)|HMCo4rhOiD9>4o)p7v9k1zSmP%zXIIa z<(E2+*5l~?HhyAqMg7&G!HTzWRtfGl*xDJdWVB14QHQq?QqCZMmo1|^4b9k#$1nu5 zThCRgbv{0Lt`~Y@&jYrqEAq;wP>r=QbnQD8{W~jlwS{WnXag7#%9iz&lzll!J%KRb z{t_7cewo70-gd=B2-4q?OA|2j=@~ON6t4;rMF{Qn;<2`tU8qI@k2hzN+pFhgH{k)J zF|>&Ex2tQK?X+DaIG43(AwQGlOzhlY_rOJmG_7+l*94@IBAWre*SWWbI#s65AjL}= zA|FUcC`t_Ve^WnV@s{t6xZP!-y^65jlj9}o_6!Q~`m}%0)(6h9v)f$iaiBH|LdETx z;m@jxHYJn<1^TU+janWkeNSh{>PW}^Mjn7>TVufrziM5N z&oOa-9kPCSDH~JJaE*y}|7xP1@OE9kyaLu|u$&OO2xtu4ih?eTMldz3V*ESG8&d&W zp2WyV)1Kh~P0GFi!p17f@%igwkf)hLdq0``zxQE~!>q173;EtF89jw*sct>Up_+Z4 z54f-!4S{Ve+66=EI@bmE;7&q3{ktrekJs(lny-1Kpg)%b$P0Nno#9tkyH&v3WhIOCtOy5aE6)SJBf1~ zNHBq7;jd9oKNha~`d5qdg@=brPhXELH{VrJ_QxjxAU*&HpM(%4#&#|)NFk6l;52jSfe{C*Eeh$EzoM}6n zV;+dHS+3K|@^~}A;@7NcdN-wTQhn}K%d>x;^9TRzfjy*heKhgLlM5nk0K|;HWiGDCE2TOq%Gu4%$B9>w5$)Fupn{KtZ;aUy=aSqF1YQ*$+IKHf4I1)W zO&I`t#?;TfDH~Ons|6`M53j9?;&NWDS(egA>toSv_v05{+Wz~Uqo)Ax{mvzoDpfVj z*!B!+3~BK004gioXB|=OYSopsN1n}DmE0!VJTZqPCeOwffJ}tS2Jh!kPoeHM=tV`@ z;Ify;t`BgN<5ohY*JNbr*YIlTgXu9BZcAm&_2-rDwcv61={`Hp%=l-zmG||5&RMe9 zgXi&4(I=xC7?Xl0*+UI2-#glmXQ@wqF07Ohw$g>}<*15v?MptiZGX{Vn>S4&yj+n$ z)$o>qtJ+XzT#{d+rF_@?AMCYPt|#qJ)%`L=ETX}0@7vecujU(y)XBCg)K(JIpMl=8 z>A<-{@Lo_hjkm2#o@&x-5JNM%FMifqzDUvsA1J|WH>#(?lvKO)Z+a(7j`f5Srv=Vk z4`ftFXR9R|jVO%)4pB&BrBz1bE3}%b@vE)hQ!jlO^y6NSsL6l1o`gH#NFBygZkIWF zb%u_2hHG+glEB0BZ|oXq#mBI^sqT$KSqP%51o3P6p|{*!;i?A`k!3qd&pgX!qR)>y zfZrjL6^$aHuxNeX;}zFLQ5WARcv6?u3Aoj>_c%^f+r`o3C9l-o(;O!B-*LEk1J!;~ z`c`yO3w8OXo6Gqyj?GH0?JoM$-On3uh{xl`e7m0+lr;00bgrdSQ@HqA2pQLz*)A1>O#sf|5RyfDLM`1R1ZJw{2H|O5NpPmTc!PS9p2gWu8&$j-yVG z_Tg1SKx@B@veml7eg7}_@6U^kvMe8BmB0hEVu=R!)ZMT_IVHQTj(*qf;i 
z{j-ULP}XFo_{QM5g0notK62&3swjXfBKuAXP6EZCt%O7EUOMx(_a{s^Lu56NyJ`cv zwn@wGL#c6VI)uHq9rT-EHTm>o?E!QcHZ{FRj|r;n%8M2rE~nsam$SUuxZ%bU*3F`b6FPC3T)N z__#b@LuDCmGvHS-obn@j*t7l;mS&wf$k!Uaqw4$3PgVSTkEBZs9T%Ltz@&koF_X^> zrA*oPeW+7AUtv35rROgCD@-KkI#%}aiZd#ELKv&w982a?&ha4w9DKc4w3RR{**pJW zp)Csk)LUJhfXZ)(WZxoaG!luV!X7%k&}AY#J-0M?*6}==E|&VcF4*7gelr10;d2HO zSz6KdecMz;*S8QQsu&W6MQn1W>yzMyB(kIovu&0LXx9pult3gC7Uh|0#O*GB7129> zusu88oi3?v&oWWpjYW*e$dLOZGmX|sK ziLT}ZeVyMBFG?>1#i#X5UGuY!kGjBzzOCY<o8WbSAKXSjG1K5Qd1`JsCYr(W!@ocY-4!)|c!dB}tyQ3MW z-GF{%`?res|6k?rV;B%gfyl@QfGZPmZ`EJbC z@bJ8UuE~kB3kVn9EbftiuHj=lAK8&!E(CmY4Z6xxR~rPpOC!3<&KI!onqS{+m--4D zD3SIN)Al(RLd@pz|31YY5_=p1Ls((+l^bVvnu6mVX5<;J35#~fpA=Txe?1}MUWtV$ zx04qP5N$`-C(QyuY(f=YV*XYO>wg(kZiUovW~-MPbPAA4JiK59-o(3Gd)_m(Z42<4 zGp(ogGcRA-l5FT3$ea&b1ny`p7PiwBtl^_y#Xv$0u}Y(4$~-}4saHk5u_*8`_EJ?P zcorLwM!WBKFzlv{+e&>saNt=s3B5L&Eyu4C2z%OqPUe<#h?^5>a=4Va z-$n{7*)ZCZ0AGF(^g3@o-0N>e-FtQOLbz+=C)mhQk7)9pDnXPGj*>m>KaiH^m zj`N*=9j_Cu3OE;oROTl$ZkGX2Nx-xA5)stmac|pICsyOhxG+7#u-?Q%gT6tF;X(y6 zhq$TA;bLJufv|_J;UX7md;M*`j2a@45P+BH&sOkVg(m!*vAv*2RQz>^XJf zH}mZ2$=uNEJL;h2pm*o-Zdd(P!FPx9Zw0Vj%0CrWeRfOf=X=uoDnM@j>EQkPH)boD zTDym~thL#*7}{c&Cwm~CN|cfUk50)Y@iR8Uk4SvY-A*--x?6JY-lN&pBCg{ zEK-@D)L2`;{M31*Xd7aS4>wj7yaYJNYkw{W&O>Dn5M81G{{~QAu>c<|{|0J7@sJ2E zzcpY{@qiLCe-+66Kfh0N)p(jpEO-gG?P&gL$Q|$8{?fvQrv`Wy4YrPSyNYJZ^AChR zJpVu#!$Vqx1yQFQdKQZm<|j3-u>b+HYIsG2>pa|M)%y$Y?P{pajMH2VDBHsMXk9i(z;qppc zyfp2{TANBx{ujc)vwulA`yxRorriJPL})v<4!8#LVU6}_&&iWL3Qp9})AFTg10PIg z6W1-tWa$rpM*jl%_xHa5H2MM%?0~HtX_=T*2{bhU7u;|bbT{Wa^Y6(9i+ep@UNCAC z1P}T>7^ZlOXEzZ};6%VAydKmx%?nT((cY2BBUUo?K#CC%Rt@hr|wGU!D= z^kAR#6IKu#Zq~y(texLy#_@cO!oNJm{7)XAG}IEmXaMxHEQ4UAv}pBRb$ac>TSDtO z-dZb&)^aKEr{S&%u1RNmCFM|U@;Uow8vZ8{sL*w#v?G6t{|933KegCTIOU<#JI-5tSJgRJ9By|X$#o)bakHg>D zuhrjsb9C*OR>A6u`Tl4b^Q-?qS_ZBw?o$Hhzfd9aC;(a3peX1gGWL(dvsBI%#nP53jFNvV{9`Qt4mO!)_}{_gIg71Z7{QN( zamWFt0PC6sww=L_5{1i&x#(f`&t+nis6hM2nZB|~;NjnJ`D0A>OXWfjVvxecgc{Ck z_^`pWLnB}qlRHa1j(c#(ns%UE}sB^1^<^^-{75 
zOWn-|wok=zW(B;gNRSgma0#=lXpkR8&po3@6kg-M}$p5VXwXA6PrvkuNrLs`me-N0oDWE1069iTa zbl-rG6YB?*<>AA>=l8Z;)!AxI;cA!rKX~kUTlk~oP+;gEZh_&m;>%h3Ek)Cy__I|U zKvzYJi@^Xjr`n4y!5cO3RmFp5#%9Rr8?GACe39j|F8|2!;_j~;2N8(~9LxU6t1pip zhXd?51`1@&kd;4v*|O(saw=Y|*OqI`Vx!*B_)W&j{V$yVGbR3?sLc7tS4vc)K+({k zov)jih9aE&2@%#Fhq6rIdXx+PFG=>8PyZcCM&ifvufS%Z=Ed+^*M!$n6R=dHbF{U` zI(pASWbgDnhV9&GpZgNkfvC!V04k9Z`}%JeVZl5aO{b3QA2qA9u)rfAyyl|#*y~jn z5pBCYCm#L1HSBYx&50fl|A@QYL^km6=JjWBAPesNH~7QO?t94C0d~hm7{U0;VMY48 zY>tC?@tk_2jvghdt_r0sDMtQ=L?)q!#Glof^=py%e~Uu{@oe3@{uIz^7;rj%J-F=) zgblbOuoM|n&CkuFDEC2Cx-Tdv-i!X`9qRwceI;NnMvT5P5VssWVd-(d{5w58tRU-q zt(5Eq+-IakZ_|x`MZ7pulYm}UjN79F4;5|?6g-K^(JjI092x5 zc@~Cwe)BsZY$=;-FM%bdZ2s58pYM77dd>DFZ4%?8z6HO8b57#wLk|G1D8!Cq&ZMZl z(=3*nwj@jtfBw;k|Gs=Jndf#j9;tqXc0e9(YEolo?D_I9u}3W!AbPv)s~#6DJU{a7 z-(Zte&btNDmZo1^@@dCl3Uk#EQ`O1~#>{4%jYL&^1wWU4_aBcyc^qjt>$&jQXxRic zF>`={fO~_sb-d%lP1j~S@}sPE6)BRoJW{LvPbmF){;3c`0RLB4?nAE37w+!Wr?COy zHQARttfp)DFvEi5%;O+#&?8w;{}H%fMpfwd_Rj3cdvth+?j814c#(s0#J6-_*)4=N zu5(Lf{cXjS{7OYZDJCBnAwAd*!%Hu%Uj=~a@k99Mej{V;O&L+-GZN#Bt8lB=JIaR4 znj*@C9@a)at@2O4o4_^LCD~k_a5EJTq0s~d+8Mm$5p${dRBr~W3i@hH%m&|YXh*6f z!~^?u{l;IT=isu#uQ=!)PbHtjS(g;nNUqr?|Sln4}e4QF$CwSRkkZ z?KGk=Pgvf_X{3BAmn6Am-lTSXLz@3&ye3|FFDy?@t(Hf(F5!9nEsnBUt?Zk2Ynfwn z(Kl^U<>Mwf<+if28LP@N$8u%T@j{9pb)qZHG;=tb$_{4>=26;}9O|^2PqE!Q*lCM0DE#>D&-(&}YHN03R$+c+a)ma_bnwIY}^EsFkYszx*6orI@eD)#?w@oUO@?3xd@w(HB&P#copR51PkH z+PCL+I>0AleUn?bkA@p2NoD^al^DnVG<@n6-R?+R`$c!C>J8rddS7>g$VxnS^y&O{L=RD?AJ;Gxc{(%_=hgEs^Th3+Lv^F{@EM6o^ z{$rFnA9g7st=?@gYj1fXao)%V(<6doFOt&+*LHNM@{w!IVaL10UF~Vagvg>A?PI1F zEYpnIy4FazINbONQDwl`ajcEX83d*C6%APgE;OzO8w*yGP0F+Oj#uW*BlierfUUee ztKMEu>Trt|lh$D+-kAgh7%?}gfp8uy6J1>O?k$k_F;DfjKy&2Q<)gX>ZRUe46=|e|*UQ#goJ)8H;q};T!IV|rfTtmyqwEw5RC6tELiEZsJ}U9JC!N*)=t73S?5E0Z{wK>yxX-| zgC@^LM)o*99`i|NHSq z=B8T4{-s31nj~iJrD(&jKT{?~e|k3h30!2;k_v~-2_)c4Y-f}4S<<&ACi}-B-&8sz zEIYWcJRj*wB^4Y9ezZ4Sl9iXzEw=h$h2Oh!hF%JtNhss*MA9S*~5?dn&~{94>FD&%mG?eE0M@NO`3#WpJ~Q*EJ3e^vbHep=x(vPboc 
zQA^Nx)P-m<+rJ}dI`m;`Tf+g@bj2mfVG=Xg;%Uzyw~{yoo>L4CfqzfJK?|W!Ofz6M z6k2f6m$NzQHHX6@B`xWDY6`dazElySk|-P>v|7KLq_xBT{gN+{l5Eik61U0Ih`=g-ATDFUy?zlQx5>V!-OY`<6ZDI0z60X=x)MWlKX4 zK*n>N?dHer7?R(_&IC)ry8V9ub3ly0h4jS#bgU2&sl!Q9p=FGmU;F|a7?7kTQ5hdG z2zvCZ#a=}-tz()^F|XlJ;7%6Kv=PfCjkJzoIyZWkXhDOWOCx@Z+h`rTaB}=O!95jB z>NUB{Rc#q_7cZ|Gj9$7{%UGh&=bK6N;fIePTXjY&Q?Yf7A#D#xWF4l2O6_9k7k`Dv zfOE1Fe7kglVB)IsC9T^o_ITH4C-&N7mv5kTjAlt}qcYrptgq)f6qy`GCN{!NS4vl*PP{^n~xIT3FA z-mt;Z&fv)L>(SfE%>U7!j{nErXSk^5KwwEpJ zl^Q0*vd&Q7wYIJgR4t9g>?`hrTgQ0~gJjv*t8T7a$iI@^vW$0?-Fn;ju4&#ZWWU}i zpl!X-#0pv|2{n!wE$oj*#?m@FhaJum(ql;eVXj=}LAHNCZPRNBtlkcufmGb53LPAC z1G^o+-@^;hr3!sQao~@l#dMN(G)=i)u`Fh%X%E;sK2kt6@hc;o?A%i_?N^p@l&s|t zm$(ly-jrIBH^hC>QbQyy`Ee6hMb-xG?m}0!*fEZ|jTSiTaOqU`PvfJU>nzbfHE~ZZ zpArwyn+y7=h>09^1w?`4=wzCsh&-)9OtfAs!sV)v8c+`U>dSR!b=Oo3}|-iQ6YtTx9VrB(4| zLA^>L73;8B;EH%53-or=iKVwNU+@P0ST$W7coUe{orhnPbo4+P#!yIJF1jO2CG~aP zpnSG1#dDS{zXZ^0VZr5M0KUdC)Tbi0`>p_h`lE(-j zX+BdG2aFU?VwC|R>Tw=Q@g4iPj(uE5YvMX8;yLn`mj+IQig6o?@fy{}q0LAv0eaQq zFdm)2y2$J%@fATk2w`w&F1T(#=SV zoY$&HP{B#9Mb2q8_^G|sX}j}TE#7PGjN0v7R*UaC8>v=1kJaK@Vc*q8=dc<)R&CQ- z=KNJ_^eT6C?Q`y`#b4U=5g8C&U`Re$tUwwUd8zS?NzY^<5Pcdjbi_9}+8 z7W+?Chq0E0ueLdCwZ-A8UtE~#7Z#rSWrd}F5#gw94@3O|!cSWscKT(6n|?uIre9Kc z>3j7phs1Gg&2aOK=aGtoLn{;2;^(9pp7%Lwx0It+mSZ#Cul9U(br!<4Jnb6L_=%uuSKCX&94I?$*)g^$5^7d#Itl0tHr3W-ZQn&*>jsY%My z4k@?_7xWp;ej1U7&SDXrKznBU4Va@@R%tt{DSAG-K6$!e=8e@Wc;oV zK0{q3kQ85mE3Bq#CO%G@A7z^t>HFiqPG57bFM+g}&ZI9Gu@jF}7`xqpH4b{Z<++}2 z`+=i7&akJC>~Y`k2TtIdHfccVD>3P~&v@g^Z+-HZQEp>@MQ{9nUBhIJpIg zs5#SVc>iJ@t-=`_@Xw?U6F=YRTH{eL(0jH$(rxH{edJn(KIlO!PT-9CLBE0c;n_%( zJgY$RX6xx{az(@_dHAnuP;%1DA!)<&r;`~P#mF;wK+1rXi~LUPL)Xje>p8c^U6Cd9 z>LCL9w6inq`WlMju0T7#z<=}7#M|A2nH8o<2eay*X_HBy9j!ukFUKW)<9pvfoZzHM z{)$fmIM*F(zoG5p|2kTonjKPaJ^wHd@8|f>V@lWQX>3*GgbCl^v?qs+7qG^xfOHrC z|L7Q3u(%>G4XXt#C-8Vnyj>}q~xQ+7&Yj7*W2%WxLUw`4XYvWH#@SQmct{Th1&QXTKb;>8;lwfrfF ztt(6w4W~D9jB!`*d!w#y2fnY5y|J&G_MkiLx;@iyo2cRokic8mm+wj)+o@n&z3|Z| 
zoUOi@;yU&jf5+1Wh!6e*niJ|_|9C_yd_GoE!?^p)w2&7nQ$k)Qr-R9hlnU+@u1eu- z&l+2HZ>;zH9;|)-xUY|bo~e(Wk=5@FO=oNm8YmphR-i_Eb=!%$vCc13Hd>@i)o6*F zqVdO~n&GdAUS|;37SuG2 zW$g-UwzkPEAZ=Wj7rv#9yH zeQ&a!;l;>zAd2|^aL77*e~fq5WSi%cOFZbX{|SP)QRMp&XA}0@O#TU*7f!ych7qsy z5=JIqzG6(!*Jxh(H?R?X@O3n@_>uN@iIS0YjR&>|l%q4vKt57Pg%-e`So;+3gP|*& zUPSK=ynMI#Iaj|RX zKRYY;F3&W*%Zm1x8UIcW-e~o^3-2#s2~EsNxI6}{@{gc2-)c=t=43b5P@A8$1|6BJ^W?jtthtxW_kc7UXw9kS>5ZW9J?h#3?sb#ki$zI`Y#%=L2&4Q0@t6NNb7u;TfX4w?g z&0xuVM(RH4j8taoX}5i5L)Aid9#4_lJg;wV-r9okC=K4X`e-kbs&tSpa7@S@n~S{@ zxcfowRQXs|pv>v=iyIxO$*9I)6_}hh8M`Xe-j>Z9=^<-sK%lKu7&f+H&WI(PkwJf} z(jc>2WUG}MEs`Av8%Yqm)%q!I6ZE@}Vx4HE38IE^L0U95zMI($VETCYp7ih*&iLtu zeSd!8EI$;rTzm>A=j(Qzo^xB%9&_*l0CGBZ+z(0Cc;={0-Luh+frr~6J^j!$QB+VGbwGBA#k zBQb!eEX!-@^&euoci39X!l9XdJ z!kKwuofzM0WczR?2{1g50}P=Mn*-nY@Ha5@+F9L|OAnctzJ>kzn0^51qsp0l>+^{y zow9i)b;U=Ke$>5sOEF?t2>IozP&LEW3bkg{_jhe2eX+l5tL9x>GJ*1hSwg-jKq0zW zCfB7Loc~gEA)CvxddU-Tm0voU(m$2^%f+i}aBAGz^_OW%B$JjRQOSKe1(a>;0?JeZ z6d|FBm~CQzL)tfWr}gaRXtG(oc{YIRJJNXdCfB1W*R8P{J+J&Y);>SZBj(4UxfZ{! z>^NzOdM4R%@=TGs`|LRB>^Lks@-gz`@TSESInmm^1KTdmox>wD2}yilpb*&|YmVoE zFhx8$j&}Jvd8CDb_5gB5&zn#n((e5!)QPkJ>H4>*BEB{^_hVfHZG! 
z0aK%Iuny?l6Xw~mcARJDij56%0*odFsdbFUOs!*fgI>QsFm-SRuyxzE2D)Q=L%rYc z23^lF+_Br+RcakEE6ir8b+F68j0DgX5=JP5*?g#*rfzoMnxk*JUGU2~G5gm4P6slg zIQx_pCxIixq7Ul|8&wec3n#i8htARy*kwT`1-X2b39%oI5SBcs1(dLCMJ=F&r$=f5 zDLfxj3rOJ!pp;4JJ>CHEj8n?A^dF6uIO$XiXo+)bwSbmnx^4k6NoFu*Vg}nHMj@qG zcieMb+cNZ_1Be==BGqCK>Gj*^8bihmnvDUnQXcPGm2AW4_ZgUPSEl5*+;m=RIp;fJ~ho>dq_3J#UR zBPIPn?o<^dQ?^V)GDUMLl6zlYM`Cx^1sND@dp%~}s)P)Zg~N=y0S;!MFF+$LpLKp_ zt#HqyC(eckdd8w3m_t#r!n8rPflNk~?rZhJ**kD}4Z=SZ$!iJx&YOMX74zS;4NlzW|3Kgv(c=r$I>cpJ94dMavX zwJl-inmp|F`oqBX^^xO&-KFpL^pOewGJM}0TkbIEI!;>?Sw8WcOt(I0H$yuddGrol zHiau%V#m(XtA^nH`)8MFjp`}&Ax?HHovLe>%=fVA1cF>*y};$^4eTdZG+S zGcl|x=cHhg-Xqo=FTXOhUR z0_91Q-x^)v;g^h4f~33%J?vk~;Ys``U6QgE_l)aA{*h4o3^x#DMqQH&k?3@qD$p~G z-jEi04J{&WMZhDP5{gvFls9doynN;ZuutgMssI#?YEaaN3TCYjfc?m>OHr?01+Y8U z{KCMhTcOq$Oxz>Ytx&65u|l_IFIj`S73z+IHL5#swRjks1{i{BR;V>_Si#adr4{h+ zmlR|rVWD-Cf{N3Ka$-=iQj#2$%`})5l#@#-)sD!_yIe0;(J{Ve1hd4UG7|VvEHlet zI?(hZni5oe29hiO%p?<))&AlVil+EWB^52{OB(Z+>8Y~hqH(Xw8r>kh=+~ZIG$YfP zVU&9fpzg5@g{4H#lyW2iZCwp93LQy6xWg&klsVWKj``s6iN;Jny`_hRvN)6Qh zbfUF#4Hfo5ovfn0^ogq28R#F!OYQXcR2Bc%fB!%Khj#N~I&nYX%;0D!Wq59IFvb~A z1n4b=!KF9_c}p;0;DI(+FVSi2M(#w^hyT3@7jQ(|AMuKhcx=|q9N*|}Ap4N+2M+&4 z^K8IB(*>ULKp5wuMvafNr)Lhz;LA$hzFNNVZ*f7+a6s3><-?(nZKR@!#C*&Nn5+uF zPF`g{2@gxZ2k&zqQ8@P&ET8*>@BZMsKlttszG;hI?wI#Ue8SU0XPzZ_lccXw`*gwX z$R^O*nSWrbPfyIL=ac*yHDktuitGTbQc*MxbhP*&u2QwY=s+(Mp-guw5?#~BnPVa^ zyUR>DoB`<}S#m07@`d+yNGrx2lFH8_4sb^tv`%^;Iy9L~;hkx@j5~Z+0HAK|6i3fO z?#Q;Jk@O{J>fK6Uij&4-n69oQFolv!y0nq_vSdhgheMb-E3_<;XlHqQ14qiELON4I znw30>3<+tV<2`FSuTqk+Nw|EFR6WG}8^X0k>}Ww>@@!7{i{x_RFlA{zsdwBuDilj| z^zJa`Nhp&Yk=P!qy#e}25y17d-=&rRG)01t%ZjtfyDGzJ!EHmi0e!TQYcysB%*4YM zPvLyz;?vWYHF$^1FkBtRgH&{3MnQH(A&pp;=}a22oR!g3$$-xHQ1}UcINVyQvBWHi zbiDBcFcjW>zh13kV^3^p{26^^7DAv=>aFj^jq@O+AZ6l=9qD3UkoZ;l$eS+243;Kw zS$TA;Cc-t_%v;u`)afbV+$;y$;~7UEFL8Q_F;nuv)V%a>nK@{)&I`#-=t;XzoE@9W zRKwKrpoT87^*&~5`JE?{kKerw7eDzQiT^OOiOX{2^#_U>=7(FeRa2)z-%ISHJg@V+ zPwDyh^Lx=t=qcTpIwg)v9azS=7v(vT=GP&>12o6DP`t3%ap%JSIB|XYG3`vKBfdy^ 
zNab^2*UYFX@wfWg%<#&Fbh#b9+%BHU#_ueb&cn^rpWm+TjxrK|Oq{%s$9Q-M2f1RH zP@7R-_#SDKzTDgC_YP`%2erL}+LvmlZ+J}tKlzgsC-K~`bVUL&_t1I_9!*t}m}^(z zLIcNCVz*0K8O2M4*(!ns@Z|docnzGvX67C&m3pZg7rr~c4HGj6K}^MV{!z1L9sYI& zHoH~o^{Hmgj!8HZ@zWsDOquF;D%Iii0FH#R>Rx&EJ5v1)PR68iSy7J^^_&MNN&e~F zhKD($5V?a*65o{=Jg7hs!wdVI)Ok>FdHnbP`~Uj?{@?$D{OiB{7bNo#L%}khh{*?# zZfZrM!$bBslJMtuhd-dkfvMD^ci_m^UkEB;I@S_>w*W$Xe7T8R*=NcWbLvl7QZ5wK_z1z=P%BC#3s8(FzD?(k$-w}$Q|$p z@&i6l@Zl}kzWo*T;Pa~`(X+wWeQ+FqoK6q@1c2P!^+sVfzuQ09Y0u6(?o}ir3}px8V=d#uL;Hq~6EyQ1#9*E-9B&K$bTxR-l3j8uV!9~M z{fZ%iv}Uox9gq{d$fUjkZ%Uj*OMRf^es)Z%w|EKW*P;WWl}KKLnTzrcZ>_xs^s#zC zBFW|YLUbi=zuH4pRG74~uqL*vHCwxDluroKn>`cKnM)yi@Wr_lUV3Jc)2HGkr)1ho z-?IuDOy%&4>ki%g61*#^B0qvDw$Mc~?+YnTCM^5d#<#i>`$5_pGnFJQPX#4dUWj{S z%4j1wTI;xe(hubeRDERc4Z5i{Zto5Hq%N3yhtj=6X$u@mzs&r0d&khdV`x3c(7hk# z-Vbx{hq?E|-1}kf{V?}_n0r6Wy&vWm;fEPpKkEQfQd8pLr?d_0^Wkwm_D51E-DK?i z!As(U(xzB}+IC3F=cBoWKFVbdZE*{&;RIUSy|cdKWbj5mPDpdUjCX7)lTID@i%P+FI$D^DL(U@OdJT^lGsiGVDGDr6*+t!HFD{HF!`~`@8h?2nuAl>_6aFy*28P6eD|xsX1(V31EmjXj zU3*;c(c%X2Jq#~qS0QEj;Lko%BX_a*X2JO3NHM4Vq}{|Q`GL`~u!{=>s~ zvh=h}Iqo5_Eh_M;+T5q%=`#EXAB$gCe+i4d!qnGAms+SfTjcK`@Td>grAPCLvAH+r z=!1zVirgHbKKAenljdH;-lh*MI-7|5Mv<#ES-CzY*VW#49%9729mp z4Rj|XY^7;<<2r|@huMlkHr~{8?tM*O#NTAD;XGY$s>b1$zp0n^s+{B|Jx#NamY*Ch zJ?WX@(law*0NDT-l@l5*S?`o4VK?D3mL2{emKw|`n3ETl=0_UmrYbG1l9(zo3%adB z5OTthYAhCr(mU!3FK^z-fwAaPIw4M>;5xdR(F!bHmPlbPj^QiI0L^+~yID_mll$4& zAocUMv*SE!F6sAM$v(Vs?qN!d44UiF1AhMIbNZZ&OPX$2Yi>y|(8`~;WK@tO*Jb&K zca?tli!(huJ^0o(1B49XdvbGx6c2n_<3tfKxVKj9VZ%LaxQ7i3=Nr+UQ3i&?3F<>_ zK-_#B_}kh##@*dEhHXC@NZs2m@Z47bmj}m9vqE!&0Zs25uj*=fq0`nW)~;pOk5JF`kG_ldKy>xzf5-2^a&vtEhMn)wx|6B}|GR!qOY`3ck|OVNMH26ubjKXy zpHkwlNS{9NStWIML$)#P_c)ovX1c5&4`z@42h1N`-Uys>NMh}9>0`#}^1>8nDq;_v zhoCJuia=AG&3$6>Cr(UG_PZ>hvMd+)i*qqEd7^ye4H-|34=5`k5l}3SS<_UiphA|X zEvI1-aU4Xc&R3X(GbX~y5Q8^9-o!+F(9xrI`}V@e3NqNTnJzbwdC!jx%u7;H*{T5x z<)(3i@5`)0)%gPk^*y-XF2gm97PKAG6h^W9NgcPl&)jY03v)A(XS4mc$4q2P-JZ0g zI0qGWFI23`XIoUSGOw*-#e9BSB}ye}ZWTXh8HU}I(q6NQrrq?5gG{bd^@@$YXyUrm 
zv|^*-z>3|5y=o1bR%|+s+4Q;U0?>#@NjhEiij4$7a+y+L#ccXaCC?3>eG-mw;xw1v zril=Eu%1rC^@_vbWS^2s$@vXEPaMYy_3#Ru5(e-!BmM9_0hPtpvK!*ed@Q|$Cv(k? znY(p|cR*2X7-xFLba_{7JJDwVdrmC}`NN?r3;M&s!e8Wp|Lj1fb8nXPDh2E_eJ1t% z&aVElMw$CZ@^P{YDEIH+{UerQ-}>tZACJ)H)8!uCbR4pTWEdebjz1*KX2d(4%v!j2 z0QW)ghqll(;iTYq#o5t|M9M?F7wv!lsoz}XMS== z99S7jS%2K?uhl~edi%54&dz3h4*Ven!KXp>1clGmVp|ABI6iZ&Zt}_BAZ56PGGbFR zIlu|OOgsI{NVZ_)=q3Eb16A^qoRfsNc=|~f?ukF)q$1KVuu^3QLRE59h|7}wfBI!N z)vh&2|4e_?q7-u)gsNl|EbB%98-*99wdY8Zw67i=29`3`IG zwsLzjzD0b87cSDqVToh6Bnscc`wg-6!}oEfX!;MXQoB0i4`I0Mc!)xbl zX6OL`gJ^aqlK%uQkS|k-jnh3@>M0rbaGA5@@7ixX6(nFYKf;js@D_W~RcDz{PI~&> zm#s`m#T&LB*@^9}Z7yv41@xIMplo+?_$i)SGuIzwo+nfA9}gxQ)0Awk>*on1X3L4Yzd?F` zgY^Ce=_k2CS|KIl2CWw)Zrp@kX?n*^;>*6;E3`LD4%w5s7CpPedYk=!wtGaDnU)JJ z%iOS>Hz)56$WLHEj@=+KX5_}kV@+Z`mR&ShWkJ@S#DvU!Vzqk*j9cJ|0g@_SmfBvs za@?moGcY#^lurx7b_~f|HyaP0!%DQVS$8YO^k=E}!}YEUwQ)A?lXPj!+!08rA?Bx4qu+o zK-kZ)*3S<*|M5R$Q)_S=!ofG%0hkV?Md%`X>0z07AHm>z@e(*Wd(5Gy9Vi&;{k$~uC#$1O*JFuG&mzr&&&#o_>koiq=#mvIG(caj2cdwlCKJH7;9IQlbBp$DHgC$O)kGJ27YwX#N4s25S{tW)H z3bnX{v>#wA?r4`6Xbpy*nL|ss<|GBKm>`j~EA)1*)t%2xsYq0WK|!|;CKyUS<1As9 z@5w$Cx&9pbIE+rT>-j&2Yt40_8Q)pXHD?^Iv;l5%WvIkQge6XRQr93svn9e*VZ85CnP>Kh;a1}SI#S= z8kwVrJgq@Yv|b?0QAiDF>r#c9e4oAum(VhqKdLxjM0}T=eqr}ePzk-0unymDu(~Iy zx~Hn_d%`SH*avj7Btv#^{!5XNfNsKiIdP!WJ6QqA`Y+eNWPOr7Ttu1d@q5XzRc*4wpF(|+bC??44=~gJv1ESWWrUrRRMpx0%nZeA<1$iM z6<-$AtDIZJI&6rp$VOS9w|iowH^7_B>%8tCOQ!V$FY$&TU&wA7v4W)&6QI2H*UQjb zyJZAs3+CvYY*4qxa>Q#fdE??0E7B%=c}6EchzWY1-^+J(!uv!NH>7jDo)NC5IF)6IAc8og$?Z2K{})S#nAffH=6{5afK%*GFbk8S4ppZ}bE!h{ z6XYC@<3z6zErL@qG-%m0;O0a-U#&pRfg5e+Jg}NjkvB#fhBhXIl1|d((w~LkAA!eE zUKF6IIXI!f0S`Q7mfGC+J>NUIhG{I&zR|c+d7&F+cA`Y9PN_9PkIf0E0niHU&R5Pf zI*pi=>B+HN$G*`y*S`hB-g2c+(IUYgN)Jex1({7k8k>a(hZjkIk(o$~ry^;KU{Jt2 zhoLo+)j(E+*cS0~=z&6h1WO-FTCmfP|o@FHDg=4QD8P)I#J$R13J3M;l z=z*b+-hb*^pO63P=;U{p?8p+F6*J$KjfCy-c$SOIV6k3sqSfEP{Kg5v#FDhMR;I2bYJmb_LDydUQ zS%JJ2$uk`$V#`lXZqnA}JU`(8vSqGDcjXt=N9woB*YYlt=t>o^@YQ;6#1=?2N)@|s 
zR9o}FlC@3O4him_F_xOOfN>=TY69k)n)w8)U1}KWpy`dxtgP8R%AWMa9%ZkIvhU&A zM}TXa&nj6Mw{TL~p6R#}+g0Z#Zo;g>d^c}%3zO+{!HBI2jM&;^#E*ax$9v>o!a10Y zVB~!dEgoMtLY$RF?vwE~AjDSTB%fvfSs}!i{ID4%urKitzDKJ!2Y>;)<8r)Bg2&_fErmd=e!-02F_BMDn2rU^bx^W$rZo zfKV=&p1+Cjx_<|l(Cc4JlHBxQy_lO;_xb?sz${$^C+mjzqk}OyuK4~~4n3E{T|jF! z+{~L|;drD7zg_)6FrG7GI|x|=5GMIdrkOh@g6ZNxJIb*y!Y2S`(HlB4#`?q~tCQxm zllcw+Dut*(OgH7qGR|xp@y7v;{PX=Y~CI zu*VFzQ0y^-C&moqOUWKLcz(D+_KXMTo2SJMtPODk2?HDB2K5eqkAoX19==(#d)y%D zi#=|z#|?HL=GA;w*%&uyV2Ee{92BvWgnZQp4(hhKh1vAE00-R);Gnw)4z>dvT)e!x z2#G;|xsFyphhFq`qXb#OV--btd$uS+w{S|&vj415g12b3zn@@+5$sDEq2*8`G+OJE zj6>Qi^eCJ_5{vjSEz;)^OP+_``uNHtDuuQGw187q`~WjH;8~V6N3L)FnFu_=4_?w1 zNj%s~sOX1<8gv&{t`}Z0(Txqf8Drro+@|TzjQaeIzKh}t*``#Ph zna;G3jC_*2#UY7X5VLTx5Amj4OznuD_dH5v!XS_dGX^b${J=}bsH|_mU3fi(#T#%B zI1im*I^bHkkt!KpdB$(L3kk zBwPYTZ$lcs2M)+!{=L5gNQZWOi22zWxPW1NYdSPBeFU1}ltV$r3jFsKn1iAJy8T{9 zBUZu=l6pB`t>^I1$oEU3n~>Co%BQPkxJKo>3&T|&%c1n>F#$RyK&SO}Xn=`@$6WqN z=hEo_pd=VghHhcLyTvMbw+cV_BtMT&LlIF7G}wgv`hb70La>%-M?YWb`26+jV=aP3 zHXhV+))vq(l!hGxXm)rX-7Hvx;F%cdju%9W#i>6Sk9=p))y>h+(Cw}{)JJ`%uX|3f zH?oKQe%~H5)`Intr6{5)%}{{gzp))v19fmB95lZHTDJ7j_bAe5Ay|Y!9Ok$1C;fhrZu zSCn!Z;#i700Xcx2LHFXKOVXXLVd8)}W3nRp1d2VuEY5yJ-oj+yIt$EC8K-Sp;kIE# zD4l)O{a+WTp~Vmop9@~c6M8ypd8X#^Nxnk*Q}Xvb4285NUdtiiKf+h@jT~p>ssO(Nx$y#y^rBd$x+WWeB?|y6=%H-6lMns_?IARf>*u%RS_Nqc zF?lDlmTT){nm;K_{c1_$^(H}ZG>PUR5yA(hu)%sUhDrf}aymuGxr)vNcrN&)S}7zf zDWrn5m!j*Wmtn(lei0W#>F?x)y~C!Lj*S0KGVmSD#kC~4=$bUtdGxs;>2?K@Zts!wts&{jt)Z`-D1xE)t`_ z?uy;8&hLKrNdHX&Nvb(!Y)9*)_8YvKQtZ%U4lMC@ulUPa?G`r6nq$tDIDRwdgMR~i zznl7vb~LMJ@Rk8oxB-`pql}&ZcPs@aC~cgwDH%3t@BLoRJV_iOEq|7iR|=i-8?SRb zBcS6facQ3V^V`+kQKrbT_M0;e-WBgTx**V8G+i5}B$C75QWl9+EY(>MG|(maqO zWQ>$>+>v&Wgxs_MzoDu2W(>*6+%nEDUcHQjtG!d;&oBN8SB%WvuAS6Pvw#Vqx5;G` zfu>TpNq7*86pIg~rtBIS7rVyKO6W{sdc=JI%t7GU%W$m1+L4`8qMCY<^|-_BOx zvj~US*@Wcp|8WWKlwUV?kQGN(QIx`Giyia|XZbAq&o3HpiK2}*ejb$-u@JT-Dcsmc z`#%_Lp;PEZ-^mdHG-q+A5v5Ax_l@s(f5EGDPm&n9BO$o&SX;!Z$Mg5mkAU|!348qi$O8i2Yx^{9qR6` 
z#ReUfbdA9L;_g)7RgVMBev8EE$;7G)r8?DZf}WqovP7C%gwaZ$`Li+T zGPAD{<2NLY^FS$@h?A3(ZG*;1RnPNrKhn^t#vOz4R4kS%Mgiq9aRgKwJGa8cbnxp2 zkB~<-IyDny7B_Ky02mkRpbo#H?%nk@FnS%m{|7MJm3<_s3+Pooj!hH0zkciD(7~S$ z0LKQ8USl{I{bY8hTYk%;yiP{JGB}#N4iBZ|K~K_B>?z1|K~P|R*nxL8EyNHih@d#0 znchjhk*#;>)&CUTHC|p6eka=x#dpFLj8EnLaPoR;ch$-3rsB<@Uh4N2Z>>yLn#|3W z>7^k()zn!NNXcv{9$OK}BESPK`G@84hA^@)htXM)maelpWNU1&LWrc+StZbifc9fr zH!$}yKE1%?+e9?d?_+-1a+2P`)>=(O(lgEA5eto6WSxe6P%gR zm!z6}3dGqFkj!naCxz(uNDSZW(>~ z$5M4lc9HaZv`^&$#Pl7`Cf~uNL4t^2W)&NN&{B$f;;S|r0X4|EJL*Tie5~hQnQg1W%in?0)j(aDoFS=kM z^tYI};9M83SHvZ32BvU$%+yqK@0>X}Kf&iXpSWrUU_@f>c;vf0e13in+U$Xi$pe2h z@k2`PM)5~Ehw&%J4{2{YBwGyM2G6{zkJY}2_OF--hh*CiCbyU;>o?0^&4rrrn8HeQJB$|$_FUGb9qL-5p$ql|bhTxl%iRc9qGf!?<+_R((6b2Xt580VI zCuG!?53iPQ{9Aa8$cm0YZ?;^t!Yc*}Ub@he0uS+5e}mpeI#i)o@bcbG1?aP2`IxX{ z6e$V9f|!9M@}1lk2(QMI`4P~#T!n$>0OTq5GrG5keN4Z26O;LS%}SF*BDG%yyg=+L zgx4A$Woi@G8E~EfYy-Y|#q#JT#WS!AEzEf2Jf+g{9#L(Bd8wmax!|GD(Y}Y3cRHE- z;J=0bXYlIAgIRY5PK7?q#H{#Hmh6rw=^afsJK7;O6HHczJWn-qGRSd^S4e;mhQX0X zu0u%iC%go%FeL=Mj>(qQC5*^kaMpx(({O$(j8@X_@2Ngyyh)Bky^VWO9E?J_AebnZ zATl1pI8gOXv`z5qN&}yu5Sc-~KHwcGY70KUB8xgc6|x85z0!yt;$tyPpDT1aqeYsq zD}QyylS3S(-cVU1qQ+U2=uci|;+~7uF0GCEYn!QsPSSXc@1}D?SCu#4Z#@z8V1HFJ z$ONvlUv#E{WX-LG(REq|G?woc_SaBA?i| z6hAJ*HHy>~PrNBTEaEx$_IBytl2w!&J+Ghw_@Us@TSADe-w#|k#e_4qgcp8GFn=mx z*3wUrtIF7yUcrfW2}4@U9VwiA$!uNvh!J1=)yuu<4H7sy%if{JLT5 ztW>g!qA)&N*m_X75@gwbu4&#g7n{$hvatLq^ziDjlWLq?16C}mIP6sF@?0DaUb^k^ zw!(m<86gQ!aK-aHvbxdha@m*owd8y`jL6Ril0W3m0k{?iWHMjVZvrx+lEb6m66s() z_n>R%D?pS_`5oIj_8dLx>Is87&q4oNJeS`_`YPmiPwS=g9B)6I`Z} zzLDIy9LHT3gfdH6OIoRdaQ$vp+r# zzO88gWzFvK?W8aE`1T&(ZX>>}I;%9tw>PzJH^8!sn2MVi)W@>xwz-8l^|@f#!wM{W zxW}@$gJlyF#`(o-Ossiz=TE29x#TOqn>;IitfDA&&la>E7EbQ~wLnV0S@xe5Xicwu zK=^@pfAecIh&NT{stN?p0L%awF+%u5ayCfRiNF^GS_W8Su2XAak^mZD!Z^ibv<8Q8 zeisJ{z4k|ds{f2gX9vicz}uPgfXE0S&3=UDOmefx90BhTu>wTN0oI;`OTZAoX&rFx zg)^SO;fY}JV7W)!hIn`Lf{53oFG-OxF@ptb>SJ)HUkZ&cunOLYK0T#XC|K@zr}P2} 
z_G=O87R(fs#$df9_jVwZhi>)++n3&^LPN2V`{9@VB3$Bi##Lk$Aoi?2hu&cb3Eu8qn@ps{b5hH#{*j*jRQ~j9M`gJXD}X)?CS#!Iyym1k=>`FK zOy2{|a-EZP=t9JPv$sLhJJGKXFq#?uz%&DY=wB}X7ym<{81|!EUh)_@;vdVf^~;>x&lsB>u`uXNkg^;u z%o8HQh9wZ8ydp)|uIHbbmj$Q>n>fz6nt&7~VVyKp04qs@BvU1;5-pJG>0}KnOx6&8 zx05vd2zh`NE;RosyqA|*FJO@-X{;{R^bAnmW>Wr#>iG#q>h{)O(&I%)jI}?)9N2_Y&&_OJUG5;Cr)Y&z%z}XXXfQk!CO%lP`81aBf;0u(o|kCCi*N}omtEx$bHIrBE@dexs02Q$ zA5unIS~p{5X%fgU{uF%MK1+bFIKu@)yAC8}3Jkn4LdM=_VKP>muS(LY__DQ-oa(I7 z7?RtbiK_uNSHxZ1#IQa#SGUbAOs>xbn;TVNbE7>rw?%C3B7L`H?vAdn8K%ohBC9A0 z;IoD4Muk&;mi^}%TS^eRGXL~;Bn3C4q`+R>Zu&tDwF7ikJG z;`H(WvIqrc3updt7-=z(1yr2F=R8zz2biM)vw&REfFpr8lC>DAkilyqkt-H&#iAS& zoRVBijtC;XER1vlb-{@q@#1^smO;KxV`@o*3jhoBnListuTb=nl!WiXbMwUbdw|2D zGiMk21nZLpK81wy-dgLnG`Fc9dRuaVGI2Vah{1@+bp;N5=M>;4|x=a6K(HDRxE`{yNWxm{TR z-2Up@uM}H;z5$hA+}*_zt*k;FI`vIC%9hyY8D5#Sw1JiBX|deVhFGqIfsL`;dM3EX z!EzN%psd+FmYej&9?RWhxoyO9RcDoLV!3Z>m@*pxxJ4|*O^oUTxOLmy!i@S{09@0k zKyXcC58-YP!hH>{GR~C70^s!+4w$6Cphw=l1w7zuM{#rF$ZDpf@Y&+HgnRjXpX-2U zh2#oX=}g1$1BEyv8uJvarzFY}gDjmDG2qfW9^=qRs#MG}j*sa@H+La|w#g+m^gbG< zajYtIF4|kcWQ<4;*1ddHp2(}BV z3wCCuD8*F2@y?ZW51o=W1}{%fwI6+?oL*)b1{&xPx%`KI<_#uuh_oZL&r@Fh^yVj) zm^Z@gx$CL31aKq@SyE7+qVOa!=zI+@`$L?@mt4g}?gS;_Y5yFqNp}Yz_GCa&6M3L3 zU>Vwfx_b4ChLV#2%lG&98C=;5@8{Fd@nG7cSI#=o;@5wgcxSzS&m55ty`ugHyd*&F zFpqXL7eLt$`#>$glq|t5{>JVgX+l|W8ur@F zlJ?pevDGhO(m+$g5zUMI%NnunZ}8e(5FjKYTzkpSkBHzz-|)Q4&{glQXb2Cli_MRJtD)|52NXL|6_rf~hoJ_F$s z&XYTXtG|lf#6EXD|Mq$=L{OqG{4|*X-UAaC=xA!HfjJU&6;OyZ;`(If(7-u^+?P$G z(!q%oP|qNA*97}qz?1;?KfI!hc%krs@6s!)<8bB_CL6~VGioSgTrzxdM9PM}i~+o_ z=D;^5H--fT^YJE&m9XGoT4Y>_Sf>#MPhU9$-D4ljBP6Fg6;dnpppZMpAh*r zfv%iM!+!{8Y_|>I@NdrIU}^r0wEvRjBAAlz&`*&Gnk~DmZN8GR)%ggsV&jzp9&pGq zUDH(A_p$RBF8!JhqED#-4~Kj7oQ7oqKSLFOs)+XTwb&t9I#J-y&o2_PMSXrbSw^cX zAC{LhO_nkGCntF=NgOSvi_S)p$G19XV#ej6=*b1tV!tOL>dBMbW#r7*uYA$7Q1!8H zeBNd-_RqdISxW;g_VL(X_?^$K4_Y=yqpu}sS(rt>M11+HyB~Siu=f`oyZo3}Ez7J1 zg_kTBniHrA6Slpq&!B$Xf16#yyd&GuZcInpw;Wy1FWH01JX$&61644zz!_%SB-}xf zc&Euny=ZLrH#|R)i$>0jjt1nXb{> 
z)!6%Lw9!{XeP(H%47)LG)4)-qke|4XEL$qB8ueS<%B1>i+%?Q9cMWszuCWz&jqjIW zX4l}D0lVOHaJRHNH%@-#4jX2H(us2Td>uB-;yFLt0nf@|gK7lc zSBnQ$yajZ%d|-&*Ef^jn8laAcX#l(zP80zp0E%OdYJmL4s9btLl#Aa3jWx+7q~wlJ zQaxPWI`hfjXxKct5feXgb@hrWRsIkHn0orY2so*dmZ{33Zcq;b@Eo}1V8;pI4uo_B z-a`!8$6wT3EN_KUL z2A?|6J%$ef82P^vAA&E{dEoI-dda|NAMInUHwN;u<`pz7JTZ`GZVKedc-S1st7&?9 zBp^@K{KXpH19?eb?18*Jkk?8ePkCl(4CFPk^fkfo%u2M)Y=Gg_Zgng3>9fJ`tSSu8 z+GBXz!|;ffy}E>Yf|FIHz2PwUwZc&=%(fo}K#iw@vY1cO6oS@;=W zqsmtyC%)>k+wW;ad$iXt&_sF%12e_JL6D3DZZ0t6ZyI((EDYqEM)Zv-U=};%X3C<@ zp(m+!3kDPLKSitXJ^6SI(2TK>UP_&q@T~x5X}W3uAjDYz-vRgng*e(c;1WP=-4V6Y6_6*bN#s9R~(}7{w-Q=J4^#KW05Kv>kn;TmFkk_?mx~!!6QTtFoBF|u#qn}M7H10j zq~?6VE3u(^bp-<=f?OxKY=G>~Z?7Hz5}pCqOK1XU$dnt?$GH~i?Zot6;zUxicNSwe zlSd4IlazI`35fH_$FXGUGZ|R#1n+&tZ@r+iZDBbV-V4pEBb2fUrX01D)rj?|49ApJ zB*Pcicy&c_Oj*ff6yxITQE?sCYjFkqT|$f)W1or)W=~1gY(+)25Fl0MX*ljc5_$qO z#ShX!z~cSW@pwP+-P5Xwr+J|Scor1f1D;=2mh0Vy74K2OxGVOkV5um5MX|eNE!lkl z?;b?mdNgF#?u8bgCk9ciO+i!{51WIiHEm*#1fr_iC0WCJ5H;zGJ&3voQCkV3D$gt% zf~YktzfAyCs}kz88UU!ZTiwcB`fLEyZWVyq-2;#Zx zhL65-V6|JIbfO$SUtqOcJk@7A;91{4OjGX?;2{P^N%Ws^XDUFVV9}=~Jxreiha3L{ zEchQm#U_}YN1M!MzK6H>O&>6K$qLHje>_%XA$uGq-$!)_dI#Wnh zNfQG^>v7BhN&iE_EdBY%$ucDOwW?g-OEm11I=JicJ-esDdhS7&&sPAZo<>aGbcQ+L zCBN|{!Jbaf?C?5KTqUd*rX!8bN61t%BXNHz;kJrsE1)mA`}hq=G)AwUX_eRT;_VsY z{ksBy#4vUd%DHnQOqR+o*#!vdc7kI_uPP=tMMHbZ4ZGRrk9&_U+O;LX5-l&9!80x7 zFXd!+ateQTbUki7MiuwDVv%Myxw0rZULU7I+>??41W~#^0H**^sM1iPM*}`-uN)Tu z+2)<_C0gT#4a)DeQ5tAmlIh-`O<4b=KP`?bd?WU0DEcTtYW@zv%ae2<;@O$@cjQwi zNjoB5liWv&Ld6^y3NBH=P%#Ff+1ZCpcij%@jYy=?!qZ93Wn6)L{MvTHr?N_ zy73LGe9itLg2Mvcux&FY%@_>7mYB3;Mr&PUT4whA8nejO98AfI(YjGBT9jH6ekcV) z)?m4qF=rt8u};e|CgHUpEiIFCR)_wQ(3_)n9~rqZsF$_5pta$NLA~y#pq`9}%|X4I z_LxTk^;B(Qtl>SVm-NLR)Z2r4tpxRyXO`xmUSktq6LhaziNkdppnJ7j-O8l;Y|uTs z3f;5!=-zhFy$4Lp2wt)X=mAcEo&A*qd3J$*i6ZxWfjql-de3&ia|QC8BzGsQK2$@{ zh|dF7IHa}&+K-}R#L)5w1whf>-T^X{RHF(;!(TLdsHQhl#+RZ3(uWzmLBpIZ6=O<; z&>XIX7%n%*d-3R9rZ40)lI9RXjG(_FgjTepBD%ncZyr+w5C{QWGWzCvULOb)dP}F2 
zoZ_XdC=gAWTl$M|xr+2z2q*Fo4d3_$*I%r3Oo6TgxU!{Ymz?joVVy)Z>23%Db3HHV zHv{i@bdj4S^-pfth*+lX=;VKYuxqNR0 zSzU3nJLZr578&>%!M_K315NUlstH1#^h(6+rJ-Xd!fSu?SazfAumY}IHi)2ih3^q! zWC73=|BaE$7w50z8%A-t%4_25a5`~e9wI;+0qkHd!?{^2EXuGYXj?=&JJ4MioyFeJ z9~AJT?D5wbYDL6M3<@N;6T2=rl{zyH_e+(akAxJRVlW^tlzAt9dJDmej}%IX_g3EG zo~NuJo>P_&ua>l^$k?OCP-eb@0lBLsn%R=CA};z3{Eu9}2?8Kosg()(-YkP_OhFQw zOdoYjL&9CQ6i?pTGvoo`q-ZvbGXBjY&Ka7X+~W&l94?nWg`FGTboc)T+)zLyetvl_ zq-lWZ3WK;|3Wc@jARU@537b#E{RyCn#qV{Rb~JnhYnj>`ml^Bd~z8e zVX&z;b!33nRuTar5S8gr=kdfMEeN?p-vt4(>5i5r1$g2p+RsU{cN#hg4X~vhoTr4? z`Ge!6Bu&PeDp`@Dl~!MGJDc(LVtaoI@8xCI3pjKUtJuYw8gt@W{ zO}x&;pTgelv&8v;1Nm3XPWl?g1cpCXc)`WMEFn#A+0)Q zI_M>c-Eh?lA#ng3v?OU?q%|1`$43r6Epwx@rywBEqfQVq9umSxOk{u{y%0W{%3Yco zBI$;_dNZ;xz?6@_3pZvF-5PDrM60zTe zlynwIzFrS16>niSfUFor%fb~oa=CsbXX-X|SAJfIlTO;Zk(DID@jhM@C@mNKL=w%o z9TyZ~Wq^J{wC~;=1UtK1ukcow>hR#!>J~L(eDXybUGJv1Yj+#XlzO?*yadM~={Kp# zS(8V!+3BYD)bKZWMQ70CF|=AH){^Rq;`Yer zWeDD?8mN<%b-dMl>!SXjYyRW*gW@}+ z$*RUqcl04YF>0merz2uU9JN>N6+%UZ^~PCVpQb2JaO-*4?JoatwzT})dh=D-?Cdw+ z{Ql?5&rSW$t#STrZG2t{* zdvvQpjE`z>oR=LMPGMvzYM?5#QiPmX4r=Tr&dmgy(eSN=!k=XFv~%k^N|uwX`%Pu| zrZR6E!oQ*ijgIEhH^pe5n`P%mhaM%D-2t8WKHO4LiguuhuiPP7NR|1THv=^|U-f>V zy7AR)39cs3!>+(A=JHv(Q92asVS2Dvs3V>ggotmVxAvWux!2^+|3f`M1#&92Rzy|V z7O!uvVoxGdvhXA_Pa>O35?O7{GBJs4 zYE*I(>e%*3lGpYG)UmN^or!K;80y&0DC*dbr;g2tI+kWx69WrEgNza&V)kdpy{j;Z z|KPd7w6bT;BHO80cKS?QTo&0*weq(Guuv>AeHDn*7-DC_hQvW_wB;jX-URsqqJ4^_ z)Jp*arZ+c(B!pkHd!a{lb}ky{)D{{$02c%y15tRflGcn zTl$5b#50jB7RcA3AOI-9XZfGO#@W*EKv3aq*oB;Kt)SEC!$0 z;tR$naF;lYvrCGW_wZ!#3tF2y)v*m;?s}LCKR&j>*Ad&Ge8BMV)B?g&wyl7^lAjo! 
z+L;!fa`j<)cxp^L!Xv>`b!|DaVh>L#S$KHL!&7q!Pu12eQ@~RbTd^hqrgla`NIMe% zQ)AaU6Ro;1z|`(2U~1O`Q%?v?9m1fB+kC*fb!nOAn!V2*nAZ$mux(LP@)A8$$7b2)3W79S@u_ z>wGY3^XHj5ym&yw2YWVWg!kKV{CGgb)E+k0R_6n#wlQNt0TKHPmA=iM7!WbO^d|vC zTz!}x5E=99^^pLPx)uaku?IwyEIc6M0g<@`L~3i6Cjdkoc9uyXk=>Et#qI=<$k?^c zM6WIkB=T|;B=XWjB2Ng390?2VLE7zx7c$y^UQXn#f9`O}%Zf#*&(p<)OI}uQ3$_5< z3d6%Cj|7((JEmO5fw7L&?n<6Wmtr;Z3(uB_jh+SnPw-PO9o%MTOTv+aZ)x7LxG`f0 zWkf@z%9(*n&r!lzD2py~2V;;ewBCte)g3e?y(jk`^qt$zStXZ5s^*Ly61>bTIO#>X z(}e7Z5;3ZOTXhfOk10nZc1;fLeR-Mo+PKwy`0gxOTMPb811jalF>&$ETlKDD;uLN_ zB8xPI3vUT8t(z!B`}kMtQ!Loqxq}TSVW(b3?bT^swo&(G7v1#oBfYG$d!t?#ySm0< z#6>;vh#u9be`7@bS|@5Eb|L_x=I}Jq+v#~a1YK-g7z#ix7-w@US6p3~s~j)1YMqWB zt#YBA)$&oS9D#54szm8g#Xj#t9#!;V^gOD_KRz1Zkk2~p4C_%v$B#!9J*qe@s%RT> z$b|94sN&0MQAJlDrbiXWH1a$Ws#w?1CM))+qLPJ26+Nmrm#AWG&GH1O;`pY=NkGS! zBjLf96M&9m*E$omyD*^Rt5KliD-Sw8J?JQC!5(cKHdFJ}s87(vMH^pLZx^-z+?v9p zjZcX-iUmB+Fr(c)%a$kW4zam;^w z7{~m_hjA1EBTtsm-u3B&GLl!Vhx+)B*5aUkr3dk34q11Yn_R{T@+w(V|@g$xUuem#U}(7 zk0s9G-5G1oSh*mKiMp@=Blq6DUz7yk))*dOdpd+Rp~t&D?A%Z0@GX@ z?R(z0(fc-1Rz7^@w-3X9C^-gcuQGP1kC^IH$c;NU9w7r6pKj}?ALDX1F-X|cx*!-zit_UP=x)Y#*=7N5t#9&20OWW^qPRI>2cqsJcS5qqq! 
zS)KrUoWKk@0R~yw<)RL|=XEg1@oSxl-dz|BvNZ~WY%Sdt+r2J>2NwMh`bWQ!hskH-0UFR6X2Cyq1%w7pMGzc(QTm zwu43Z)bntoha35{?h`c1A0J9}$XA`FK71%u$B%~_eJIr_T^&ny9I{|MG2Gai7H)L) zVS2c6OdHQ5!Hsq8Y_ehxH!4|pxY5Ina|t)r)+|p6H$IN9V`X0zBG{S$XB@lMnJC)_Bof-+c0_1p@rw2oUt?~^L3|B#l-~_ zH>$S;TL23MC?4gk*evLTF&Y(wea@?u1^qODpa~wNU)ypev3nYp5->boMZwLW+mCOt zKK5zW8a{NZXUSpI2~i;E=b_3N(<>LvUyB!*?*-JjiF)2e9T;xWc;&2-b?Yu_ws}WQdk<^9=r-;3v*t|-<8n$)K)56;Y|_h`&Cy zOSae7w|9f4a1@k%rpDxQAQ&_%Zcxs;iwN*%A*PE5AeceezKN4K!-p4MTMN0|uPOei z-5|S>J}P^`=HJf}x)z4*H-qF7SC;!!8#U}Z;W@SP=UKwn)SVS&lm}{qk!JV0y**$m zEJ2Z)PcLw&CZNDxW+`Fux@>TBgVp{=6rA?MUjKbeFi(JT%k=9{Q9@^es0}pZb<)o7 zhM!7zHQ4)r8?hI(xi!m}x`!I5(Kt)AvN*zVg&(8yEGm}`L=`L4fe#Mwonb z#GmRu*y0DzlFw=~i9Ht;$ceRlwj?fb4#=eyRq|H~XWlnT?(ZLps~8hr)bv_<{78Eo zOa@{xWSzkue?085x1lONbH`HT1@VTwkf05CWt_C?AuScfJks)YId-YpSmB~m zittwLwetnt(}u5ZKL8pEHh z*cYmu+A8K-)g%|gMAMwthuHL&7R7Ze-_jpRTs~MOFc|08(u);fDMLOXUo@r;R$2OR zrccHvMsPN!MQ~hwm>$6y^P~Ea5S+S(4Oy{Aa5OaoTUNJZuIH;{eke=tb5%HWe15xU zJ8k(=u@)2Ety&9Hj#>~0X%96Ei^+%{$VU8N*b6Ei>c+`O!$K#XwQLQp?vDb<^*^<< z*JlS#l4B015*%4_l&P@p6@ZGoZ=)*m>3n-~K1w&|7s08mStdqsCb7dzg3oM>L{c^; zz-Pv;btdX`VepyFQTWWJ$7kXh;WIEQU7Unjc7X5Jk8;&Lb0}uBVu|UqZgHWQ&1&6l z3t&;9n6_9J1A;?tu{Q9^c5q1xghCM(2u-J#-f)CH$0vfaY5_eVLpob8gKnCB%!GGW zGROvDxBC!WV+@02aB~4WeA>xzpyIv7>#z#w_59WX^~q%*Dh=6bEZ-cz6mGK#>Fz5) zLBtvadT<${bu2J$B}8n)O)1Rw$%8PV3oQeP0Y>h$$K(ut48lcEbMdT-S8n5#N6B5- zjg{mY0R|L}ZNoBuOO{akp&jiZRGAFAT_yHraFYMpPSKhq?V}z{3~FfxX;5@Zbb_4m z*iVA$Y;EXu(q&q7dV3r6N1VSjp+#~NXQdA^$m#67WP^|3Sz_HdP zqR>5`DZEvjRFv1yshEKQ&s(TNLZ8;wg4Z-31D=l}D&;*z$HZL3RHO9=nFK(yFb{!X zq2^vh8k1+DoSU=^)vVKIjRR}L`vH{j(4Q?eB<{9(wiM*QZ>!5Fp*!FlLO)(chfyCZ zo)Mn*17<*cxvbv+40OtAq=uFFMQQQ4 zo>rYz?m}GF>Jp7SfYf!cN?cuK6+!ok-smkg%ZBZCEKa137U!Kg%|eaV z`Z{5vh22vxs_;!NrSMJ*VlA$tj0vGugR8Pi2hgmZDBWyqb7R#+D~ifXjSZ@l=W225 z_*7gK+ic$S;mEFlbDxqP-x~^%+^CIlCD>R~jgGmkuZjGcK2ZAop`%okDna0`5h_ZTZsGwoIz=&gDIc2R z`tj+?T%q9}3->`zJr@4VvG4;N|LODYQQ+`aYu&@)G+338taoh`bH&5q=8_wQ*EGhr 
zjn%ej!=4n9KC5ZcY7IAO6~?tM4TsytOETL%F&w@*EgbIZ!}M_Yn1;SSJ;Xu)0}`!p_Dka9vOs{Q`w75!L2vp16kcMozXZ#MC*Z{`Re4h z(E6MSqB$cUJV1V}jh2QI2po@G>CTp9g8_m6UEtd7=n}-oNJ?mc|H57+MiFQtFo@FQ zZTa}gb(*j{C*DthJ?ePV3kRI6tuVxkMioA74)eSLM|p=e@37X3FcW(3uS2)z9@fLv z72TIm7FN%?^AncmEgyI9fSl5@an|RJ^hy@qNbimGKHVArc%L;}Q$D88+L!k3`_Su- z;n{c4jqxx}J~*MaAIZD#!@FPHqH;ip9?zILo?(A+(zn(V;~87i;u)?!Opj-b`8E1T zct%}|fUMZ#8A=u&&+vH0T;dtEHOs_!#!$P>Bp}7sNH}3@0+3?tT4$m+7Y3x*9tBct zdyryAAce^0^k&eN1h=1hAqKkrKE>hqnPV2)6)R1je2a@&Y**`YTL24%Sy)-pl;a(l z*E?7z=OHhY^AP`o=^T{aXg0tj;02F2ewA-?z4yWjCm!bW%&J>-s+7H97Y=anmQ88Xk0VEmf z!5)5=;Gyt>Pbm@LA<&D_!m#&H$Xicf2jM3?Cc-^Y`6YIvu$NeliD=jD^%|ie&2D@X z_nT5;O(BIk5Rqf7rE(13r+N^~siC9&K|AhqT)YDE!CzODO6fG}k@uAFTRR}^x!uPby1EJaco`#Ox#B&U#LFBcru} z#!9CStDv5KN_*&SDYuy8(Q*Q^pep&8qdv^vv9gd!+2Nl)8o3&0yt?I8N9r{Fw(gTs zydjD1|0nDY2q7GjHf?q--xurZq*%Y1E8&~E`(+y~2K%VJDi??0z~gE;rr1%tew*dI z-M9S-wMoc|fY9yzD{BnnPG`CFL|YH{l~xuI3-S{J}kp5e_FK%4=-CuZ5h za&=lbS5ms-W;q$1dTyoE4pnrVmN?SnO`9c83|TLw6I8PofuI0@-onRqt;f!HN4Th~ zgoZxc4NKJd->MM}Yc@9Y!EBUfg(f_ycZD^zTM7{!p z$WbERcp2hrVFt5AM2pHR%2mbZ&(oV;a5{7>98Z9lIRU~pUz6eXi3t$f(-I(DeVCpA zF{Wwzkq8iV;RRW-CqO7!cmjkcK+GipqPAw4m;f;mDlrK$VtXWoVS55%#MrgYM4v7U zF=A&FF=EFPBW6O3c*DU|VX8_KP$9??c9Qn`VfUF+B6cd)m_F?mmlCm4t=(+_EO@d> z;isvG4;UHFI1iI5a!88Rv>F7I%~h)vkaJR0i*Md61w^6WwxTE(@r;j7D9|x|VoRS= zd@BdHz`$m1XVHbI zuLljrl`D~ukyIAs)_V}KiMQyLYz5+m1nDK#SWi{@;$Km88(^HM!MGeJFVwpUUlg;0 zomHt_R17^uGi$l(zHv@DyjPz|GjZP~r`C7Ouh|P)?K~VY2tYq#zTnz!eyxbYc`h5b z7i?GDq7C5`y~Vfd35sp3m&%m_scy(3arV;(EFsFt`P+K)RoMLF_dj2LZWh09)%d-& z@%e12UI=9_@`n(oOt{REQ!$WOLGd5bbJ^*?Y(Sh8sWiMwmvhOjaPU-pv;g^cAJo%! 
z08-|#XvI1DvFwDL`gSv|hL31jG0+uF=&#Oc@F_4TbS_3P#o<1nL9 z_&dKJhl9BDK*|w)f_hEVhLhWSGg=T5m?gC=^LzsZT{Wjp!J#HUzm3crbKujK3GpW=3^_D z+b>WogWCZAE5<+@LOvIel{DA|#qlAN%2W=Ie0JOktm(469Hz?fLAPRj%iz+)_UI1I z=~pxAvUQ~>WynC5Gp-4t{F6qukOxm!n!p1!PrHp@M7`Fdeo<~nTK za^iJu6LgD1r!y_sQXHP zlTIdfnj^G$DM0wJgahtSLcDsyl;#D#I4`_|=jfm+_eV|+cLkn7I1+>PH4~7=X zy$}_ZYrOai&<{7a5%BNSqLm;pRg9^+WY~L}r>63i;r5GBQN_e1JHmft7MdgzfM!pz zg6=Z`-4S&^*OjHUYo!jz$DL+N!w{lM#C~&^bCJy>kJiIn9D3v%OPZMK_>GP-Ds6o9*(4W{*vCi%M5N|Rb#Hj;XtMq9ZDTlnQOH*%f!sJv2ol_=lD5~Xg&vuPhdF-A!gKf8Bz3EeMaT#p8 z)mq*bz(O(Dn7wo#ce?@mxd~EIi2rdI9$1HoN1fgiaw&5RP&6FyzJesW4=#(vBZK;A zG;0p9FN3rct4-Rn1+Xu&83Zh`6n6hRf%^X|dQgip00%3*WM?gM=IY?ZWSgdh<3tn- z(hI;xzzVf+KuOV3Ua=Wjl`ko(E#4I0VXM8u+9nG*cZ7Y%x)3thb#|73g5wiNGp9($ zKzy$|jwe758_l60Lj-eb^`KJmmXWdl4D*LMYARehV+i6%w&)CP>)ha`$RsOwAo!mfT}sc zF|DqRYb@!ORdsYQi}iNh=$YW$0{;@TXpJ< zZ{#%XRer)6hsns-|%R5J7coJOzh{ zv1y!hBp=E-k5_RJpL06DEDwo6%oAbF+4>_9;pYFUJ%6&W`_WLT*3F8{9G)@G?Jp| zDENC@;@>!`<@C4Oz+@q8|f^|4% ze4}ynTce&%bGK6u4K+?gsOkoeEaeCiWsoV1dE77;MV+us`u5Xs4T*kHi`S$DW-6)P z{1Oo_lvZq56P^DqZt&D@n9B`(ptRSE@O8l7kswuIv!!GGG%1^0U98DvsCqPKGkl2v zQ9t8z%2Nk?cqktpY8-5~IyR0InB{*fFZ<_P%e&YU!|aW(Ytomt^+yudK{p+= zbr*lnQE(a$U#x&F@W>nm+m1{Y)FKD z0(O-EX}(I<_?ltwh+qq|Wo4whzSOnFM6U=;mm?c$LEuvdHCKjS*Lxrv@q=M!t$3&# zCm#*KN<3@XXeS9?rvIt Wj06D6DD&hYnN0|z+tDp?X`!;VtKAmq`&PVCy{Bjg( zYnI753QuVmpM>AAJCcd8I|098>{@4{hZlz5@NyKt;icy{%!J?Y(*PDMNoCIPX%e;L zWPktgr(Qa^&5j9zqomXCucPB6%1HW*2Rw7e!^?^ls87npWjwsB-ZN|gEEMB`mr9VY z6%KAAHZd8i=eTzjCh;F)Cll6U<`v*2gkc9HRbngj!|Y=g#H&$m9|tSo69!E9?#VM! 
z5cMxtDHg7gItdnk5j2R|7FXOLGUe;7!5bZ4I$}WwDTC^LENO0XibWk{`Ko5L_ckTx z)G+A9*+;7D3QJTYNvK>$Fb{A%A&OI93nCZtlN5_g$!@GRP7Q;vtp&$F{`2+0dwOHq z383uq7aQb<3kpzi7hkc}MsX@d^nR5xh?c9Ajp`F5Y!N?-xQ?}*e1fo1QSH8K+*6hyu21}iTvczApt|V=lE}DOTW+?SP>s^ z;BWDgcgG)2Gy$|YZOM=V8-N1Ie{m#xfP#j+zy<;_++5K3Vd_x3U;*IEf(lezbzocs zIf=A6>^Q3tKPCd^f@w34xLZhmG7^QW2Gjs@VxE0SurJZ>Bch5FVX^R8#8I9)G0}$v zB`8w_Cy0`WCn#9NcM7$&E+W^6(t4T}5FwzIADF`N;q?9S+u-o{?f%iP!LR#oU;meg z)$(7j|G)S6b>&gH5;S@awDyR46}36&Iz_pNZ}aklhAA*fc3T*c{&awx=FsZ7SiTZh*(Hu$GQPosNRyxtF_j+aX|{Q5e?z0$`f9e~$jk9wUFQ z7`cAN_O9skab44-(i(13DU3T`8s@c)XJj^dVwm^kv@ox$57WcEV;a^T3FfV9+>{l2 zm{-Zd!@M5molBUvwq}_a=AF55cM>S~tBS>@&%eb*ZC_Py0k!}Z3bkbfmF=sXcY?#f8!10!L~4L~ z7ZHJ~GWFN;A;3GJfA|$oU=^*sOS{pEmVlJ;(05VT4rt{C%i7ut_=}o-Q|aC+m0A(b zw1bO`Ey8_RN2*Hl+VidK^u{_3%d{Pk#RM5lN zQpAAxDiMGkA>D$AcAG;`z*2;N=QHwqwu7Fag&Y8(*9#xcyHRr0zg`}Rx~&A?2kZPC zL%7MH+a2Z=T|&-i$=8DS%JAT19?|7pw5CJ%P<&BzV_aylP(!LwydGCiFY$;2XRL5T zcfA1!n7+;@1Sa(=wAEMW5&=gRfBqX=9NN9IFwVn9Sn|<}-AdEoj&5Gg98R z!M*eI*AMI(+mDBI7ZB35Eo)>`dSXcT)wGbVs}Ivdx?@`19tqN|Yx$HFdq`Kw!b7?q z(w$34x3*@P7}A~87(5Ab`)VY{`f38?cI;YbqEZ(Hx!qhJf!uDcd*pUT$Su|p`37=W zUM#EgSxz3J+VM zA8{)W3Eq8Z4w8=vxmOCmP0boD*GirWT!g~bVO@q&FW9v+czcME4QM$AVm$_OK?ckD z61hTkg9}~}H|;FC6w#(HdgP$Fmg31~$WJ!=;>nfOGjga0G}#FWLDXK2B?So;smjYQ zmsJFpAW&VQ11W}pOs~PkfHEgzQh;145SJ&ciDvCb4u>qO-8QskyV-&LMbN~$f zA_{u=ifaTB)5K5}kZ|D*%j2sZLNei1OHtN2{4QCaCwXc$I2l~vHjA(qL$o>CFT?tB zq;=`NNsia|Q5T~hee-pOE=q#cfC9wW_HH z;!o9f`)~28DsONzwe$Buc$F?2QWD96tZtF=Sns&BLj;!3hi4C zI==E7$Sk=&?1lHMVqc|&Adfq&7I`}t|81U?F8`j=L zQ9IL2pS;np{>xVXtC!gwrnT6HmW9gR!=6)EGgtU5)Cb<(A0Xx+O77xb%7mkDjF~8>D<$B1rf^?g)js0IOk7a`>Gc;D;ppW>4lj>C#h1T!k)p{5%tBGO`Og;LIiTz&Q5!=M z(ekHw^5wYlr8>VMoekYotQs^{4Z%I+i>JWS;+-#uJM#Eu9PhBv=PW*2@aU6>k#ZM@ zDnm_^k4)nC_5i1`xEli$$HG?!58h6R0C;&BlHlkVp{XTJXa(;@)A5q3A(y%mkI0q2 zhYc40rk&+}+D-34x6lL#6uh*XHG&uXuLzx?iBGHad$lpzubz+a@kWcZ;1!ca_;{?? 
z`(Kcj#FEjuNp4D#TECK1Vv#QFbtSKe*(Lwb#K8OxBRsx2XXM`+b41haCH{%FFdU4L zf@y@#6ApuL}L4+ABkUsA6^S2EAdiR|V6#;)!9LZF4Xu zT41GVH|IR)(%fYU?wbkc>hqKHpEA#y>n+9vRT|@?isyTdqaAXiC>|{7f4p}X!*S;O zn7#eLZq}qrI-h$i!sOOy#-z^|Lm#F-UrYtFQKh3C8nx&U z=1wfD*LVC)HdAKhwmUS0xVOFTS(o_nDQCV4)}^`C`D`=8WMv*2e5x76H(5-=YKcxj zK>E`XRyPgi*93%BXCI~}td2`Hcx;_hbfgW?tz+AhWMbR4t%+^hw(VqM+qP}nww+9J z`uqR0*10(s-50(3s@Ljzt9Ctm7w&+iO-ESO8mejv4UfSxs_JP%ou*!+jEs8ruLJ`S z2rHA~ zTA)^tyRKzPk4ihBn=W6Vbh10&>z=5>h&BtvN&R)O43O zxAvh3wpPq2@@mFhYUr83xvq!iMr7W}*~YIPq10Wh=o0#tG%wfPN8{I+>1%FjGU8Vs z+NeDT3GbXfcG7@aHWxdtg`CnWUag57M8`2YnVhCmNw2R%VbYP@k%)h3RvoA5LwD4~ z*PP)^FQk>xwEJBCi%z9E>)`|j2J$kzR*?nE#EP>QL@fXwkQcxME-}mV zW=dZGc)$m+C1%KYF6iwl)k6-;oV$(!<4qBr( zc{F5|Xbyf}DS2&qQf~Pp4ZdI%Xf}W4Pm9!?8Dty}KVX~0G{9;UPk=(3Ko9|vQcCo? zvxkve4zfLKMDOeV?~u=h8g>Y4e(1JnYaPGv@{Ufh`v92@2S&%RAN zhJz2Gho?&ydtuL=crxc}k?2HQ;x_-#mAG?vkPt;;mCpIAf{C1zNfP|c#*_FB;yVe! z&OYbpCj$JjbSZ6#`$jMcu>K4CeG#!?qacn$) zd;;Dy*{UkSv<-i1AI@y09+!CqGq$Z@@(go>5hy{CMuw8g-}IC;fF;mQgKR-AyyV1X z9N|YIG}Fz18_!rA*N!rldvZfGBgqW6&3{dpK&46=PHys4Wl5HEtwx~m&CK(j@5b$~ zegcB+t{6M!8dS}pRy5FQdh|xJjPl6=%2Z6D%*vx?)p+P~Qz9H1ngspv`W++JY{7Sf zxrmjIj}GFS8LOyY-jdX(M&a^DlB(O)snmk#W!iL<=e;)e2TpSE)x_UYB4Y?Tsopf# zFdlL|95z%bCl`7(l#2wOX!-K1@NsRWkN3`LZ_h0^m=gDvr_feH^NB-|xs{_@>XRhR zp{754x#&?HEVAX(8ou9_U|}2=du@4iM==U&v5DL?4OkR>&X^rhvWZNPn)D4ji^1p# z$>BMxbqCO+%52ych@~s)UUcf+^SLxGOTI5>L+gs1TG_8l&I`ve5&H|}&RFhgc3EZ1 znrJ^d%RtSj8Y|b!VL5B4P7{m>AyFUPSl`{cS)MQ#ow%6Z;DTzE6VK$-Jl?(#fYr7^iIH$@887^!BUC zn%_D~KH5Q(4DYVXAG_h<92N5~ioTZJxb6E;vVV*PB``p&kcY-vZ1|K&_U~A6(Woy4 z1MEno{7b>6NJ;YmLlckB0Tl5UN!ibcgtxB|$dccGy(||d#Pcq0$cLThlAmhX&$*2| zsLWAClIu7d?9-2PAAWTmndf*VxVs3JcK=y=9VS{0>Gc!d%cJlw{LnlYsd@@~UxGeb zA|##aBRIIaQP%imFPoFQ$%0PD$}Y zQ?M7}D6b+5CK-A65%j{*mGITsG~e!t^7v@jIFE)%1>$xBv&IO`_#bl&(6cI`uJ_=< z7zJQK6l9~<*~LRWXi}HnOscSr(U}=oVQ1w`Crz6S0*<6^yV?i ziECckH)!Kx!(&gEWny;o1tk{OBNaMI{$#w=cjBQTB;-2fO&PIpprF^!=%ooS$a z`WZ=*wytHZ!rI(Z&^wBo4&r3?;Q3X4@>xt%=u>(bsG&QW>2^g_!)*o;HtfSWH0(YJk0tmDT!TIBy_2O&u13@Aw~v1U8n1tV?k_{_ 
zxKCzZy#y!cE?DUGj0FXGz(xW}7(gZGVAs#E{UOKdqsj8v!A1VSkP&f2h~rNhZJw&1 zFN|Mv2HwP_7@MS;+f^Pr6-{w&XfYn=6n8dRhn9jGT@c5HgDNrR@=A{k+yRF&9MN8bp%ksM{M%7Upc|BhAKeQ!G!iGvBuy~GRo`-W@ILi>w{b1-n#OS6bxwU2MJHWVt z;AL`m!@tPyeD4fdnxKtm$f2~L>*7KcKdqS%s)r>JDJmsk_6{pSKQ3vTsf8h|!|k?6 zjErcX6;)~wj&Pt(>2?eCTC?*I{Y4(;Wb^bRHWiE$&2_{PB-%D7c=)1lBcnsdJh~|} zJR7M%{Cu1_oq1anoOx8s6)4M+m}r!9XQX(H`e-bSzaBKA&GhYZS*C;F^=;^r!A=gFeC&=8kRWhr!pcxH0SGHZ1wR9$RyhpIwE{E?+YuZp*U-~Z$>o2z zRAGWD*tg+Oq+BUb5_sRmf*e*`z4MW{T>s*zva3;{7MhIkp9gg5 zy*X~h##MeaEv*$r@QWXU^hM4b-gRV|hW<*g5e|uoPEN-ZE7}f8SO#C3up0F$^K#L# z7TC%J>flfLBCjD2?;l0I_3!q{%;i#&8hSOVwDJWs$AJv{fPK`4q1^jTfZFLj5H6QO zeArx4um8@)I@`^_ICBFu$a#J;lUKyR|6HmM0m$zYwT64%F6cie=%>{cnk3MF%mYAV z{ok!(1y5S2`al1n=;)mcYdC{_!=fyt9Fpxn=Db5_h7y*lO^%p@n=iXK;i>C zC|$$qC{0B1?J?~AD3e-X^rqE3`}01f)F2loGTKq z(5ces{Mqz6oxL}9b^aXs>)P8?TD4|3s-3z)_D|w~>+89RE&4>+d&q8Io2&_`fG@^o zSRBtM_at9qfuvP72Su3kAkI`=SbMMqP08RF$q82JBOZy)KPkE@xi~wHM3nCLS$@`g z-*0Qb{<+b`T)$K~v0VPnQF=R-``?wiES+!jbDi_Fgj9$c#VX)4YA`# z4tsyOy*FPt8)SGH5xRJ35v~BJAje&LOQ-liz~zQK02PE(ZMfs88x1%`fvf?bf+GQ= zt@m<)Z?=GATCL;)-lKrs@PxAg(r&h5_-(AXw^_*BfVcM+cQefqmHHZUn6Dd^Y9=2r zCg#U>x#|Nz7DxQ(j_cg^=PwI!WA`v(CXPV)1gV$0Mdh7#>C7HS+@3VNzYB9hxq{u5 z*w^2NJu-xiTvjc*F-^WDd{cYM!^jg*>a6?Mihsw5Yl7DPwa(#)OQ z1WB?pIL|9_t7fftv%qf%Z6vmM^T3fO4sOR4W#}0PNeDn>*;6bTKj`@~T!)-EBWFs} zxK7rP82rA`-W^$}tw$KuW`cEq{{o@}r2Ud1=W-*|cK?t*5!-J2eJyFMoX?nZ+O9PwL{lqCnhtO<)o$GqmB55VXFhgP8&#|6=bdM zmEErO!{(-jfc0p=ZWH&gHPA?I&T!2^ugOx$p>aH*Q7&@9vCI^h- zkM{7gE?dVuL*;zMDiqce!|r})q@~B`muh(RSo{3uV8eTv-kY3rm^&7QM3OK@zTR{u zJ`;_-N1ETNt<|Gu>Re5kMV2fmWOiNX#Cu)<~=~z1g-PI(+uQ_UGfjLH5!>{I4GNu@AdN*Ow_yv`%zsnOv8s z$^5ly)%O;ll4Aw^k7;@@A>$PEtq4QdME5j(5a&7_=xa#|1a1c;?0n9YLksAl6Jvp- z^gagz5pBbr>z#1y!k3D^?LzrFf7kIlDcR)e!cZw9;T>f|hw!sdLF63;71gVZ$)*)G z5ZzP7PaQN@yS}bGMLUJaC9CtXJ`4QXK^51x*Z-A1i!apCKE0?=-=leRj&8zjuZ$5NSPgA@-#8 zN1mVydU}2J>7c<7E&K7y(nnLicp(hUBVUjuNvE`Q+iFk|>}9r4KfX6@!EmKeFy8Ut z&i)Ao>h*iR*st4XSgovaU<(O2H=WsuheIj#L>j~uTMiz(6KJSvY9a)7yM8*7=quZTQA-^ 
zGO`@a_1D=5J4>nBkRG<5pw$50E;D3z@Pn6TA9Er26xe=?(Jlw0P5zYF;68dfYws|y z{w$a+%I-FpOISSiZ7W4x5}J76F#8 zq{F5p><%(P6F2dL(oWR8hX4K;*&PgJSCfimSJH74GYBcHRkn7-d6?H%dt5U9X#Gsz z{Nm)s;O;jP*OQSZrL#lBqLzB9)II>dJ8%huk3?g9SgQ)@7x;}54O+yRO8|;efjtfO zIh8a13w`bRgJs{|tqFn*2&G6I?0}+p2@7WbA%y}CIl*b#q}qwU`At>MeJYJ_F(5uei(x@~y8kzCmBq@1`ayS2&HsH27-v#Zee3h=_LCW&T_zz%B$x)lGVIdzt z@$||NBURp@M}Ez#24jOt(#2*(6$C95q+t%D=w zj?;YD9|MWnb3;-k)VinhJ=9j`BE#; zf?ok=&l1$d_);%qz)p?IeI@O;TGSJ(ZzB5d)fNK}|NDVr<1D7VN$k67L^V{e`T@_N zt-ZtY;NS<9hVK=bG&x2DeKMz6S1u)q4n@ZK?bFD;(!42W*0e#*A$OdG7tooS$ z>lG6g=CK+U%^>M-{VsKd`@Hhci~4#(anl7j#qMq>>MT8WA*zlS+o$K>DYmop?7INZ zB^X>kCE+WQ@Q=!bwbx2$r04$}vUIv=B0g3=UDkBqmF@yvt|UU*Nt^^svMR0xOC5?NK=MX+ zETNnQj7zIDf9A1ztTopr>C7^*ry2vcM^RdO-fBlO6OfKX0^iSck5*eEx5~3`Ds6Yj8*d2$>{2gxh@qdT=F< z6kL?9M=0?A2j=F0r7u_wVFxZolRHG4;G#T&E9doV6n6#`!N{<%o}DqzLc4@wkhdO% z6Rtj-rp`0;cpbVY6R7P5E|IM$?P<`qC3Q63CeglaS>umO86}Ufy;gNkhXflJ9$E!S zd#RKYN(OPggC3FC1n3r^V{$v zzo$rusG?*jhPV{!?`5B|sC(Q%ly-xXE^#ALedj`D7h;OE4FyORhC7gJRh^?gAo%Ee z=icroxekUSn_{$jeMwY8-$h&6`-c53eFO261qIBA62#W*CI{IitmwV~h! z5 zLump;Q{P~ZhzVdOm~>+hzTe`V6yLHTDJ$p=kFseUhV&m@h+K`&Z5pc5DgHt3Q$D{m zjoW<_Nn-G?5sb#Ccho2+qHK&O#4rjbP_;%VRbFt(w&7RB$b9`T(oCrULs>c)0QVSl zKz^&mA4m1$`D8u&Vc;jgWoq$*AVHGiwj#yBXsYvxM3x@JBI*7eWAoNCm8&h|7a>I3 zJ!5}`Bzz1U8DYKtXfgW2c2#e^w&N(9n+I#z-qOo(X8ms{^)kkSb`?;I?Aq}jFAo!F zR$Y35Oon$HtBv<*S9ctF(^4-tGEBH8pVReLlh$h4#WXY6$?Ej}GrldI4*)(8U$15F z{^x1>V#S16_o>K_4vTPk{XghqPW!oMqhaxRlAVL>YUVQ4f3!0>KaDpL3?{EsFESoz2(vQNubqBjV{`O4l~|IF(^~1)t7kk7SXZ~L zqhSdoJxWDpy2#$hXwZ)g%%3f!%h>qeiussqe1i)GPdESbcR>Rr#-Fe`uxGitO8lL3 zKfe^}`NaZZ5NOiu*z)u_0q{|Krd=s4$TR(7dxjf~zX%QAOVZnOGxraa z`cR&n;HL#aCjY^q!72D6g78!H5;sJ8oeob6(qko5D*GyOTmOXsi;w+E~x@` zx8yTup7}GNCFICCO(HpNCIma0KAk|(^jr$X`W6M&? 
z+;-3=o9!1|pGH8%Egn3zWvRa2mxe1bl8u{ySi#x_dfm!*+Z2*&=_e1}VJ{8Y(E(Vq zJ@FSkKP2Y7bYNSm)`V{XHbc+Xxle7OTL8=K?y`4%Cray%k>9fW*3iLp`ee0)rDg`XhsJ}NQ}a4_ zo*aQm^FI?^wf`reX(2r%yso-Wx@;6*taghRAf|BKLipiRIRGo-0^W5Y7s8~_lcsCxq%)yET zuB8=-v(Tc+jR@?l%a8)1gDcHwr?z6H@n5_Nbu6x z{^8;FmdfW&fQ5CS9fVfbP;AoQ8;lYiwGa6vJ{tB1RkUr47_+8>4noIKp$jf)j|hft z0Is!8=E2-cT#_7~uj|`^|7=koXzXBE{JYxb;zCyD9zAk&jF{Bl&)Mr1d?%x;lK5nEBG}&i(I=YadK7 zAu_u>aR>aW`l8fUdx9pcInvMB4?*+B4^}&OoZn07vSw>*?~nW@h7ow-?S=2N2WiYoKN7nLM9N^{-VA8eqU zNm*98)=k`@9}HKhQ9b%10;TYXtG)ye9jQahrr~CdfKfG%_^HM*_%> zVZXw(BgrdpX=girxcs2w^x??KQ~r?f=kJnx-wYsYfi7wg1ZLc$`@gIOMwss8PT9ko zT8?TGpTeW>@BFsNlKRMevAIL>m&5IvvXl&Fi8Fg-v;P;lz*>~QLxNvCliQGb#G62c zRG{R7v53#yM9F$FyB6Dt2uV`Li?PZS7tR@`{;oEQFSH`f45e1Endc(A*dukaqD}|< z9BaxNJY#`|Z3@1POv`6yq}S6f+j!PR(Npy-#HU$SBsOOafX0*oT0*ZnXQP6N`BSv)9J;t|;nk?;cJV{fra60BvNLVDL z+6^2r1NY1^uW+d!JWbz34AWejt+Gj9m=wT}z2xgpoD?C?`NAM-v}F%h>B3$U1rG?| z62ryP2!7#_DQHO67x%Lo8^=r%=EMg%B9p)Pu6DRy#gLmz;JTheAxmBhP6*Pyh~2?v zXM8$Vz120dd-J>WwjCi>;f5^F?2qA|KiMp6yTe27{oB+!yakm>DT=G4kh~e0K<0?^ z%0uUuR&VCiC4a^DnZd+SpmW%k>>z0%%*OB7JtAZs3Ozi#gPMv7%^m9+qgMAwq8i#urlgAjX#W#?(}{gzQ$*E7sb z@^ehA#%)epJ*Zigx{}(NW!CI1>(H_+Xisx`GLq$Cj>uo+3*BoY$esW*CXVPOdX?)PD_6)TUa3-(pU#%qm&MQw5J+&H zKV$YDxMXVPw5Pr(2Br?DT-F5fn%ebfVqqT)SwcA=t38+Y_d>U;6o_>P=|Dvq^Prtz zCk5(ong$`;%^6h+xt=9f_V-;n!N<1+H z)<0(Pln(i)6%GdR`7~ri8>mCStKNa=!#J4cF>*9+z0zyUqccp=eZ{=4u&v+*VCZ=p zxA@!At>Ywk+mMU4glR|fdQ$VmKEXh-E&V~SVCoGWOdR|OMxdNxFVUdQvZ?W~<1yA*jQMFP}Ct3ck0u_OQ4NO0j6PLebmm3gg z#yRJZXRBB=#y*$BXXUKUZm45YwE3<&UeQXaT)7AkIZghfIo>YwijP{89ukF3>oVCb zg{nR{FOU;$0pgLb<>+Af=pBx-Pbv`6LQgSDHZ59=(}4C#a-H}_6D9K8WisD2<7T(B z=~ebCs;KfQ)~F{^&bRi0{YkEdD>yMfWXvk-IerfHwm=$ftkly+CEvNPiCQ8^os++$ z2jQ%AB~S^eNvyY36POh%AW^MB$MjyQQTHnnx+xc5dF;=7 z{c_5`!{sz-pA=D7Zr4Z~>(aIMA*V0NuWC(`-~yj8e$Z>XuXpYmZz~GFDcti!4=8gn zT%;;#6&!yZ+h-$^#S+v%`Qvg02-|ub@fUDmN;K8TV`RS{$M zcDxe#Dx{Z8xrX@$yUva`nDMLwl;X!5Ka7VRk6V#U!)j6^B8= znX{kSUo?I0Ikd;*uG&_WEuAeYm9S6e96@|-JIb}xO(uHt_b517SIBOoXpeeK$)W3x 
zj{-_vp@Xf)ihdf}7ELRw?_duhW=pV_GK{zQx^Uup=NWbme0xUr<2 z+bqRGvg^@iTP#9;=)F15R?CtP&AzU<<;ZrJ$%kr&gUx=}zDU3|1le+#Tb(7ACbC+N zU!M(~=6pLUGvWLr-nxt^H-?Dhf=-zNU@+yzMnpkzBBYg3GXM-GMdlAP&`~Gp4w4=z zTr*AgtjehskoL{GTo`3LEjnuV!BX8TynefW(w8 zr3xvO9n9Clop{#F4eVq6Up3{!4CQ-qMDw{SE{&TG=5xgkVaE!-dU|>znPQ6e{(Ne| z2L(xG5Dh-Q58<+5l`1Hfausu3LAsDzW z|2E0%AtGi7=ZZCDB-tT_%D4cCt)$gpOO)6^YjsA%F|0Bt1o|corw7HWgmrEupKvJ3 zqqdhGCSdX;77H}Xf1-Y?j1ev#0cmFub-s#AdXk}0t#3JT8-JG}?F*RW2CTh8VR)=- z+Fe6g_bB@hBAHbQm*-IwE5r$79GLV%DKug>fnOHj)^_Jh!PW_jc9OS=fTvF*qb|cO zH!Z;S(o2gN<}h)&DbnkzTKXd-SRJFqX6rQ>a-q_tAcPw=U4=K)9C!q7ad>NU6xiQm z2)BXA@D>BdE2h|8^^J2jeQ{ZwicWN4DGs4)^~U?GZ)S}McrlII$B=`q6{XOCW05H? zpc*{XX?Ixgi4sBoEmH9;X(J8#V`OPQAO5^H@~%yZWZa_`UY7tn5&OhLBhs)8VJ2Xz zBO+1*<>kz9{y#`bgk?yomNYdyn9Qg2snt?6nE<*BwgQ2l>s9b(bp~{6B|+n`;6aY~ z#PvJur58|r!mm$7qR$r1OFZ4e{)%)qzLh@jVeGpEA54xF|9>v>yUp@&NZnZ&1pnn{ z`kPPD|A>QxUufz9#u);@I0KXb8GeF7@ZUHS$I3uWy+A^-Fqz;!I|;2&^q+tktAmAh zzD$93o+6%L8blP~-P9ikda|A*e4>@^cA$mp^3bI^%NzAr`M)zwNV2Xu<67IN@0UJnS&)+C{A2=l#f530@$yLSkH@XyQ36 zMRP3dKMB(-VC_;i-#s)3Fn)NADe_qXZKebJ_YSe8F&S6Lv8N&SZ%Q>7_r1(H+#mXWPz&U9sD+5NC8GHMC8GIYJrdt1%!PH}UjSA>e1PTXQ-2|% zQv~1A3Ju_EsG5*u{n)xOBH+5R{;bgeVTt9UKp%edlDIDP+9i&43eGA#=^tO%`h>4H z2UmNP@LJPaTPkXLF8hi?M)ZTE5ds~}N?*4d^=Bdw25bA?d<2~NN&qEv$%g_RX2abd zFkgh!6cF6KyJ1|2X4*7`{SIU}3KFW#e{ph9>=KY_t0=5v5HiTua2?vekzDK7Ble0# z;jfq+W8%EkEjQ5x6DZ%PgrD8-zOijO&Wz?2kIDk$sJ^6y5aOo57g>#5o7nOy2k5nB#n(inO;aQ4z`_FNo0~!)jWSRxp$>9Htzzl{hE+W zwT#!)e~GuIlE;H39$Ob^Oxa2~`g_#e+cdSY=$Rct9f7EVL{x$KtCq#9E1$kkk*`Kl zbq&A393ayT(uBG}revPO<*ivQ-E=K+4rdg)YWno<`iyY97ETIZD(!BXx(U6>h&tzu34 zkwE??UOP!}iM=i>JyxKOtHq)ap;u=+-6#IAdS3KhYet9?*jVyV8fH(GKVr5!_*EQ2 z6OU+A6*)R}U+aFZ&Rpy6I>mXKVduB+>@QD=u*I+B=!{Lty>l#QM7%XDrn-y8h*JD{ z=3FR*6*Ez6u~qIa-|U$#V*Ln1%H7R03`hMNOva~=p#Uya^i+oB2ENv=>5wBo{lQH7 zVHN#xd^OqRKzT%g+%!-o#36mOPh~N}GwoOpF=h`5(giNEBc5GIhm#7om=Kf(KWpp* zF-D+EE;FKd*`&K80u=XJy2GqeMe;k?DC)p9t~CZrrx|~_!U z0o=3cs_S&EX(q9OEgmdnk^T0}q6B;IY+EPw2Tt#R+Nxn~%tnmc|G4%8k34bNW=GSW 
z3KQPtHSuXJO#%`+zV~v`7b=-8kX=vKaocNZt^k@qs@S zJRyd7lxWX@gbcJujbA_Hd&5?UyfA1SN#*O zWFe%LmDpkxr7qoOK1uE4~fIJ|ylmms(A2bN_dZa*DO?)uVK^|HP z*ep8D{ZF`XOyA68q`!QICT*4jZ3=%0XoIteY?7$B5l{bVLPrm3S+A~u) zeXi0ZkaftKm!du~`bIcx((!p%hA2%T(NJeDgef}4@8*zU2_`}?5P_rj12BX(rX}g0183U2OgfZ2|SmnDFPvu z_@ieUqVULkRh~trs4V%aqs~vhc*xS1<)tB~Inycbp~Bu0Xhp#+CP0Of18|J0ZdSl2 zA*E}C`gL-Wl7{&Wf#u5#V<%Sh_B~jjw<}GX9Z%}|4XpCa5zGCKG?)pmBT^T%Zcbc= zNhTT<2GdjmxM)kSA;-9Tv{&pX-bhN{PyXURlUI3B*R1}|y}(QV;8rzh*gCp+0v;K} zd7i=dI_C}eR6*1Y|GWUst5;9abf`3`Jc=nxAVL89`lIocNRU_X)OjWqN?A=KANH~{ z=pc_aO&%mOF8-C|Eu_yNA5uY5f(;zOQWIj=iI=ZD8BaO+`}M(06ihKDpU8jQ1z6m+ zww0{~5HEDJ{9go+?DHkYoz#bpDy8ihrX)qu5^%oslr$=ajFk2GJ@fI_#C$0eAQFcT zXT`9ev{0+GfNEr+@Fk3o)(-BvU4gCd<*h~1$DE>h*`A63@<@`?$zs&C4%-~F*?9Q11`uzHa6aa5uft20)^*hE{hU+lapjcVKa$5 z*QDK*@>bRGXP&HkjAbT)%Ur%IV$;TYRzzcZ*}umj!ha;4f4=mwsZoZBk6zx@M|OTd zJGTL53V}GW;qfneoq|@w;%xzrR3{(76+){}7FIBMb<>i9ydctkVVGPp)UEKT1cx5Q z?z4PB_8qxNIuuhq$9}xnFy`5@e=k!rYIc%*s+~v;D%?Lf?u@Gz>0wJeh9P1-S4b2a z1u4?5&P4Ds@HbfHC|53m`e-Gbn=Vy6m&ZOFi)zeK@mL>vto!zz!)B75 z1E@GVC=+7_@9HW%-=RpJ0mx!owNH{ga6k-5L2Yx-iy}b}8~C;Kq2Vm?akP82D2$T} z*XjKS9S7;CF+|w-g(KwuD3x3P6hi_JD1SD0aNODr$}9A|R&?Kz7-)k_o*?1Xp%Y6a$QsH2{WTe*(4U zdzJ^K20$@HK&zqZHzwIvY7%QGR71C^{710ZbTDjH#3*i6z|U4^5VlT`tJUOqzCSFO zZ5=38uvPpg5Q)af1-Tx^Nkfd-R#(w3*tx0iU}QrI0c?S?{3lnHfdIUFj=lg7&0l3? 
z<*+b`Aernv&~F$wFU!+~q=BA1C=-?d$@A)OlrEZ34^d@<5b8H`9v15vZuDl|eCBmR zy>pdX#!z8nFcGu1LR~f=0}+xz@_tU4exQmFT;Zhzka4ulR^~hoO?<{N%fWSGy@=f@ z5+f5ybmS&66Zl>)lPe->QFvaq_#O03Ky*3VT@cs`^owTftUw@0fufM`_2$tKEzCtV z;|SWYK#HLRac%Mloq;tm~td@VnzNh-XQ#jRw(-?}tAfQq%u81FbzgpP2j*STb|KUBYzL4sFe> z5g94AQ~0OK&hDq@!A%IBv2nn5i|#~OIPMbk_a|~vO~kq|DwW6Bpc8O2WU55KP86gl z=+OritG-T;%2(s0EV5to$}oTC7T?y9pQ|Xdo8Eo5&iu=D+QC8Sn;GnnbxrLe@0YM$ zA3yEx0@|-}u{~h7SY5R2nS5IEOE9 zK8xcz|Fp+CRV3HkWjFecNWO84f|O<=jNi!AeaQF`Z-m?Z?V=(=R?W`-M` z+}pDSL2OsUPVt4WqOqILF^N4cGYuRpg z{Xy0f{0&b+dow?(IB;}0{|7zWWbXQ;H6m{1HbK+_th(|3fFA2__R@mbUe_p(lG9Mh zX$^F&2K&fS-_!t)4LjS)vzO=T5N$T15+}R1H={U=S5iF1a@;iCp!NlfsJK@jfkT;+ z4GSOIt0--vHj8p=IeTEWh%up&Ql_A<%r-S>`&Z0F)kf{k=BHL1U!v-8t|#$y&#fZt zp-kCQ!vqPNSjfbZw8k^efopd^%=j@jvDx^(Q{7u9%g>SC#}!rYLY9wf>vZSa&wE|F z^y}nfn%!lVtRVVuH?kAQsvCCHbp8YUH$ihBY2Ssq{>G<{LH`4Vg{FB8Z)bK*D5n_v zrc+A|%c?TxA#KPWWwv_eWb&vm_zN8j7N}w3Bwl3b)j5yEdO+m0#T%co-EZf!V4#pN zh!KGtte{To<~8R#L2*5-FCWp{zI2(+!!yV~B@u}0@nsPnjZ2ui0wq|?UwU_c*t?-R z6JyjIUVvCP7>C$a7tD7f1=muSA2|v1G)~J@%rN4r};L-Jr;?K z-Se8J{y}1THqF;Eh`#e!I~z?x;ia5U8a;}WcW3i@NRN3%UU(ils*kZ4Hv)+4@_0C? 
zu-+sO>N-5C0QuhtApi56j2k&g;#C4hce1!?7}2a?#TLfI&t^v8!v7J53^79$TR0;X zTh4!(G#VsB6GOG3L;tdxK{R;f36njt8}WAT-`s%z!K<}AR5Q=XkU5G(pK$)oDpzoao#!~+M}_(v4*VW*U@G6 zJLfnbkt6|O%drk{_}cyR5{b*hRRt1Uj(oOFoM2J4*-=KaKa>^lYq(K_iC^soln zc_dC!fFh~srlEbr8Ta^Mwj2tQg>ph933O7#ivAy_&M`=oCRo$MGq!Epwv98kZQHhO z^NelVwrzW6=ev6&c7L?0>qkd)b=R9&nfdS?Yy>G0viDq&OqHIKPEVr@KFmDsdvD$t zl>978fwkBY5ds^n+|ew<$Tq1;Ec&GG7mARJ)RD$8s?S*3msqLEP>tckIilQ3J+(R( zAXGauWu`A7fB7p?U71F!U~wQ%U9Zk07fFRLOh&pyu-T)snCml^WGi!Q#WQmCQePKu z5zK^-giHl7#?r13pT}oSA3^s%k|=^&JX%q`ZIAyghO8QeQrq4bnS@oNTiRi6`!-3v zoH?hq(MwQ6d$NYgc+vi*2xC*5IP9s!ESx4)LD|{RP4NieYamaD3`kEj^3v(yieja( zDQy)mIvj8aqj|)S)naiGts9ATFP`R?OZl{!CUT{b)#)+!D8L&oxeQWRV!!gOLbr&< zJcBY#&#GN=IF_bDMDwX0gUFSDZjPY%pbpGla|sYjz>K!5|~x3EO)w;WOUFcrKSw*(M_WWpW^`$I&-wBgy< zJ4EGhwAoe~{7>BAn78H<=YJWY@gMBq>3&)iN}|J`QB`W>eSWDSVFSOJ5T`+Z{q;rF z4f((2c_;3H3fYiPqTcWc>7rb)ifAG_SoLxZq}{v_g2#-NgvF%5wwlF%k{sbE;Gu)X zh#U(nvQc3|`p5h|!FTsrNllHH&za>bl7;!&2yaaE9Lkh*hI)OY-eCeJdohT8Egsd` z|LP`)_u1^FDxmR-!W|Xm+20)a_8*$C$gc2nN6`y;?tNjFSb8K5uCQ-^?nFC7^77k1 z-BO+R`Rd~$`qrOieDe(Y3Mbx5;WC5tm^ggbY&UZ~wT2IoqZX1h<^(kZ<-e316JEou z+vm1Hf)*%UHU@<7OB3EPQdkK2zClR zO3ft`3qG@2JEBe}8rZ|(^F?q-y0*nc*Xe*ISAUTrzQTIHa|CW5;(!XvU5V2J#(Qlno3IP3Qe7g^}H zD|Z%fDB0M9oj9|FGQ++X#>Yz?=}b%`Tj1CSnnp6+({=Y`@Wv+;9UFOaQE?LQCu6bf zCD?}qJ}EyvBdgb`j>j<;jB-Ej+IB)#0ipP;zVV)#*RZ(gO^^;^yt!eRX6AX?xdE?& ztP*<6mW8pxm~A#9I$(kL`BqwY%IVGqTGKfF7dp4b7`EW$3_ zu=V-QfBaS%XH-%5w?IdrgF9+6YU0V6^wdJ#98y0_PFiUL3ys{!@2|z3(~yuVc5tCQ z(q=4zM^0?4|G|k{&Xm@j^Y_<+%$M9j-Av%L8B8hDO|RsM91T-&;Y&en^tMPI2EhR(n%Z|=p{ zg{H1HFLWkH6yA7tiGK924sai$L7N$eJfjVBI!l3EOBu3D;I5IK{|5GC0h;b@d`Jhm zB)Fz1*>!>#?~!w7Z2K(u9Gj_8Bm`$5E?HbuBCMu~`01;zzcfh8R@f!JI`R~!tG@V+ z*|sbEkWpX(h(y)`)Jn@~NTA-~ zc!_~h1;Mf#;&UDzo@^m*?i$EMh~Hwrm>QgtiyvhTc{Eh&!twZq0nuzESDEZ}com-! 
zQ`SEQo|%-Qyb)3{ge4)wB2mSnB6vtjfobRT4BBE5zBoRWH1cS8edQ7)w5+ADP5#NQ z@c}cXB~V6GF~!+o-5NhbWtzWYo~wUH^{qHmA>1)A&i*N!LRKTWBX{ojuv5iA&~I1k z2#CPYigQd{g`+W0N!{%nQSD4q3$)g#vAGZ5~wBH=~S?92~uDqY#ZzFN9<_GdEC7bmVD#l345rXIeL58i7tQ zrZ7z8z0`QZyfAxh=z2AI1FNOcVUDn9L|j*6vL12ED1NNA-~@!(*_+uVgO_+;7tyi= zDNQZ+$^5a}o7u5H(v;ycqoY^(b)LnN%VY*ALzAU}!44uGWHr3QVx@)++@tabKa-KH zEZO4qCPi~Rpgsvcq_MrP=iU_Fl1>QyGh5+6j(vW)@Xh@f!SuvSvU6U2?b>la-F*?$ z945&K4Dn~Zu5unzVWltN?dkRF;wH>P$kWg(`IZ)C5XXLy9*!t(2W5$h`UiO_JSC1j zULNT1879S&sTY^p*EUdQVc5oZDE;4(%Zw%-XnQBfXfIxZc8o3I2{POFsftK!xy)3= zLnwK=$I{naz-9;5dqFXuM;ACA-DkL^ zuu*_rW12Jz9NBx{u~d!>K6)0<&_o2Y0hH6e9X5)VlXaUpvNmmtp6%g>qrhqc`HJ$k z%-lS8LgFetHr$bC(Wa@9dv;z`I6O*sAmIMqFCjzRO{n5POajDLAlZaHNq&*TTltr) zR+AWzY>!V_{R>K9=REUklh!?I-^H;I!m(C!)$_WAQMwc6Iu}*l%-q|QFFfYl{mXx=_`H}aflWtIh*BJHtjy&$TzNXc=x`ic zeVS{@(SG~|%HG!%q0*-$!4M+`Jr80xU72%O{MwB(3Rp-+Uc@mP+IgxfmmC(qc4Of& zhlS&q!mr(E(x-rh*P9(w)y$Ki(#!*>ZvCG?Q$-7@YG#V4YCagVU?QztV{MgsA1rkz zux~Y$)%=BOI=>5RX|1ozHf{eG{olwkrbcv~wtEQjwjMW^E=$o7U7v#H zEsXYnGSqCr*mk0fPzdF$Fj^89oh1<3j_wD!2m!X$JxLFdN2`gE2%QWJH*~M!J(|gc zM2h?~H+GdP?B1TDRQ5rCooo2POXoqY$UJVO*#Buq8;pDzFQZ*Ic}mAc5G63Yh7|(3 zZoVgMpMJ(fm*+?3b!win%lN&K@Ol$*r$;L%0Z640ejPTbrLl%sOYI`o|xh7KE$#7NXL)N6p3m&Lcn@dZ&59tDk7&Iu*<>YwXP9|HP!1% zxO9@5+3=>AWi=fk%XglY{fUz7sG>S{Y^NNH`Zp)$Y8;x&>GQr-cc$k&$e$}9LaIcc<( z1=8SG53&Cp#)lCXcXuVs^q=Dldj4WuXSC!6fwH?gMt>SED!^Y zVpeSdCW;|E#FIp4Zepnq5&F1b%KEtVyh@?&$WG&Q5Xbpg==vyFX`y*0_^7NhLyu!E z=-uM6+i)mpD-S1W9r~VGL*Z9<|p&kU{&~TGAR~&b(Xh*Gmpw`(_)ZImOj8$4%OHI3+ zdXCTXkF=t0=1-;<=mElXTb3WN-LOqTy$XWimTKSeax_+^riceo9GP2feO?YC>!Xz| zIU_s7CEgP4sXjIkumywB1sjAy5K7?z3);AHL}H zyadv4K1s{LNSH{nB$(VKGxDMrQDE%j{PzH3bBSMw_u!@-$66dkDw|n~mnatiCd1J7${I zNGp`w7@*v2Y(l7N7k0Y*YfT@Ae4T2JkVtw)sJanFoKz^mCpokaT5EV%_KU%0v)My{#tbaxPB ziqOoms_nDi3K7r!-pl( z&04r65U8+|OHBcgB4#j3pd4T!1m58A!cwpQxys}0#esyk>s_N6uTFNi2LMxYWQEMZ zIJE!{#u2tSA2>dd-R~bLJ>W%2cdjL1nvx*Zxq*xNzpi~N`$R)^Je7poLCW^@fR3zsKCUko|D%PN*AV#_; z2?US6%j2LZ&c^l-D}~um2P<326U?chD}@OJGb5rDRI6JE1S3aTCHn_s9|N(&O7#l< 
zH~dw!vD8KtaH$VRdj&20gT1n70)lzGp>kvr{`AFp6&c0W&?y`)qX9Y;E#Hg*s!@TA zPJGZ~`vgY8eoF+IoBtl(O2!rLayvvP=^%5)#*db@%wuy&QsB>vHV zhUA7dyoZz)^H1=b;vCt19BP6R_+048o!gvVX0jxjJTjW;g<)%d?pkwVa0DlYGHLHv z2<{Q{o38)*fEBQGwkl;JOO@ji9N~-v&{+eN8#l1{$kw-ACD1;vy=du+f!#lH_Ue`3 zJ3G_nUX=<_JH^e}A!{H>%!<>s86#23`6HRgu0!5dESiL$cNisUKpsSniQIPQ!0^=% znrwo57Bm|T+{0abu0MvSuu|(*ukY?{b)TDnHaZ;+nld>rdM`Nr6Ea8a@wnBL3I$HZ+kw zQhf{{NVr_#Cmgk8#>pIx2HP`_1P8dho|-N(6@hUpkQfbh{H}T$?JX&|ynvx->>F&V zofby*^=)mBXJ^mK87}sf>vKq`XZFF~>KXfU*~&%(T&UQHC;k1cM#@NhluVMMko=EA z*X+Pn*WUHs-ks0MsC`IwSKz-bjQ)`IwX5jZt!q0k_D!z5Cs9pEZ{W-Lx{UUbj}8~x zpR$Du96=eIo{hR#v4d&-7rPs`A2(ZH?(;EAMdqn(9Gqvdt-u)X(`PQv53pHdERA(6 z&V#OjZ-t-QOpEmkTjV9vu3Utz&_+SWBdp}O8Tm@Ai%5BlhlXnhfdsDaC8>i>?4wn-%JZRVvo^#w-ZFor2q^i4p%;gJ? zs(KE*H1KBgV%@nbXHT(%uEH2DP8TlEt~**as*bN1%Nv~7P_XA#-(Dwmi$L44hRg8bSmtOkvY3cFh z=EQalnI>qwvh!W!-~^Zp=HSA_d4YR*iP2J7xa9809O*a+yuP;EJiEf}6%Y9APjktZ z{jsyci^{%+S3%YM+kCL2hU{LEc6y!TxahcrpwtYu&vz~W1*feBGXnO!_sN zd7L5TTecd$`JZCw!nACR7=K7uOqhhUIgwXhqBf~|=BW#y2V99(dZBc`MI~8`y^l#$ zr3vanso;gF8S0133u)AOs7%tf$%Wtu+I*yV^$n#oa_TGqI<`qs$VFAC$Nka3CdVE| zX!91jBmBIh7+5@-?ne3$re-2$SY5IWw;aOhf7r~awhb^@%a1nS$fZr}UiAWDz1-Jf zE_Y^8E&$FlO!OoJ#^~f44B!`Kl;Bd!q38Hj0r`z2{Dd@K}}hDmKa{k3bYC5WgxtjcGXSfn@xSDI464zF)+N9xL&B7S{RZAjvn`j{B*in zq3?3EHe|Y+yWtN{*i_27=Hs`#-ec z*GuIYfM^c1m_goHGib3>bxwhx)q70GVM zCdk^p-oejt-~U_zvLbSLp-zhBa`J8kchvhTNTUamAXw`JKxht)qyI$h$y@6}myP0% zsL9Y3y0f&60I%o$@P|rx-T0=Ru`=YcMQuRvYT_8V-V5U~bj!Lyp9*-Tia~5lxW=WQ za|Bv}WIvzy;~f=8zLR}#u1bfTWH>=s6QP4HWnDOmC@9*G#RWhiC@slOuc^7Q(QnIi zb3y6`KL~jiEwv|E08TF1l2m-iA)rD4FRYP)uLbYe(9_Y;u@iE4@l0UWz7rbz__JDy z`>AW|+OpFO>+1UQyq~TbF)t4xQdc=UmAPT`+B$XgjvO@J0T`HZxR?Oi>MQIhdxD5- z_y9+Q0IHgIGM9+Vh3v@)ra+9GE88~vX(gd2sV}rXm#L<3c>t=AYP2%|$vai>4*og$ zz3-AH=?zNg;Tth<%Y+dn(=UXKMpCe{WFR~b^Gh@6wzt)froac@d$dx_mUT#u3tojy z-9lx~Zg$x1<@I#D0KLZd@?x^!pu(VCXkG%$U+?7{PJ9yuazIN)@^gx5@goT)7OKmE zg6lP%*G9MB22ppPM_hy3`-l9+`ULI*hXN`fgNR-Hf|3Nl8Y4ii-ylI%0Dg`VCZ)0!==$hlB_nD9^~CW36vjhzmtDJbYp+SUQ#>e9gP?MdgPC 
zGd6`xVY$kHBv>u_L^{Y^MU;LMhA@M$>EFt^=+|A95#CG&(mso3dAyHZAeJKyzTpli z1WSavAd?0kCDThE-EyW=S}&e0goK|U`I0OyRGYlf{2jA=l_di|FbU5b`y~@|9N)tV z8ntJa+MKtvarTu@gM{`;8DcI0q$?}HXyW*an&V^ukD(sXhoK;!@FIWRn5Gt5W$u+H zGA0|XEL!8-p3KC^(S_>II|uNYjd3UM1$Y6{O#c1`T>LGxfNT-rVt{GTgMVueS|Cm; zSR2*lu2J=f+K~5muuFxp(}7ve!%9S2?oXVUPTYVyrM#M`29U_OW?qUxn*JQP9Po)* zE?=v7)xU=KG(f?!Pc!YRDLMws$G$&K^8D6eV@916UJ`FSzJP0@g;1;=TkykZCL~Z7 zqQ~5WOh4x^bYu?{(jfTa;BFv+q-{srv^6@|tc!%z|U%pkRp9 zlWjLLOyhF~>IrcPv$<`Tq9V;ok_=*LBue#!GpCaKePWa5>Qhc8{q#_D}gyVIhq@{n& ztQ1iZyAY&GI5Vg{U1(3vi{~l7Xb{QlI|b;2ctrz1V}jv6^I)1tQHOlXF!488!k2Ej z-K|EzfaQY@LEt@+y`@rkcNGDPr1xlEpm!Z`65vt>DOsWI(;XLm3pxvxJqR;&P`D5( z&-(!DoCnl%!Ks_#^F#ubn8km0N=V%1ugH5Sj?cM;%R9B;$GI{w6}Vd2iX zV6UWm?)rCRO4n$GvJdC7!!nTgR~bp)E~AEud(f#ql>g2T*o4OI0=szr(0OE-={De} z@IC}opssiz6bi>!k+fK79AjtwfcQ&T0GLr|yq}jN@(#Cboj2B7vVi%)t3oXxPP1eJ zy?IFbKzo%8ty8A-q^#Y*c7eo=0{Pmjg#GUVi4A>ZVc2b9->vEV%uwoU`mxDbZj?<4 zx5>``Mr)mJgZpG(4M#{78e^iX3-~OE{tURsX{(7(i_xU@*=2rmCE$KpalF(fkQPqy zF+}GYZpG0PHiL5sIvf`F3?uOJeMA#42lj&9x9q)cFsZ3&=4#|}a8jKEUh#iA3j)MR zlke~IHWe_UCn5W^5?^|MLfymqchVM!1kT969`VR+N`sHfGGrmPR}Bfr-aUrD%KpMa zO`Zo=<$1yTFeiZVVKy%ksv+{3pHGGzd)tW?lF4QMBDEfxRz%m@bzWSuLH7oujCoGv zB9A>3n6G{h{Hi4+eg~$CafvKe9uOcC;EpRf8&)>nCf4;mfYI%Gk~051Z9Z1KUW37u~t-Rq$2UfUS5ax6%-sQ1Q2+%e+)adOw z285WvX2m4*UpU^3D%9A2A$R%|8SL}$K>g$j7=x!#p8Sw$v$eMCOKi$L;^tN6`2?@b zds7;jGEfE{huKxs;f~l@Bwh@~o4{iWfvUv;VVl<-Fan{TGKmWdzl2~N}EJiW0!&ygBop%CY4pKxn520AOuk^s?CAuq|KD6QAgj>>PHJ zyh=5*g3D^U-;?F1{{+~iAHVkCE|8nRPPXhnQhF6}Wx<2}-4i%hLQL2{{D7Jg#LxT> zxtcZHW#J%k;`IH60)~oUFydAN_3bCv;&YMokouu4LLl(_$mrRv0j@KHsed_>t)u+l z9YE&)B&dUo)0kYd&8AZWZyAYVic*qLtoNzH?jedkI6_6I*IIc%!}MteTfwIt86a-o zIi^Y^AwSU;NM-02b`&zbu!|QgER_=PKLAn6HsZ^VDGwuwCybnhEF>}zxY(w!rs|{@ z|M*N50aY3das=@L***^hbv_ZO2|G6*t~ka>j+T>n(W+#_haI$74&A2q-UY&k%X|HW zhm?Y?9uE{9zG zSMN6<-3Z?urq%VlMYZ9o=NPaO^(J!H2C6YsOrZ6yxHgEi8N_~(k3V99wlf4KDPF|Z zSo7xV*DThMSG9?ak}Z;CwrL68EuYNQy-)TUa^oSASV z$l#C(;Q+((wEmTe9mFQt1kbUF=`Z3GYHZVM^Wk*QH+vH!*?7LjR?v$S09sv|Q)XkZ 
zn!*#^6HRn_bb$Sbau7FS!uyoVmG7e_8a!~7!vrQbfpl$iA@Gx#_gVmE(s3=z%h$8P zP#J#v=z@VdoP2x0{l{fPgF(xTPtv14p`E1&!@;cz1_O1xijgoVkCzl=qUERB`UsgQ zc1$RwUk2g6=x|sQi_{R+Q3mZ6Bf*}H&26(LA+gr)4D@)q9u(y1POz5)0kMLM$a=R6 z4RKg0jokSZ4fe9=!NUPyi3>Lk^J&nV_FJ#S)JT==U&Mxu7g5NcMH~&#+z%>O>3Mv; zQE-YU2r-{gTwD^D^hp~u$CLrG?1f;X^wS^?t-Q`xU>SNl|8!>YkURqPziz3xUW4pf zTRanWH|o`UH+)cZr?o{43ZD9un<9QZP5A3D-$G`D(C{(`LbQ*G%skY-BP)Jnp#;vn z2WLd0~wQaWB5dd{?H`7vGA68eT-0`Zl{%)Q0-E1lPB z_HFoeI!^3N)Lxp0-<;uFL&HkoGV>Y8hHAb^bK_7g~f;31bwu;)bM_tEVl4 zqKu>;tQ?dZlD%qftsZs0nFqrLjJUWRA))&WQ1e9f=z{%-IziK=?G6B|PXgee`0)~9 z5qrsYUgA?gpNKEGvcuTzxmB7dEa|7v1_@IYsF_fYKA8<+MyN|?owEAo7DaA*tJ4xL z7pT_;#V}RBLtFAz!!UZWM!#da20t+bkS$AI7HHsH+LUTB&PSu!5={%@9zY=>t}*#` zh>2!qi&vP$?yw?c2}!F_5<*r6G)V1mQyNSM>$mj^c)_|sElvkMeRqip(5qoE5eEmP+89}93l z8RH*yY$iKY2@`aF$FS1bK~&K}6kH!m8gweKQSab{Wq4{&klR73tXbP`!g*Y8rStT# zPc^NiqrU;)$dNeWcZ_WZ4KJxQRPn%i3|DiXm{`_V`T!LJ_ZwspZEX+*Lg0rf=n)c4 z$qI^2-38p_jJRkp)-jgRqBU5w#hf_Whh!1;+`jl@jHVQ#<~E^HW57SsOCIu4F5+7yJ2Ofp)llu0cHG;@}<6XgmN~5%+=F3Cs|k zY5K=ZZs`1?6Bq$LOYryl`Eix7lecI-j_pwTHU5{if!V_7wUbMafi9grlu_~t;J(QK zC{6oga7j^%j!%Sj+6sXYlOa~6&%boz5T<;Xz8D1*=8Vp8oE^8SKtr+8r1mbwn7T2f z5qSNQB^Zfzt2fA`Rx-CIP_uxne$oZLbJC9 zI>S}4`X;ir+q{c2)aK=SGeEFM#HP6?ALz1sF2aH7mtj{RK3_*f0(0sBE<#Hy0rgqP z6{G2kwyyrkj?KpHvW8h@5ps!;3Yyo@cVJ8Q{;AhL0CKd)>s8P4>~f+E31spU33y?8 z^Ii{vDPH8ZFO;aWq*BoJ>u1K8t(iX%iG!4Y)o5d**p(y%F!><#@JpQCC zz!z}|AczvZtFQkdQs!A;GRjSjk&{Bp8GT@5C^I9u$Y)>kmzT5(?EGCx_^_CJ?Y?6p z%bT#$eh(eCRh-eea6z8ENu(aM-VG)~&HJH41b;7G2mlU-M=YN%C={TTUBv20Z%?j{ zfUa8(aL#SK`|DJWt;L5N0Y+VQOMwYUkE#byzvTfJ#pNH`{xFH;(C~7ux$XS$316@w z&8gPfKbpsKBUjt2Hx~crhQe?9K!Ut>;dS>30BNnbZUNKVk&B9((S40&`;+~X@stzrmnW9p6^ZYsp!Zw zU-N^9<=E^rxDqpOyutn=PJ+(ARg}xv1u!fVj6#2;X6J)b6C#{Le}{H;8Vz(#4~L`v zYvkG(`XRO0A_|nO#9u*3ZG5vGXX0fI*bzAuy40q$wUl{}_$)f!irR|F7<`34EoGoh zjs6p&4x!qHl`^+GZr{C4Vk_whumH}_(ifnz&&MGKT~@nQp?HiYJidj5a{f`A>BH7_ z@B7Yz8^75h+Y0Df8?M)W8Uq{?ZKoHb3uG}&dTcm<9O)K;W&xm+?$HKD(%JCejGoSy 
zmIdkv*>#H+vi%RHuf~`Ynah(*=I0gLGfmyEl+_YZSd)-!^A&iFg+mpj}VJtnIH@r~MK7gm2Jf6!n* z&7Yb!(NUM{%0}7KLbcD*{GZQ-sP7lNT@U~!fHo_dovtT~wAmZJSn_rO#1C?cLe!F1z!*TZy6ePYDx^r$Kpn0~cd31Twv-pC4A} zo8K^*5!{2bqt~8=2vFlMr+tOp#c$XWoI2^5C3;V&->|!8OXPc{9OB zK2IU2S(PPkBtH{aI{Sh83Ybx~ZbdXLKoOwtT&6L5OPyLEZctpcHZ=lJ$IFaHvAG8e z0%{Ys+wk;D8P1z=p%O3(ptqJj0%zwSP9ylM%NZJFnFDyt0XCYcLQRjfKLP1BReGLS&0A9*U`cF=*gAV}AWG$URk1DY{F zLyTbvX_G9Ych}#s>t4`z7&}~n}}!z ze?*sp&n*>$NLDnFoKlLY(FQwZeC$AVr0r~0m?fhq*wC3omglhKUFFrt8J(}Xz2UmB zPM;a;Xjkjf(#;%^j<{Z_d;;ZFe7;dMIwx#wmo*ET73Zw^30o4=MEX6o-(PK92`B+fyfG;`9sxJ+nw~B2F5(xRK*7Y4ZKF z!j6RMDRnrkEX9huGWxiO5ScPGKD38Uu0!a3ZEjz5AV^K!P z?|Kg3AvO_*3G~HOTS7|d@=W7?t^JhVBCD)@oTYgc^%2+JJ?gIVLS0!n5s@v?COW2( zl)+T&xjET#n9_n|o{i2#u$lhhz{*-TNL$#|V|GJbJAtTXLI`I$_~LL_eiD+Vy`vV;&yYuv=P@#tMTEum z5xZl1(fYmcA|=q-Di-9tFr3@o-|wJ$SXtn~4y_VJ6 z4EAqe31$c^Xel9yk z;PerYKr1d=AiI`A9~NnQl&hZ5Y?~Jc*B6YpkD0~Ghl$yF3`5@FPF1Gna;G=A>*xzT z7bZ0;4(C_ews^mJ>go&6=VQ?_+agW1GCKTq(1#(kc(=^JL!m@Z1cWJKTllwRlhF(Z z6_aq(ß!yc%fuQ>XNA5&2W(C?@KH;$q_(;hPSQ}wf1=~NVJ_!IB$^dzI^RCNi7 z1TLE9Q!UbuTI(^ezcSJfOBbm$daKoFFJ4(Jtxl4rC^VWEatWJonK%lg*5fmiYlTUA zy{NEEZYGoLQ@3rUQdIWHx{NQ}aPYhk?{C{evoj9}tk91k{@e7kSbsbQ_-)Zo4?4p1 z^Vpyt3%Jq$w*>~cOFwVrw{i2K4!C?T=l2-m=|i#kaD?&um46l*;r1N08uC75BkUrO z%vGZ-%%&1->d?5ebg8x8VSHn_myU^reGqtN=(nUqm+H4Hcg>ltRy%&9yIhDiXqu8s z4_H~JRl_ti={NfzC&h)Vt(3t4xSEG{>-DTF;N&1#%{Gc+#utDQoo<~Px@VumcQ&uXBdUy3tHu(r)Lz(Ik=MYIyx8Omnb+W94w>gHk%ca9%5R+J z`G+NGDP(R)?iCkpNLe)Rdg>aYDeFjj`Yudi&DGiX&Df$XKC8Ocz{H!NL`aR6k0UN1 zkio=om8rwp4qoe!Sh{BpPC#Q$CeDHs5M6Tg%Cl=ycx_nlCdOb-)J8A*!0#0LR8Y}) z?RrUbR2&Y;Pi2Ab%F;jO!;H0ChJS1b$;)K|@sz;@s-Jym?@3+y;!!s@h7yjw7fl;X zv~rzwex`pkF?{Ce*q&upel2Di7sXI8>lth$XG<@6#xu}BKJzndFnG>2y4b%-BsQ9t zuumVguZZuh_nch|?%ATI^KC1dxEo~gJs;Df$o1J*Qsb0hhK+&D#r#t{n5e6GQbQVh z7D3v^-+#1Tk`XHAb3-cv3wab56N7%3W;a#?CAXJ};dC@ztr=oK_A^2&B%+ANCZvok zwX9`a@NvOBmjEmjNT%M>v_$G=>x?ArV2&uZ<96=7l(8!`nV!zncRsMiSekOQmLx-Y zb~1KlZ3jtPOf^Hs+zAMbf}B5iVnFcf^@kX#dT&V=Sm$ffyL%dq!ZngpmvBi1ap}G- 
zC5fEC3(<_t6nuT4GEDca)s#tB&n3}6r5r>pLaSau@qNxmn(bNHu(0+f@n0jC1 z@>!#5mlHWTm=*vzufU7G|C&m*f?=Ubnwt=fcoU1RyQ3lgq!o`ZD?5Pl+2nT8k~4LoA`MSxnm0x7_FsKQ|CHznC*E%F0EkVP2N{ETtej3Y4q(_WdS zxa_G?;fO60;zu71g*1IdQ<=N^4R$~<83CWi10;Dqi4>Y{P~iD3KPaaG(L~Z+K;v70 zPF17HVv;y^>$9sTSy#(3Jf%I2rY$9UsP8^O975lFu_q(DHSKGks~W>nxCp;ohJBMD znYe2DZZLF}P#EK84{7zawiXA`sb~P^r||^!uiz(|)kX8uO@qGON6SJv8owVy2=*pv zXZoA2utqJ2swsCy*9G| z>jROcaS=GByRcIU5Am=g38i3Ek!fBjuO$Zev~Tl zQBP8)b1q8`08!%D@F^L3(z~oFRx(BL2{*?VaZYAwb{OW_`R9qxnzfGn7bYZ?$-XL` z4GxCB?|Z#@o7(I3G|=AplhaOo7y!-J?(Q7aAVxnG=|fJx3t^NN4Wt8y#Hipb_{K13r~Z zVt~&dLm^8kJhykBTSGwj7(4iB84Z?Zk{SPwCy_bd5-KFVoo3LhclsB)Vs7t*z;pOz z8RhWz&VZS@Ci8{laOcW_VlLq{!jho%9_AH?dTZkaISIWrIGYKwmy z-Zpj$?=S{*_Rf)MQpu~Iat!b^W(+jNHz4_T!~ZOI%W9*oY^z%FJcJ{8o-YmNc&LhS z5)xY(lQQ@)d`ll_cu=^LpE?ZQg>HFHIj3I7_16;dCSN*~GkbsaM zTz$aE@~E6hy-+2!Z3F=01eMLU;?DXGmG0Y%7N~kxqCMd@%8NjcW~Q z5M{rd@vJDWbPcu6RF8&oeFxk*!{BeHl~#i-iKIB`D@YojZXC&hFQZnPlE#2rB3ml3 ztF$5^O&xwrt#7fY!kubbXg55B#Q>o5@Eea;x391xPKotO?QFl_8Ws~Aq|oZ2BdDq~ zZmu_{aoNb5Jw$DCrIpac^(Sd zXFB1s>-&o9;F+8RG~=ZNEdYB9Fu<+mI78?e0UE=uxHk0h_ft{WxVVC(c#w;%d=Iec zQs~nIk$+I?ToG6`=?TtOU?a$EJkDx{({U6_Xq?CNqmEuM*YEB6Ez!5FUy6OiQu8$? 
zjl_Ch%ECcI@3-tK+5?3oT-#r(?9FYBfbt}+KdoeQnpmkw?RRt9_q7XGI@i~{M7}@i z8RR|~a-3$9WEn3O!`^YUKYgH+8$mh74(GSph_QjKp`A244K4Wlt4TJ@dli4wpeJ{s z1p~pWK=ex{W4s7vo5-sTN-U7yo}g=7H~vm*QqHO7IzB32y6&;ftpa80J%X-}Nrcd$ zpV&*?M+IasA4-_?kV*Lb3f{OBlw`Hp&dmWNrWZ?mlj+01G&94SHNC@Gl$yPd8g#73 z>{Pm09U>OnpFiFu^6ns$4(ck$;y+Qr%@J22TdA#cNoFayfADb*$rd|4WY+%_JWnD zB_nYinBVY8Kj^WGbF^v#cW?eF6L1~80RDCOPLodtkeb-k-6qsx;pGSdSC+$nl6Uln z|1S8iD{jt4iCmUy#^Ty}85LE(%9D}W&r{iq{;4;VF@=XrDpPEROfJQ>onJ0QK}iYr zi@Vj*Zc<3d2}!&)%Dw$kRnegbzA}htLOzm(gP>n3_k5PP63f)}AF8L;rx`KGU6LO7S@M`*)2RmeWd^<%B6J*jiMr$=3lv57gKFi_P82rbo& zU?QvZ<7x7XrOGr12sh;S75=yNQc~UMC1sj0lT?UOw!OIp2vz-v3p&z@88t+td5pTA zlCt&)ek`OHV}Qi6)d(iFYA=CBs~%-4qe82m@k=*H)};n0+p59}5X-9T)JQ@US%^#% zIQtUJ?tX?V>wJ^5B@p0vH6MCB_1Eb|d}@3^*aYICo*hps&4zV=7u&*nSy6PiN0>_X z5pgmHab=GSODX-1(VkbYgT$*8{I~HXts$=I&sh$*EuwEyGOEuFA7-f0|L9i!l-!bH ztKc+QGa_mGC)6A9|KByQEx9KkD_iUQdhW9Qb_Nxj;?>+5VZaBJCU58}>$Es{Ox`4}(DD;sYO*bP0m&!9e-{wDuK1 zaWBojxCghz3GM`Ux8Q-`?!FKpxVr@R;1VRr;<~s8m*DPh!S(Jr-?{I*_r0oH_3FLd zs@aD|WS<>(^gXy2odkNn(z@QgAR5C|LCH~cw6zbctlMKo?tz6Jj7?vDh+!}jiP z%o8gCPZ=C$Fs{&rw0gb=Qe3_dfOR9(T6?wGzxA|hKY%SidaIs@OOjxJ3IyXfIrk|l z$T}N{A3buH8mX}JMphqKpi0=4O0LJ{EbKkh6osmdsCC-s4Eo_+lYpVGj|yWOwHxD8 z7c}hF7yl4MEe_qxC5thJ3OclnS2ij&b`GD6XRetn?E%7q_ELEp?W60SWf#jU{d3<1 zFL!3cZL0evH#d`-fO=k@h#1LR&%Ob-zRg6v-eHpsOcw7izxsYQ#onki?LHibbtl#n zP3#|TL%Om%(4~%UjALhu%RqAp!raDV+i-GF>c$W*%xqm-!aozqrGCU;q#X|`>QRnM zV_lA*vp!068~qMo&;YXV_VcwIpFSfjHPn7g^dy|H{{)@A%2-lRC#f1~wccgDLpCI$ zbx{hLWu|8C!DDYMIy+$`7aw&g5MJfmh%l$fPT7~{uGIhs!q|O;x)}ZwCHDZt zz5OAXQzdSq66tHtk1-ub!B$B_H&NtbcIQ-_*{tQ?Q4RTf>A}ZTfN&O)Nhf8F> zyY@?|G5xn>mssxN_jA5)IYqe>A% zoMHs!NLiTqR~eFJ(e4{ej9OsNTvqD}it|fBzYOEXbmbBGQm>z=%6UYTT7U|ww3u)_ zmjj>yjFyyg!AJi~Qc7znH69Q?j+INf!)asX84wvN^~7#Ct=421Owdb)6}JRfP+H?| z02hrP@KZ67t)Zs9e=1*ppTM~!}+$anQI`}_TgTRt%V-pNMBG{?;i8|^T$No zrmCOvpxUJyx{p6g6_Sj8z|*wC>9JpWJ>IgmZ}x!d;Or7BvJDI12m}OQs+qkta6eR3SDeHzh{l;j)e`}1uQHvQ&vqQx;m&G1%ax|&U+^+og?2fy;<1Bi&TSG 
zaWXP@7;k9eJ}dwAYkptZHfEcIzEZt|AhHN`c)3B~@#({mTEgig){yFli;$@~&ohu|*B;2`v$t7fDuP-1S&=7Hj}1RP^O4O>1m>>RGIk}mhX>(nvb*yR5f1m7Rvc6GDQ11WUY@=R36I7uj zS+8@)kMMOkm%od1stLjjP!|H{!d-MBqw(616y_$UhVRcpW1Z#glc-{oUh~T$_WKd| z;k=_?*q1fR`<>Nx+LOte_-=24-Z}>XnyJ@M#ksU*I=_a2iLr*=lRpyBt?-F0Kszjh zj9>>PdUDOr8M~a2!Q%cb%2_>SzjGPX<(~#I_Ih;LUfW=M{hQ2R1!D_+s6TJuDY+^7bRXO2>cqr^ldSPdI z$U}!a0k^y2uHy09P<2Dz5 zr6{r>^OEQVsRCjv5#Nt+k?4h)jX2pudRuzQe@%+oT+qGrOwfJ^Ga9+D1Nc>fcTMjb z&^l8kI3SI!%ZDP_)}WqS(_WCpeS@aNuI1n0=6uxKhiBctX)K7G!;GTeMQqM<{4)aK zg63K={=>Z&q=DL*YBGn7Fv)HQu&f-Yc@Js5dn+u`8_??JGF+-%Ei13NFSm;D5SfhU z)H-_E?WE02(i_Ma>hNW|iJe&_t1N~Z%#X+7?I7Mq%K4v`C9@x^Qo6m=bBvDjU^+D+ z_LiVs`+WoYyG~7|XI-{#&Z{3db*2|Md5SsMb(;D)sa+K*f}`bIvjW}u!k&0>27R3V z@l#EtMUk3xEpp_my8PFdmuW?E;wYVG?O8TLuixWi!A>_YGagOD8J`yHKaNjV{;vcH z>7JLttVwzvwDt;Eh#h9}Bc&2^_>i|}l)};1@eAsz6^3LSk7aJ% z@w+=e_6E_AlwWFzs*TUS*oJN@5z4>4XYu3uXmy3thZi7_Jf?R?=rTD~hu=H2 zlUmtI#vB-?Q3z8p3Pb7owW0OimF|Ame)sJkk!2me<~^%8E14qZ*PbBNGpL< zs8t82TE-wv?;nXo+Ujg%4Pex?_=)=;Y`4qA-@%z%q{7TNEc@g zC&_#P%+Cz%xZK%rf7EYJW&K+-5}F0}&yKmL!-U1FbOg=?|BGMGi??YFtpjmauFR14 z=og}4Y9LQh&1mujc5?bQw51u5@%v)v5vwF7xTQYwo^me%AtgwWs!7fxKI6mHyaJNZ z_IOsJ*3ekTHPU;&KL|X<4%2&4j6*?s-@AXZN2frFon~D0G5LC7;dRT^dfDa=TYC>H zKRty1&4CH4a!)$8f2((S z(vPnGls2iX{v%ZrRIb$!n(>B$rt#(R*H7HkBG0d?G4;oL&)y?6&74jL9K(gMY*MH> z-hqu`6Dy9G__Q`hTu+us^qrbkt~Yedn-bBZFXy3^qD2*|zKr-xnJmTXr$15!RivBw zw5afX-h_y?EJWg~LVYAnX|9u`XT2GISC!0p3e_+?_f|s_6q0uY&+MTqJ5x0Ea8`tm zZpUgOy3k;vM~rvnyhExY=)+_lb56CGa-aYT@v6V^e&0*6nv115c#f7%+%i2|>R)N= zrpCd~&>eLVYzn)p1y|5re`0=}nS_+ck$HQ{+c9<4KQjwmKisQx$X?<+UegPx{Kl_hqjFw&-BG=&dw^D;ng@x(k2TuG zRh5Otl5WU3)L4N`vrWI>0bWkW`Y`tJe->NeH+9X}eotSOK!OsGk2YfVsjP+eWo5oA z=dDL76>Qq^_v}^hVQ2nTyXoBN4ut38cyqt?&>mA5O+cHA{p$TLilHf$()*bt7rjT< z?@w4#S-H;OJJ0l4Obw{cJ%SMbP?`gOHqhxJ0d8t%d|m9C%`IATwP=$SRqd#MARpMW zI~xA$J{FtCCHE)OPxnb1BSu_$?uQ9s8hj#+woAOkrczSI$%B~#8&yrgc7?Ul)kMV` zie)p47Y)2m6LoRJx$PLYN@-9w!rnr-VQ@&9?&G4sfUeY-KC3j{gAPmg_Ceph_1!*YaHv4QS` 
z6rR_pP(7KK;)1H_jyAWiJhgNa)jAc$KV5HN)1PfavueXFIE&IYTc2(F7z@lE6q%=H zT{>%MpzdL%C231^k}N~I$IGZ%Z-I&8#gQCjea zl)M!fiRK=1{FDPCUtr$%qu+3&-vDaIW>Rh%Mr5BAN{XJatA~?pWC%?e%OZ=yp?ZM_ zJgXPlsMcF`-7c>cX)#nrEA$V5{`+J3iFF?w@MOMEj?5N|gjM69OX2Trlr{%z2Z*+0 zD&|K)WiLsdaIr|*B3jsTJccs? zvCLWMV*r!~JJR)fU59M%lGiQ~|GRQSP+MZMOGIn4@GxaZ9ywy26W(yH3 zgI_Oykl2GN3Z<&uP9ErS`fBWr4f9bs5823tx)C#*N%-;iaS>e}+&O7LRf_ZRtrn{u z^4Zv4%wK7B`e#$YIOT%FyZ0mHGp<&cNDL4YdRar84_CF{+vpE6yOeXKL{uHCo>u&t z={07Yl&zVM%E%H)nwVYw7$cze!#<7?#2#f}FiTOyF|JwtH=J_159ase6+@3wSAt|*>TEP@u*NJrruxTsSG9h7vER42f zUQW&Vs`f22cpW+cUHfEx&!LamFI%w$6W@uMxP#Wu3Oz8cD!7kWK^{p>5Y*-gSPj@h2~l`xo<|$a&WV8oX)@NVNU|cQE^+O`EQ%Db+Z@VgFP8_L)q( z3dENgn)uR)s&_WEdv?Zob(dS_NmW_mt?MT>NhBbXwf~GRAaK(4 zz#9oJRb!RkL{KCnrtw6~Q4zz92*>A{oP;eOQGQ4#ls#(oS%ce4*h(AC>=sY#c95ZW zeSo3wk!&H-O>6*r3xW3K!7WB4@1$b|##htH_gafu7#0^Y6Lszjv5)E-QGY!It)Yz> z^sLPqeQtFt9>R_cGZq}gw#PZP=V<#=?4BHf#GKi(E54&I^GmJ;PbKJrK@`P*i(Aai z=mQs-HEKC9pGL+MLr~iCcs+Lf^BTF8$Hm0k^Wnrt z&s~~kJePfRRnIi`V13vs>_E7DbIB&@pCEhx4tVOT<$0OFx1ay zif@8B#36TM4rdM4vzmop7v^1VaJQG3hU=PaV}*rf1PqL{zZkaLW_gLGwyWT6PtNR5 z%utKc_hf1Xae~H4M5UXrL_mx&zxJbMK*N!DQU~}De+REvi~8ooyHS&7BxPaQ=!UAM zHoaY;1>Esa)3w~70qVsK1UHX9HsepMRz9_nm)B>e1a0so3Sntx5@{VDOFZBB!{2}n zEAG-d@Uzp6ik2u;qhr{XEU|E`!~uk4z4@QFyLfM*5L~?+CaUy-+np|*V{Eiqb)5Py zF8-U1<+GQFeB%DZ%UK}G^%P8bcZIJoIvhGZ55v2MY)t9|4Q0r~x`qS-lp=RaQW6BX zl$m!Pa)L>AB%mNSdOg6rJUQ(0N3(CK4JCEcsXdknvn)n3DxIfSU zm=V@MLl)ZcJ} z!yg|}=v!ixS$$(m*0drIXSNjhxqAWS29H3m7=5?S5U#DATOPiK{j-#P99+b3JULLB zz6uE+(EUDz$4@j~;eC6^Abs&y(0W-pUKPGuQ=0(I+lE;$L9zXcNJzAX3>kHX+qg^~ z;lLzJ3kJoG>@XpsycS-g$>(LHSVK9>RYPw~48VuF{Q9f3)Yqi)X zd=nTw(Bss^9o-g_zReNE92B~J>nV-R8>G4&Ur$Y#xd!%*{z7uR^K8FdJ5G2K_8p zKnnzyTOSQ6Tk8HW^hjOiMve4MMe!sfftf@m3c1T`2l9MBVpw~h|nD-Z++mjPS;T;wAwG0JX4peA1;J|{z?`BF~sqI_}uepm`Oxez=i)Nt#J_G~nj zpsi{H)xG;dF_vusBopLK8Jc4TM?W@re4|njql|Yp?pWd%IR_i?V{OP0K}Xe!A`ct@ zQR3N{Q7JhS9EZi&6upp-cW!*rH}3kMQ2^G{zoP&eAf41QC1!DjwBZ3pI$s8lgpd#( zF@J3l;0yv*o-_9UU2`nd(YK$@yh`3=g(5J`=GjP{2b8~wGT 
zkpIR~;W1HjxrUE&X6Id#bAOXxYX{dRwncE#7-fDyW}fQ4exv#n%ZKwNxX*wJYLU_+ zUAO-69zi#JZ)0W=%r<2!%0zPx*cGG^!n@x$3HZn{wsg54i3Ix>>v;Un9TEtT1{(zA z3Nw{`w4@yqUWG9q3_gSvSzrki&hC`eBhtPyw=_}D%lHbEF(}4yRbRwo=bE7m!jm~j z^6kQZsfCRk(@t~yO`%ohZbNzV%ZrtEuI@X&>WAsP$B5vcmzB8s#QW!L96BNLpMqyC zJx)}KsnEMiYZXn4)M$PvwsQOWd#vp*$@ub9PaOo|I>-g#TAEMw#qV(UL-%t|is7m< zSICayIxMD3Ki<0i!nalp+J7jlFd1#GOgYuDg(-X{l-V!l5SVXVmsbSKw%(;)AO@tG z(0O*?;*zn{zVE>RSQ#2LMJ&18R_7$}+DqYzB)|-JPd9%|=$1FvMc@lxTNCx*25+s4c)~oZIBIsPJEs>lx>=6WO$~&Ww=?%K7b>$(qB1S6n0jwj zgHAU+4(%}xqt*M_oXJ1|r{a)opps&sJr*#p6qh#s0A8;cnZdYw=O4I@%E%4k>xpsc*%zff&OBRUkp>yc^;7K7<@F;b)-?K(OeWSe3k5v&*kPJ5 z(%qBt5rU!lDeQlBw```+33VfHa*QOIEHNX{f7ie0bXA6ALb#ZtAM{GO{Eyx zqK49dR|e=QaT!pSiDBLb;bDtH)6RL8AnUnMn@I%FP~R0tt#5zUQllyfd87&Z{GJF^ zl5t8(4VmeS-6V<*jQ}P2>2^u#h9dTd*l?!xunx*0ucu%;LH__<*Cv$>=s@z9h;;e@`k6iSa zTeS@wC~yz)1bgB`&1l58I@6J=*t^&DU%Uoqdp%IpOU8Zs?&eiY@6f18BUdFAS4|ZR z)f7{C+?$SD+p_(`WGTCE;O+K;=#pc$5>87J+~+QK+GfNxTdhfDzH&>fUmRQI=}6G^ zNPan)@k}dW-+tiXsl{H=R5^*yy#w@(4S%Ndy4kUOCUHd=ZTn#SG2B_w(pgdAsryeD z?aXZsvI>|nffM(%MtSE2xz2kaODvmyESbyU;$^_<-m0D@A+Bae{jndvsg9oJH<3A1 z(5|w2kalni|L;6@?HO-HRoQZJ zlmaUr-gsB&bD0~3{BVrgCCU-iCVIk#Nkj_D6!oE??{Drwb+V)6=V15La=b+`DH9Bx z4w7M^E8{v-{d-q~6+}!PzCdN8F>3tcqAhczGVh4%=eE_ksQVOGF6%1;WI?9I@^hl; zENgWIGvjm>c2pk?4fpxR5Wa%LJ0OdqYf4km5H^L$cZIW~^d8>7Zn`~1=%6-GwNT>H z87+CW%SgVqj)Xt|*bbp#M_bhpdrfBh5Z?(21MPqo<3*VcQ-81vwKfr>DJ_ zcr}ry+`6E_Fj{tJ?Ku(i4B)*Vh$6m7^@aBccL;%1wsfM%GB%}D^yH@TGg~JOet~XA z_8^}{D{Y7TWtA)H_ivV*-0l=z4WxLD7H^09pC}8Vf^(CliyT-aarna9y6T5)ej!?DmY|tyjfjr; zMLi_55U7xN;V8!;e8MzLw?NYH;`HfImg#4$S+`_y$}c|+m3$VAgx^Fii7n%%gXH(j z^%H5o9er(WR|YlhgnXi1#7Pl~ickyilrW!NDj;i9kQCk{mthhkZ_~(&E9;R)%f%BT z=a&bOT-9)SeTuxq38RY{-cH?x$5~0_$iysjP3*dV)Ilpr+E}_VDvP>Y&1X3wEXlzb zKqAdrXe%^$NqZPe?sxEqk;>w2^NKyZ$a$&n710rG;hkXH94kFNugtf5G1r@~CU|>h zaE)6wf{MmDaWWz|n(j`^xce$|d$^%~%>N+Obh=SO`os^UcUia?HjI8kUcmQJg~pIo z`?Fb$@kFu;1a6#Gx0|U+ci}5-y81M{%%F2&n6>6wPQqK46nVz-qF^Hc0#Q#X&^E?T z`Fv)U0c@7&-%ikMG1NNUIt+VNO;x6oq#w;LV{xdYYQMC>A>nD?t--Xxow^6NP>Y)X 
z5V>b1$`jv5sMfuJ2g9W;4z*{yv-5F=_dA7V^L1k^oZZ$M4t^8&0dR_>JqlnI3N~FNm3Zu6E+%+IeV+my$3jID^>1cc@Mi$rQ&8>}N;%{2S zpJ6YHJp3q_Z&=YVo_M|Zzc69?pGk}62H18E&iiWzh@no9AYoiqa@|G&XUS5?B5Txp zg<{Ix={C1&{s>gKzruN4-V3oRitwrnv6Fq_5 zK6wNj+zyYW;N4T1X!|@J-{J*K5=i38YGPseVmIW!y)#(DoP%zv>%>9nA76ZTHZO?D zc@Z*%HDzQ4LZB#Hb8~XPDZBZ)H455n4}WS}7ip-lBZvvS_~W9)r0hWT^H~ufy`!8t z>R{kBU~xWUa?`>R^(%txBlgsl+I{l%G7j5sw~ju;0Ux{vM|A-9R;G>x8%NLcMi#{a zu?4TO?3>z92KF)fJ0qxjv8`15{2$>u8If9#2F}x6L@*CI3j(S(tn{Tak}Qn;cIEwx zSPC+9I4vbcCO-#{Hg3I^XmZZa_EtCT+Ei60dt%8!C|`pJ9F?EEHI~-Pr~Nt#5t<9} z4@1UKOk3`H-(Ug*zO0Z%7=>H3!3)rVw4PH{^r!?@)!kaP%4UQ;OT1$aT#XhF{eCFl z?Pj0x7R-46Qa;x>y3PU5K%nc6+L@;mfp)g@YdvD#SPUI_?T59B6}`4?DUwWJ6E zXZ{7MLBIwex86TsL)DT#1f2gDXbJ%vf!vw@fQ?m4_7HISU!e1G8B3EP_Xq@ZspabZ zFI~tIn41j4)GG_Lly)`k!glA>^?>cRsl;VEbC;IdK;eenxpK>vgzpxlj{hG)UkF>! z-)s{KAX5I_{acEb9`NPgOL+MfZ{43>%1FP2Hc|;{TzUM>%&S&cu{~D3@@P9!X*A|c z#XTah_WuGps5rEoYSgXBjU~pKH7Ff4FF7y&d)JL6jVrf5b$~^dI)j-eEvFD&{ud2- z0|FYOB6#qMDgmj>IsZ3=wj&Op@4GU#sb9hWCn;p3x8;Ay{5V*%MC+;#S)kTm3;gRT zabAXK=;_~Txc!~F?DzNS{(YPfZ8rW}D-NRD0uudCNIy}LAsYLiryBiFQqX5pm&N~< za>%E-91>g3(iHsfQ$n;IInDcLH$l6_#r31jhtJMOF&z|NIIzFDo|GL=2!6W;O{VNq zOMgybn&5T~v8pR8WNS~k+g-T>0{64MN{Zg{R!dzZZZ+4EFyvl`LXTI_gFrdwv%K6- z?+#V7lUy&lhypHIe@`a$hK(xw3JZ7zko6-!_9{*`ROWB*U6+kp;Hq%GRKNUGf!an( ztkBvToIqjCy@Uke_LHwMhux^AuV0k!#Ozg=%##!o?~u48r{>?Y*xSKz8+mqoV;j0; zzpD*#YQ(cd{fH(X?E;bnwk7qG{K8@E8jHT8BX2Y{qj3BF#(Csx06u>}1`UrK2Gj@K zeWMEw0&SkZA*w1s!{9>ULP0?xL2+o>Xn8RweRrgXf>OSRf+B#7{`Z%evxSMPg@%ok zg{2M9#?{6V$ZG522>jofz>!UiYsf%D4K=@m!uoF>;fFA%{o! 
RYZeUT9Rm5JcZ7zt{{a+NAgurZ literal 94678 zcmZ^}V~}QBuq|4)ZQHhOy9-^mZQFKr*|u$?%eHO5?!C{A7w_GDBEDZ=#8^3Vc)=^gsU^IvDFa8LOI$7@L^em^+!<+R#}z z+S(lOTH3BlBy7XCe$U=)R9y-rSsmkQyX4j-Mlp^JhGj#-%@LTz)0VN5WKNJ>nwbD^ z*tY$0={YDb$G4JfG$fBox&RX-ivKLFu69*z`TBVFHMBbCcj7_D-1Zo3Hc?eQ5fAit zpPzA?E+Im8Up)5xU34-+)o}grv!-X8KP*BiOWK~1g9fx_@O+<`F}|&`aQvPAtTCa- z__N16`MY+ppv{CwUP*CJo8Cy9s)|h2SHcjScxCuF|2G2yn{L`SVD@>g|5~h};}WM8 z$?}bo4Hji;!=;p+3GXSfBg3gc6WglYGWL+YYE-rMx$x^0$HX|_d%j=wo+1=FZ!)^P zNheP@(!ab%2>S_k?~-GcSzRXhn*u?pzh(k?wOBrUy;y1;XHhlNG9mqV_Z>CB zJm2}$(K!>fmI*07c;hPY%($C?b(Ad^+)`2VD>>rG>F^mzSRH>pYScyaTA|u{4{`wv zZoL^ZXn}C^S>#Hpz*ydZ#6S>%VcoPQ91}?yQSM14-}eV#t!ghqa05^|4XFtl*@ik3Rm}J|q6AY>;~GP~{77aP0+8TG6GgSh zVFv17?BIQRQjxotIKrLDn<`})kSv=fjQ}&7y=4()Xw;jdF57M(KlZbl67XaE;4`gZ zO=zN+F{W98j6#|SDES2(D`SUW!8xtl$DHQFpp2dzp|u5oG_CJ=h*D^*0z|^U!+#H9 zj2H*iKWP!o;zRPvqCU$4CRFC9uoFG$&!YxeY8y0$Si`}s;x6ZBo<#l5>vEows`GLH z@C(K2y}_2u3I+e4RdIN z?oxcoNShd74LG`=wayKOlgO?KzMVoQD&c#?99l@Ob!$H32|lLs1f&^c7b@FF*Xtdl zh-SILRs@~GAP?Y~rjI|D9+|*UskCnj@{6*`!gy z`u%qO=$TO44<(_}a(618a8 zWOtO8@cS1DWvQhE{+P%tF?2>5^(fCehvouEfTAbZ2|-}*fKH*htI7sA@gKv=D-LVD zQRv(u1gbv zhzjg`X=e>al;)m(5eMGSEfvfyxy0%-pDh}$7gTMTMG~0%zT0Dme0hh<#WxGulUFbi z4Qdc4^oym;`nb*m!|d-R_5&ALT&Oy5v(lbk28-<{k?+ZYppxR++UM`)|Rm z`ly7%FGh5?CGk(^KFa4pZPhp_2G3oNRQfpFC5XrNNuLF}lcc=eCah+RY? zI1Jo7a{etW$mW7Ek0`&9n~8`A+?2u=BhY>%I}%L)Hk04`txA5bya$Mvn(VyQ|M?aX zwM~$-a!XD8WkRzJtE|r2{=(zD=}qi(rH7wbGF+v1x`Q~MpG6TST>T~0 zGQk1=-MH%wdZz|gSjDXdC`%HkI?bhVB1S$#Tt+skOvY$q z0FfSqqwwY%C&%@~YVNCp?Ed6P-dc2n z{`vU~>$DcRp`J-rldzle{-p2|Erw~NJ1saCwdF&hh*}}ez4)*CMgu6zVBM8|i8pF3 zZCJMNQ`%~gpVLI;CSlgNn5l0g?53YIKIDlbEVzjmD~#+K9txC9wh>txy%fMLQ(~GnhYTf_1Vkh zJy%SE;SGGAF*z`7hhREu4*GjZ0&vCg;#d@H7&kj`nf_FQA=OlPJ>ne@$bC7!n?G3? 
zq6i@qbeWAPnVfA%E3G~JXBwKwH9pUK~)x_6E`FgCpg~O`H2VqHQx4 znUEU|as-gw9|BdNuHE+SPJkF085G0CTA}IMJyf}cKnM5LubIoL%ynE7)w;5Kq zi);ZTmdW{FFNrRn7wxX&&fh>M@9>e)C}L*ZBFBN7gkyAp2U%wFUT1mO+D3VdwdeC7 zlBPt<94uAP&RxqC)xGvHNWi2go-XbT>jzUNO4hFgZq-DBP|ou0utM#P!-}Wt8va1k z;b$dI0P%s!9s-9`!wIt^a)ZVNve*Oyx1gh2nSGfMk1@*ZOQW7#!NlX`-843BjVE#^ zb<1F6{ladv#le%?g1b|KY3MTmQ~>}ekw=Peb)ag%16V+a(t+>PF2at*MtE}0__?bz zCOv0rbe~GLXbl!hY8nGTt!u#5AI0wWdB)iv7eV4>}P z@r@$1eUXIXZ)`4jDm$e*HuGYYCMrW1o_KHqCIFFQUl3r8dVn8DID$lM|=z%EMV@QxoXN_A4J(~%1hzkX$1FzJM?*q$v)Q~&&FRt3Hj zKyoJ3Lw(`r5qBC!j;w%f4$}HcHGzH`Fs_1 zIZx(n{^_w2J&AzuQADuq==5oAjzxEPq|{lo5^k{}0{6n2{3DwG>rn0~y6`0%uIME^ zvi&q4MCjOvo+(Dq6JfV?3d4hI`j;!F+a2_38Ug$yg8vX=8aYTuzD9q@>TcUes4QT^ zFaKaF!#?;}jM^}07|aUX=oFL-m!#;GVNk;;l$qN8770;9fLA8G=qF!fR3J#WJ)9vn z38p@neT;=c1%mL#IHcSKm9_H6VJST5@%a5S z>%rRaP$0PoOv2heJ$x&_1K1OYIopen?B1O`F8xqdOUq12fye|#0FmgoCekYl8t9`B z{bPFre1wz6E?uSuBz70^r#>3Dlyb&OV~jJ`uE+@7I=>JIX6G5TO8us!IZvehCRTan zol8bQv&#ZinOhVT6DCt;8!Ju%5|Jqd;u-op69_PMKd{IxK4P~3bd|4yu{8=P?UFI4 z%7>hO3!F?+9S&w# z%k0`=m;oe?gEo+NX@)$*9IZh4!3OPs5og?GiwG1Bh$Srd!*^gHbk_7d3bV!chqTT( zV0md46tRc`86(45VBbNrLqiKl=KlN7uPr?)zNJ|EoyUk#Po0QSoQnaKMJ|aLjQ}9k zre3EcerPXv7KwJn&2ow z5L@Yv1iLFOF!GOe*|*qbX5j4>$tjAc!bR|uXOkQbUVMKMtBMm3_YZPIu; zk52m13)KeUerX{I4*LXBeYT(_PQk5h48f4RI#CrPG*q!)!+=6S`k5SP&Gnov_2~tM z8Lf4_$g^>XTablZJr2{&6HVvuRpd9xM2QW2s&g9PQb`;#ABu9J9IFn~7*+C%nI=cCCk zeOaOAstIY3pw#pA@RDWCA}@Ff)t{i_K5cP$n(_RIcdK|6LhXs8QKyWWjs#~Z!szwW zh>k$odC_%Zk#4*Gsdu7pBhHs$3*ZJXSceuNJcwyY~P|=YO&ptfu&qplxrA?0P*sq+5 zhNZh_A8>FpU1@Q@pQY}Wj(#Kx?IaFHsM}}>f!qS`*AX+|6&xs&Fzlw6Ux!#-RLZ~b+Ws`U z9Shyuvz*7k@HVJo8}}vjC>qay11Ry4fo4kdjpgvu*VZtA;HEJn7o}9|AYXEm060o1 z9yQtJ=oo02?u3JzkIiRRhH$0>MunS-TFBTo={=y0pgBTMnbrDe=++ED@{bMJd(E2) zn^@Q@Tv9T#*0ZrBYk^o#IT;b|aET8N2J@&7mVq%WfGsE!0KFt#xc73Rg)1HpLUU6a z8`+2eGw9Hbvr-Ry(w%$zP+7)_{{Yw`XPT-Tt$CZ5iR+?{myUqO!jKJs?4vJ_M0JZ$?IpkO$atN)eLUFaql z33f``kyfp-bO9n|X&4@RTWN2jJay4TUvC`&32T^Wc@pE5cK?iAxiQO%XE@AsoltK- zT3VciYI|Yk25n<2)Eu*Y*qCNB1 
z*+Um>1mZ~b@E}l0{`*bu*HO7`3T{NJU;sI~BLvB0Lhht9A#;pr$L-*$y(2b6q9z#< zs82HonR~4 z0(;YY5Q-Q#mnQ*rmS|wArU6)Dk4u@-d%XQS{L;t#$JwsSJX2oC&M@2xWB?iYb;2=t z3RWXByW5ISYfsq?Whw$NPF2anZLz zGD8OlnJscnWrKCOQ~MrY7}vL9p@|;~6nz|1plVSuCBV|Kgkm2YLpsFlDhl*7=SkS@ zM8pI0HAsQT+JJ05tr&imG;JnVAVk6b!g};H9sss_si-GKCu*y|wYJhePAb-GkT|Oc zJFG<+4CiTj3@?TlDqLXnrqDLCctK4pd&jQkW~>Hyh1~+p9S|9fUkcP~dxMVbroCz` z1A0CzkdEhMcvi9b^bORLQUaw_FluGk0lLyOpZ>}lG7|>jfC+-)E)aO#VejdVga=K!Wlk-I9l@O!iVEmW$pmuo|^i zoFnF^EMtTo4~vdyH8&civ!AK<6T_{LE9J#E5^^0)?ultJ3g|9Iflh1*Ibc&w4qmVTZi+k_|+zyL#<+KH#72E@*oehA7F71f3m2p>Oagd(DAckA3$O`iXXGMx1Hm21K z_eDjtnn4w6Z8q?26G92+3r)N>E4;?G)e#3Bg;uUB=bm{>bQAp5@>L@)=y0k~UCF#G z`|E2$Wmn7}ml zt!Q(7dlp?@YuLD^=i!5)idCOM@R2DQQq8E(y8dG2eIZMDxFV{vGyvoy;AJ0EP5ccr zmd8IHI|y=KKxtBTi)Q0U<5ESXSr4IOT|t5E-i-9Gec8e>TxHt zlt}_82_?1Qpu9AgGHoQSQMQV1S#YV1J1pXno~EV_3a!G7rh#qQp#9Vj+U{+r;oz&f z@1{1bXj7JP*;?Sdc9(hs(+C^UQTfJ7nbU92I9&kT;8>;35U!7zYY?R(;Wvi!0Mp5Q zL5Xc~C$uu&@v+l@!FN7`OU7+Ksy<)C=k4U>E!?kcJmnidE;`)b*!2nl}?(Kw+F!G0Gf5^@}UI_p74s_XmkK^+dqQuJG#g?*no z6)&J;mgQh|j>gD)e_YGxKH`SMN1Bkm53!P^2kHbE$~)(=m*XI6}K6j=@861Z`qz_8DYwQ=;v{Uj^mkuQzB`Yb&4f zlJ-)iVc#1WwtJ(TzdHCMICxI1E42Yw31u(jV8E`HinZUjeBMCq@JShyRg4-;szFty zQ+7-O^FM;FN{2G^17mD59~{;9RM5@MuN~f*H=%jLA*#@3E1fd)th4J;*yA7iXb=ci zG0kZK_IPp5-iCAcTRVsKmaC|)W<=deRkbzI2mbJpHd61@#XXX;5F|^Xd>{%A4Ar;h zZ0dNrnFFI4;$^4{z_N*CZp^#t$9BEtESCv4(bi0aHeVjV77g#wQ4dx_=1IpIff)kd ziH_Os>vgr0LW%`}Pj6?vPn3UZ^*;utXvYBSeaFp1<7Xo5fuFB|`%-~NZ zO*zJX3rjs;MWbF`vy7JUSFi5h3j5XnQTg*3$;eUj>8aq14a;vukhhxd?#2MM5{4O_ z0qlj5>NBIX$}63gAl+vPogR)8ofK{DljukvHGhdJ9iL8AP}4G#QS?lNDdy`v)7HeLE$Ki! 
zF}bu6Dqt|>MT5@N<@k1roiGoTKkrvQ`gCKSM@y!3ttXyRvMI^wxK&%kgQ%w)RC*jS zJK_Cnq}bh#wzR6bJpnUL0EV}aD~y)Icq;)q*=b%Qk2ob)*^{ZGJ~k6zuvlb1CA|l{ z5p}hjK*q^UUXQd)%}6JWZZ3fTfKnt}Pb->hZn=8}L|eZDr1#qwZb$H>#$cZ3xfY#*)I*U*J^2%o-fq4;RFlCN=mV4#H*cKTtEje( zKgQEN&r)Joq)#^6^|TL=_koxr*_Wj?On6$S6A&@fC@|=Ys&T$($(PJ2MB#ta;zABi z#3~?t#y8^;i$CnKTxxvQ4bpy0(XNHD!syBHW}mN`-raDD2X02iwFx(2*x)jR%79KLa$Ue|D*l4E?n zMT%=_Qd~2_=M$XS!_heQqwH>Cf@Lg<47f8{dYQ!bbv239w8QQ9_GjA=F-bY(=`i!X zqEa}??5I?T9zGjT-(a3rPnJq5q{g~3H>i=0BbZA@EctV7UcDL-$YPY}u98pvc!&ol z<;+!4G(EFzLGkA~1HO=Wia)u&wMe3&S5);$^|w86W*rs~L{!C*Ow}TQmyphwpcAUk z9%`Yd9BOd@T}~uEk*xR%Vx7q{eT^O-q;p(nfrE=s`6T?i(kgANiVw+txO2dk1uJ^u zLP}N|`nsR_)EfqpBVd%MRI#4A$Qc8#Bira;dI^- zEM~{dwH!Y!x@~Cs_)CAs&S07TSS&{?zLqEU*Uz>4WRA_P3u7 z@Pdx(ZY+vTOx=ulWJKKvp0J*SC_Fo-R+|C%NZJoEIh->aTc=!QZ8k;~`b#`30!E6> zPE<63o!}Gkoc=qw?mTMHD5-ocMTLv{cN_MZVamB?BIAPNKwKEHQBP5hgPj+XvhJ`9x<*AnQ|>2=dLxDvAS8DK{oowvAVDAP_$0B-Kq32v zXZ4x%5amH_1$9R_vbGg>%D!IE%}%7%VCX zL1kXjnyk@$Gl#xI`mqW9C9kKa3(zvBY_LWp`eCPJj+@u5RBSq?)YfepuI8FIO#-V9 z2@y3lCh+Hu&zBRQafWpJ9JcUY&L-YGS5uzTknAmO_V4zv@LT3iET`(xkw`&T-=74g z!D$C7mag!Vf5hD{@xEEwmdywQozzxZYbhMR7WbW~b(vWQa;>YL)Av{egLLXIdidV4 zd1PnEGliS_$tBvG#MA7e7d;`^+-FO(geAJ=qSifi*>rCV&$ONjsVTVX3uPB(P{Q;QW`EhHnE5e}%<@H=lA^5%_&s>0x{l45}wfrh3Z z#s(bJLQ$2aU8CH&$Pc1&W|H_a<69!OgnLwJ-lTkUmoP#Mis2N$sz|&mRFW$0kNoM$ zQ1EWB=R<>``qI8bJ2?Ut@?az)9zDxwnH;+!o1$pzy-C5DFTw^_Toj3o=4`oCed3Tx zYx?RiRgR2=+GJx`z`L=qw6X$WNK8_1UN@qbw}GL7Li1wJAZarRrS|@GBO6aX0h$9B zTX8{&R!1`?WgBv_wf*BMZ*XBTGs$I(Qn zYX?8M9icsi>8-YZ`ciQ)dOd7l)=%Q^+J?@~ivhWVAOVH6c_Y~}-l7DZ6*zITt>L=f zx2U`}kU%mTm<$~TiX#{UNvMgR>?8g|>RA;FE%Eb~ry)VI^Y!r3!kj}H<+`&>*3z_u z>#l0k&a+SB0~Kq3`m5?CL^%1Kl^H;siZ(513mNUh$wZ$N>8EonXco9K0E9;>xbOI` z_&Qg{FBNvGJ1D7XN69XtZ2sML?%!wL`Im9nbNQ8Vl>wpDXzVken)l@hNOLQAgqSLA!nEnJ3LuS=Ff}1HYP73Bl}4pQl1)!#s5W?9#dc*30T?Gs z>5%HM@#iU2^W^E+t4?{!qv%GkTe>iSpYAI=?6RHDMI{=C38D(SA4hr+hwIt<5`%v zL?&l{e&g;BAG!4YL>OaTP-_{NtS(Gi<}S0Y2xknYZGN+tu3Sh|tD=-#&X!hfalOca 
zC#26D{vgSn$(K)9I)YoyxK5Jn$SFFjYOLQCvl*T3?P}S#780OAm5KB!Mpsas!+MFJ z=1g01DXTSnB=D+g376~zV(15CcQZPA(i4xTZjEhvzqNFagKydLfV3N&0No*)IT(eY zCCr=}PMUf@+9SYld>7sx2jbdZQ=vEdr*m{Di68VmA>Ry}G(L}i^w&*xThs2+AlYo^ z)a1pLRsuPuEay4uyniiJt7KbhdeYacUN!^mcqTQhpF8J&3a`2HlNyjb9Fo`JU9i*sXi02~;mkF8 zi<=9hqqJFiIi@i1(Qu^V~H@y!~)Wp%FMp&btrgWv_w*uu?2~UsM=#JKg7x45t<`N6JcaB8+(gLC<&m7IgpT%5RF(6)!J_R}$H@fr?^ifsS z_(c0^h60t7aIl_WLh&X0+vnk%)EbyGsI-6)+Q=nGGN zcsV7?%)Tg(B4GoDga^{iH?d5D#OVa;K8F0g1qMS+pyqY$9B+@LmzAJMQ5xfbpAyIn z4Xn6&a*&#|7622QCod80zZ|C46jhHBNrt#$2VotkA1Q`pW9K|*gPAFQ%}2H}lD=7s z#<&lniTpn7H;CL$Tg_k0lCk9*UTsZ1@Kz#JM*B4PTIU}d4V_M~TwCp4_kBwcgGUba zDLkL;NgXqNO@74t#$VuPB6;gGP&g6KWW1CWOSN38kK;%JHpom8Y>muh2j)Yjk>6NbBKa{TkYID z7y=@_yOl9SNs=*)P9Ah3Uw+oztlPN;Y|xq2);gIC024IcXEVV(<~OU2IToCL#Nr?;Fp@JNNCA>9 z)<*9rO}1#Xs9~=It>a6BqDJ>dxZp_utVT?1Bs1AOfWNkFUcq`&Ml^EoS33bL1_%r` zoM0_;(6yp&D~Hqh6u!Q^PeZuBRpNf&$qqYKJmWnt zw|^Q^v$#56^Kw@*<^=}arbh?iHAQIS(_I2pF9^ilN+5na@+lX0ov7z^`BSxE{J1Y_3IMAf8- zm{xF#L{B&mY)+BQQ4_(HSde;^I*?kVV~JU>$Ms%Aa+)=h+OYS+aUg2aD<=)Q>6>G} z96fpKO7y9)vEn@lEU}cf;_X^N$ejzwwITFE=kTjFUX`9+2#7paM7AlPy}_Ys4Z<(T zVlnUxxCt5cjqP#2qNw3($Xi#sl6~`vSAO1&P2^<2R~1jg^mJL2)vG|9MR#}F$ifFT z##MqT`&$Zd7KuR5gE=b&-T1z9pNDzN=tZlAS!O?;Q-1vS25*1I;1^x6Gw~0qOFe?q zXG!;kb}AHeT)?e?aGvITCjmsH@iJLFsR|{8uX={*J1A}W@m&ut(2wG*wS=$bT4#|5=NPgv$C174xU{!=@ zb^sq^*}(CTrN%~)J{B~F8csP%O#H>4g!)3&$5FSpPMhkSt_NX0)gkv%zh_fNXt$eK zX02$t*LvrBpEcSsmONgD2N$9YMWjcyhl6A+56Rq#Kz zd$OO0(S1n@@IeAro#EfXOWMBNhIa4u(fX$EuC8UB*bsznz}Pk}0=wK2793>X!}CyO2-qJ?G%R z1HvvHdX$hpH<^3`+@%3-Py# z0|Lah!U7=vxm0PbZ*HSvY;9-t=W69Y*C{8nEo1k^Tta%lM|}~<06k!2rhb3c|6;NP z4+k8vbW3;yAE-TFE6C1Kt0`>Wr}@}cCLx9G_+gYik09Icw}}QHd0dpEta|XH@auNw zyHTs_WjWgypMMSASF6jdXM6kd>)}ZDdF(v)X-Rh^_SWTl?Q8p!t@|l6Hq^R<9R)d% zK|HM!^7hK)-V^zG`*wdbdUIsicir0N`*5h@3Bbp(V`lvetEJ=dsF@SaJv!4DZk>O) z3)W@Z=qC0k@FTu!yJy=fbM{;7{nDgG@*P#{^6L7EZT+*yo5yE~+sm`_8eNw6uel<7(-yXpgoX=JhlX31ZDa2j3g6c6 zPdYa7)ytOi^>ag@=!C~h_S+|qZ$4YnUwm+ktM8egdY4n)9ow<%t?L`M-XF1-M_*Tm 
z=ryt8uVvdyi46{Bmd7pU9l~<--J2Kc&m9=LRU4l^&e(=w`c2!FR~I%d_3N=_J>PNi z{Wd*shnWL{vmMWw@0osg)h9EEpCy}MJ!2i8cOFe|gw;ze9o~(3=FUyN`070$&8t2u zo0|A@j8l4QJzaY5&lQh0sCzD-mV8EQHhj&y+nqYuE^hXd@3B|0{4siq3uOAo&$r=~ zd^-FlX!n46y59ITKX}+G;Iqf40&UrrD_UBfj-Ef)uJ2qiTk6!YuN@GpZ1-jF zAFuYlzHC$?)~)yuezSP5s=qXnsoP!;c>I!odaTygs&%}%RCE_UVLZ>L;i{^1JwN}^ z*qtq?asNx0{JCPYx~e1mlaJ2z_&if>(d_%}p7Lr$nVP<44Zf!PL@cE0|X7f+$^*43-AGY1~I6mt>U&ib=f-YXQ+xnsS``<^KnfG^} zdGc>uof|%H_h(Kfdf$h1HtW?RTVC1Etv)^5U7XG=9Tn;oKJ3nGaqng76}r^d`90g! z&pp2~+~QOhWUj4XC9S!8?vM9NE0)LiFF%>Tf3Dk`++NYWh0x4jPlNyNYWH9!x;j%e zw?*M;_i*;@_8SLQ!c)4&a}IZ1;Aarx(t0Gi05mq z0kL7~@o+}{P<wlg!ddv;l_d24g3@(Xeu!G80I-NVn$HEemj*_hpG;}lCe zFT>@!yJ>#kT|wuw*>|IxS)L2rGw;V2{ANk4a8xq!e`IF|J71l|Pda;T_%Iaw6uz}) z`{hwVZu+)w7VDf*9`&eU%9N9@<>QF1J`vwk66|ml#9J0W@)4T~ZrwPy>{ZEgqTtS= z9LKYXQ3KCq?5&{SJqx-7PW#WVD_}nC;d;V8H-^!O8 zi&2;P?aZgZcdoR991}`V>DNl#WgGh87bn2=gZU<)h2OY0<)GEbE2r;< z82Va5X?TdmqCx8lm?RVGQAm{XpnG(7Mr|phTBixUlp@yPh&%*KRbpC4w49>*+3gb!3Sy<=pBC6eaN z*B`e(fM~)@2&1g%&yb0)A6Jam4-&>ePdK>?(UK>`kdi+<`V$e6U67zET9i-`wbWE> zj3JES+bf80B$Rm4R0yLuA4s2%|4&eK0vag@=ojr)SXnG^;xJK0kXQ~yl4Y%4ii7Yt zM=p5MK6oM;K79Sr+g*srbcB$yQUQ(0SO$p&P)B`Dp;kyY!FP6ca6}v7WLGXq)Hrk& z`8DFy(bEs~`*5)U(jqT6IvW0e(G&lJp8ksl+(qLc=r0ed<$CIG53|Fjf_)AdOpAn` z;4yCj!z{n=^$#v0+)28*(bo8%bk+V%w>IN%y1Mk0{t)L#{cmA*uQ4LnRJ95`nz0FR zAoeDAQK4?ZNzK~zStiwefEaFIM9>eAhG{{(v}*N| z&yQS;K)SG&ThNGUom#*@Zk_tBXd1sKD0sL*)ma`q)`yVwA z_k%%N%tREvmX52J6yHg8)~QrvqqyRfB23GomL8Q%jSEvD&p`=y8!XQ3EeRx10KC%{ z!<7+(9fh_#6Ue7)Z6p@0h?#|oTh~a*D&bhhwm~{d5HC!0m5?e+_{oU=3k%F0s0A)T z0Cd!G)tLd4m4Lpt1~|MOxQUG_lb2zdBumeyxR|3UUKW&!l(XlS-ZKrbsRJ9GeOnPzRnS#(1ILs^- zA|a6cI}%B8c9=VmFI*CTsJLUMo1aV;0=j;I;7E(Wm>&DlD72kyK&=V+k*Y$X=E;Ig z3Mr9vQbsK3Vc_TC{Ynz#A%Z#mL%@FtvSP!N_(PEN%`HK`2SMPq7D_ZvK9#_qw`>bb zZhMM3oeMm_Ofk&!d5Gq~tx019_x0n*Z|?rhH2vR9H+cSJDnPg9E~4(YG3;R-gg#A> z)hUAWo)$?*j?+Y@C7of0@rNM0hks#3|H629|AA$A466KrDUk*efDsqpFH*)EwIuc&bWD+NfW>s|e~m<{5Rprh6_WN9Lm!gQ?o zcV1f*MzVtx=)~+f%;pz2LeT#pbAb-pvUt;?u;S2nF8oDwfE?yl3s~iMo9d)QsCk%2 
zYt!h(o9sv9CE|YndBq3>n+6}q^EcxE5BDe#vgK1CY8qSrR|cs#w_xOj_6?Isit)$y zbVM~u7BEtM1GNp}JEr1Z67f}|*sy0{CtLVAPbRs;K{hoqhi4oJl|arv#Q}5&oW_&*4QT`f z-ga^^m)M~0bI=o+ycAz}mqr*qAv$6%G;J9W)ksN&-H1-C90{5AuOtrtUrCfN6AR;|IZX{_JmvQY|76g^#5g^E<1?y1=B3E*#^W;TE){OMDqEZ(qE zXaSQyxZVBV`Bq_0bz^qcnslsE#`o2*38n&sASh8`As_|$%z*?A|HQS6Th*S%lMw?Q zwfcK%6Iho7I(~ntAlDjC(u+=%_ag`*vv>7hEBt%rzgGApknh3E^cz9{ zPtK~HmJN}QeNe(p;*G4fK}e%PM)wc85|=!xDY2dOF8^`lb|VW#rzefzhUKBV!7^qZ zLUBnvUbAklrZlF)1XA4t$SxM*|3z4R%8~gEBXHArC)J|QlR1b=WO51;N{56bwS+w4dFjs%`Oc}J9p>foCIaA>pY9LjFpu^Vvmm0yDoT@OK#_ZLNiPI6|!&Okyeb(x4KQnR&#I{weMb!TmpG0~PlQ^tbb&J&bgn zp4|Sj9I?Y;y%bEc#RDRMI`jC)$TJRbS+izYfbRb5$bC5J=-Iq-)B;xq?g@PcF=kAh z>UhLVQ(b8LUF399F_JicX59ZR#J@AHVMKmf*ZuJadWGFxgh7DPdmzFz)q%`pAmq`s zM6e{$0J^8we?ZUtVRSx+|A?5M)3Y4L0lOj~qS2iZ*RWlay9#2y&|6Z81xP%*d+*IFe73T<#|HnzT#dS#M?_^7^>776^iHlm;4C=ZF^9&d3A3mb0gStAhmTBqL!A!^L(TZlkp?WOpwB|Bhz1KNIKAXeQ%` z=b@txCJN+p*nUtB|t}YDqY;+elZ{9+Y{C$j~a}`qXxWd zI}x4imIbH%2U~Q2f65d7$CJBP&JEm^)l;yH%yWhu&okJUD6^4M`ho>e@ZA^U{tN1% z41F?`^QUbCa6OGQ!P=sSSjccyM8=K@gN|>3G;?Z{i+abPL<8UkdWz`C{$m2_#?s^w z{1LR`?PLze$28u(60<+U(&dbZ#sP!jDAo~DvLH3@M`_}J1*dCUq2}@w`mp-dg01pcm20S(}Y&X9kKB%hVlb?1FR zr)D7-2+1bz6DF{cezXkeZJ|q6U>22z$@sAVZSddS&=pG)F`dJ~`)7znv`040QHwH& zsk~%SqrPS&?U6Z`8!-I7j~5mGU(ntWS}57P_6|?u72E9^=e*A>v6xH6JRTTVama08 z;ZjrbWpzBTSZ$yG<#d0RjcT92GI6q936iCiaji2A2qVltYS}_GP01(oMk&pYN=Qn= z`n!$&-|L3@NC(Ly81zq6Auz`QJJqku5OV+No&^7S5` zC1^l$PoHI<7I7=Q^(w|joGwK_^ zPlBRO9XCw&o}7k7ELfjGlQGZ5jKrnH)}_IQn|c1|E=V4jQJ-E3$Y>wm%^i17Ib=#s z9>_~}9D_Q+1HY zTt-T=HA`nGtNg*%^(!5j$-sHetdpteEyMZx`k0o|II5nx@xq%f&sR?)>PA0 zRZ|~JOFxyS&LanE;SkERa(;7V9lm2=`In)$m-`{sa@ptdVxZQC^F1M(UH1>YZ6EJ< zx~mK@*W>C@f%q;DkfCpW&+GOLj)X$!FTDouP_xGsi3>u?g!ZC(G1jUCstV_JCgsfW zjONus88D>WAW4KB03#|*PA+-7$t5dmU)*&=)92^zUcQ;m-W+j_=T<@lhz+-R3eumO znnVb@_V+hoH#3{Wti%%sB%EQ4NA7gWHagTX2!_qGp&1uT4Pb}es(2xdvzp5&=cuiQA&J58;tTj zHaV)=O|PM%NojtY;&mPs9KhzA(z1P5M8!6-%;0s1qKOQPvoc@I)&dixv^oBw>$6I$ zcP4r*ZconW7D`~*A8o0|IdwwsQ3+sJ*yeePTOx*m)-2-~=7m^P5x=q91(*wlGTn!^ 
z3p3NDq-FHn@7?xmttZ_qrR~^ky7=qZMxH_!UI+VJhC82p_JYum8hOTS5*qS1B{97G zQ5mCL++8Jw1?KVu7BgBqxgnjt+75 z<&X={JsxajZ^cvM1Kb6}Qm#t3+XC*^9ljZ4B^dXQ^hAcZPOtPMT^BD%K6tpMcA3Z0 z;$v}yG&fgmo8~Rxff;_$u3b8}k3?Cz=$Cf>{&Xo@qIdPd<+vbo(O8y%Wv%t`kvFCn*9d!(6j=eu`pNG0_xK zAvr_CG^6K=B=w)EmOp%4L_vb}?O-4o%RpoDKX~8PF1;A-Vl4?wqN6=Waes2+aPHwa zwvlk0UO1eGsg1r($RxMP%{LR$@qnFIJ zVNGJt=La|X{PP#!t@5o(W!$)iVcq6f$tsOfGHq6a-Z@h|2AtBJ;K$G!joe|`b{X?- zR`W#H>w>-V*rf?h=oibIIoV~=H1Y1V@2emFokX+o7|vI}JLFd@!foFNJ~-qAjvQZiKDuM)7stmV zyJI)>+;BQZ_hh0}7xL+pek9gyuybTLvRgrvedh*OF@Nv4(G}0$0d91)GdFS@U2A<~ zw!xK6?6x+zp8Ec2qpKS4iZ-{JrcKV~);4pyve8w}-gG=|wX-Yz+S1KLd@%o^1IfJ>w~hI z#_Z;o+y`%5%PS}(^TxjH=6VC$UrKM8*Y+~I^-XJcMfGN8^Q)Z#Hmw&H(SjCoLWLv7 z2KL87%F-%3hbNR0rq_leODdiALhs+SrPUHvOJiqh;Tb61+Z7BPWtJ70eDU1d=c-8+ z+Jxf3??e;NO&XdeOs{wpv)!ZxtWwEB8!4zYwJW17d2&n1q+OY2D4FvzK-tO}2iXE%i9aVSw=y!J z9T(=2=Cv%ZX7y!ievx=pe=6cx?KThz)K2-YIgBRKWSHirZP>3(xdr}c%!(f~@)a_v znukk)D{6(T)ORl#Sb7EWLJ;_Ck+|5h-3Xl+-j$l8f^5=_A+vgV>QpV=WeHRjaw02d zKEZ2pF0OV-udtMF^b(%!&yY{b=s~ckId-<|!OPn>EIta zU;h(phIzd&TIb8J?}@@P*7Kruyvq7rY2B{AUdwejQzouRG?n7w#EdWRNV1IFPEJ^b z=E9OH+hHVIhz&&zvK&Op`+1b|@2LGcYQK(+@#`q?=SXW_7BCuAj0N*>j4&6NK}O z+S2V6r>fk|$Oaj&6_22V7jyP5n`4|-p*@wiI-72MR;lfkc1Beo;tg+im5tO!8;@0L zb%}k~CK`uTXk*bfZNrSeDzvP`u5R;;yDGIWcN17>vh%3MTjkqTa?iMt##!ZCS!Ih^ zIFe6hd{wEvm3E|6R?a7wrRq;@+bcA|1#YeBt}5@wn&-Y+YA^g4?lP%blTzE-C#%|` zd(kJX@FH8tC#>!QTfZl)ZTY?1lU1_h4(!S5SAG-qgjFoF7kaAdRolxvRV^3ThCE?a z7uh{LMs@YtYBt(=TMmQa*o@=mn&nX$1BWGy2Zn14RExzKBRtnJYF8Aa))Zq??$`dt zyPwEEUQ)nX!CX%rt2RCJ5{!gZG@X_5=1Znc9M8MxgpmYg+^4uWVZAQhR%>w z+Kie#A~c3w#5TuZ@_~jr%!mYyLM+9IB-1p9P8D*RFv#iqCX*brUm<}I3{ewE4Lv9V zN}C8P8LR-ca8b-!n#6XfElq3?)1(Qf!GyhIwlNWXX-y_kJGFr5hw~g+AQNcz&nb>T zmg=^U;WC{h@Vx86qG_MAk=**$7uJ>it=IjncW|&qGP~V&r@z(gZ^03H9KokgkPv48 z{Mm)qe9FQvc#m_M=KkX!O@kbdT7T;S@?r&P@+pXK(jr}a9g{!S$*cAI>%V!IqSY5r zHCfNNFL-5Ln`Rgc_l|ml(Lt+c5AD{zGqPHi_3EH?ygxW}4oB9=>F!ekrAm=i$KAyT z%fEH#YhLqx?62s9^KUZ{(OCR6oHf1V}C#6%l=+3QAJDxj6RTzEOr2qRj)NRqG%6vLh|C@A~oHi 
z*&ta#Oj;OA|Ae^ii0n)QejCRH`{LL?&D$t6=|6J+kFu^o{=n$t|C^*r&L+(_^FRB+ zy^nu3SiN?4r7lraOesUuJw9Tb!OAj)st@tMI}Kd7WJZx1Rts28;0sHP>tR!Aw-pUV zN^$t0vl=@@Bx=G5WB{w)34tb}`Lgn58zd!cFDY?o7aLT1Y8k;{j>#b*Xg={jU%v+S z>~CEgrHf??BUG_@eot5L$V`9)_bx4E9=w_VHe8f8;o=fjw|q z-TkAzS9`;QZfCg2R6GL?ybW-&Jk506%n2r@7ry$2((1K`>(~SSmf`}~2Y&{kQhV4n z?$8VmjZ)K4c7NV16p8XCp-7XOgYk#N6s#v)(S+N#dxPHo!Ju{E9KhP=3=Uhzql0d1 zU>)}k4_x`7@| zI(Z>nWkS| zjw;wiUjlD7W-C$tx~A!<$}e!vSM=q5<2s)G&UjX02_%VBqBj@blxsOy(sMS9+S0t* zbq;cWaibaPNNF;fed>Dr8~&BtV9?$@Qy07;cCG)`nhx*Mjb@&XtjD_Ycf2Qo{Lx)- ze=(#*b9E9fkE3aRA;=Bs5_;w$K*~cSSl?K)X~0-UD;Hk*v+=+Q-%tW9Cro$zt9t}r zgG8<6{=;^L?$}}@Gq%3E$Qz+Um%G>eyB| z&uu!L?Wv~sGJ02S`eYVPJjdAh2mbCSI^WQiLcTuB%kyR(^EjSH5_C6-B`8=`FA zNiCI4eW7fo7s+(p)k-C{BuTpstcW3>vJNUe#m=9JLUH`S~zZb8~uiQQlUXuzEIEpahlU zDiR#RMO*gNm9|$f)A$KltsJbPxcil_U|alYTM~-c#&`P~(&WtCCb{I1mLT1Q-4$i? z|N*eJ`vRW|hd$v%rlWwcbJoEj*N{*#+7ADaFg;#3LiYHhK=lxI=arK=C6LmoHDByaAh=lmW$)s;HB+Ia9RRa?KQJ z0d8IO_wg2k8tUbC`iUgVdelfT-WX7V$t{{rB7IyqjpJ*Xjti!WNg}W+Vp4?!ZXk$1 z^I&?QzaG)I5b<8&qh_{PVzaQYT5z>1by`<9ah>5EoFW)xrHiON4NDdhY41@bQl6@3 zv-LAePAzQC`Xyx-`fy;{{$2k8vMgw(M)+d4s*AEZu|#b@Hh zv_RVF^4X1!QDszNurgFm%Zy!-YOi=GE2%e&-enr?#dC+`wyOdEUSpe*Pfc8!00IYf{TKG-D7>c37X+ z2%j=1s#dP^AT5=<`q6AMtgbt~n+>RIpLFWkJ)KNEcSxDHCEVXye-rL+y8|y6?2h5I z;e^~DQ2NHTnU~N52od9@A8L^IZt{u=nMAbQ!E0-Qi`f(NugqQL>NPbe z8V&8m$JAzg%GSgnv`SV=3gWDqnO-k)*`)fjz74JHZD@sJUF7|1j#OVf27sV`nRy?Y z$gU?$)zc8srgYv4tC7g{GGgKM>R32yjD^GEDt=#)aC+L@A}=8lPP$Pv@1oO15_n;e za3byUs-;htf}nc9jAp|-VnyuaDZDUgMMPgiBD$j_mTdzIMdD~lE-vF&Bp9)KsOTxP zi4^Z0&%^(YAg^O9CsTGXg$6od2q#MT)0&cL=-%EsFl_V-=7Cl{VoaUh6UWrK;$uS% z{vtOrhtcV*GmK7mZ**{Yc+_nj9fCmH-|ro@tbO}c>+o=Iv}aqL;b3^c5cx8t$f_r` z_Ppj*!|13HU`#&1<-_P;mxT_(R9G=uLy+OGTHS7|yZ5ns{CaQib+^;*9`^oMHjoj+ z)IFY@I*Cy2y+w84II6((=T>w#2&~Xnn#&zZGUE1>uE_q{D#8N=Z9q+UWTFkIi3o+X z0aX#Pmo}g(BG^;usvNAXDl)oM>AD=Qtu8Xa)CSZ=#?RV-y2Rpo11b|o0V`dZqg7P~ zVY`CxVS9sv;c&m#X}z*wvE4s_v*^I;y=qwp`^VkR(ZS)-@%{qK?&)L_sVi=;xwZf* zS8>4mlwpj)CI)JD9`DFf76+;|NHS?&ypd$eRNN8$b9Vd@L)a}^BpZS%aY<;GF=8JB 
za_N)!%@rX4u-A6fwR}$x17C0Ymx9kXf221 zco{k)_v=$}IkWfESd?1x;oN(mW{+q*sk|yRKd^OWCy16dZ-!_|Q&S}Mz4{!HrmYh? zFi3kg;FhVh8Z_cYS9Sv&%wWDi9a(zWJKWHjQxR51l_uXx=2??@I&kBmzFc88VQP(z zMn}g-ok8p1)v(*zKiVI)jywB%t;1e#f6wmO`;KidIJMZi;URk@rdvJHHfN%-KG`wP zuh^zImXZ$*W``|1D)m{PeylyRq1ESLdI6N%u;r&`$=TU2)FnLmOn!B6aQJGp@3f9B zd%v}RI6P<_cj2#&<8%kT;j7V}Wi2q16ER8FHES#J!zu z9h|Jv2EBPOZYXlgXrU~0uFSMPfc_@zpjRkD;@H=f1PCVmDV#-jX{+Ur;?t`6uW62U zG*(@xB!3En)b8=hc+*d?9-h?7u_NC}{>o8^bLn#hb0~6dPzLO1A9WAQD{6Y4%);Io zytFbVPqO+OGgpMGC2uK3QqBS!`}Z1I<8QoL&(srR6wuO*{_rV zYIIO7LwCPw2}ixE87h^~#XVBh43)YSGwfB#0KL>Zs+ytdIP?lwDLrtN+VHB|=~n7i z%us3IFhh?tb2H$-Zy3mme^w3vs)`Yjp)d%jnkfzh$|Vg(02S3`H6=S#@`kg?G-}{y zUSS?2)Kmp=6w{;}hW<>xV&Om4cirSqEpVtQ_p=KgnrL5KtNgxX{(V|cCF+*7>Y9iy z5lU1|^gTur)p&Xv4o1Ri04GoUp;}B)!@tUg88?0_Jx#}ZTvPB+&Mfig^hP?c7J43@qhgH z|NZ|aH)ozZ{EU*pBFJTUZm`gw8BYXgErpJxD1z+J^*lV#j%Fd6irtuvhz{ZZXTfA% zAMx^zc)S4Z_{Mev`b)MS*#3>h)Y#T>%f~zr%DB@w<3kZCUF*g6kbQk0esFHFH?$TI z{(W1CEK)$Cp^wa&JIySee$tDCm$~J^_f#Pz&b=ASXMON3RX~04Et#QGx7G*WvKcB3 z+#&~GAtjiEO&#;Tsc%FGXzksJjFDvgl-Q>$ixL;0=T)Qpz*e7$sKk3WeMZIhDbfrw z@`jhmsP<8l$b)#9tQmdZkf)Du-jv`JZ?bl3W3RPiqDZ^&;cW#`aYO?|U9yAVB+g%W zM~5+^?2tq(7IlD|>Yz1~1JPuGWAx6q=4dOty@4a;PG&t5OsaF9frpfk&vMV2 zjG+`qXCm=MgEZ@QOSuQ8A!9eOkEohJHO?8^5P#a{i$`AECQQcbuOv&h=+m}rlafXs z5vh+QAE16T2^{*!pOTY*H&KPlIBu0_rsyiIrTR#7bzo{h*EVtsjaf!xH zXE%7;VGvBW34S_>IQGxQZLBPv4*qn(RA6c!;4hy7xxzN%Uh>+!)E zg-&$$(`-7G%ATgsG`>Y!nTg_Pl=$k{k~lSM`G%pKRTZZ+q?@Evo5>?@G7(o;cB#qA z+O?Vp*U)b(ic!`qsme6z@8+gRW=jxEFlUN#rFduSQ;x1LNP3Pk(@WJIZ@->>oF`PerOUmDeYgL8(m^$uej#j$~%b2jDJf+-x8F=oH#S>SO zXC`Yj&uOSIRv0-^@~9sY>hpBGYkJ_KW8TNE?H5GPG$`Z0H#K}|MY>Lb>CyA`;<8v) zLn{oe`HkoJx6`{FjpG|s*NttI!$Vt;N`}F+dF?a5W8I7&wMHmvx>`?PT%%e~UnWDX zr!SeI*3(zk(U}~od&KyO?=)Z-Eo7uGf_JY z>dmBOzblg+P7kxGW6EylXTPJ_@8D!iGv_6>X;RyoM=Sysv2KIylu`)Scw+GHiWMG= zp{U}87iTmcR7@WKxBs$D%hn7N8)^YqZ>B|J!$bEtB<=qEY5QlK zabyTnj;5CrFpdOIa5qgqvfs#x%GU^rgz`f*$(4Agq*Fp6DJjq6x0qJhj>0sjhp-9X zkkU+<+trNBQQXm~tgPFVYx_XHL^J{|O|R~9g?hxlWg%*tZP>Ji 
z-VN!FjZ!Vx)zLAW3ZjoM_{hIoXE_l%ao!E z;*}ETB73DYlX7;Yq%*|8G9(R>ex>x2`@}^lr!bMrwNs zGT^^YsO>4Zcah1g7i=B(9;L5D81fFt4Wilbu)bmA1Z4hz7>xR5z3zA`u&1lgcD>p; zHy|dHLcQNdYOiD)+(C7uiAyBJnrj1PwzK10y}}DGzn3|nYKhD_xVk89@V2p6 zey*zr44j-lU+7$s^hLjwn=r}A@{`cnt#a0^>|RkJ5RA8Y##QGgh5W^{Gby~VyIDq` zVx=|7I`w+hD0QbQ%wWcc&#pUK-REFk$tH4t^{UuR6UnqKq$*5kUVHf)T&eybX^km) zliNUPwO|!CClVH!rn>#fSXhqfCo3qOps0}A8gxm5iOH0rT*;vEMOlNctIoASX_dOw z2Bm8Of73|hgsWU z)^?b+9p+QoVM^_1Idy!FDslT;Qit`h-AMcX7!oB(%I&O3i7#?V@dW*O2?9!GUkCfu|cMm%$ZQ;7bkybro5yrqcH+!nfrn9qGseJ zl`Gk5YmW8V?LA9Hm#&M*R(qw?DoZNCHs0P+T;yPlTDT`{G<427@rmK41>SRJPViX2UF-k&lQE?zwZKSz!kqN^JLe+jhyjh zI?w9bMn<981o1lzFXCyodYT@8VM^|7_SMJ!m(cQQ$mcNd^sQnhk+$Q56dO9WnmhW` zxo+f=YEwnS+c5azP!+!rTty{eviBJJn$9kRuBM!^Mfwf`o1P<$}b2dp5R(j%_Hi&D7?YPbD~s#n9T>AN zrBnPAGOnYmXc)=fGcHVid3cjv5U^Iljb$rV_eFJw8NW6xb=YQA#Mhjn@nP<(88 zV{tZ>moOD)l`%nc2kd~K(iU{tdpa)3dc#_C>-sYD!-|v&1{-Q7O%k@zwd!G`z_(3P zK;XilLwt{}j=&;Pc;MqIC$I<;Fj#9VYHdZWtyo!k&rMrVR1zkO^%;3w4JWA2l{ve+ ziq@t%wYLhg31;0}1x0m`_g6vC$ZZEJp)5J*umqPJX-2W-y%B`MfVmZ%#!EyQe}trV zijzo6+9aXOQrM>2q_2xl-f3=Ey%-dgOClj|QBaj}6FF0DUQj)QZWgbo5Rz8YDVu(Y zU}{^V8^*zJUb4&)m;JAdZWUWf+qul&A^zqgy@u=xkX4nh}=0}pc2+pgoQ2!9~^X?r#9$lQQKd+zVO4EoD5d1rb`WEKV|vRTwJ|m zWR+A2%P6pZGup?OBzT>t6)KJ&a8%ub`(qf)V6=dCK-~eZB>x!=xA$JS*~)^to~P3C z==z;x%C$JlGqWeMBZH)1_x6jO=Ckq@I?tEPn0BHsRa1jAeaQmTPW2@-rk(4{W=uKR zm(7@RwlAM?p%M+w_vJG#G#mzJ{Bju$PWk0CE;^37lYZ%py0d<{j0UIu@);Lm0D}{M zW=8y1b>=T+xxvtAdW=)WTzZ?PLg1sB=LN7k<}f(jrzHHZU$gT>``pNLGastDB>T^9zEoH5r;PHhIQfoER zU&v&kRCv5*jlKT)K4iw>orVh5yh4obs!?pZwK{w_x<>rToMLRs55lla#M` z`bj1}P=CTnMXke8FOl|0$x4q3GA-TzCqM2b==P41Ka-{Qj+IhjvmAe4-30PYBCv6?CzWJr zOG(+oN~)Bx9>jgCVGj{>yoxA-_cCQv>QF|YYV4lCmYabb}#TiKqz~{x~scpkDN1@rG z?MXJadRi_Np|;tnLlM@Y2p7H*I;BZY{9Acb%XL}g-ksh(!k%`ccbbOHwYu3X7blQ% zgFBR=0-Gf<_S5G}rg%H>36E$A|(6o*khgNJ+J>MsG3Y^6J+^Aq4AXv0fIF%c4{Zr$wWt zAI?fpD~fAHajht>6~&LCD6YI|eY&0MlW!Yqjc_s9S|eOaQ(J3SKn?)r|`qQNsx=~40A4Pj3St8jdnq~-lxG`w@h7R`4z zolc_HySumU^lmnQoyd6itys-=6*u$N1z*lue}m<05Cos2-GLVjcE=XX#c-FAq-!01 
zY%@pL2UzR*vyKN0N_I)ts)WUJfm7?ZF?_QJ+ApT1b3i=b+>vn|)t4~|H(-MBWA z81iihk`O(#rKfvHzIf0GebduZy$Dj29o2pxFZ&niWq%g~)VMaZco()97H);owcWBN z?mx$!((CkktxgyJHwj^L>D(K#AfM3Q0oKEV$3$#m)Lw#v$#y)Z?JH+E3t^(mdTuv) z?rkx$t?ef9U|4tHjNndpw64b#7j}=5-Ns-ShOXa&7DJazVWENgrFsw&C`%r;;LqO# z>AyPjlYAZ))%<~Y!ENxy^&H%no>-WP=}2sm=>}7@qc68VsB7%WFBWW4#r_QbmU81{jKqu|il5ln_bL z(D9*XgQ!jV{=Wn>GPEGGV}(Ak2Ek0mDqKI> z4e7W@Iq9|c+npZ>Jvy8i#`Q`WC`iWT=m!V>1>U)YVas8_h)T8}h`5d81nb9UcU;y( zTV-#PU}Etv&9Y5Sund{TRI%y2HzM#Gm6cFYFmIGT{jn^N39b&)ZJq-7VXETagl(eZYhz z9kQ*{cUepVa}!oc*Md}^ObHCDzIc-JFJ6_*CD9y$)z7(XG&C3=Q={=ISrwDaDp@Hh ziL+{EdVOseHvN^pwNig7`PG(#XdHe9N&nXz`5@B#vspsPsm{M^5=!KLCw5P!toSh_ zU!iPK^Y9_MqT6GozI*LXa@)I%To-x&nj_Y?>{#VXOVBrqn4#D54ejRCFT=o|4f86f zCrs7TT_SIV{3h5-PNZda@VuVl_@&JI^bUTn)!8@h;NzXU(h`fSKR?VohwW;* z+l{vRRupA}=+|+}vQ8oT>Em=rHSlL}ewaEo?03%{4=QWB{uQkL zQ&eM&u>LnfLv49D91)QkYl6R-^|IJdiv1|TseY7TWmrpnF_!vDCQj#xb(6knkAW9% zX&l)$J?zlclYNVJd!6nvW4B!xP%oH|6)vTl);}g!12L^LglI80@{HYUjcz>F*tX=V zwk1n2d=tDCrI+P0hwv2poO&?$>bx;5(iLXnjrv+jYrXlDsOcqz{L1 zIz#Mx4u9@v*#x zebW-H{$qqPqvfFCASgREH=rzobpTj|ge+BxyF{#BzDbP{1J7JKPSduUxX?v!pr^SxHw5-X*o0DV?L_w1z z5K6>=D?1`O3vXQ_ReQ<<^olryBC#}QFx479q212TpSO2DS*=m0b$tD8ulLaSr=9kn zFvL->nbj~uqZ(LbBVm(7+2f})O4m3aT#7&ZwQb4rqE>|tU7V;KEo7~}Pvb77s->AJ!8lVBy$pVBWt0|6KZVM`nch3FLhYal z!cHe@kan9S2R621WQ)OqGhF6gVuni^3(jzJ$22o~vKjZ&Y9@W615G{BOti2W*SDmU zkm+-zMBE2OQX)@EnI%%T3{nOWIW3x6<4Gn9%PaBZ05k9>JqFu<-fngpEDkvA|E^}E zk^8l5#xBj6feF$%@J4JMaFcTRvHO?oq?dHM&~#m+rf(~Py(wgvWVi3(*EN>eGyRC5}G%F(Etyf*eK?(2t{HP~Wv zikk%*Dqtq+4DWmwxG|gV$8P87RatrnEl%feL7<{}Sk)mKp)*BMW_&VL$^>LVpig-XSFGHaH>Z(01zhUp_$LGY8Ck-E9fk2rvQ znXAxU=|y!-{dRF_?lQw%(O=az8{B3?Y9LW5m2J3Dtj)WyyQ?(lFyQW*vb1YltFnOc zQVpmGm@lj5BeB*lF$~6(8Sq7MyE4?QoNSG<$LVU6y&}q9BvsX)HC$T~u3cQJ=rC@k zP+6VoxDeYd-x^6mYg8KZU7qF&gsGtR+%e)_0Y==bF=BW17_rg*a?RG3-k%gzr)7Edbykl+f>BPAt4PO2}AB&$HZySuda3OkwguOqtG3-0kv6x#qW{M}Nk4?VC;E01!F8;#Eq$|cU% z*Ybw@PkmIvbgA$9)@I6UGO3zpEx18hsj@U~uz(_B0pK93IkC%Eb>N^X%@s&fLG8H%2YUs; 
z!Cnm}2UMXS&Z6ntz>dCelt5=Zo^kJ5qx%w3g1tCQM#%aP|;GPhV zi<}(2wD~P%c#0pqVHBx9*c-^~e6?UqF;X~Ik=G6@%JpfYs=jkinBs~^%~ec{Tsa{I zfFwIO+Z%+=bjSYSSl*ZfbmZgMEfx*jf|$h+`*4I+g$iKtw(ZzL3(wjE)qG2PgtrGi z@`jrFCb|n|9xUDt3E@1{#&DM-HyktXI7%Fv%zGFLqMBh&Z}+zkzhWIc=N69gW9(7O z9=pC9O{oqNh~8OW+#rM+eGHiUUNl8ZgZsNVb=0GqarbutE}$FVj17&fABAQ_%`uED zYYP1D{b+>!w|98ZWFc~zSk()EI`iSr$Z>L^n}Ftq%)8StnBnBR3xa7H%VG6t$qKYs z1zIeB3kYzwu(`=U?OY}fNQk4!(JhQ}H<`xYrom^2#^-UED#${82M5RduMQ6n_XoUbqgluU6R|*M$UyKvsYfL+9jwTqO{tESg$|w} zqSiR@U3dYb4zETI9L}MCEi9uIhZbrZkEYrt^{rsnG~Z8gnn~_5603rf?Xb|>ZZw+x z{`>p{gR%AfowD%L6-=cJdBtkZTpV*zC#cTuE`jdFMHeMRFq_ioOzxD@Zps;@X6{G|i7S3pM>1JIk^V-d0mu3_=>L?i(LJzC4qzEQq^E0t zcIK>yP(j{0y>;+11)~cw{iZf8Me9qleMXr2eaQUv+|g*qjr@Qz;k*oD-K+v{EAGpA z4uR%+s*rP0J!9ZGqsVfpuwrqdGDv$ax=wq!iMLwFWGpaxirJf7yfjViZ^i@PL~UP4 zW6|N^vq?U}3WnzcT8j9Q;o4WqqtDcWg~0hZ>(e3hwNqb>&*$LtXV5{oZdZlqof=Zt zo*Gg&J>@%WVMtwFC)U()HJ<*2c)G3)y|DKl7f;_aE-&TrbVCD{#?z~*Ny%F9^pa|7 zPPWF=<8(EiUgPQMe1%M^=2;7#URJ6sjHfT8s$2j`&uWMyp|z(Bl3tbO3goDu_S}*5 z{Q@L?zedvCRUzqD@~+TJD~h0w_SGb`=HEA>t}`IdxPPtDeTj(rex^{@n@@?p6hvL| zyK_+F`9lXC=_Y(qkO*gmbjTvsEiiV3TOX?LA%Af!Z_1pyPS44kD|y)n3+9UEUtSP= zMo0tGhzmX#oIaj;Q+MLYfUEp9y#xhSj`2++blxHCLe-RnA(+e;k3oVl^oc;`o#Rck z?UGCx?ee;_s>>@XWdh^2Tw9SvAHWhU_ zO(1FF5@w9Xn#9=NI&h}2SzJiGclMSc|9@j(HaXP*Ia;2);GF>^=PrV4!zsT|_>AB9 zZqxpAM}|;y$|a@b4|pM^+Mx{rED5?-;$tPcnPfS+Q!zPC$k_Vq+`!)NraI9k=^b;|wjkfTJ5G_<&B>>xvR zlMMWUY2|T+Z)RUMdl4xYdMCi2cg_@74DCkOX5xO?Ci#fgCKpizGnK(j$_vR-eE;WA zRbP2*=Hp)HZFX7(oykN}Y6nW1?%4n|$yLvsZX;2eQjV0}Zl^3gXVXxh1wey3WZ%n$ z3iM+h9C02OD%dv)y7Ewgp#e)n1=Y@fWGzrZ$@4cSTSEnLx*95|p@MY2LMB!7tOY74 zD^(VT3KrEwEPxhdwMCN9np6fYs7iAMqEt|O?r6b50a|cSqXq6t&;s;c0e&0@rz5E2 zhrn~*-j1iIlL;JR$1Xid{t{aL^!vsRbavz!53V)3FA+O9$dvMW^C{7nf*nwAybxI% zb^O9BE8;F}aZtE{gZlqloFfjq=sVsR!OWT55jv@2{{7%s_TTVo-FECFx1%`sHONFx zJrTc;6*7yM(~B(Z|chYu0C$=fUzkpcUl4fa#vHybzi`r(Olr{cAG8 zt~remR?)iV)brGC;N9CMv_8rQC>Ryw=vgol0Zl$N zR2^@fpP-Zk+2&3o#~WcE2h>F@m739`osC@_<@Ygb(!Fp=gvk}*a*IweNb-y8InW;9 
zP0Qm(5<;O)*w1T!p0My9(I9tAnSBG(zrg+xkTd0gghiiG+wa?U9ya&EQC$n zWMBVxGZFXy_3kR(|Hrc`;E~Y7^H7a(+u|1Yw73!cmF^;uO`YWwgI_mzgxsmnshX3SB+=grJezk=Q(RH^so#f&_M_{6*ly-_Zk+eJVen%kYWG*C zt`1!T_uJi0M|iJs9E=sI?{xETSv2R-CYXk!ne%+$u9U**$(V}21%A$O3QQ0CCv@hd zGgv~X?eoNVYP}Peq364>s~5#~jTh&c<>>v8eJ5PT_!Qm`XUyp6nj^V1Bt=b?HG!toUGeyeKoNKoo%JCo8a(1uP9ZP=woB8{a z^k+V8Q=1NLztJ@JYMP$PoJH$)IzgJv^4H;J?r5dHYJFi8W%}!;BCo{XO=aMl`gk_w zyib*o=$!lsoBD3(n!Jfu!IG)u-LW5g#fD6^pZUg{F+HW9`K8ci{VbJP=H_f&q5?UZ zQiJ8Pg_kjN>KwnyDDk_BC7%@TYchh`Xh-vk9Tv;`jf)qcEk92&n1)%SzpBmJmNjeB z5y%Vs;Bn2`4vY(5d9yY{1C};xs|HPywV1V)goZiU+N>>3SDUrfW^L(wg-ojES&La) zS*fzHS=(x%%>|6zvRWufXbml6>{gZL3Iwd6_S}u#4hxLk4r^mKcO}MdelWJYU=~qd zvdQF%Mwk|EWEVc(@DMpI8yYagH{Z9-o6eOyI5qE(Xc1joy-ecBg{1Y>^a;)K2Jz@=bnuYJI6 zme3LRXBNExjYEK)T+4HRcXs-IGOqW>aOMypAa5fYSoIwWN$HY{Li8%(S)Yw=7#${8}dNnXd2=nTg%g?qZZEJhaa3@kUnjN774H=?uTWABhCgRtT>(-qCVX)0s{O%D^(OcpTk0xdywi z#Jr87O^I;4J8ZVO2y|Qx1H8xJCs=vmWaKn(9Dyqx7;BKa<4F)XH7NeR0kuIFDND|IEapiG7fC|#q-KjTTP-3a(_#7q&i#h z{S{r*@vRa)0PmGX^blXGZu(+ECnH)UD|Y2fPegEtox~T$Yn0VQ6Akkx%`>v+(I69*naT_+>(yZF% z2g2_gw${0lXFR&r=)OeQ`Y3ZH(3?+*z7*J63G=R9Y(8d_g~v}}hgX}QRAq1tTdZFE zR5}!~I4rz$+ZMEf5e+j!1EAoFXWMjjW7p;Kk_f++Tr7tX{W+)cL+-3EG`t5aiZfQG z6GdfWcw}56J(~Hph119KqFr&vb}JCFE^5UMY>623f5db7ZPc0u;_m5I*SPQ3cK|e9 zV~`}#(jD8jcI?@)ZQHhO+qP}b?AW$#+xF}?``-J0R7H1nL`OwcX5Mp7=FJ?lIr<%z zMS+VINl1jENZPL)XNPHINMvB;^kU8Y8iJKlNY?KVR@2(o(P2v+5lOZ`(0E}ie!5u@ z3n`)z&zfY2b_^_)2oX}B9Utsdqkd)u4#l#d-|TZK@pKum>NQa)rzYg$Xoll;neN-& zIyhg)*y`CH=H=}VIpJO=D>RFg!ZECxPM2X=h+BAko%4#q$!fchVH^2};WKoW;UIs9 zc88fVM43VOh__Mc#{Cjx$x{c=;7u99q6!qtdV5eYd8XBaJ-vcEnIE9e7RHrUvgZOu)x>ZCNmbGjs^)L*Sd5+!RzuF`@k8c7`Du~Z zTklw}!rGBJp)yinp3%6y zYEUq?_wrP~dInN+Q7I&bthP3;yR2YRB~S!yI*Bpvq3mtYT~cfAK%&m9pqH7UW2ie` z%06(PY(3=c$<#9C&AD6pw;l#8*Zv;r*!GfmEcRQzTn7)rFMDcfWeLGsjezj|Fb$APJVY`NRN7jAIZEp3l&u|G<#@VL&vqXQQ|f3NZ7yBNoGc)ZOleJ6}mHqi;(+HE;3g zXY-kbeD5aP`sXUBu`2J#vqqfTruaBj$T~|1~&q2$9ptXB&}7@0$LS=S}GO=JQ4 z_WQ$rpQl#2EQT^KQ1a3k}o;H1e7vmB_^E{8lz?*r6pkEe>76#0vLiprPbs 
zN@zj*N=0iLzcJ$`nS@y^b+E+BA6DD1{KIO~HthjPU9}7yuFvV)9uBh;Qs1|$Ml4oG&Y{ZYkx6wiaeZO5iVb7f|* z{(=Np|M7Aj7$G(40mL4n7S+fU8lisnD(UJxq3iCbi8(4O#vicKqBp%f7}+?`~`L zxA!sU@d&Qwec<9w>_>}EVkL!Yd@QaB2`GXuxs087jW8A&+VqK+st(0z7z0snps_I- zS?%@$Xwnw^u)vVom;4#6Zlq;mL)jeP4vONqYka%$Refc`QQKsjYq2;IcIcI$P1h^hc%Z zQvIXoP6gH0dJlo}f?xBGn{szJ6LxrqAM+w7p{`+%M)ZZ`&Q)dm+3-~|?<#Y1 z29q^bO$6!s)E^JCD~0J!R9si8-5ruG?TZgvT_AvNhU=PP6D#fB6i+jtt(4x_3o2XV z`>MrCKD(758q+%SWoo+|_%Ka-0NKcW-bT}CT$414_e!h@ZM2CcW^454y90x^k>RIm zt`tkN-gz|}W>g$?=oC!_(DAWlHJhxOVFycU*6i9i@g*+HK8Fd3WMzXkWupl&Ft}srAI8t2AI`N?dF4sT@I;LDRdl#_F7|8bP_<6o2r^Zc~^uegw8SC zC^5ov_>Q?__n4M%mL(x|q0ZCnHR?dU)M+|@93viY($hY?j@;r|t!!eKg%+O+#t|``&~WWs{SJC(Z!+qm?6gzXxwepNeWEe3dMLNH4oM&Ty5mcv2|Xb_xH(B* zH3oe8FhL;~Io_G|`;AatcfM_i!sBT!s>frDigZw5XACG=;DC3=i9lN-FS@RP@NH0u zt%Yxrw7F}%HZL!GQYdiMoi?(+XXjs>0a?hv6E80>>u9TR*WPq>m)hGw&8X7d--(vF zI5>DtvF7|Y>0kb0n0*#b7ffTbj-k0{sn$8JnJ^{`6d{|3)S>qN`gS33d#q5LAas@m zsLq(mmvC5kNt~tnwOc_|D>7v@JRtf06(P82@NZi%_17yw=6m&6eUmZ1KKvkL9@6`n z+`Lam5(pYESDI?ZCcs&uT0nC)aoG)=F?@Vi{TToxH#*Z`v*WDvm8|%5v}=CX z4x{^p&e&UZLQe6gw%QBER-x=KIaaZz+lxbV@7{G)IVG-FYJ-2?yt-hr<3EQD5k3_ByCwTf@el~-!z8V4og;M$tM1YX8!T^&AQaQL7tY#>~9;DfL zubJ9?r3%9JkI=;4K+)2oc7&s^y!f7eM1Ye_2kUOtOWvURvu7YM6a2ET38}j$sF5WB zPY1cou{w_SIdMZy`a6I*#6t$?kQ=F*C{Km5cba_*yLCX#T{D9y=86cy+ZOrM=VLc0fN zyB7v~n-C;|ck^`kNk5dq6w?*uL_fgLSCQ*k{QZOS>q~jgw5u>KR9M+uYSL&_f4v<( zn;fKIm9#FIk@PcFZ_;%Gon;%2HU@7WxAX*pr)X|!k)o_~Cd*yyLawmjrSN$%*S}Ly*DueQv z+14u5G^&}ao?_lqPP6<(nJ$6zHw3#3kUa}-7;GP+VkkXCcYRM?<0B{QaSVjbCLAid z(6LO?E$S0t)jYnyxU}TSQa=B&TH@2jl%+&r z%wlYBLk}I`4;*Y?S19dM=tOagmp8%lZGZ*pLGkB6nmk~jNyzc>J9q6Cn36N7(NoC& z9ntE1S5E4V+x;9~qzYa_{ilwCUBo~c=J#yauIdPse1|;+tql*-3(H@SfYIVGNmZ@Y zPyG}R;TwWzT_mC!muHHs3kCdToew{<7+*lbzy-K7QI5Q z;@lKl6Xb|oco=e)l|vDM6BEdG7cTdd{}%iwfi(OIkLO&1=e#dZU{@DaFG9I4LS7~lAq?I|HxUb6`?jp#L+lTpr5?Kp&t9}lXJs3U2(7k!( zgwTI%sX-L)M&Xs|nRdU)FIXhR@f=ayFEpHv$ST8>G(DumVSK&FFoVx{{3d?~JHkBv zZ6NPrm@m5$0UPDv0~UDmdeK05>M}m>n9~N^=g5pVs@F!%Q|mX64W{F(4D2om?B4DH 
ziV7VIbLbpRB?(F}vlw#Z-x*PX-hf9?TlF4^T;t#QgBA~$_;mh<7J(0wQ>dYV-J#9j z(fV#1GLQ^ z!kYiPb|6ru#g*Xi=80`ANA_3O>&(|TnzJ$rdgMHOXI_#exvy^sCla7UTOn?j4jCC` zcuDJ@KT<5}(Fx;!Wq@X8@poJOW7tn;=`U_YhKtM8$Gvr2b+#Naz{(5?JT<~iMgna{ z$K>-{bJ@FAky*3L#p|AM;lj1;vk0g2o6^}yOwahesnG6(;1nKB*ubOyvLi}!6SC7}}`<5#?>(i2dQF2SwZ zO!stUh}MnytAz6PLq0hHKXVAjZ^=wvlfSrIpldHHovH{2Bpcz2l* zFNJ$MDW(FPL%jtJ&b2^isZ=Kd$_jzXl;Ac9sMYV9T0>%a-UtQP`2!qH>LOtq>h{mM#MsNoA#7Q^G8{K|}<60+=I3x>}u5SqZ`7v7-Km8Kf;5SsoNsUrzh z=e=oz@J(5Wz&Kk}Q-J2Fl(ZwMQ=W2r0yx(~@NHEBD!GyXoKJpui2z54EbJ<1-J3rk z_ZoY#p18tQox@O&Zf!S-ya@wUdaf1d{4-flpvuQ@eKe0$Ab2E<;%(pY>~cis6e9|2 zm|Wmc>{4mkPdfS`t*B|i&AZk5yJsHTnEGE|04t0bzji`#s7*6x%S1m#^nAwX1{lw* z2R1nq2lFY__593O;%M^re9JP64}9$h{I*v#j^A}S23*qpJtemrJ2?NTVocO@>(OjI zO+bVIzc923c{MI4;c^ecEjQ0DsCdGDIiS5bP{#*#B{^sY%Y(~dJ{G&;`vSy>+$;b=(kP#;r-Wnxy@ zmI{*lz;(Goq+uHEk^alud}$LJ^vNk3+5#I7b8&;w2AI;%i!0%z9)P+)1C%CSGqrdfHTuxpAjVa zwO?PD&w_B#o6LeBBxT#O`Qv+pGc;>xZ571unl1>pVr?qvUO_2UM;xmkrtwh&MvVr= zA!zR6!;KEFW8!gAOH=}ma1i31O291m(rD@8FvtlT1~4e%_4delrxp%`vTMnJd2L8i zJ)RJa5S^nHGD_nBK;{sTvb#PgpE12z59*a>C00d<1?4IwNOQ5WoEgRnq`=|5I?$C1 zifp(uNLz|Li}(TQnSPHGqjdoiCj^(1^$w3T=PmbZcf0C*8F;KTjVf?x>eHIKfUmHb8mnOj1(FIugGg%rrh-)o5?7cW2n5y5>cR}r0U``)Zi`5oEf7{qcG|ZlO zQxAFcXzh#yku_@HAvq^J)&B%e+b5q4^pYsQg`?(bm8mP3F9EakR<45g7{PY`W3QL3z(ni%O zn~_-#?qrBb%6)UBNm5I*B_jQ zQK31Wv7o)%Rjl-g4-S<_hmWnb3s``fL+wJSEI}03%LcWGyg0vYU}R2x8x?qy<@*yg z2$eFLEirmYHnX!~TdUN3l{1B@t*QTOMokbuhCw?6)Pu@lCo+YV7Htxr(u9+Q zG1&Ijsfm8llfsK8i2qGbV%7{%7yNkADz!l{)Q9jTaRU~HCX?9}wK17|`ng0=Ro=_x z6){}IB{7@@C!{N?3zEbi>J6961w^H!clm5kpF^(~*4}e3^5gZse?fg+3dd-|rwf>T zE!BXLA2)7|r2J7t*`1vdY`1RK%})?f72*qi4nOh2WlV0GOe|2GI!mRsIe!bdf2*qC z^c&-KGBiVt?V_wWFaxL>+eUCg6kiCsl(;66jSSM!tEjK^ZR>PVvF_&JssU|Cu!^E8 zYk`2c&+pA__En zogbRL(N8H#!%Vma*|A zY|OQ|0{RJikX8phFMMC7Fd%li_(Ao)X72e=Ma~OYg7VfayJOa#$D8wdci19#vcBA= z5Kuq&!(Xj!X5X$Ww&LIQ)oP{K>jW-Q5*1VC5C>t<9n~`kQVA`o*zq|xiK{$88^V25= z_oFC9D(FeU24==lzCCrN4H6DVo?k@#Y1>1AQq%`M5Q4>YFbGXjlZ=Xlq!xLTgbd*g 
zf3-0+SeGcFQ?Er&{uDM|Knwa2@`rGyh;0wec8C{jVqm&%L$_gEy?Ugr#;+t^im?Zg zhs;?@3760V-RyFnJP=q9)~F#%C~f;I_^Q(u3~JL8bR`V!s>52`G!Tg183x@1$LO{W zHGbXyHOvA;mTIMFN+2d(o7{k8f?gG{jW17r%z?2+-k97GV1_1BUiedJWdbdsNJUa= z^hd#GrVd-mskFO_VYEH(MM482B~O9*R$hFdQ>R{E$NOyfc;lGce78{eX4B51km0I4 zdiX!3zcx%Mjb>Hlz?Q!nN|}fj2)RKT@z%mFdt2v~=!qDc^xc0oMA+f0$0Dk$k0vA6 zM33$}H6f~73#I%wNx7#HH7X&Q5*$66B0_@BfIDH4Qk36PlXRwLTtO9I9kAWVipxp; z8<(?6dSr7cEe2G6F`$4N1j0NC0IiYN1Akki`-9UOo0;lkx_Z4gG-|xW6|IsI46s*MQHtMH z6;V?%yY|%>14jq!V zzaSlW0Gyf=`sN2QM))&5V|i{*KL>;+;WJXEn}E=4g6vndE(6)2z1#2p$iSelY7^g! z!dG#Ruj-4CwQfpC`$hoTi4pn^W|$e7o!Z_>IXNny{MB((Lq1aC3O4!Q z(QpdsmSK2dIBDazSrxQuV{$Q9DE2!VMr9~Cl| z21GSFB>WZr(bbB7bTx^C5~w)FLT=ofOYVF#zh1Y;QBA^Bg5fTvhIyRsC&@dG_UZ8> z7&B8p1=S@@kzSVYNo)CFgsT8%N*It;u|eht)tT|R!dgNUhscFN3hZ5~1LT9`R11%1&SlW6W7lFdv zqr@_BSke-KT|YAcQfVb%JQjlZe-n@%0P*t)M~DE3fjP#AV#Jl=3~u>NRVc&?Kg-`? z#n19b7_TZEH(H5>WRDMz)TW2E+1UF~1&IDhgxk^h?HMZR6oQ&~|C51y6YeLeZAbL6j*BjiMOCde5)gUhWj+!vi)b%`J)7;;T(dpA?3VqQWiwW>j)bKp(js?6N+rP* zZU3snE@Dt}OLaGk#+`^=&0Qr;rJw@k5Ter?QQ>g$Oz-zFhQ{u-`iu%TW~nV>TUlhn z63Cjfht^OE@M&ijf0y_rLF7XHn!kUm1hM3uYqp%nDh2_-qaU?2m1S?NU*l9YTjj37 zt#A}6qA^5n64Q$>)6m`^f@-N$FM=u_O*t(4?|6G(EF<#%F~n%fc~ea9U1(ucXJNPs zdOS>Jrtt;JvVtGvQW$}n%w@z~W}q&NO{P^C@l!XdTqQsBzq(OyWojCAJV52D8V@ZH zr%4NY7;2-z)BU!*I9xmykOzVdDeOV=yrl_>KK$F=O=m#Tj!Dc+x74|G`zebcXU9(kTT)+Zq8z z+i}b)bTOr#s^>Bdkf%6Gg`l5b&RmK7mvLe4eI*7cOdH9(nNd?(I00shNWnlHc^ok& z6dhxT4PZY`Zibs>sO(J6k6{O0tUEyNkAY+$Fp=iDPRr1o0FG5Bwmf72c9(Ka1L8j4 zvAC=s#(nS<+=x@0I`;`bgtFo^An38$gbiyda6 zj^9&;-@8 z)gBO_E(F`M^)9_X8j@}V%cg2iL@;;B&QRw4-{)bW2rL^dR1M{U=#bJ7?4d@jktMqW z#s27aJaA@=SQu89XlP^5*14Y`w>KQYf!Bc7T3?kDja;)g{1fC@m+cJyKghABq)^8~ zvZl=P(grY^G%<^SG?AwEV^S$xbaxQIzopee{M(x`42P(BG(Bsv=9=hTjA$2lUV9Qp$m$6 zrf9}M$ebaLK<`tE*oDs$HsX3Hxdu4~R}LWIt9IGpbrnG)CQ!`pDNNJhC?`jQ5=*%d zp&xoDC=-zhYcDxvMnoQg3yE*8EMPQUDadF|p;5B$$PeVKD`SS+Rl?0HK+~}gprNh; zRmeXI(nn|x@sFk-;4gKw6ViZb`vIKeVLp5qi}Cmf)|hND_^t~-yRmZBo>!l?er_HvE%dlMyV zs4WyO>94z$tbMq`!R7o}N@gR>ETYNeAlJT4!1m*7_{75ovgGx!;29X}nb9HahS$$* 
z>s3*@HZ2AzcJ$dE%!!W9&e%Pn4F$-U(IVIAk}etX-N&Lu8h3nibEO8-kyAIKAX7y( z+K=K=qKug5`{%jQi%5=#CFCOOXG<-G`=rVj|2$5h=7|}HrwsW?%sX08i+Wm6k31&b z)PdIF)ECv3cUXX&P$1%b?M8_Xi;CEJ41=};1sMK>3J94YL1uOM07aGhKFAdanXDQS zI|~r9|Ah*EyMOo%F-!Q7K5~~)ohCdUrJBF^HhuiZePsT*&&(z29-}8S&p{1DZhFY| z?tDZ6BU_8lapN^-sDaZnvZB?`{;f}<{Io8swVEGi`T)wu$dr!6>?cG{!WYhz=jRE4Rz!KHXZtkkiv)G}?usDZ{;@*N{9lz_o#bnEYZ_ z%x9!9+)LF*P&k0efaO5fplmOlis14iqWh#vIT_|&A%?3s$b&h#0AbGeC=nz~@XmZ4Kn;Fp6CbuY z6dE2ZMyPZQRyR&wn1pJgb;YQNG7x5k#Hk!W1idjSzEzp;iXc)|jRJ-|(nJUig~M?&jbg$j>~_g+=f}Az&)X}r7h&=Fpzt|f4B#0r zRpG5jb^8saP*JoFcwzka*#ZynfN4xt-!8UMM)Id=8>&WCg6Zr9rP|PTb9q>=Z3DA~ zbfP)UhRa&axSZi!8dV0UgP_hLzBrMF<%SYe@Waa<_z9X0s~x$Ez0hw*g6{n!F;?V&R;g= z6Ur43TFrxu&KE~QD8Y<=e@nnbd;R^E$gY!(4Ovlhiw<5)Wk~8Idc2_^gf@1f81)G;8L-aFr@PP9XNyQZ&Cfp8VO&{v6og#Kh=l~TZ%b3UR zZNs>+Ol!!%&;BPIoq@go6=cKX=x8)h!-UpKjCDW=fNQXo!Khhz> zn-8K;x31vfH6_7)Zco8RD5v+w@#E&*$qqYHO=EVN#>ao+dGw9xg!_Nvd9)%rL#Ql> zt;{Y!1U)vTOb|Ik&|6Bu?`S#sUCXi-ei3^|QD+AyQT6HBBYin?;l9!T|ZF<->L*v0x2yWkaYQ2bHAnZ@>Mz>4%**t^o* zKQBKe&G_e@M*vtxcGykw9rM%7!T&w%aP=Qu$>Bc_J3!s6rD!O|^|631jg0m3y%-z% zn>8JQfXAi0ISB>_1j0Dh@WBOG0MPBpU7A&&bh6qq_UWOpX95u ztk}duSXvE8i)`R7mDCtrjj-kO!%ofU*%2tFhTF>Oq+ky_R2N81SyU@CR4eF{3kbY- z(GC1@=l-Pxhg5k#g~gV;8E-K|L%qgVA*Vbz%X<_(N;Dub#Uik!+s?>F3z$+C`*zkV z-102cNkb0}^Wve|@dAVXb$GpQ!HHUa?G;eIPGX1lrfmzC>!pll=ZJ>N@fP{J$^iYc z7F$BBKNiS>SQV6$Q7a0J&(=OJlB!JDw&JAi6-+jGF`g>yoEw4x1ZD*( z>+7JsO3?tmsVd{yOBe$e#g^nf&+lCxkn2BQ71)^5uw~SuQGbHYpA;oZTFN_yVAL1T zv3$0&eP@I6UjVp~Drx`PW!iG&@6CO5=yWs%`H($1p+n;?N-EX> z`^Cdn#$e!O5v9iUv-f_9VgE3qp@gS$cgi?}Y(Sj}cGyePh^I}EvOdKjT=*}&iflwV0w9m3gAiZ|6eOXFOke>d#Iqwsvh+~(bA7#GQra&KIyo&A zLw*rOSf5@)DFQ=Y{aoR)Jn7{y9I>M@46%cmfk+LEVLv-^T4_ggMgEndAhAxd?$7mZ zup*JvSE8fU%Y57?H3eeF(DK$L0MdsRIpUjM;%83DHIH5iry=QP(LF|j7fTbyfLTq( zB6%l-V*Tw@rjQ`-!}@JO);l8)yY!%GcdH`Q&bSrI-Yv+rpR?g>!Eo(qPApQd7sSi> zml=K7^{FNA@Pq%hUI6~r_TUH<8M2RvpPL>=uyoZ}kXFyW_tasi?JjxSR7QhF9eSL1 zh>wx$?o^wdb)>2pu-r6Tj+~v$9GGm+u8CM8p ze*xZPy&9zV6WtCz0|r@DT`cgeL~``2L75k;VHeVTxMi71d1d=e6(#u5d4>_HQg9%@ 
zK67BcugHjaXw`wZ>!AGO5%VcD*GA%u0$rABfkUWO=`JcQ#L2A2s|$CqQRbCad)BWd z>3Cu>pKlmN2t$YObsN0asU2G1oxhFg-`(2#FVn}l=$1!XYMS1*aF-Y*>Ec zJHchNv=)c!9LJTT)tBMb?TyJJ+jskljje5^ZVMVlC`ojGtP+nET);OsmZ+JcUvMdO z4A+gcodAR$i(DnX0~`a~|cg zHJJOxwHE-%Cgs45}mv0NDShL)>!==MVspht&`iyOT4=<#|+2{s8!vT?tX4iXd zv5DrdC3C zOB)7U*F`k4g>XuQk6RUo_(n~<>fi>>KY$FL$V#|A1JzMb*zvGK^a~r^xkjbwZZo-u zsX{cmE_vwT=<*0hd38O(GKV4b$oD*zz>cs;EglykEPd~qujN6%G8C(%z`mRPH{yOn zKE*OiBX)aJ2cYktn%OoN7QVzEtwt^3$R3<**mEUQst~zrK!3SZmv!On$xi7h^B!F& zGOC^Z=pM?Zbv{&dqA3&xJQeAd(2OfmNr-n%;3hR!8Y{a{lgygfXr?vFLIi6TX_m(F zdW5YeHRVpsj@2eLM-Nj<3fwb4*NbT;HYc0L*{->&nhH$FebVPL6snrW6;cf(i#y3? zG&VAaG&U;LE&CMIEcvtYR3~EZ+U%Kiyt%sVz%t7t9lEcyu@Z7g0Jh`VvVIMC-Y znN|Y7StOh+AG;GadtCEo6jykwFw9>X#{`4!=h5aR#=IZTTh<(OlP$y2F1nQ#Fv_lP zbRDsBwfz8qI=&_N@jPT`4QH0ga7wLN!xwTzcau+e zB4dbYQong@=fsBf>P$<0{l-a7mq2o=k17c>f`7=zDTZ5tESJh~DMiOKg)1oHJ8hGn zyOYBG{-aU=g*&s4M4_Dt>B@g2c!6#?Vg~wNB z_2?qijhOh^j2hd1IuXGw)B~b-B^w#bNWx2`?_acPh3$*Pp|b@gSs@7pWpE+AcIKRb z;z<3uRw7v*3`e{OA~GJ;R$uv1`)%;};wA{`6f}_V;JiOuog^VBL`gaU>k_$YKsYmt z8Fgm&+)36_=iU$;gh#<6p#)cv-+Z?c@oRvP_GQ9I_bN&5Z|wfzl-u(+>z2}z!cbS? 
z60YgaCd8n3bNkeshU4iusd=`J(`itT{Zgi`*GUVIUg-~L$%)RHPa-7uP?gqc>- z)MLiv)c7YffvKFur(V#Th4K%N6TqC8tsY6KVRSq|*u1V@-o zS~24UH=KM5*iFgHoms>POv#U)WR@3sH`h8xPIISn~f3@^h#Z?CVJmXX}L!Lpg&)v*A^!%$j|vR2rdv&E7; z#rO)sEYi0{d-XZ&7-pLyx{bu`;$XGQN*-w&H;(Z z0WIh5`%z80g^j4-LN0uLo$H?^@=HSoKhrewyoMyy(%SOEDT9j?8NCUJG#gR*8$IEXm@)^p* znq*QHG2OPPAv@8ED*aW5Ep}0TO@L~(e2?L!e;_uYrfTT3&+J~$a*DR9x zZ8khVK##o7otmpsLEO8)x*DEtbJ_MQ)jv@CbYih|s#i6cd2Bwt9sskj@mF3}sm@#9 zvEEyP+@=Bxa{IBLs%P4}Yl)(3 zdhWo#nSEl3dLbLl4ydtSVQF5;_47@;FBr1it+X>eqq@t^bSS$m^((-7#5m7Lort*b z5R3+(ukHYqbrKwskq7@Ci0 z2wI^yb%IHmiL)X|0qttYIr+M?*(Z(zdytE9S@?tXp1#bt0~dGEkQ+zxEnpwvO%(Y2 zt$RlFX)eDwLbLXg=s<6d_WIsz1W#1w5>ner_ai$omGg%dVag@uysWZc2qHmEsapeV zr~p}L-??gmmd(|&X$3O9%W3xPjNVUr^ur&dweBf&ah5@o(k?S_0#K@RrXp+49FUpj zYj+b2*oPlqx5u7fxDpD}^?CC6P%VgH^#s1EFwKWeR<%#>4ZGv=zZO%dw!a+HC_cqQ zHDTRB9g9s>0GMM(v>g;qu7JP&qSR@zjJm;WyD%8l+XsX(T%#ybM32V`Qp>WdGK_6x zPGGf<(;2&JCOSa15tCLNm4kOB-=*lpN`Pfd6mGW+BZ)Mcvss4N;Y7k$tWYCjmk&LrVs%yZY#Dxwl-|3IuzC#szG`X#=0 zV_BZyU95TKGYhen5T}PX6Uy=&Q|34u^NHWAMVvSKw_Kyv@|GyW7EBc=4w^pr5A zWifuE`WfcXrBeG>OP@oWW}2uQU7Xf^|DX2v)}{_erV#i^y4(V@TM~>Ot4o&B2qIGv zVDWp$L7Va?7tP#@AFf$dw~^&*??WTQSMupX(-M0t(GHBi$x61DicqV1&xWyX{wIy< zHw>F=VD&&dNU;k=0Nckcm`KW=laUwCZwA7(_AH_m0-O0_Oom6Ko)KTo@X+tXxcG7M(SqySLD z*q0a%AZ2k4ImDTK8RVY*5V_9?R!aAX6iy5_BwCqI2E2xQR#%8sHaE?=6}+-X8Vqn* z-<#XYnzNlWly$2SummSIBwj|SF=-}DH#bbykXp9THz8zT`ImVzj_8|s+6bGaf>39N zuE^4vheM0{1#xs8Mf72Q*ZxHQu3$;s`vzJY+x_ATPG5k+8{ZeEt(08Z1Vmk*-;F|2 z^eG?%db{&W+7nE5XmY`ze&}fn6IVp-HY3P=Du~Jb)&Hx)Ge@?5a;jkwv{;#6D{UJ z314WlaY7TI64nEgH-!gWjIS-p|#9{0ud{B)D zV_wVin^3@yE0IOm?H8*>7|-Nx-EFkdRZ_pQA~?&RrZ{nIKi^*>oi;E#Txq&%_Jt5O zaDPYs$$I$9GINK(_6Uw$2OZqcI<38G@%FcIO+?M&Ap6EM+~rXm+WSJcZSZ(Hp`MDVGHcwzC<2BH~?wuC9$a{+$+b8=b9# zNG*C=djUH9SQFRhSkGruC=4t}z1*VZd!wLj3}k{((Co-rZ1{jnd*y^r>O!ijcJP3eOmd&Pl>wab)MUv4#9jCnFac;Qg-V zHq3#t%I_~fQ}%eIPh~CinIe5~Y7Q8g=d)BNYZP(W>+CW|Sj;Mv>{PdJ9)QPeA>-dRmZJ>tni(&x+E7c)-wLRI)XhZ4L 
zvp*!K^{__3n7pl44wIS_nmCTsz2x*@pEFtKuv)2fz5_b&hA9y^oHu0|&5^1|g^4L1in%8Z$mLk@h$pwJR>W%&3*ss83f$DGd@OG?NCPo0Fil%S!jTq)@boQc z6o1%i7qyoD*CR}^X>d;YLi>-9_!NefvHTlNQonVjCt18rQS4i-z{08%d4V$ z0XGi32D7T}ubBU1>z#rt3$!lW*tTtTY}>YNqhs4i$L`opI<{?gY<6tjopb(kt8UeO z*j1_IDXWr+Z;UZlL*LQ3FZT(_9k0!=tT^b1$(VR)h7~*+K0Fc0=}(ci1*|w3gOPhF zO((TR_8HByl0WQ?C=9}>lWdJ-dh?kMY9V8nYcXT%W=d0O+5Ks%`BbG|^x9^U*c~=d z>fu>R0&M5XpS(Lj>K1zDY3=9_Yb=qhNt>)yWwmFFEb(D=nT4oC37>T#OVxkm1Za`e ztL-$?>$Fp>d)0+C>E)gPl&`-6K>5^d`mO&<`R>()0Fsc_5k(b4>?k8-aC4n!Ib36k z8CKO&F~iWXw5LLD-+IQ7;pHOSvLPGX@FAWhqc90qx`QNBAO0g%1ay%%q@8r%C<)oF*P=D6Nh=wW0Yfg zUp1i$*&Z4VN65m~XLbEu6afq1X;)9&)fW>omR-;7`E*0@T+<8dJ-a9Cr zWj0az6F36pVOh;ED@;nTJ=hwZWkf=eU_ACNHpaO%R|@hqHXAveX^Ax@REK$~W7MMu z*_>raYpBdvpK1N?0Soid+G!C4c$ot$ALnPGvq>Qj#H6MaWT~aLqjk_6@_Dwe9nrO~ znagp&rV4X-ySpBlq`m1s5g-QZb52dF@^ZDY{{YNezs&z=*=~J5=$TOSpCmo(sDmMt z*Ow8HhwntXbyG-;kwdaVP1qC&xqlHPOt8%v#M0(meuu+iCU$HvMF?6jKf@9zCsHZe zOyVn6wc*M?_6rrT+$3g^&8o(W`N}61;6xXj-UW9X5Dt}0wv~iAX2sI=^4cUm#?~%(@X{dx%d_)_ou)Qg5Tnr%0K4m63{*v7g zLM82I3uY9O*2R%T>HrCm;C)y8o+lkDI>i)OYfgbDRkSVl6i{=5o}6W_EF2waZ2#vx)Q7R=f#%z;O7BA zQ^K|3;l!srDdwZXEjJ~e-?uFuO}mBc5$y&c$Fo^b)~B;8*j;4pL%YO(ty*}p@GlQG z*%F^=KW5*vkjetgo~o_%iBZv z?jU7|p-3>l)$`nNzNgBDiPSmwyuhua#e=iiV}+b!cLHPVwB$dXhV;1g;5ZywTC9_i z2zny$aC_ZB4`&CHTgf6+*IpQk>l;h44&*BJV=tGPpsX!WBKQ|P&3WrG4O@stpy?eB zuV}O(IITV{Qto9VRnVA4Li7v=XR)lnQj9?}F$MkZso@jN=_DEfA0;^BtlCUKA^R*g zHG%tcK4|n6)1DV}6VO{?$^5#5*inbH0Y-`i9L03%jU}r(xVJ~NCPi`pWjn}Jk$Mga z4sM)Z1aI(OIY?N0C+)g^`DePCrJ}%MbZLGvtGqdP!7?u6$4ZCd+rxzjU)u$I7ub?W zi6aQGXC6MO4hN3x*hr(?LP&NEfi!7;gCqxkTN6t%m&Lu=T96po-l@{x#1@bG$GBAD zx@1BTc^%Xq_69CCh9$1;qY0@T6_qL%k|zTM?|o8&8oq=SMFshOopjSaHZ5jL`w-aj zfta8e=gfKq9uU47BO!!n8VedLgi>`a70j6B6D}8cw!7SHZCskBrC0g#q^<4WSnOF* zS%EBVjzOv>%J0=>AlBr}qVJ|P15JJbI9q&LH2S7tw?*-i6+udstG2| zgq2|UIQQ6eGb^H|7xdAo*OCLl||Y_(gM(5Zm`u+zyy zmw7ZysEa^TdABowtt11b)RcfNCI|R*XGm8ZYr&KMZZgZrLSZ~d@*`O6DO-lg1Db+TdkWZxo>81+8g+B+Q>DoBov(%4{rN>aT*MC+0`U^AEoVrkSpm;7wjg*Gu%rLoX5C 
zhl`zubz31ODu)Yb3yw8fJBxQ$>}p6Ep8{pLe34*x(Z$gcH8IQyqKHP#ejK&SOO5B( zlUSB}u&5C7y;UYZ<3uPb@r@!0K93)+dWPFL%)g|fcIsmyOM3!_MiLUFtUGN?X=Dfj zUKP3AC%ayH;qs-^YKsOV`E$>&|K#?Nmyz#2yzp5LC>qJs?w=q)gNR{wymyTUxQ4-f z+N)NE0)-se9;WZBhK_khs1=vbyq^ScMP=KW zpE+$c-xNnQLZQ(LhPhap(j0Sa;y+jnMPB@xTlx;hTTHU=<%_@1X4$07`O~9PSJ97= zm+nR)A+nFpu)N(2n-~v{9|v_l`b=RT?SAE97;jokE`y%ISvuFj3lcugpO9V9c8rbVWEeaNewYp`~qI-QGe^1Xx zZFKtSi`lm5Y;tm;;H+U-{q{xBkVD+{=VV49yeg^wtSqe-MVu9M^6upxvkZnQfwL0zgcJ>#Prhw>|5Y3reU|7cG^jtC|}Yi&s^suf|NO|2Ebw zU*g!nrv^3eSzTG~5a!G5RT_D5oX|Xm&sFnC)?Cv)o?(8)m3pkzRhFkZpV=9Fk4_iu zdbaof>FD4;m+ZmrPC%jK?~z~KJyPXH3<%ylk=!-|uP@~qAxlOSWq%y`lS?$NTxiRL zIR|aQpSR_=X41!LKr3H6zV-$@qosjl-iLZ(F_J~qZZbZ{inw?%;E=K+Gc&@tR^wod zV7w}-rNts;ISGB$`?TlD4TP-~c2^W+zRSw`RY9;aFR;dS#%%uJ@9b~T?c9`utb^7& zi@WLdb~HfPOfkFDpI8y>^;pX-8T|R824v8A!mFr6_1H;>ji?Yfa{ZA`NbGKZpt1#R z3ZBG*qwo4$DeNcfew#IJYY82%w`uWXt9mi#!5TU~ZmZ}#=BMYi%gKC~te;DQ#@QuN zE5dI?#r2^~{mjniQb=E-+P7UknEkaOtZVytsjy#DKExZpqS92?W*pW$Fg$=9oa&|* z&W|6$LZtrfJu&wy(rr_-BWTFrW`KmRq{{~3s$}a)fX*CUXzLCtm>KpN+b8JPxT;1kS4uMmX+x!LXX^tuJ+4k&iS(U$WVe%B$~=c=bOrfNI zm4Y#k!!l!D$P(BX@GjA?GbOAFklOd=eC?q8@pWou7_+KHS5PuKwJoI69MUc}*s6^2avH+vb576}c{}PjU!*6C#8+WxPv45EY}Bkp zwerBc8{3eZWr9X#;+{*UFBHN^C6!Y96{Aq<8<(hQXKJaDhi6nuMKvL|d{jX{U_n2Q zPHA&__!(z=?3&xq1N;CW2=bLScd}s#=)+851OS3gG)}F5_dvY<4+IJN13-|#Y!4Zn zA;CpYnHx+o2f)|$_T2(0)B!DU^=q2$!oPI*GuX`VtLNFBaA0wP^IV>cU8zvO4a}4nizzj+_RrIlM4F$HKcUmg~FDqnHl`JjU8@TZA{|4qw>nL5aF!-ApuMqE>U@)*Yx9+MI@0v zl~d6$%J4%@!5=3ZF1-5eXiJ0F$DOn%6)!;RYzSfLzYKiIk`g`nGka5+Z)9%3{OX_N z)}J~hs()25g3tkbyIf-!Ng0wq7`CgYOLa|Wm&o``-px9q*pp@!_Et%ydl&O?&xC2O z)HGTDpgR>p<;QJFmJvi!=b{Wvhn7+@+QSUht$LYJ*q!i+3K)z4_SrjiZgQ&utfGE) z21hjg5-Kw@T^%-=W8r+ELY6txG3qmNK0KQD8QZ2){EpYgECg9tMDs&9Hq5H&wzaJH zVa9$=>oW=(vU8X={*XgKsb?8Y!Jp-A+-W!!b1}a5MR27T5OGCrIZ0Rel!b;9kOl@uEEEl!-S9rl57B{wYsaZ{h$ z^JIX_RN{Rc+1EqFoM}yy`!86+fiuu`?#D!r25JIndGM-xmvF|~{zi#IR~?wE}7I}Jy3NXR~Z0a9u6Ee_h%TnLl1#vsFn)3-QA?ox6-oN#vgUZ}cb;9Dl6qfGtU4O#46{>~y>*LiS 
zSj9bU-#lZR0m0lZ9`g?GzmSSl0_bb@b|&~0;RH|5r(gfCf(&}`mtvXIO5fyV>XWFw zqn8wWId9OFZ>p@NJ&#LRp^{(5$3Jd-5DlNpssiZvy6kG9O=4k)Ig_Es2s_!eJx+%y zUpmvdl&4-x#FE}v2#-HHAGbwhX)Un~ID9^S4kBU2IR7jXaSC`yu@X)nZF3b!4m&pA z0hL`X_aS9j1e#*NnPHh6FT>r!UA4)qKP;Eoi z{c=@_a_U5*$#{tYB15-Cr3Sx$aHRCw)Eo#@@hm{GqHjo@E zQi(o71L~gj^9*xNEv8J5*nq%{Q+T!H=wkFc?=3s4$=GM4k}1rOKEzJ0(Sd-FGCUIK z&rDx{pbX9MUqQL{KY}vkl*M)>g`|*=&sY3UlwmS8T5}w)J|ER0Df4y=w9W58G2J<|=sRyQW5oO3N4axk&+2mjYM)?!6EY9-i(VC95%`@lVsX`W5&ofAE+BBsrU`O|3Yw#ClZ*)V=8HmT!eubxQ zhU>C?PT#&4sDY%>UQd_X>2pEVqB2@d&N>(WCtWaEGs&xZU_bh4uJXf;I(B zW?B(!^+koRo+oHx@T!B5g*nA1Xej^~H~tOdj}_C;C`(tjzMG*l)nk-g_Zl$SPhbS_vb@8~&O0u2MYnwi3x(^lhHRch z1|g8EJ=p+$It`yk(kPKMPNdjbh7=Kd;38>e!_;&^KciLyW9`c=r^xP=z1EJer6JBn z1c6zM=7FdvQVuOOQ>W`j`cwjYYNOMNwm6rrKFi#G|U zrK+oScYnsc2Sk|Y9klJwgHRYO3R&re5=Tk=p85QVxL}Ehd>A%~yU&@qGuRPX;FJs5 zcfKG?J9~g`dHXJhM6}qiGOIx%3k)HN1&8W~4fdo`SntIV*Zq8=j(&!U3LBQ9*%z$BYlv!Wng2=8C(z0={X zGd11k*U{FswB|r?(cU39v$@8#y0yKzx%ux;F4e-p1?n4-8hh=VNw#%)m=-ugiUx^b ziBqE8uPrP^Usz{tdh|V2n3o1-ZY(Zm3=jPEcuNp-a60K;2Msr0n7_zxyfIMeFhbf) z`&_V4nuCA~`Pew3$;Skyb6%tt1JdescW874l_(fn!AHAoMr!O4as{EqKzVXL3*z^n zl>x~Ih9FDUMmse(*Zs13zicK^*-P{m`#ZI9>YidTj8v}QQ2?$lXr`+ zzTb4;IGS;WtjbQroCUa*Xnx*E3Niu8deWpNafoC>|ojI#g$I$IHmvF z!FHMeJJ>ttWhbQG-R}mmDW&J~xeDbnTeEVR`f}y1Bnh)8i~NQ+HX2+y_>`&acHe8G zm)l?axE!62U4Cd^+hf$ZAf2v7%c@dbmyiGHq~)7G*k8XpX=(goiM!;l4Ri;7kr2#Q zf;=jaIb5(hRxw|QBynBzc9)SZT%QeNu+K*_##54wi5K^g7@RO&i=l5f=e!=IEx-BG=NL z*D!r8wAd&g37${C6NDT-H2kD>tUV_}Ql=hZaGQLbS@^#@lnb2K9#m?;KSBm8h1CCxHM?BQVa8jH zW=po{yN=W2Q)fC_G(oR){lhtM61&OmnA-SZiM)MUs&Z$}S5kYC$@Vz4xHE`V@pMI^ zenr%NXX0kHf|TiC_Yb8O2{+`+?A$r~v^h%JoB!wj4RP6AJ2uUm-3k7>uq9#f9ZhWR z6mbO0b|_n7|4PaJpYyUYf9PQQknRX#CWA%Mnk9`O z#0R8_k-tl56`+I?L~^EwisCIwiq^rAk;IH>Tm^Ar6E4ZS)1DM&yFjLe9aun%;GyCA zHiAlCEQAwx$98NoePDK-hanesM^Qv>g4bq|DaB7)*f?}Fw`_*Df{Im!sFry$+`^JW zE-gD3Ho#)eFGr~gwVH3`XqPDHtA#z(Bzx(B$G(_vIaI!N)4Q*f2Oa-?dEc78dicqo z*HWClrCd7Q&ToF_-l1#Ia`)Co@9N@R*3qWc(#E`0T*-G(&i*&5^soT~_tn3ALi^9^ 
zVbht$!dbKx%Q@HGxK^8LTeKDJ)0eilpYK7gfeq1n8}M%P54BGflijmYvf;Oly6e}t zt!SW;DO4HWN^e8Q_g+9l0vh@Lx5KOT$Q)A#jZ5QG!U(c))Ge;;yTQSm`9HHr!2UP- z*m({n7@Q6+!*mPo?~dJ~3N6zBXcszkfU#ZFw}TH+EogQC=0AfrJ2$8=& zl|M40zdmOVT&BSmX%+nZNZw)p>obc$(^mkoEwzidHGZ%9LLrT7Kqiu6K`u-Fr*k=7 zNC0=hWf_8@&H|S6sSS?EztR$>h&)KqJ{z3iL%`Rgc|+VaB}_gdfFJ$FikBoz9j@E_ zQ=@Tc1-HyjCu>sX6)~wUY(nLm@B?gx6#{@}nHE{Y{;wZH$L4ne`tfkx;QketBur?m ztXaApy@+xdgBx|~_g+dCI!*UWxRin#Y=VS3JJ-j9=h~qh-GbkbAa2G74`SPU_X11> z{!sP5QW;OaitXn&?@`Fh`OSsjy+ASm0UbRQg5(#bVz_PM1a{Y(b{D=0!4M3+WK75@ zPUj490*Q79lQ*E0oiJl`>WGDgOTz<)LP$vJMR=DH;Sus1vx&jb>v3(7DhIsR%^$^! zVH(jr!BVM=nnrl=fe@xb8VT6>EB9Am2?S!6)VS~|UsTownlG8sJ3IxBBu;Hz8s z!s7(7gMY8aC!#LA&3nhKioy+fsqtn!?$fwR`a~A=SPB!Y&Z{_3lP?KkAXli1t`~vd zJSUD$E z3}2OwES*or8*mm=y@eu_bS36uBbV_wrDdFD^ELeKyOWwXX`BgcJE8*7cyN3wy<_i> zBeh$Q5ZTL9VoH+xlW1i0qKH#&b9r-{xL_65t8R)6tvrbJy|76@zD=_~nP8 z;dm#zFyp8*DyT~T9(_+;#?o0s7+e2A5RApV_Jbyx?Z$DlcFG7`Vm|FeSYRqgMgfGt zEad*!+dGgyUGT=DabNsMx$ATlD}=Mi9rorz6MY?-VfUMRv>kz#@yC^2oksQ zx2d0=C7r(>aQ|Nwc5&7NJk_7hdN=1@xp(IUsbxv#g+j&CwX}f8$_03=?=KI_Rd?sr zukYNN%P(vMn6nRsPJ@(qlP!7smdw)n&vVV?q0S|C-wx`-xd-+7NDiKWLH>_In~uie zdwEeWF+|^iNFCU9n4wbH^P88$eKv04_#`0^Z^QQDzzJ&CX~y4oT(@N=FVk9OsRys6 zo^qS>gCI$<_hv~ZKytUiV+Ps+5Oi4}1y!XcM&+*dvQ@t-@p=*8>$%tc5OYQmGTagG zs7|WCtOfRdRvll=PDBhxcQANxfR6OS8)>sKEHmH==!a;gS_3->{^7g@9YnOWR79nb zJ0!+Z?s^s_@Hqgb5dlR@o+(l;eUBzV5_&fHlY2Vu;Jh=l@Z;x2p1V9p%;?hAUhcE9 zkQ)BYE@RW@B_hNZOkqa?uCtHLDagP!vA)&VmSug4vCEhQjka)%^SK2Gg+w9pi!5tS zV%sw>y`pzkwKt-yYN9{u!dhk$t*H08Y=;1gSj-DfmuC>(ku=f1vE0Mowq0|&bNcxz zyY(Fs&t?Z$8;D0%)$`dmF{%~s<20)vnMYeO%}kgVbiM4j(lVUuZYQ&_ z8$O#m3;qcDWq|gp8aqz{(lYChotWTd;czo8LTSTpygh5|;jRu`iJ5#>y!DB%(a9z+ z@lazQWY|_q6|D>S$tIwpQA3w+W z5s?fQ8Nf4er)a?kznkX%x8P6Y=Z%5XqX&A^#~kpyPHm)xp1ffD_O06~JzpBzH~>7x zdO)EgZsS>SwsGf2xohPC6+B<-Y`gC@&=UsF^5m*Q1DMV-RIk5;CW1(|Luj2&HFyZC zauB;MkAqqLx98qry;&0#1nk!5P^7)iMuZOJI26a_SOstFY{ab5EZL|OwGxZ#a?*mg7i&-^@ZNRAc(;U7DtilYrzbP-P#~S- zY)YCd2QdS^GAL1==|6kRR{pqADg!?>07kRL$~`M^9r!b~$3aP`8l@j8HR4^?i?sh& 
z6oS1{{?NG;>K`gh9SOBWoz*&06=E09R)1ShMFG~+c>Bvq;g+A)uC$sk?J2od(e(b# z1iIlu&v7H!T!i2T?`eL27gfc%c7OiIfO@=6{pad?fEQ~@E{Bhb7ECTUuUOfG9qSi z!_D>xXTk%6q&_pXxxf_?#~^leKznh#=Uxy+bu+q8+W#J<8qSc>GU5S8Mf>4Rju?`R z{^s0d|1wo<@KDgCP&GCyx@!qVI@FrdFkT6gw+lXFdNI83BpCjcW2d0|HVFBVE&_u8 z!gwlHFOX`nbZsuvnSfv2^B4I_cg33n+WXoxCkz|+6?6m+r^m%qN(1UsbdM8TG2&xz zI005}zx&N2vc_$y z&(s9YARnUP8vCHujc^;bHv6$>unVR+Bgt4Hj5H1y@%P;x812^lNw8d5F~WtQs+G#{ z_g%!@tVFu%-Sq(i-;3X<$CsGzOqapTPm98(`K{2oO|L>D2WC>DHvB8=zaY%VUlEPgIE=O8f8rnQAE8sgOEOzKGys6f^}U!z_f zJ(~>?g=<(t9mZeEj1!V@Oy{_3Tfv|Q=MXPweAF;IGB;%6gHwXV9g21d@j8l?#*rWb zC(Qvh^-$wtqJ^uFPZG%EA%V+nrZ;HnzUsZf7C)rvyN4T8eqP?SgQq8=ho(*&9@=Tt z^|wNAcS;wCA19XCpD?&0#KZ%J`lh|U9g0rCqWJ)mID=ir$@pW=jbAUoH2yrT$VHF6 z_(o*~_f$Ff2WKk8%t<@;N8nyujc>NG_DUzF0b+tLhzbo}wC0sXwkTuK{fN>D_`A(l z1j$eyDtg~~eVp2e;kd+p=T=JgGmeay!5%$do;|BH=WqSkV{6#zViP{+nR;#RzmKkL zm7(>e1J+8oebP-BHu>8%=q&8zfHzwCb7Go=7q0aKr5vs*fKG8uU?DRN0=9ZO<_6-y&_S@tbWsR34i#kfr^z$bGZnJ#)=Nur0YGR(Q+ zQvX}uEjMXdo&Im|t6XH?mG=%SeVto}Mp%NT6vm_=&VQ_wlh(VwwSvc%$NhH|>Bare z8`L=eHozSMT+wHCU^W}Lz!ZMpuM!RujmwWFe!J4V*CxGh``@(Fy1qe<&v5DG(G!v% zH1D<5Ta81=S|jhzO6lc`4@-*bOk?K4BS472 zF1;+42R`C5`(Yi*jmUwca+cf$(6iH(0eW^`!_^eG*>*!m%TJ@jbaALQeO`38`zL!NS6T`KnhGJqUGwN`tfB;S^ zNY=~gjK90@E!w`H(KripHx`Lb@bKi-m-kHUE1wY>@+kr8DpRmvSxhn|@aig%ax?N( zcTY09I&z5^gIo>Op_G^|mIZ?A-~u7uHWV1s1E`_iTZmPPXrD7GA7IhI3mch;Xu_KGxpG(9a8w}YT4^fq2jI&~xN1?}z`$6>h;qAYF&oIa> z&`njbd_`zN7^1FCNYL3DQD{D;0}kBBWB$A4IkI9K-px}&)S#UcC){>sU*qTW2a{)| znudsw-JkSm$K>NDz1xGe4yOSdLc*|a#7v3Ab3^d96<2{AJiX4LbZld2?V(je_97c~ zBIKxiT2RSG!BFhBvGhxTodz=rLv`qD9aomOb5gWLKenS7n^5K(3O4VIxLhVpDRZv?|vA9KD+fvJpERlHoQ zkFQXq9VZJr1VXOMw*9Nvw1A)YeupBuEEFbrVv?M(&}6WH**pO6;?_QNECp;InvfLp z$|gV-flbSzQ!v{jD!aK=(`EiI0i!W*MLv`hRM(1Gm!@4Q*K+_)O_wVlozWe9hPluFaMkZO9FEjEdEhS$n4M+78H~7Efwb48?~GX{S#k z&uWwRQ8@B$`(7!_MsdYKMKMa8f_f=QDhqei;vpqK5bOVpW8@aa%y54}ElcT=?>0^z z?^%rrccoTxRA1J|%P{3g!gQF-X>5(=CBMgPCYA)_Vml+mxny4;wV+z~A)-jC{jj4+ zhSzk3utK688d*FB{!GqPgb6w{uauP*tuzQt>f2H4Lu2mStY90U)~qmI3t>4=k;|=I 
zt~3w~RA#+P8Pd9Mm`Zt35u2Z2GI(LYRYRzUpRn4C_PLjO@5(fTg8cyUXTEfJzC+3N z$vfqn%?`*T?7SH<4mRYaITK>hJCF9Sea4b&C)4g7|Lx8_Kuj6EQFXxEX>l2E)TnZ9 z#Imgt1ZSg{+_vR~7pS#A$|epz{IrqVeTd5^ZjfFV8)z@0_O1fM=}E3FaQ37|#Aix@;|) z<(VRKR%d8vz1;eltmtgPi;^GKkoU*(K^%UrXT`riW=obJe%uWC@PB@dvw^2w*lg(c zgHURVPL2J%BkWHR|8ukkF9kSA#drjn65W44|(W%g>$l#wQ4vEHCwRKh}^I2~dUv(38UVle@8v(WKqFBjIImkCGi zPjCfvq|u1(wthpD>4DRJ&*@!T@~irT5tHOyw%nBBHN15NRAubZc3d-5+8j^=RU4v4 ziFDvos_3|B!B$k60a)kPl4`?$2lUhG5NY-A(+1?Up!w4xgtQfHBwpC?RAPjcfTDi% zZMnOz|Ih+_GWjv+g86^`>lgrjMdtnTIHQ18o#i1M`u71#nUL{HdA$1hz4D`sK1Rp3 z0fd%EE#%RY6BWj+U&$gENu)j+o_j4mV54n=hRjR?afO^#^?-08A94v&_`lbxV|f&4 zrwQy4%W>#`$ph`E^5q3Z%!{mPBVnBDgA+oWA**UFSb?uNh=Dqo`Ni5`k%&k^%fjlg z+GDf$`#_9eHVM!sIh@yizamoagdH|?@)mq4b^{prX^o&1LX=h~$Eb(mq~D0=UIW`! zPS$*RD@&`vRf`oP&-61G?kw7%5IF#v^(rDV#@baAPseMl3q5cfvHWP5v2d<*K7m6S zs`vh)&=m0<=Q)XcAa-gZE1ST);?_T81|r$V1s7V!%WBEg2qc)fm zq_$Lf;)UD%-34r?a?2pRLbvENx5JqQBbMP%UYOEiQ|`3j@?%b*{>s}~*KE4{!mSH21i6i$@K}xx)m29Jx^u-KjrND}sd{g4kmUna@B*dSl0d6XfY^o1CzxGgjVQ z{5@@&7{9aen0hYXW%~;_wUY%(RKfSgZxS&2-ac}*4ha$QSY4?B9x(dNnF^u|K5f~6 zl-3q70h}oUz?q0DfD8V&6$%14(kRv{hK9H&G*rv zo&FY23@ZLD$xA@*%}1Qer$746h#eD*Z0lyKTbV{MwD!IJ{5OB6%uU7q^r}fn2>c<~FZ6<}1p&x?f7y0hJ$mC~Lfq=;1Z?m=LaQ?KlQTa@zDOt6 zrsyPI?Z!?`JPF~i-Zolg+i+k?wGfL&0A%|!kcp*)B^3uM_@^SpcCnu}y2JxAM)L&OVV z%As%r5yX;N_I6y84W7hBZp)spwTJTwMr-xZ#(adHcrhuf$mOW%s>w>ny-~s^oh8HW zXUB_Yhbc^lP#m~Vc?>v;!t7Ltz|d8Zs=CTOnh4m{36~v^!Wor!$q~n~P7)L2b>dq5 zX5yV=Wi27fw8J9!S=XQish$^;ZG+FdWOF5JsAjeGb<0^|5k5b6>mrrt08=; z-tqxPUceO?jY34W*Mu1k6{!c_N+Ci(1i5W4oJ#@ns1GL!r%(~NP_DS{KM7=|;?B}I zwu>eULwFv5QxGaOlnrcmE`7t6y!J{#-U0MUE@8H%gN(7qwu-nk1`uR}{0_3=ls)`3 z`A?8dw+@27b!V*H(Q-NbGUkdHOMU@d;TaYA9K&yj<%{abUXhO}biNYTHi$v#bmQv) z%_-Q@*_Tu?*i={o@nbAt5ZtIAljmP2Yl@(Txcv_4Hsa~es3~e@ZUgc%0_Lqv!JKxJ zbk`Fu8ouM5CmCJm1X+2^VxP{)fNN+6{3Z7ON`_f({sD)A!IghaWOE4&i`U`_xF%Kk zJQ2Pt9mi=prUFe=(*+9h{z;w%^zsiR*^Yy(R`XrC=09$)*9YZ0x*A6^T~p~RW8r1b zLslZ^G0WdJT~DsnkzGqU;Dk?TxC@fIrfb=ZFivJ9H}B 
z#0Yz!Jd&QBtnj<4BMprw@0HDNymIHZ2FI|NV>XGk#>Tc0ZYpyGf+f&3K{uz@P)7or zH>}hRbNM!p*TS@G2BK3Wpg-~mOdcnlNn7*lS5x)tG*FEX;lw%;n2&Az<3#)XN-Y5f z9KlH_ubExJTmEYq5qG_cltO4XieeHPk?2+YGBjymG>>}pW6=jP$&*j#u4+a55K>u- zybW9FL$E`QBM*xv>8L}n6(Val^=5LPq`QxvZMWdw&4{ZyUwc9=| zlt|}g%F+P()(Vb@?zxQg#_a{JaTItpgF3}Z-G(@k4Pso#le#w4tcO8WSK$l%!!uTa!b>#UjSXqm9ldx4C#HM^wJ0-U z=#BVmui9Biwamdv@W9sdiKC`B5p8~Mb`fTAKBD2P=<~-eqkeWtWZRk<+GYrRw#>4| zrY&2@C|)Z0S)-<>jQkO6v~75XnoUFE)CmfoNli;k6=mu2Gzju+f!jIHM1dRfQFR~@ zRdx^0z=kMWK=qTM-aCtL6bHL#gO*EEzFn`Wl0aWvQL~5)?8UgJ*k!dSk9zL1;(VZW zq~R=Ec|HYO9i-I|vlM(ZD}74>-D*u|Ck_3WKz4L)pB}S}eOR*)wnnR2H2uIUTTKz&~P_$ zqUU6)Ak)RG+;Hc{e7GaC)<_ZNlo|$X_Q94ar*l&sYaM^1!E&@5{lQ}0oZ-qUmF!I5G%GRfa&MR;5#Z8k##dyiMX(gXH>&?Mk>~6Wyxj1Mw+s569X>k~pq+mGsVVB*o0v z$sUB(toi=?R;&0cfnnZq)i9GZ;alP_Q5rC~BQB1VQC07e*xdHNHJp@Q2IH=TCK+ko zNK05Wcz9}G59g0V+MxcJBrmW^2?5M=ctq`@oveOAk%9Ek z5ySqi@Bq!6lf0f4#C>Qq4=cpSO^?3V zhug(|WoN^=3k;>Xw-EAgd~AjBWnTDYQ~bFT7XJvN70QUsK3dG5aCo-Jlx(Z>mdqv9 z;qu9jSGwntny_eQA1uE%^f(Sojk^bgqG1evcR~A_S@Uqy=E*XM{=tX)l>M7|;n`+N z&Vj`{(V`dVfuF48ip9ZN7Ci zKG8X>bD1@yZ9QkffLeCKBO;C z!+y1qcD6FX)^FV3uO=1}Qyu20hEWXg?DVGqqNO#~{c8U^Am^y|y=Ap#f@bA}>!>Xv z4Fxf;t3>Ij0W7ao-Q(s%Ov zg?+HzU@@^VW%PSn|C(Cqxe>vbqJ+?V6E7;0%~Brn^St;Zfh$Ag;}zsHXyXo4KGB^5 z$R5r@Bn%KJ2Wki{d}drtwnIM;l~T|%uk)Z^%L0eF;AT!5ACS9UV@MhY3!{s<3(I6ZH67IP__rPh*eq>l{ico|Uv#kfe=J9DKb%^>cdya9nV;RKhIhP%%T>VEAXZIo{J-+OY+vze4x3}yO z&tvUJt*~5EQ`krW>W_0*N#p%dL~Pj_I1-dab_qF@@=42G3~d+!&)b?yG0;`Qm|{B> z2o(nY1!3RSQTWrz#*Q+WemA|ISPD|ff8JJR_C4o_`YZ}>|qaQ3?ar9q}L^zfPlJEF6(m=x%==Nv{o#BP#5ULw5KGAmB)Z^^jSi|;_0ldyIAhjW|` z52A=LOE;@Bvu1mKbw7Ng!A)4C$YJZlWI}UX6~HP$(E;ab)eDbb1DrH#EZsc!oZWq_ z4Ay2@VW&c_UxlniRk)}{DWLV27O(9ceW7Wx01@#EXJ0}&`m0=n`R}7hl~ICYQYJ?R zyo`mGGWIRYrX6jc;$^D3;ycS{OMpccq+}@l3J0Y`M|7c8`q}@4pu|B!MMat zifY%nKt%5M{@+)$bfCkgbLbM==_qnO<3S;6$xF%x9&qu-4gbDYXM)Sl5x{V34X=>z z?d+RmYs^agV&RN*BA(nZ?$l;y7^5ws_SuGRbjva`{KnN)=1FK5=M&WHI(7%NRs-@% z;)L7b$Nh|-tit-UF(Xg!J~CNGt~Ufv&5~Y%fhK8kE9>1$*FPNYA*<}p??K~$eOeJn 
z{FXp+*8AO)j#+xPB|u3#U&T$dkT064F(Oq`7C7*yKuUNg2P6o;re5vzlTaG9td$F1 zRFY6^l#S&GPzBgLZC?(UP_IOa&I89xveZ%a19`t`)j@rfCV*CXR?!gvXw?BzN)1K) z(n0ZTJ{KN|i*dQOQl)xs znW^)azL|=84H~bo{P(sE%=)>{;)dq$2QWiyB}2W z;fHME(*sF%FPYbI3dl|2yjF^NY!XT+J5uUWqA|D9;2Tuz)eLRg2JPtW#7_?L4)FbHe-X0bK$7 zIEV@&&?<9E$yWs%b|h_SE7xqGsyHA?@~O1ok3;vM7%1f0lp-{Bv+<8ZtkdER zfX7O+G1pRct0YmDj}8!lroiR)3z%B@nFkq>`k>p!-M^#^q|Es1+Uo};4%Se|A-$$? z9G*qPqhM@;Q&SqU``rjJ76_ZKbwQ!e?7QPO`)#1hfNMfwRmkUWvlh7>5TybAes9~N z$Z!M!JmQ|s;@nXBr0m>35X4y9+KdsUE@&{|z2N=oWNR4WIN-aG7v zMwf=P?dfbm+xj z=)nbiv^_>!gui`lkeS19Lz*0tWyeIOr&%0l_zJE{bh!bfzd52w3*dR<0pl}t4|FFb zgP`U?e(M)xwX`FLJ z9i_hhAa(o}>fxslY&_}Gi-K}KZ@Mzm^|O#s&#le!fTHXTwR%6+bYg4BIddyRI7&5=q@zkP&TZWKz9NVF zq2-YF^SUkl4tWxC{N?-^q`y>@Fq_yIevIti>hsM4?P^oRLj^$1j`32sD>bBJ7<@mq z&k5o&>iNbI)D@e!!m9%O@t7ydTTFX@<3h5_Cx1IiYqt}?I zD&y<7mI9f)0c3W0{gIsxb3rnWFpuHPiba;>A(%D@_0^ zJ^WBjsZn^O33DyVP|d#zqw3GHSMj6SME;}MBK%J+PWT_jJ>tBA0yYffq30KYt7F6q zoKJL_E2bqmnWjt0-**kf&sON`p8w>y4usEf$c%7p`4y3YFPP$-@_z%1!JY?D*C0;5 z^W22w4cxn(P1Lyw9>6{`5%B{@g64FdHv!+YGiI~&Eg><6-Q+(jcufn!2^;x~Rf zf&^U6-LT6q$=rhlTpb8HGh>Pt0MJn-D3AClG-V>7&l-)fW4+{gLIHmd;d4Qx2{YVv z)lPjdI>C1|%4+?_`#6m7$$^K$8vOIMA3UIfVAU$V7Z5yrwFy>g!3-0CU2FZ19drzQ zq6+T~%5k&peUtPpF1qq^jr{^&gY-d^72I1BHv7FidalVwYo8J6h_W!Zry|R*8M)3= zQAw#aSP+ID8CDTXBylRyX9h7!ycZNUeKgp+YlVDGw*h^OV*kl8`6cfC3i3dqMPazr zG7NI3k7=W@o60Uc$}5B?yvr?3296Y7FBsg$9E?DlvC)sA4tzCCX$2e3-k2CRrR&ah zqb-TevK6{7zuh6P?K7#t4bd^ zjZCg%XkckpY9pACFrOK@9kjTu`$UmN!h4*bPkb;+6FEStDSRXAPbo|t!CP>2nW{_@ zOGpEHEiZezqh(MRswF1*LcL;JUN8~F#rB6TeE#i5D5&lrSSi6=!6^c#IYkLIbvz1r zhym|-d+s3w;S{zJq%dAJtI!-PA^SZRKasg=hSN2OMxIzr5EUs)=5SI3o>VzPIDOB! 
z(7(LtwlpiYrM~%cMb9;z=GZ3lMduN;(WKfKye0yOH0ypJ&TfRC3mkSYyupUpJsD$g zCmHc)q&B96zW~xQ{sk1slL)Piv_1A0=?88q*(dCufW|{gE+hC=D#Wmx(GIo!q$xGu zYx1EUJxQ?7sB_qws~#`=V+pD;9+QlF*VR#;oIu_-Ju`cm_O+6-DtYv0fwiO3^KDT% zM|znTR;WMn##TOPkwc_q6;57#zTbnKSZp1b@17Y3avKMn$A;j`V{n}Yn7kvIz;Mp) z?Wj8+6kWfvq(-=2-8J##70rjmr`YR?BwX@i{GsJktT8ivOzuzhU%vsEWbjEq10>a9 zxc{*6Pyw;lX~ZByWfu%E4!;gLVWhgcFWA=b~REvqh?D4tTkhN!F` z@5SZbc)Z`DwS?<1tc@dANZ)gXM|LFhaLzSHr70pmypGe5bIaS|+P?@;MSe&_H{ey1}%O|3I6Gc^I3JTdVK(Q%3W(C}EdEjoknL2wy_ z>>$OH=wS8Vo?93P*O18nw7j7l2cUl4FHF@fxzI@X`{#XZCG^o4I`G&K38uE&nSmQ4 zsL#Dcub~GHBzp~#^_sI?Xj9xT3ZJQ7!l<#rJ0sn9r^4|Ln~enE8@ydF45 zWV#i=DSKG9$q0`VakRKpQ6pGiD~J$}U1(fcj=L-z4WR*7fn)&^wuX+RYb~O=2kark~VVcEe z_V#QD)B>hL%N5Nal|1M?DinBQ*%*F-E9-(^0myrpC}3h|cez1XR-Sr<7_0eZhJogx zEC-##4HFK0#XQ(1s|2y>dot|>^#%xTQF>bBS;bWN^FjQw)_I((sOmF@jG5M2j)Ekd z?Tj2yWq9ZFKfsRg#FM~834%6S=!GKYYw*1hTjU}{A{aeRyFSX`5ip{wB*y}IVyYXg z191UtA8mlwa*dJT;o9OIfyH)aNXDoe$K%3gL5si#|L5~;>WJ|XFL)6Ahe zp@h^(l5d-P9BJ*JvX$-%K#)ylM=kT-7_NRf_O<7>WFr%$b@aCpR)q>(TbEkL0h(PF zcIrR`i~E}C!I-e8Ar!d?T9rH`bt7~2qA2r#Mu|5!3`Cy{H5T!_{vfH>UzS^}b5r*% zc8u!p&!wR?Dl*i9qS@heQ?9g)Mak`o@?Wzzz#n7Y(b{)+MEH!3;r3e*4=WEQ;9s4A zWZM?Y0#pP{7B#JIfs561P-4zOfG4wvk^t|S%b3(!8}Jk0Y#63K`nKAik3Vb;|7lNv zHeI)Ry5Y5)98Z^2u@tH`2m7Id&(EjrW18*~-u@j;yK_@|1e<6}n?~`(^M>o$B*a1q z8c0?zgMiPw+l6)fSoZ)616$mA${~N=ZGA(wU$kI!Ky4of_+6a4D0^H;FuoVCdhM*3 zm3@0IHhWC)D(@EIj#bGX8gHJQM=r>32v{2yFy!SQV`6SG6w*^rhQ%VuHc4J-$NFWS zQCd7o^OP*=4C0aHA~LbnUPK{AlweViFW|)hD?hID=I$5$s6k8V@sM#tX-Oe+M3TC^ zx>%{FxH98tUhFI_@FVRJqmVU*wZoGLzXa_LT(9{(e7g&Ht*@{M78xE!fn!tNGzn{& zhp4HRjST*g-mL`m=7k|Am z;uW#F>CgvG0rhi11lObAlK-5B(-}n3_4?=^fW^#y(va?13ns#x_fBcCeq8zU@#ziz zoe46b6A#44pjC1i<`%!3frr7n{h;h!zj}L$mm}x3JjDwL-FrEP44zH{x6q-CD$k35y3V|mRe zX+@WZF)bDsn~js{t9+cmOGP}UWSQWckJHuXrAt|I9+1p=IMjR_I(RY~-+AkCUh2~8 zEIt+^H`D9RSGHPSW*ASxRS@BSI$LCk8=;q@KB`|zo@v@IN)aFuHi93OUaFy2K;itO zpC6YhgJ7HNGzOMmF+qE$zw|D&JF+K}Kh{ga8|uzXr};rMdFt5=nZhpQMj zR-&j^{R5vU|D7OU@QQEfuut)7`*U24p=gQ+juG*sZ1(#W>FYv#iHAH)~ox 
z|3^6qZzjdC7{%Ss#34NnzL|E6p0ipEa|;LJN|nPIBj!ftO=Jq6F25bs4i^+bAJum} zgo5W#$IlpD=IObX0W(0ijv7!LUUAUmxB%m@vSx1Q+{&g~OFI&jH2|>A- zg&kR=``Rs`Ir*D8Tvy@aWmm!xiEEI_X^3&4XVRA*lW}^NnR*rmdL$u2EQiq#D0}C( zEEnYTeh;qSH!CBikq;DcI!S1I@Mlwf9QAg**l|K>9okDU9s^w{?{Zka&KRXlmJ#{7XEO@{p)4=`FC^lV#o&2cguxw?wq-Lf*p`DFJ)!hD8iLAYG$_1-@W=V77uzV zN#}G!#rvx))0&fi%u{nowjmb-3-JwnfP@uLRi03|0ni>|GEGthW!c9+&XTfh@Vx*+jWI z1R?Tb4SQb41ps?hPJaT{w!nbD*L*S_Hu@SD9+p5i`g1j&7;{(;Vj}axYkl$%)x!Zf|rjJxRK`Z+m z>HX~AFvo<4+*z_P$JF=$U>f2azady|z%=w6&J1kvW`wIQi&o%%r_hWC3-M%)Nok~- zYjfd@zT<8GBEOx1@k|1B0~t1GJI?5eiZD7|u~nbr*&z6!0~!`RI3-lk(=PmNa91|i zXOL}7w1@Xop{E9x1gcz$6eJIOaHhc&7CsFRA5RHvZ52Wek0&!=n-)hF)CbIGOJy|% znvL0;Dd{oY*MfM_!~liOXr-RbeD>WvZQB}}yE$-l4^A}7UCAEk1XXU)?OmXv8*rBn z7!?p}zVbApn|H6Sc6-KI+=c~W{SN0P)JPV08U4cAKU@rBWt4TP{Cu_ zsBzY}&B^xUCqd?V#9OUHTz^&mZ`tYfhZXME^oMn{i3W@+|eColghm8HCa zp6#XG8hv}82q5Eu#3g4&(_r|^e&WfWW^|%rKK^5%jbMdZ(A;Wv4Z8;(-}7r-^R7$@ zZA}YDWOJ29bGaZu9vz~_KjKotMqV|Lj7f4rf{JzK(c0is12O)wm2iQ>QTi%Mg)MQMAA0Z_b%SRQ>FweTqlm2EixGh7u^M!5^)ZIw9)J?W(yNp-~;mPw$POpA?>| z&^YM-r|@coKPkL|8X;<2m76J{FsuRyT!D6xDd9g8Z}~qC0$M#^1X}%{1wntKSwY^A z1j9Wz@9dW`wXJi{T^Iz#=Yx;6|DgR~quzC1|2fCd!A8&DQQ&%p$9!)sti4dfPw{#X z0}zfv;B%tuWOYe~HFw9{V!=g^oWR9F+F=Oa=SJTv$18dc0CItUb32+twVrj#6oJSet@b z$RJTxBR|i_dZRKnr>qmw7g1Jh5@64tee394GcIk-$-doJ_%3L)D_P)swgV1h^}@3< zXEPA}8l?jLC{NjSCdyu;*f2@N$T@b?Qz;3{!Az_>vthc$gh_(*rV`!jwt`Y%v!_Y@ zGMwpUy^DP~HYf#43##=dZX82>5SZoCL0%5{yg;Y_L_ zE=0l(+fvvHA({{~sD$3XL>|4_~MidPC~PoW7}c<5x|^?OgeW zwtUrPiFSkGsZ40!r`E@uWTqQO{mly8bfW_%@DHUav8o_~|28TfGWP|X5I^Gf&|!J9 zr8p{(lBq7QBzUz;Nq9^#25;8ds~4Z^Hynz$4_mg&&a}+A*;Vz_H|^Ze(9yH7adle)8SJK%L6|o!}2LX+F0GSX?1;xd%^t7Q?tIYb=f*aOI2+Zs<_xb56$LGM;`02| zRTbdeu(^K9+_KJ7({}Chluu78EuXA!aY^iaT@O z@_AX@($TWI@ubzWy6H#AedC;qxz)Ek{gkZ^LjFWdUHKr;(sJnB0-wIQiCfdQY1T3I ziTl^m^~?J>_c}n(l}B;!6?Sq-F;&lCl_9)->`vH`l`G@@^YXKJo9iZHJ>!%0LTOD? 
zdV7=i#KmRvYq`4efurEWP~(2}b~d1iZ%k}sFbL%U}6w&U{1xu#{+as9pPNT;Qz zp>1J(^ZbdMHV&k2g-m#A`^@qZ=i%vXs=5W-X?^{a<=I8RNpJGW16?!j!t!us-YbF+Kpw7+sMKU#|pk8zrl2IFM9xuxgyod=;A z_H27S5bNrd9vjYiv#a^o+2z?2Pf!|mVy2F(y^fW+No-sewo*@3?yDVfci+QaDd89C z_{STPKi@)fTqZ&X%?Q4A)Mc|)1s{f;a_&_cNe7;xGh16K`5M%@Dd@yDDlUf+smno! zRs=y@QBwMI2U&0weZWh|pd)mX~KmDri-q#6rC4L^Iyh~|=-WvH(q zR0W~gdu}R>!?u~A6uq=h`I_7?_ILl|5y`qC)%=k+nl|hhdq)NdAbHK>8m6FD&K*?3G z5y-Wa{ic>IAeHrU#Ryu+wLfW-uQGD&|4*AhDu2=@YoKLw-(|N}bzv)IYRZDKqE_{P zF<|Fk49IYzkH~P6b7=4{vTeBORi-CS9}%s|%jtf>Zw-;+$+KsooUY=&W?+CB-9OAKaihJ+|~bf$IlW4 z)?a7GqY9e0CRJB&XaL}so+IR0VA$_b_)!@0c2VZQY7-YWf$QLrpm@is3<6A11{sNQ ziP2v}$6^ZR%Hx&c?qPK;`Du-Ph+oBI@Y-x|39}A%P;CK*zuV=^MCSWRq%AEaO5Y~v zp@1ueTsJR7?GjvM9r{I`jOdQiJdqMm@KERVHfL;Mb6(JV?TRdC0w`s9%W^X?);XDXXtTBJ{zII^Li1pL%7`Y zq|Yyi8(PdXxB~ui%k^72e|l zyl?0gcdjxD_Uwnd`iDn1cSLAOf_Q%d)FaZd^e_IX9$hwh=}4r!e0i^wT82La;Ucp9 zw!<}rn%Ejclt@L<4}iJjQDgv#Otd4qG$HJc2J3xrmD0&N&5|l#H4IHH8x`_3}5)-3vwn6?S|6 zpgyk|eK*H^@>NZck>Tqc9jg_HMwNoYhCIO@EJJL97elOw!w@Z8K?6}ViMU=LduB{) zzC8qpR*)p7)Z_}iheGNMTW;>%;3D|$6dbGt;+Xf=8T;+d69+)fyuKZgoGrdWtc z*1BW3q9F2|c!@S}`Lu=GVIL7qz71OH_$-@WVAQ?OEd`aVMRo zK#JvhV0;Tmz1xdgAw|lyhb8HMbqXuu-PuAzTS9{UF%kyzBCjxD0}EyQ^%K~H!Y@iF z?~yGQ>SNI!5_oc8><3oneR@?UMB)=3AfZD9CQefoCGb(y+m{XUeY_X3q$T4gl#{N= z2hd@Mj1-37h?tYwQ|By7%_s*Vorp815wH1kaEA=L&Em(_?qj7Vjq+j)Ldou!3G@%6 z{=z<}4YTUe(=z~Ua&H$qBt#H6K`BFQ0RB-;3_@U9(Yv;D;X(r@W@j2avg=8o=g1h* zv5dy}bxIp;yp;9vw)1xp6yJ!QhV=FjgZUTEfTGx`5ji88#H6qo*ti1Rb4IfK`JzGk zg{gLfgBMHDl2JNKfr)XW2H9IFoGTscZS3c_&9!FcdUF%+H>%S6)Nppwg;;%7^ZI%e za*5Sda~Ye=dfU1&ccaky8&O1ie&XW#<=16I061j4D^6^p6j!g~n#LeDI5_z6?Lhif z!mGsKcGuxFatrnM#0T*a>662ezupb`d>q2&@L0KoO6yeR4a#HXl9Y|Jt!k%dghR#K zgBp(8185PKtktT(ArimB7*=cI4Z2FuP5C|!{{1>eV@v8L83+Q{{>V9!mp9;YZp)lu zyG$DlLzd1ZIiJ1d3_iJ4z^pKQM@bs?pC=-96}H?XKe~IqgbA00rAS(kfW4iq;nOKc zdCz9r&54b83Yy}4yj`V6)iVtvID0-?)5NDt9`}@CfNAh747oO0r)w%FVH&wpqc+P| zn(j(NGxkIKq}8IXZHli_pUDXc zoZE@?i3~@9k7q+;nr?H&P06f7K1@#hVN4W@H&(A}aF~kY5Ua4cv8axcAlJ5GL5JKh 
za49i;yNo?D9@`K&7QtaOjvcj@VjH{6)M9YbE zlyKSMZrwX&KetpIW(t)j{~J$lSbS2l+(VKZ!JlK!-*Bj9rcdO{cd4qXRaW2r{VdAu zeRlKnf%Sn{V)gnz9Ejj-|H=s5 zqz`imw#9SImd9yUQj9Nr?%zy(07K~X`sF)D-9#ncPJ>aeJMiUTAgz?&`JbZ%kAF6@ zB1AJV*;gg$OAIM39^*##7Q$wW-yHKXkFUPtvig;_pj*>jf%z?3M}Vp*ikaiA6CjhW z(3D>iyuPRfCV3sKL4qQFqi^>Dq$n5SS51}y9Uo5Aers}Pe9pMtnN6#6G%To;>?qMl zo}}8iWPi+g)Tc=MRwrpsm12ewm8Xs5c!T9dwTCyZlGDf9iU?_t!aIQ?^!j{}fpHZV!)ZtRbVHbuN!d2pgL5kT zl%J-w;cyR`F|8e>e2;yy^w0grUuB7Q*YeX|8T64VwgsKznUsXzvd3QOM%%uOW%1M_ zdj_il?UP?4fed>?)4+j3)y*(Jg}fDK0gGwp?Z!@hc z;*c)SvZgOfuMH;?o7b_*fI?WEu=im@nZEna^cFG;|hE1gI@1xN4aDOr(Z^bas{Du8^$Bwy#fm@EPhmVc>D z*n6XO=;qfC94K=}8)wSYMio$B{7C~W;Qe*p(ND=`5=iH;2aB1)Wfk$PHT^Mox?!FS z*YK_;HI+^Kjj{on-VUwA+@3qJQQgsdtB9-Z-U@9xGW%D%S9M*Ib&u9}xium@po2e~ zt`!=@#m}6BEUw(>-}o{0)CQ>eIFt7HiD`GH(Ed({f z{K_M@yD+U`-K^GPtC^)?j?8ghHGT|spmSgk^}uA!nSDNr8Liuu<6?(p1{DgAY_D|x zHlf}RYEzTqJrbT>SV9j_EJ@cx{q&)ip$rg-anY0kk}7Nd&AC4$^Wyn@vpU3$Um^C| zR85v7s4uAAK!l<%Uvfn5qpzo9;R&CuKS)RLa(O6 zcF)ruBy1Ps52=(&F!l@`tIWR?=)HS|iGFQ|LxawBsQl#yn_h`TU2?=hC~Er#Xuy$x z2Re~l?N1aYQN@9V@Zp+K;LtoY4;qIydg~Yd)%eR{NwAz@yM()8%T8c9@b(XRGKhq2 zb$=gVTh{!iZ24mXGhvSY(;6u**giD{!VGm=@hb&QFEbM@2y7pq@avpYW9DQpqqJKb z1j--8abu(u!o055%sClQ*ER!o$Qzy=k_}y@mdm9UKBJ z!W}wkQ7AZc6;Z@o#^sO*b?zRW&5P2CHt0|uk08*kiICciDp2|3pZhCb*kPrxZL0{kvnd3}gH2ktc5#wvg{@*F$t{77N z3(eB~eR!66{B0A#*ODxJ5*|0RlPeR*z2#n=Pr4<$=rF?@FYoj;9U8kGjt~QNn%tpg z;A^Z^csQ{OFX21^0Hg)Vjam$mA22-JK7Wlk|5U2(!RDN0&|V~kc|Qe1)6{tHz{6w? 
zNMc0jFA^mhbRcW~CC-cr)y@GNmPbEbs^3~=FxzxnGpTnArR5!^g z78#~%)s7t4DY3ZyK=3IIv0nWiVkOxhw=@VZQ6et_Uda=sJTdnLz1e(&;sr*#7?S)t zW%j2)%3$|7GnTDS)0Scyk1+JVzYtSt(6m+^%V?o;xIXkWQ|-yrAz6K8PV(-y&Q=iClIy{Y@4}k-(e0jn-xebk!Jh73iUTgowfR5`k zBo3lt%N^0@rklqr{xs6LF$8X|`lVWb)QxywS4%%YzWW);+`@AI;ut@xSgmha?8JUK zMJ;P>&kIiEr?`*bVl=^oJ74iScmpd|VwfP3R%mu_LPW3AxypoAvsGy6m&S=c>^0FG z8n~_pWWp&;Kyr1eN&a6UY{5qVXH zLXyEyV1T-izo#oQa}WCO5vmg$VM;U&m`t2MNfv9tyZOzz+PrkZsMS_cUoQ3OR#S7o zgpn8gL_8docN#JN_|cuf+=cc^CECSd7rLW9?*r2qXtPodrp{Pe>bs~BMhXZCFFd8n za{OzDEAPWWCIqb#Y7g11a$|N?YW+567gnF*6@N7l74Dy)f-&Pny2sRWb(x?o5gZ&# zl|tRGz$tg;(-c!>+;ilp(oBbNht~Va{j{pM3riVc8tKHGTk^{c~^t(A)g33cw%(@CUQgdL&eWi9HkRkUum2h z8b%IvsRiIV4XkJ1Enz1Z3G6dbZL`Do+IwVzvQZY;-|NgUxC``Wcg%)~SLyz7R!}1C z^TRr|=?9JNUf5W$HfOzpl73CkYq#*?m)ditdN!L`a>TnR9e+Wt0-IeMT1yxKk$N-{>^-c-lWm z$4b4?YI%-J)o9GRkx@GpU`JfAd$4tED2&`yRCh#~=1tdz5;ZWiQ7v@&kGbLbg_T)p zVDXY_FhZzg6y=E+?k(&aL-VX{34TM^B3+!hvPkmgp}nbppE9ioW(4g>(_T}yv(ivw zACKwBN$~NSO8&I+Ub!~rOdGuKK7hP?BNGqUu9K0G*>!e8Jhf3hGEbzyy*LNnk|1Fc z*mFv9WwsBG4lEB>(_7M?25UD<0CDh6neS*_bl0O~CFiKW7RDSObqg0v*j;43=+%&B zhYw)IW~xV-+Ecdjv33TVMzj1ZoC&EuMz-zA3jZuQR?T)t*#r$_!V(@JnvRHkKG>W! 
zQ>(9zq)JZ)B#(M->g^w_Rv%;h3~^t^Y@m4etKfw_(yY2wv2jecW@?@`a&RRSSE$97 z5wU`s?iHwi~Ipxs@j$W5b72=n_xo;EyZ3D%v2eon&F#Qkl-Dy>R4RMSIk z!qwq}J+;k>&0{-E+!UQ{G@i1Uq|DKlT>+jVfhz0lQ)8Zx-TAHEwycm{!PRtcNPpHK z+q_GgzXaJf3 z28Cy0wsoReBqTeE&3uO+?;9e0-#tA}95}}TcyC7Q3elZxZLNOd_wbDkM&0{+pN_q6 z_P|4NVr;){l?SOig}aT^P|o2F!^Rl}5df38nq5~Jrn`hYk`7H-8ru~Tc-5^ zfkp3u)uoOFjPBurjiuc5NG7A(F?ZJ~yeZeCxVg{h)wyJ2JWU|0Jzl_1ly|^WCP&Pl z3{q|wbI3o|WvXX2UN2NYhsw9MhVc%gYhgKCn#e=8b0ohTGPWVa!J$_W?*lag>yjtI zF7O?XfqKZIsnVr`mz9B^4}op=qz+b?ayGboBqN72m5q%SEgG)Vx!oP=1l4266q6?A zRu*S#Ehik(^c+TX<#Pf26-kr1h^$K`-xgDpAd|aii?B%}o4D^Oe&8?cl(sfdq3a0h z{?54guzw1EFe_$g=}Em0*M*GRm6(cc>*#mukmMDnNRv{}Jq8hM`}vEHjhG1)CS{^1 zQN0I_sMC&3-}k&&W(rR*cfTCJ&e)tJYDsFKX!7HViIc5C`N}VfAr$mR^3QzBowsOzEim{e%7ADS z{~jrlkmf-3#<}1-r0YDV!?$9Pt|%s!4PEVyTFK&7k#E6NaKyehh}4r|(z@d^j|-BB`{Rcsw!w$<#*tpu^&j@-cI8hif<)Zf^h* zm&|Gcx`BQodb&qh;Z`R@2*pJbfjthI)ua`EVG_$VW&TRhmN~6&h}%NVR6$td>+OUd zm*X$V}R<%?m+ zEopE7(Dfj!LTJ7vlx;yexQJk24#8-+pN?|Z>qKE2*$b?BK^`X&$0HcC$Kb&fTp=;4 zTwk1z=o|4wzwleTr7jYy@UI1}Sn0xuJ7fv&d8cE9aeiObo_WKJBj|kQL0% zl#H4@u!Iv}yo2%ZI>acdsNRCV-pV=^h9hGz?0V5_(r8^7IX^L++v;s*T#*nWRIy}? 
z8X^&SbJwOT7?S3gU0u~y(LS;p4-lK?NZqzLbvmgYVEK+kVSV|ma7oR6JlPy&>GyZ8 zX<~ZkpAV@>h>qGxM=#;OAO`;fxzULzM=cZAg$ONn?;}b_t%|}X%Zgi^4WZz z`UCpTFW2MExoFQQel)_%2ptYvPf|*8Pf`T?qmrgzbx=k@7!5w@E;!B^`!|zg>A-TM z$;2w>GVAGYWY-@w0H2K0j+aN@&#=`9-gkr+@T&J22Fnf5)nj|hHjI%8lEZZ!(yq4@ zJ-R3UhIeg$HV;5rZExt5$&V`zndJt^4pAtqgEi-K8ugQvKYbDia}w3VEQ+jJD}V3$ zP^A+mm^*CZQL7FfQEl)i(Q|MA?x(C(b|ir8^z_Au0)zvD0F^4z>A7~oR1gkr`^9CB zUSDb6Z*^R9)g)-vOSM9lJIq))k2pPf2Xt;7^G0+{5RDGr%TRKJTPYH$LV0XDO4?^| zg~_prRIC&~YBg8OW+{Ssb?3?^XW!t^0FH7#`JHF`A9`(R!H-;@aTT><_*(2h$wsIc zlr+^kSd%5+V)Lbufl};fY+O`HK^v_y)Pqa598Q18u(O{tnUe|K7gQ4pL0~ifnC#^V zKrqQ#$(jQU5Erw60%}k{PEaSy%rvyv&-XbEoyKi1?8q2YQ7*Eu9@OKGo9h}`0!&%5 zW@+mi-oSe{&Ic3Al(pewO>**wQKYtTOdx zJ5{`d>Qj-ti|v6`TVv-rNh99TDP3UDyaMwAy3sVt;Y0IjmY7Eu!Y4R>Cg#9OR)N92 zoj~yKJU8{t;6H% zhA-WltJ8&=Rle_z`nS4SB2!hVZ%>gTGe1^kns3%0%z@%`JdP8!0a_fuVr7-23jkHf zdM}7)!hJ*n!_2mH_}(QPjan20)EXObJX89=h570mx(UBm}OI z;4*yx3}QI;=o4o})b$ebIb@Aa7UnW@JT+KoiQY>^Iupv7ZsIsZMb%b~DQsDf{0S4QJ>kmc?x;y}>*c`Myz%WB&tD>L4xUs^7U%evvcs^J;?;GWk-{elNgfHeDg4!}%X zT19mVz^qE#bnAHP(e|Udn=L#7uoVoCplT@)#TvMg&VW0wb_eruc)B&f|X;8o12iAKaO53>RlI%U)GYq%iJzbQkG zt_5PKp-*U-N6*P`y*ivJ*VN4 zxd`4={V)%_*sieryD^~%#7}&0oK-pDyw~+ScUc%^8o-?9hkvcaT*^XHy*^YvL!PDA z;)5o(tcu+9akF%|f2)nNSzOaJZW>WJ$(xd#S>NJ1CWN6vrf1t|i%f-H zwWV|R@OmgMWR$up(oTD3U37nzGt~bagg#w9tQ&;BShzK1i9wc$>{oP#YIsx4ni2{8 z;p&TTvMs8e9SqwaL$wXx!3}Cz&=Kroiv5*W?a2S91xFjut4kwBu?l~7Mbbz^-4Gtw z$wIP=B$qYN%>X_7~Fasa-?R7SY+;5xRzh-pLJ-fycU~AACzoFQ7^f zX=Qi*ecO+q8sC8gP@^YWH9lqCFo5(!>-mi3;8ah!29c&^UQT3{Gh{bD2BBpeQ)I

`!`{UbUm~%A~yD4D;8P7%my0V zKzK)UTeFG2LWUvvRhguH01nYmy)QNogid>ePXk}QV8*(<7_FVxToGgL&M0CNWT0nT z`Vb1S5;)L?l)!K!+|SH>5U6OjI6wspkq7Ex+bz9Ti;fB9GcN+fj-@`cnBY3=k7&o$ z-Y8AF(Xhx|-Q?1!C7xti0TNnDP|P&#ka0>L9gAGSj-3;W_Le`ijwkq*dxSbnZnduC z!NQdGBM5T*pWK@FK!bwrOp;SaZ|$4wf&7Y}YNZspOtR6_t|_BccEgzAuB|%SWa18o zj!L0`SYwBzj-@cEY7?V5+AmXMBi0tXk%mwmfSTDlCdNk{G^p%JGMjz!!<23G+e{sb znG-Pmtp+dqZW;82TW0kVy5$O0AKDWk{aAKa%BH~#H}r2vrWFGKSh`ndaK35O-|&SQ zPs?pzv04#B3nFdU8?DQ=jXb&>G8>3usXE|a3gVPL>MKTc({LRg{)x5q7tsdWly*i* zy2Ny8kw~dhp$yCVS!1q_l=RzdBnd=EIHpvW41g_G>I5eVAy5S#9vfY|= zr#T1~w+u3>3l>)cuozX5Qg!vo5%h+4dm$_wd#r9m;Z*r#BY*D9Nj-KsRU*Q4%dg~D z4V?%_Gpu7HPV}X&fzcm;*pIeCTZOl8uF!Bj;|yn1JHz?^{05p5MsJ_JHN zZH5jGJ`SWjd1Cm6VFdZW^BEZ<=NE#?$kPSnvyP^-zM3eq^NNn4=qH1N%%hlAXU6P3 z@pw;Y_HP{-gvXB=ABV$pEXQ;pEowkD{0 zy41II=1B@Am!GQ*NVe|yqu|-vX>ma}vaWXV0aI=%_qzRbTm0F9owM;F(3}CBh9$eO zKE~)Q1HQA`$gt|ertU!=Em4dYv;Emch=m~cv-j8q2}Gk?j@-;=X2r~XFnVoAH+%bC z1io!G;To4nj`KN>HZ`^wu3h`lYl>-l1+k}S4KLapwq{Yb3^Aq%FA6<((;*rQLwL11 zV^BBz=0RWB1`7hL0(##UI7*UE9yH5I-UhZ9-1&@JJWO=rd-A~9Vv)~b zi95WgIWPcv+zwjcT1l0tw_ls~;E!hWCkE4bXf^;TpJVLP7W!cagp(`_`DTCpsE_$R zQ)l3R2MwZB{UD&OkAsvX%0x%;#=d;9r>d44S`}7arSBl!=^Xc@vN^Lv8V=S>2*x|C zRwKeJ-#)Kh(*R=3T5d!%cdtfr8XcGzOsKlppp1LzB*6;rK5AB(wYwsX8zxLY{JvWE z6B)E&H=j9X4;WgC$pnViNn!$qxL#uX3uKXvF9^HHk3Cw1lKTbjG(FvbOTm)w2Oq{Z zw5}xxT#vZUlD4WstZFadBlLkd?qi@9lr$?y6|(eFPUa*b!0r-t1!R+MKP){C`b^mO z{x&+%a-Gs0h|}Q|THy|f(U6A~v7t@A>T5?BX&y4bR6OY~u%m4b!pNuln%CyOq>fb%Thkc_Tk2_z2FFXkmdwK&ah4$nBfGY& zkN7`vud%N+z-0%a;_lnQL^(BvK3Q7+%H=tJ1zK}xnay_dWC1=T_R1GtqS_xa6$z(q1@_HiL4yX8JuMo;bHERI8`%ld4s-@f+y;7KqGOR&abvKx&&3R! 
z0Up3GhH&|)dQHvz{y_3p>Z+$)N@ggc3LS(fJnrLtRjo&RnX5}hV6PcFhqPb_*vMc9 z4D0ZRunN%KQuH>^AJYLaQmMCwPISZbAu{oVwlx%OLj2=5OrpzWh{!&kY(&FyIO3#w9x(tj ztOnw;Mu=4pIiU?->Sf!4sI}`gG=5#;iwFWHb?7y$uBwJkodita&}9UdGLDizSf-RP zhL8qKP*1dhE}bj$bkV=ff0M+@vjvknVom1MW#q%cx~rRP5#fsx`(Hk&%ecM%zxeg@ z#IB+)GAZMnJ;128=#tnJS@WN`_3`WcCvJ_a)WrD?Z!lurQyJWZ=7HQsFqP`hkWxqb z3s)rhuOu_r#)n-f0FnF-=@Q%*HU#C z1Du6RYyvtB(N*EiqW_!32wzxC1C{roQWC0bW5hb6C%F=YS_r(WE2 zLRlS%Di}ROK>e4wIZpj#ZshepnOnH!&pL0^8B=%}1hg5GV0F@tRCf%FdexUivs}_e z?dKb@?wH0PmU=U7a%J@Q1m{fWt|3*|z3=}k?JJ<-2)1nphv4oWEI@E~m*DR1?hFbMJj$?)&Tg_12$RGrfAM_UYYc^>o!ayQ(^|D(Nn+&x}q) zE1|3&c~RVf)R9=>zKj_YLP6t}|FG1GTbs8VyqG$S$rCx3Rr_gw%63E+s-$>nkge1U%#J2 z3k^As{&9eHjMRF;@+9-ZKbKf4*UC8p{!BYXl&OA{eY? zLgAHkYo?rZD$zs$Qw8Ky=iFsabLulA3~_PI`|bw&wU*65P3=thrmq) zOSp0i4BtecXNgl&O2v;#F7rRRq*W4y%$udN)O)71z2h9P)*4R3huDR%lyzd8aC!M% z!}6gUHL8GNAepZF(vd&G_2LrFW_cBI-l0L zm20l1Jk}59*KtunU$ut^mR3TA%QF^HTkgt-H-0Za$#VRWxY?!LFA_5%dmUi!Ja^IL zwQy0l>&W|-HX-<>VvbBU2T40SD*S~V1D?3T=knZ=I}S# z56zvzt=S2qHMx}8>yJz<^5oyNl-oZIY$k5@j1Ot+PNW`Vm@K??<*@2)i-#f6ACObi z8_bV$q*E=ck|xn{+&>kuH|uexSEj$HxOc}zV|~fC9b*aG+@XHGfTxo$NFnFZW^m!n zfTtl1g%b+QEvbl#TwfPlhui6E@VV1!+=Nyidm+w7rXg*)b{ckS3Hy-oBld7~>@r60 zE$)inf*+NjewL52ZCH1A-#eL9A@RM!p`ymE-7{X0;zz^p3fb~$PlL5gik}S<3r)Se zb#WDGhOyF}F!!c+WC{^!3myph(MaBX)2%mv$elOT^Y`ypUNNLj#2fz{qL|y>&~}NM z$=8uVnfGK%X)^*B<)<%h^};|O*)`C_;xAOGfygJ5H?4H}Xry7r8Vz%hc$?B@AQ_oy zk`%-|c@lwU|lLwag8xChl*0t|SzfWLF$zK`1FUcdw5rEibR2GBB1W z&<3&`-?NEGDWj^i6 zW_h8<7gd)=zfigIZZyMBg(_T2_`l+|=CR1GwizhW@OAj?9h2bmSM3B8zi8hSI_RJ& zOi1HeK+mb~$6Tao-#w$aY9NLWqLa*HB@b%<5tF2KhH1kJNl;V+$*9~ki4KL7Rg^5) zR^F4V0v(rfawf(%HL9dF)Edn~&&|s|p~2xbFSPy9QQ!eo`^R*UO8nn^Zev?gcdOy1 zK~O)-Ey^;z4mZ69@r?p)I4n%v_BmxCjl51iROGE{7k68gG_t->w96&BSDV&NtMN_)lzhJz{$zaz$MIsfd^>CD!k}I^rX2&FE;?*S-+s zHM;O#a!AX)na&gZbg7Bm;OXH2hcCi2iBojuLJB0gcP>BGUas=s-`sHA6F9G;s0gQWzox%(Qmbx84s+tBk6VwLtx08ojG?X5Wd>t|e^JZ_TnDxuY33<{)f6NWra{R>%|ESZv*Ue{lvGMLv=X}BtB=BX= zek>OSL_O?!T!|**`2~-pEUv1jiU(vAYJ5Y*1LS& 
zn?7Q5$*B@Q?$^zn8T}p%d8(o4zSU;a++~u(_{Z_ILUYRF2k^T}KUs3pJCq+l|N91WBEX zzWc_FOv621*pj6bA6L#;-T{g}hoz_#q%VsW)@A7FkGHL>qK>od2OdUOPVOVPYtuC) zRr{MIu}D3(2&DMSjN^Kng%3%qVK0$8x148#e^vhAzbZe@^Ab-ZSr84L7_1?W?y zs}jxXl`xv<2s-p1x^ZR=2PUUIo4a&KAKX3= zhl^WBvfW(QEn-$;%20;ZHO`ebkffXzzYF(rhk)Hhti>)A%Tb=J&GJ$e^K{6~&~{)e zgAY1P7@_zR>E(hRXpXO0V_lf(3C?G*XsJMGx>@`hfa_JY$367@L2M2xDyiZSBLk&5 z70|BVaNsrhda}C6|4?j)t|*rhu|_*o>ceu1G9jL^CxakCMtFOu(Cq)~Ny{cH1jpJh_IhlQ2Fk}MTfH*ZyEY@`s{!CuK9d0|NVnc#2MVII~1 z1vyxX8eUh&X-GeQoG<(I2x0o&ka|+PKh-H!vR%Vo*9n?wMIUv}Sj%~f{H4s1*iF)h>QZi9lc5`IICi`-EvV}*jLgtv6P?w}}b z<(*pkyRE5rt>&*%#{tw8UJwo&YHQ?xSe%yiUx~#|K@U`NLsqX4Vf%=vdt1w(oz@6w z$vM>dQ$jNlnCq6QoU%H)e+b1RTj_OQ>XxOTgWPYXFW}K3=s{UyDf`(Cjw&y z&#K_MOoa)1A*c2;(5ZV2&l!5OS-5NHJFnC z1{KlDch@Ozg-cv|-Kg08_ad6P^4|ngCJ6$aWXaBC>!KXq=*ID+uo_up=civ12+o84PX^m676YgF?3Tb=il%Eg4@4=pAgzQjcr;WP}sqLlFL$uE{-b180*kK4xgV9)7YH-}Vevpv!w48KCH_c+Gf{?S&g0>v@UCYbw zIYq^^)vx;7Fapk|Qpf^dnY}x|xRVu}>$NzP=(h?q3v$)uX)|0-Z*X4Uup3o9-9zVs29(BJ&dl&_Lc@1+bv1JqRp5YBS&>_eES9L{i=Y7jR^8)L$ZL7Uu(&oc_oa8(r77N#B=5FgRGN1pXwZQ8!3xOrB7B?Jmh3&gUZTgg1dQR2(MkU9EP}`A{ zvwKtccSQ=wf*Ng!cBa<0-v@1Y^Y#C!x(q}zt~GAr>e}@!wMxvY)R6LvYuL7w-+wl+ zqkH|QvMZA8%N}+)%^CA(5X^)nF${jMZc5BZ(M`AxA9m^09q_otIOu7?F+<+X=I5L1 zqz=+v4D`aqeNt=9nLgUVQUnk2{nU_sOz%N_jaXDT3o_2LLO>(Vztdw()Ww)=ctq)6 z>C2@D|49yNmr6tk538k?!F}W>5)YE8`TEr?C#kXr!`R1Lq9E4o&(6Hy&UZvVf%G;i zE(JBBi$8HcIO;fgPq;gdsQ}pxGwB^s`B%CEH~$Hs~>3ZKt*pXe%_ZwJqb-Kl5jU>s`_W(#*e~4KdtE z5{-wGyKMgKzxI4Jp#GYFW63Uo-;+KKnU@x7Lt zY|A=Z0+V^V-(#ZO`i?5A_M>_V3>#zj>-LB7n>%>V`?cp)L82l=@^PC!PE)jY7pTW= zrGgD)a(sOha-Q#D?yi>U=+zf-XbW9CE4vzxM14=AH)i@!Iax2`@%f{ye8gwu+Qk@f zd>)Jk0>Pg`q(^08Y0e$#ROTe@I9AHDpZT@gfQ13=tmv~kLOR2LsA=)2N`ym;I8Boy zT(BJ5{Ubin0{q0d&noRYTBX3l;?b>lfgp1$n)M@%f2 zVPTykyxImW8ee3mK4*k`TL#mH3$TcLoVE4Mm#||M=@SnDad<8V5QjH_Z=`J)dEFO` zN=AmNz@iPdIi2a8irh<^DH#K!BNEgb&`&Jx%4LD=P_r*3he@%r0eQ)gv`wHZ6(ltO zMUZvu5E|(nNLFN9k5>&xN^ELhs{EZ!DtE1TC^^@%R}@Xg){R-$7bv9~wZ}gQX?n}Y z<7Qt(s|W@CY^F_mP&0&<&_l9L?LJiCzC63#1i8HlC_s) 
zpK;$WA_}*2Y2FGO*l7P2{WHGAs(FzC0vlVo5gfA!;fYNOiwXB)8tYxVbUk?%&FU@n zdZJ+_$ATw!2J_!sSGg58$9KOu3+qn)BG7ZETi9gV6t*F~ z=eBV6xW3p&)iuSfszaDGXs!=~gQj`EyhYW#XT`YzyEB&4H^m*is{<*21EZGaY-&)` zKRmNr#3nipl_$iXfKIPb|Fx~&6YDqp9OuZETxzt8!8FEY>IN66G1xfvLvmmw7v*I3 z>784BLx)t(MSR~pfo1%K`0ec}mi#w;W$GYQpBBtWmm z=NiB!RmPJQRE9X0m|T8`O$h0cp;A+~7An{D5OlASUc;YIkCvf=lruNcKnFc9K@`B#W<{2w8{u*}~OA6PGX-hQ~bxd|HP zA0fV{36FTs-w@xUK5oNvZrw=IKYf13cR_Z)7Pe%7lP@u;8@qrD87!Ra_kd`?I&G7Jcnq{D$wscszzmCl;^4SO9&U`(nftrVK7IuXT)SidkZx$8Rot+tXtlS1_5(@F!_T z86h|bMjLH9FsP8$Mry}X8s`c+h+M~2fA5)8W$KwH8EDzA?q!3#*ONS$b*MhU%pvgx zh_Dg<++P1p|FO5o`q#`gTcddTRb-@+* zG|a*f+k%2DBRuEOZVqbp%=DUk>Nxi$Kg%_BvXOMsiYgZ-ZB?^)Qeq8`&2_r*BCGyq zTJp4nk>L@EAJk85yAH=(e=#byc8d(B=1EX_9StWlnGMW(3RizR1a;4fxF4vg(mU-Q zYZ3Ow<=R1dHX11c+jG2Rw_Y5_XlzhADPa)R}JPe%d#K_m7hpP`kTg;X;(y1;;VPA0F zAW@j}!K3$3pK5uQZD>+ysJ2gen+wQ~n9(9|RT{d9(Am=eXpM4ij(Cm++;S6Tp)TSe8p%Xtc$Bq$c zwn8m?cqsths21cHsjB?~_`vRS(M&I8u>H&{4EvvP4s9N5GWhjq|fYWI|#Sn?EL z3GceJaO8}oUawb)Wft;{=7{@B?7(!#?o%?ii~Z`Xn+NZ~7lbBS@x!Gl-RQ6f;c0_; znn=L_7kuZ$RNcP3Sra~rmjRbU356~RSC5{I_{+hlBQ~2uEkj#y7Anc%E>36jLjJw! zZ*;->WpO5D&D@MDV`Hb*s8cJcrj1X6ZAW6!i=^&V6dtH9mt=WACkA3EHHy z+u~Vq5RdpV)vB-CUT`u;jE6S^X`%$ktXLpTbaL1DY)i1LQXNa0sRDF`ao`Svw6r`{ zf1I3TY%s2AnN$j8s@y?oA5PS*x2_a<}J;t&t$F4QLWd`INybgcq3ll9d9t zyjc?9mIth0ZYb#;&rYm%{f+VeRI zo?cO#0BfTvtlPfXuVPwBJ9tO2v+n{Jz@F55*D?E0+u3E$G5+>;rX&!B3r1ziP z?z;K)`={UAd!i5hK=%?kR_ghN*<-$FB8$|k?CbP+#7xCLRvSQf1f?R&15ukI+R3z^Fp=10}%+ zU_dAp!~v`Q`FS9dP7i3^gJ_NA3>Z)n?(Bd%B?}}&aKhoDOCZ|7b>Z$E{`VkRXki3D zboR-7n9+Y2)H<2q@vo8U%vB-;QIS36b^!u{pD-v1jSeKc2k5J~AgT@GUq(CJ_nZH? 
zL<#=V8l;3@^=O;M0TTHtpd=+Ak>8c0;V-|dGj?}nq-t}{xd=Bcy*0XO|AsUudE^F0Dg5IXS+k<| z1+X$9A7-Z)LQzR|L@8vj)Ebw^!(xzukg>&?{VBSB2>kZdLJ34^7GzEo2J%rFMKeMr z5j+#wf4>g82>eLYCU`5-G)%Grx7aTT*UdnEBtNIq?4AK1v3p)fiWOu6^&AL{{iGu- zAiW(zIl95zBNkE>LWTco(|e~uhIXr3&DX&RAr_}h0UME*&?bZDU%I=j=-dDJ$8<&P ztT|Y(%cNz~6HJD&V(2!VHU5~pL885Cv8Nn@pw6>nX|)u^IO|uCv|IJ7!GUs2y*H5It3v+?ajhk^{A$*R2ScSK^zd#$(rZ(|OYx0MC}kxV z#!$q!?#?8~2TkxxKy*nKXwL7c#S7M63!D-^nKq4Eyi8+r?&lYAg2R%L_tlg8ZqQoRgk{$-v=;i=>yE zSCuX&Jn)(VXgc`ODTPyE~Py5b0eJ0gg~@z-fqEk&3UX@E3WzMc0XaP<0`?x z=;I~W?e1L(?3x^+=c!@7;t$5eb=95c;dS(lUkbcvDmX|RvBD28^cnKIjcG*{^Aj%x zmSD6~Ggf7T*aSG%{QiB4^m)wCTAGqthsdv8{zK+c+4S!j7LVOzrkBmUG@oH>r1JHs zBIPyoP@8fR2VRX#cSq<*lGV$ZdEaAGkUQm)b0U7%HITPv%_ldgu&;2GcD0V~AbB~q!hxlGd&d}Qg=n%H<`Pi%coM(gV9nRzS4Oi?;rI&k9FCfUD5my;l?6J9?vR+Z@!M#a~b z_7HO5qhtfWVvfvMs}8w7t^1V!AI`A zszTpqT@)OQ52aE^y^HawGV|VSE#!kgu)T_F8fbQziAH_8x>$P;yDnlRcx+BHhL3*8 z-+q)v3Or8Bu|}qyhSwuX%psS-$K}&`MA`Du&(BxSv0J6bX6|C^ejbgFH?bsb;Uah=udfhXH5Sgck3w~RAx{nHg>8mk*T}M z7)trjyeuskF3JH%9_d;7*3Jy&_QpYt;QO{8p3xtE!WJft_0?sAEo*A`HTc<8!(*F; z+pp`S#$}b4u2+N7EqtZfkOJ- zydD5pa~t&f4KpYN?49U#-8fsTJ(=Mw)})WuD#2h&o0<;Y;2>=Q)nLVGMV*O^)W4cX zIJer%kb|5tY6%q-zfUf7IZvapS0O}ytu*Ydf-G+>uuwF}; zus*}khMXzmAQrU8c^0zA*+{#X0qiB}RQ=~N_D>E2765{*4Y`B74S5nUkiN&sF6}Vz z|1|qwLMZ`8Hq>p=ND1p@z)?pS+M)ptlmMd>fD!Oq%|hU)BV=vS?c{CI4AirK_sp=) z|8v;{U;tpmD(z4RF#2zq{Xe0h7Nh6Dxp`Q{ZJ+?BN}NH}^7qX1MO^p*CwW+ z3xx%00fh6lUHAZx5)-^{`Rj>LoY3aKl}C&J`taWi|9>n?0bt++JKsk%3IRREJhvw?eq>QxjioV?HpYRuy6Ei3z|0Yax# zApV&D=NcU1`HY&xViYE;gx>XWf?rDp_d3$nD&81A*|(#k-V)<%w7uCkxr$pCI0wSS zjlX~R-rDbUcaU~kMBgABQ=KOJB1OE)y*<4teS(0*0%3tbAb8O9H!Dr#0Lw@+IuMBF z2?W9ge*OD`0FnJ;3j&$Cm>av9t6PhkTUa|-yIDIre6(?Oboh58B;le$tx^!6*j8i^ p`oEz6G@=fewl}tRP&2o8vI9*03l0POw-zMu{t9gQogskl{{bvmv$+5O diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json index c14f772e4f1..cf724282d99 100644 --- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json 
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -1000,7 +1000,7 @@
 "kind": "shared",
 "apiVersion": "2021-08-01",
 "metadata": {
- "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
 },
 "properties": {
 "displayName": "[parameters('workbook1-name')]",
@@ -1015,7 +1015,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Microsoft Entra ID Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Microsoft Entra ID Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId1')]",
 "contentId": "[variables('_workbookContentId1')]",
 "kind": "Workbook",
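Review bot: The `+` line's `description` value is still a serialized PowerShell hashtable ending in a literal `.description` (`@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; ... provider=Microsoft}.description`), not the description text, so the rebranded wording is buried inside a dump that nobody reading this Workbook metadata resource is meant to see. This looks like the packaging script expanding `$workbook.description` inside a double-quoted string without `$(...)`; the workbook resource in the preceding hunk shows the value that was intended. Fix it in the generator and regenerate the template so the line reads `"description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",`. The sign-in logs workbook metadata at line 1103 carries the same dump.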
@@ -1088,7 +1088,7 @@
 "kind": "shared",
 "apiVersion": "2021-08-01",
 "metadata": {
- "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
 },
 "properties": {
 "displayName": "[parameters('workbook2-name')]",
@@ -1103,7 +1103,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Microsoft Entra ID Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Microsoft Entra ID Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId2')]",
 "contentId": "[variables('_workbookContentId2')]",
 "kind": "Workbook",
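Review bot: The `+` line here has the same packaging defect as the audit-logs workbook metadata: `description` is the stringified hashtable `@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; ...}.description` rather than the description text, so the rebrand edits a value that is wrong to begin with. The intended value is visible in the `metadata.description` of the sibling workbook resource two hunks earlier; regenerate so this line becomes `"description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",`. The root cause is presumably in the packaging script's string interpolation, not in this file, so a hand edit alone will be overwritten on the next repackage.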
@@ -2008,7 +2008,7 @@
 "description": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.",
 "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources",
 "enabled": false,
- "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Microsoft Entra ID PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Microsoft Entra ID OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Low",
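Review bot: The `+` side of this hunk moves the two KQL comments back to `Azure Active Directory PowerShell` and `Windows Azure Active Directory`, the opposite direction from the commit title and from the `description`/`displayName` context lines in the same hunk, which say `Microsoft Entra ID`. If that is deliberate because the comments quote display-name strings as they appear in SigninLogs (the `-` side's `Windows Microsoft Entra ID` certainly matches no real resource name), make it explicit so the next rebrand pass does not undo it, e.g. `// AppDisplayName as recorded in SigninLogs: Azure Active Directory PowerShell`. The filters themselves correctly key on the stable `AppId` and `ResourceIdentity` GUIDs and on the log value `TokenIssuerType =~ "AzureAD"`; none of those literals should ever be touched by a branding change, and a one-line comment saying so would protect them.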
@@ -2974,7 +2974,7 @@
 "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.",
 "displayName": "Cross-tenant Access Settings Organization Added",
 "enabled": false,
- "query": "// Tenants IDs can be found by navigating to Microsoft Entra ID then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+ "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
 "queryFrequency": "P2D",
 "queryPeriod": "P2D",
 "severity": "Medium",
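Review bot: The `+` side reverts the first comment line to `navigating to Azure Active Directory` while the `description` context line in the same hunk refers to `Microsoft Entra ID Cross-tenant Access Settings`; unlike a logged literal, this is portal navigation text, so nothing forces the old name, and it also reads `Tenants IDs`. Suggest `// Tenant IDs can be found in the Microsoft Entra admin center: External Identities > Cross-tenant access settings`. Worth adding to the same comment that `ExpectedTenantIDs` ships with placeholder strings, so until it is populated every `Add a partner to cross-tenant access setting` event fails the `!in` check and alerts — the safe direction, but operators should know why they see noise. The `InitiatedByIPAdress` misspelling is pre-existing on both sides; renaming it changes an output column, so either leave it or fix it deliberately across the rule set.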
@@ -4453,7 +4453,7 @@ "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", "displayName": "Guest accounts added in Entra ID Groups other than the ones specified", "enabled": false, - "query": "// OBJECT ID of AAD Groups can be found by navigating to Microsoft Entra ID then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = 
tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", + "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", "queryFrequency": "PT2H", "queryPeriod": "PT2H", "severity": "High", 
@@ -8145,7 +8145,7 @@ "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Microsoft Entra ID PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// 
Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the 
inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project 
InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -9588,7 +9588,7 @@
 ],
 "metadata": {
 "title": "Block Entra ID user - Incident",
- "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
+ "description": "For each account entity included in the incident, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
 "prerequisites": [
 "None"
 ],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
index 698f86e99a3..1c490105189 100644
--- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
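Review bot: The join in the new `query` lowercases the invitation-side key (`parsedUser = replace_string(tolower(iff(...)), "@", "_")`) but not the sign-in-side key (`parsedUser = replace_string(UserPrincipalName, "@", "_")`), and KQL `join ... on parsedUser` compares string keys case-sensitively, so a guest whose `UserPrincipalName` in SigninLogs or AADNonInteractiveUserSignInLogs carries upper-case letters is never correlated with its invitation and the detection silently produces nothing. Normalizing both sides the same way closes the gap: `parsedUser = replace_string(tolower(UserPrincipalName), "@", "_"),`. The hard-coded `AppId` list is the only narrowing to shell clients on the sign-in side and will drift as Microsoft adds first-party CLI apps; the existing `msshells.net` pointer is useful, but a one-line comment recording when the list was last reconciled against it would help the next maintainer. The query is the single `+` line of this hunk, which spans L2859-2862.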
@@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "title": "Block Entra ID user - Incident", - "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "description": "For each account entity included in the incident, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": [ "None" ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-07-11T00:00:00.000Z", From 86368caa36286a1eca77ef249ea8d8607957bc67 Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Thu, 9 Nov 2023 11:18:08 +0530 Subject: [PATCH 14/17] Update 3.0.7.zip --- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 94146 -> 94732 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 2ace9e46be25f693a186e57b4b26b9a18393185e..247cc6e7def5abf982d3f055bc9c9503b320af5f 100644 GIT binary patch literal 94732 zcmZ^~W00j=uq|4)ZQHi(sxG^_Y}>Z&>auOyMwe~de%*VY`(DJm`$Vi?D`I>(bL7a8 z8Q+>qK^hnY1poj50sutQTn*OGG?IW40D$}z008~Zw}uYJ`cB3w<|4)><~HU|=C(F; z7LK+y2fUWH>k?D~JWS3?p zz#F!0zg&6_%FFSsBpVIMqmnMb1c~B5ORKA0Ra(A2o_!6i&iS2qkTJJC2AfS(R8GVL z{oUth+@?#2klh!LeSa67j8HXPKm4re+2#+6P|T9HXXKy(trN;a*oB^z3s5}gnDT7u0D~I_IQ3h^LOfGu}tdie*B2s z82y`)#?+a8l_(^$Y8c@lY}Mcgc6PsTdZZJ;C=da-t@5i+^5Rt@Nket~nU+;S2uM|Db=V~h9;w?6HiOP1g z>Xc;pM#%n}BtcEEn8TQS&P~;>hXn8A(_je?F?$Mf6&s+IkOi z0Ss=v88c{taPwK@N-D!x-hjkF5P@Ocv?d%ANf}Y@NhRO+6;30^;D9By-LbW&-AV!N zOsN8JRHm=$XM|_PD&?(eFG6qwP&o~$3L4plIuljQ_&1^iQ&Hm@L%nDvGYkPp@S};M z+T$<-^)GhtK0PVR-Af$d&g4y%vJ6O;O_N4|na$p^h%z+l%~6+aH;^CuSxpJ}F@Erw z*03ftQOp?AtUyK~O$3zu0*;lj!>{0+*6m|X^I=dzPma*s0zjJ9cRWNXG*$*8;osrE zhcHHrgX*8Oh-UF2d1XIxIBgg?ciT&P9>32bn#pmTBn_8Ive?SoAUM zFiUQtn#@jy-z8*Q4GkOyp})C8n>}elaGf9$*}Mk7ZHZBGGI!Z%$)c4hU^sV&xAv}$ zt?l!3m8kMJ?t}HB7zuN*%gRy%xoKn)Inh9 z7%#6{*IM*T-ms^q7Qmh6%}0W!%e^61_8SG`T=h5cBC43)7j?7jyE=(FcWzb`N}lvG z7Dlo=%1ikDi-fY&QUZTWWR@5@ql|i#XPrZH0VF`t6YPW_uy;VGP~BA}1DyDeVWky^ zwcaRn?hpc37|#nUdZykdn{S-V=QQh<3B2#*JX~0%lWZy8P(I2SzSTF)gZ-;UXz z;;KXi_Pw;T1|y1dPrrx*@8^~Z=9XMy^_kBW4c7~*w#*_4%zfYOu|vMR!{y?e1?|Zz zn1}||i4*$8Qf7Tz=Ye7N_Y(Voi!3fw9JpC&PcMVT_LIo>WK=<>l4Er%!df_OG68)1AemP<20%n)* z-IgKQFeeenf-z}dQ!O_^0e8-?m+q%_3)Xf{&zltoU_#gA)EVP`_L5n@AEtSf%YG;g zAZ$RV{Z?_43`bfCL?9zQmM=hd)7KJF249FCy7S>ZctE{!Gi_? 
zB5e>8F`Vio4ptG}p(?`f*57!pDSN$ec)O$V*zWE-v61j-@ta<^XunI6$0PEZOUYFA z0&To(v}mCA^HB)G{57+__#Qw)gWSSZT2=fKYgeu%4)eyE2-eX+rMQFGQAzRYAE6Pu zh(vH0xOe3ITUe0I1!Epjej_&%5f8X2hAl>*X(c-nO#e2M-}|jXey+3!h?kn|yw(5t z77?{gkh5}2P5fm-vkj}H#@hbE~y7vpI9+I5hh&y zCDk&)0sq~&>kWFR3RhUnP7ZeF0xFoMPs`4yWn7a|6nmTpXErxns)3ERho>|;u4Kmq z1DqkrkrqGOX^e#%=t5UC@69%zT^5IAjwKqji&osZ4&Q8uSHk+*0=kSfn~p%C#8iIVPS7N!Q?dY0z3IZFt7&XvPh4Qt-vM(uw<#5OBoqz#lM2~?ft(l`+#pCK+I8&xJ_ zv@w8455iG+^9}MA;9@1Qt-wd4l0=G;Gb~so#hDFtQzwH2{PvUMdSW&A)j@WDawKmp zx&eliX0xB&$i-O=*8p_=y(7G}4_G9E;lWp-@D%5a(X}SAC-alx48)O25P# zwWc;K+xIDLwaCwDqH>ckYh29Kw-I*JPZ}Tc#1ZoHpv~|PsqG(cH#%t$Um(7|fNvd* zvmy2{0j&mL4h7G#eiN1Cc3gqM^~~wvkS3Mf3m!g{*b5#d0-U+b41+>a1$G(?Aq@4| z%j7**OoHJJe4a5mFl>ilI%^L4dr1Ot#qr`;6l@qbJ8+r)RDvPZRCqn&9T3QUIlh}e zSs0=SAro|&jVPI%ZAdGvJ^W`JK{aW?SqB^lk>Vf3U#S`OV^_#eKhAKf(HI$ISYxrK zq{`YxtKPt)4*({8>5!gpB30I-C3>WxXX3lprB*;&!hc>IP{sBJ(dvUE<;P8%`#Pd+ zGZvYU8x3*gGXPWu04R}1if?tGYQO_nK#0SfJa?bd< zt2ib-XKHkxO15YX7D{Rw13;~7z||kc?)G`c*&i1{`67jR+Ch@oHmHq53ON|{OIig; z#B`iOhQU?vR%i045DW13XV~X12{hI8npJdYtVl>;r#|4zy91Np$7Z){%g89hIbrFD zyUOv+4`}-$i66hQx!|en6zkZ`i^1P1$T zG|Qk3Bv4fDs}-+7Ih*<^d`W;^6wBcqKUx&)q*kXR7a)H9%DQ0E30tu}Ta>2$`O~Zl zd?$e9OsI$Y!p|e_G>jZs2L;&P_e0_4y`|tY6#glnyX6^Q1pfNg^GE;nmbcq+Uzg|e zRn+A?nX~z)$4c}h0>VcT!M3B*r?oj2-Qkg9XVFTy#fAvn3v04gH2>G3+*5SnOEz55 zOL%1aX+DV1u@OB}jG!mNZtE0=2iNp3S4_7%=+!g=_(=r+A;dItkdA!y{*cw(wvkX- zz=mJ`!BmEQ@Ua-RVbCy`6}ZtUC>JhC(JRBChEXUpwf!v;qJ{vkOnA{xzR0LRkZ^lA zLu?XEeK7kN3xf&<1NNi*X$~6sHrtBuG#6kGwS9W{R(=PtClGVC7a`fbJ9%9Cp(>V^nUVsL35)YGpd#PO-XZ}Nc&B! 
z@=80GjDTjB1u8PPC@3aOrpz{0oCG8yQwqd0^m!%_U}}C~kz0JkZUN}ZUj<`p6j0hF zV@{P1P4DP&HVZ=7ACs#$2N)?lR)Dwz%OUh2iOFcEAoi6K*42${`-t_3LvI#1nWQ=# z%&?Z(wZkw2NE`=kAn(!)d4@Tff%1b5+5scZxXTt1C>#(=Snh}Kz(DA%>3I}pi|-F< zopHeO(kv)q5d|_vhPA-HgJy?@7Ld&S_n%)|dQ^N%vGzNU5u=_u5u-R41ImkB5;5ul zKq^hWPD%XGUhpvJ><`Org`F)LlIBDJXWES_-0nu4XJR8%I#Le=flzRGKcv6o>=A2% zqXbC|i6B8G!GgeJH>U@gbL7i3$F5;-u0SxxpzJf2H9%e=cxpgiXv%(wfpRyh5_N5p z#?yIp(wAPSGzj-g3rTR;Cy?s11ubz3Zf#=-hUC?WDjT7piv1b}6av!Elp`csCl4Qkn9Fh@J8tJr&pkcQdVu7ZA-NJ{`fVb|pj<<|z|XF|L{ke1 zMhq|GtW2qwQ{SW8?mJ7k*#Z%ROta3L{o^YYA<8pIP=32V`N8EniFXA9c!QulWG{6- zn(We-6>6@UkOm1#Eng2WS=KD_f~QdJ2|Di67Kf)9&yRSwidP}jo;VtH%Bbl`aF!yB zUO$cK2o!&!acn&jKDf-q5jLI_9rmVK)QGBV!7?Zg>LQ@}Cl`Yb%>J#>&nWEos@XX~ z-|I64DQJNblv_(2Lu|5F7WHNL1{!=FEl0b<-Q~jzy znPeV;XHX8a_4ZrcxgUY2NIcpDWlyNdED{{ZE%1IFF#}$~fielhZhHB3h}A`<{0pz` zPovwh(9J!|c?=A1gUYsXUqX+f@%%S{5+508rbORZ4nKWu4Fd>n8Z&ZHN;MDiB{vCx zqZH#&lUg}uThB{OS18%we#i1n0{5#bJ(_~2kLkJ?}v7{dbCf)WAHOVWjVFDF{~kK;jT zZfavA8xddz9lCK=>VZ$Xb8jCi%Q(@Wwtnh(bVryuV`s-6AB$e?pHqu(ET9|`Y&d0w zS<;Tl{f)!0HW7R+-d}?2>J-?-)A^9QlkWa2$g$r?-Y!;_Vk(@6Z65;^45xDSzjC?@ z-2@}SPH8*Rs@0b+K%^`U!((qN?QN8%E}H1;ts@{|4HGR-V!YDspOGs!W?AtJhncPu z>g`8Mi?dK|FU;KFt$z0RwL^AJl;a8Sm^7pynP=e^m&>h;=|2yC%A(u{X*Al0g&v|{ zncB*Hp*tSnQDcN;jh)gAAz2relSwu!gYPPuQ_PKo^mh_zSe!SQD%o+}1>>w`lvPf& zXZ|{S=z@(v9H|~21S-jYzv=xtDz{C+jc64NAV+tEAel_aopdH-jxp`H9Xz#n#D+-J zAVY%uHP4x-t`#DpSy*a|yuJ|fyE5Fi%0&+dS7ae-8q6RJ}2BvBnfF<_0lqtQ(+rPsveawHH?Yhh}<%R4F!>vFDkda>} z9D}D|H6pXSt@yO|l&w&=1hs}iJa3+B0yF#Txk)skUrpc=-3t?{gSXFaGKzh?ua^-Q zeJdn0bbyfABG*(lSeHAs@9~9keH#{<_@Us3k7Ei{Eh?r2SQ?g4?1N)ShnQVOfqv#Z z3A>$$cwoLdDG*s3kgcZ`!_ShY&EyJ%DA-?EkDkT@z*a96^`z)TZS}X-R@%o&#d-}A zXZ2u*wJ3w(JWY?`#SlY<3yj_r+GZ9nsEK9o*wx&O)c~)sTcEiEBBSw3fqHFk(2?D= zSB+&r&xZxl@th3L$~K?AfqGJkptK4`tqeOrR~qKiUwK1j!XO+lVK5JQFZqEr!%js~ zxl@72$Oj6iSkSbja2tb5GG{!JGG_k!tTdd-zvxKsZ%hbCP_)u5d8o={FV$nY==}n# zQESCHVt&dpM(FXd=!jNxqft8hnQA{V+zPo;UVI}V*U{vjm=>de?qU?^#Fmf)Hr3?d z)q6f)^BARYuVjDWg6th3(fSvalw)M!i$JNlBMeazu?xjHi*RG@I%`3^u&chendB`R 
ztBmSnxG@E^wcTAAV<=(}iM!BOv#EU`R!_G=h@D6z7PlfXC*S4y669A-;{uO+$#nV? z6;@9khtpczgD>EASez@RE%>b99w_c?05o)IN1UyUyCRE&^b7_u+*(Cem@hd0pwO~0 zt!B6{Dx%d0s!(mSfp41-N;qF=;2OC?ceydx1lcl19h`#P zAo*SvSk0u4d6A>^bT{qBPvARYO7-3I5e9o5L+B)p9n?wVfp4TGeY zy27`j&GqeBba}0Am_4~8mMeFnitrf5htqc-dMim$aw*!N!cx$jU$aqQCa4a2zh|Jf0`}*kxhHdY7@EW)z#%@*9_5{C=~vd z=ybiCfSBd9z|L(?UGKUJPR8(2yWh>vjdu5fiS__u?I4`xR>3c2H|@K$7)H+w4SA`@ zoy<}u37{mD)PjTZ(qPK8k+eqHD!OICr8e%ch(~&wnmQ=73NxApwq=9%Q$J|Cx1olE zuj;;=+O(ogS;l2+f%Dp3>J3aIY(z(;8!IJFzdhr00dRw3kZWBBKd%O%&bYP2eyG%9ZofXe|i>d@sw zFC-4`uZ)L|#_1)TAv%P9>LcJ%u-lc1R++kWSqr_zI@opAgN{_!_u+#&9FC>vw>S&? zK6U=MfR0&~gVi}2Bk$F^meGC04eb%tuaEQ#Y^ce^=3lY1>8xAEUX>4StiaG{l@JVB zW>FwpJ1|9`-=ZL#VvG|`ytd)IH1Gu@o3seb^1SQI;U0#z7&!x0xNbWDSxsawaccoM z^#0UWByl0dWiX*gQ;_CT7U!p97$0$jc1s+ChvW#_#M0<9$l#_#+l9Xh%Ew=C(5Ti{ zI^`wprAouTH!^JZMmc|V@JDd)oLE(s?PlClsaOQC!q3Jwg_ zx8`i>c)FPbqZ#65s0+ZdiDYifyXwbwz2z*I2{+N!NQ5?D9>5k2@6k~URz>DX#~Ohd z0^f;_+3xFgwUa`M1%XgPE=6CGLupCOoS=s>pj!f#HB6i zKs+(Iv=J&`Fy%#^&eY}jc8Z-a50yXfS3df5W1dG#rgW_*o?@~o$?3RNTf~E?ryEpy z95FlL{cEJy-Hx`jin%=jGfn`8w~#B0ro(tE0Xo@fUL%hmkm$!%&Q~CqYD8zXPQA+ZS#}@TB@+p69tHor2UupK#qW1$KePKIYJdSjSgq zLRP#=jF(^LGj9sFvS(hXWr#xD1p3Q~uk@5rr181Xs;5{LNN{Aph4vHc#Fd}~#ZWF4 znUU#FmD>UUv=+U%itOPH%`X(t0!+G zEN3xv17UTFbS+gHe7$Ln<`Cvv*Vt2M+RWq8N2s3s2}y4^UmmK-U<~vDN{X8|&g@lG z+eWSNbkDPt7#8W1&2~NQ1LS=m=1BHsX>}8x*69R93{?sY`l4!_FIw^?a|%)T-?X@p zgA=g|NT2b|c*Noldn}jgpLK(@A5*j|rd(#Q)}8QY`<@SYVqeemECpYPpKxg9;zfyFEf2VHfa|FN3b*S8i)H1vw9KB@k;2hOa+0)mLDIFhMa1n?5l8549u z_1Qx$^pry_4xr14#3zy!UqP%hS*EYi!-I5=>nw0^5h|aAe^*?kjaBv`*$;OP*s@?n zPh3dJN<&}wGoO0HK#~OA#g^Ht>viJ5CywAWE96YL>3-=G>n+Cn{6LcbGC=z!2g|3d z8!+l0ox^)*$)71rOKO3(GKF;snj8mViYvx)RIdH)f`DXyzx0FLo=M0ZwI(s#=}|bH zw*-sXF>@`)Pm^vNnm+#0-?1}TrauJGkyVs?aE@d@V(Vi~4sP_L*Tyxn?5cg5yA37_m`LQI3P17n8E? 
zt>)Us=sQlaWDg=A1EM@RgFj!v1~w*!f9#ZfzZPZ?wbj~?LP9?ICwPe_@OM5nf&*KShvU=BuQV`N zR1kv7yreZ*qxohIeTVd86Z%VDPfr)1Wlq^(jY{;xPRSfMuUjeGbWEwP+caFwHE)^( zRvi)|YN$`(&mEsHCqCm0>GnBn;k}$qym_vsJf|VqTiWd3?P1}!%$-Mwfu z-m!UPXUH>!oBGKm+MC4F?4lPvA=un!OS6O}y5*wQJ$2c1Zw$}0o(ih4$*R+PQ0M2F z?mc-`12>^qy=pb|Oz*9*6)2^fx`3(13a%ECk<17ORIB@)w+wmn#zIwL@K#B&z>Gjc z(+^_<4r-#P$kMJ+?p)*tQ8_b7e3|hr5nIANDmQOZzPU>nAqK^8ieFVE-W4iJ757K} z^kgV_H`w!`!BBZ=-=Uox0SkFB5)qG{WwcC=U6D=sVe7p~!I>|@23K4ZiH+uLxm11P zkVM&J~jD*@`V_3kuv9PqV0%1r@Qg2>2qL;UUp^ifHV$UFHGYO^o{&XW7Pd)*f z0~cFyL5WsJGbUvla9E@HM8<_Qz_`9~Dv-4s=?jT4&A#L7Bwv4wZL1zU{+-z&O zuJa_Fh)A&He+MoWadI=FuerII{5T~L|3)(_P`*1SRCq??{91EHSt^@$#kqYiR zzAL`YmGMiNo$3xsYT8k!Ytz(; zw);G`v<9v&wC1qPZ&b_-V=ZOS>{NYTdg;>6Q-JK@O-*^Ql2VReB`W!PSy~Q&AA2gS z$vS;=ckB@s7dHtoT)^XnAk-XAbg=?8ROTYi76psx+0u0n6~-NUb=E2QLTznayeUCwZ-)! z2cD2VbNGWKcP3vxVd)5NIpaD>vLmPHtg5koSIlN~wzsQh-&#n32301~D;r%wbq?z# zf|@gJ$)&8;@R7i)s3u&p7l@%BkloGb=t)mJp1L)*>HXH!Jr2HQ%LCGGZ~}CPXy#xP zf|f9IYB*`?{b-K>!|`2sdmM;sdrgJj=%3Efp(K9L_k?^iY*PO`*6OdD?6#)er9raU z&Z)_ZE3E`_Oj*uz)Or6}s8-Il)bOOQSGjBk+VMi{Z>Q zd5fD1!HyMEa`Tm==E(`wbt1CS-ozQvkxV;oyeVsT=FcaiDG5CnIdPc9iM_gYY&n45 zDOT#e<~Iskh0zDeU5MN}Ft!g3Xct0fx{xL$37(tSE#_{cfs$r-p4mK%4~9Y2O0`jG z;@y=1KQgzfG$zbCuz_)WP)@ncHc@z5^q4<63&m}Dc_}dORN}JwK21wy_53mI1oOHT zBfU?6HN?DjxP4gk%EyIf@pz;~Qd1xi()}||IH%+njPS>vdzs7%mjFd?wt9Z=#+_Np zcpHK^`or6)=tN4l&w|M&w6R2(WMTp7Ol4-@^*R*1FIpn0%h-a#{PQmQ*pmR6tI@1Z za#SV}HugBPD0D|_!wYzN9dn6=+&f32eQ5#FlV^^`;?H8PtQZh4N1p;6j2m5g2>Ph1 zYJ8%7RYQTwNjO+fFroO8{q6JcO=@+_nR1<$m5?A;H;@RM&^P(%oW;6bfNqq|5cGv7 zKfIh0C1zigN0G1rL&5{;=9^e1LE>}*H6KI%-U5T6CQ$Rbc8<44(#uLvq$u@qz)uNe zh6Yw#Jvm4XS_^=Q&6Agi_FoQDYd=(u5=n-*Vh3Rzs2?eYWMk(%XoHz4e$7X=GLpVo zi^jMQqKW)I>^F$qPFu}i%#yL?8(wWqJ@8f}R6_eS_gd#48x5UKuv}a1UiW=V5Q9e! 
z^(j1`?MWRoeNBGE`^I13XCis)Gf+4Y&t$xm6-%{Ts*mGH0ymQ)^c^=SYrxmtTmvrH z0O$SC%$Pr_yuF(_6-`)JI8x&Q@Ps~zNj*2}#!_QbTzXYtTEDXxuMBsBQAQgJ6)ESp zxxXqZHCoW@VrJB&!EI2`93rk)Airgh9KuG?caZwb5AbIuY6xn`Za0C7omsXgLYw;C%I-G$;5P>s5%dvl0_eOv9^ zJQxBZy}Ok$L`jk{j7}bOB42+Z9!rIUlfV}&?&fZRX|%s?jmoiP@jh8RoP%Oes+TZY zdpva&@YHs5!Q(<00k&|olF7vfe}4)g$^nHay`Ah#FG*O3Uc>L0Y*=n>ln{j?6c1FhprgQ80JM!4Wf0IW((Y$P+;Jb=HpZC=58Qbsg#?^inkECvV+ zHk@EBbI`S-W-Eu&`4qmsyiY^8zvGc%YMvbJX1ML!{$2SU_4U=Dr#)EexdYd_S z2c0k;x;}7~3ZgcDQYAcSIpK)`I#L6QA#HZrZm5iL&`});EkZO`2s)Xl>jY!g(?rFj zh?rJzibPL14{YuSo1+GTE3qK;Ds>>WNXHVhUXSa&y5ux#CbePjh2ucfq*qQFbkjG- zemQ#b)|Kc}VPnO65LjXKohRennBk*O0fabS3-d6|elf8=J_o(FSQ3cB%q=RObfmeGr53$x6AJg5Bl?+xDmj=?XwU}s`2s!KhB z(`QNdg?1_wb6mi!fpDJYd?x`!r13IYJgEvrgs*yr={qQG`SD#3F3^wSthI!)^2sVu zxuchKh=Onz@Dg!TPv=8)w#119Smy4Yp{+H0Mr0NJK`0y|VGhZAOh|sElOy_Q$G?vR%eV$-kYR$C4?xaXwAtJ?fVY(YugO?LFt< zzXQT99eNazJ~x?s1LKl?wxz{9NnYR5r`GC(8#@pKlv5@-%FLus^)4S zcr(*i;(!37t*`)ye=b#8>zmss8(Z61{kdBC&vnYlY|GevF_(}Y@KIj`GC&U)nW^8O z^}m=b!NUPZEZq_w!3S#3*9x+8RBH;G_h~-1l}JcoJG6|l=MiN4{Wj6yBae%6lvED1 z3cqe=z8f{WUY4_c@%h)#eKot>dbYPOzaEZcpU2K)pO$n-VsBl(*S@wt*}9)HV?(Vw z*in!J8N|~%A#blt?mdy8w{Q11qc=yEeb=pRz7K~go&bCtJ7(6uuv$7EkD58*+@mvn z;nw+wyI@_mjc#I(0zcxrwtKd%GH1Uv-!DyCB;QdrFR!kz*w#OLym@?-`aX zdGvL4h+Y#b{#v%Zl-S^4W_jFl-XSbU-@SRE_S}J?Teb1&rr)$(d39maQokN+ z*7F@F-*40Nc9=OJINR}@`JU-_SA8;r_*t?E)-%@edFRpeMp(Vn(&62hXYSnOi?7!6 z(Y)%jvZ;YT$2g^@+S8@?{#@~BgSzMPX~}1_X2aLKyWOdi?c!!X`5t=}%O9h+xIm_V z{Cpc;$*03_f_4w6r|XShqs7Bk0k^eyB{6y1v09}-M#rYi^1|{KGjZoXf4-R6==)0T+!0< za$D(2w=B)Oq zBE2bpHS^3m_Ix=wW-cx3fzMyuHk*H1ufM6uYuR?!OOf2)cOHZtI8Q?|&a{ zX5Qa@=E=Wtb#C~)-Jdy`=zSm3*{oNOY;##l4rQRp?S* z=l5(^Kll8~aEnt}kh!*km9*yWxj)`7tymu4zx-tW{<&^%a(hMh7D6+BJq`Z5tKEZ{ z=;}q24aIe=rljoHM)We||PO131In(Ys765ng>N50& zAfB(a2E>M`$HN)*L*;#>9Qmdi+0M++?%8Fz=B>@C$}h-u1pCb+b`L*0*RbXBW@C1% zjZ-Y?ybPD??xy*DcLkl#X5Wo&W_d1f&%7UB@S7#E!co!0|B;;??0j_+Kk4kX;lohy zQ~1`J?UzRdx#`=!S*&wLdDNr2DN|0qrjH}K+C+R)NwC9J5N}!h$VY4{xOL;)vR5U~ 
ziGn+eQXJ1FMh!fdvA2SP_bliVIPE{5u7DjW^hj#j{kIpE)dABe-WKSPE+zsZ%my297J z8@3Twz@Di`Z$0%s3Q$Ziu`iw&-vvB|V zv|lqr3@9rTcuC6hF!mG3@&-{N=&K5);Ubd#eFSm9F&h(#eSVlFdK|MD5k64S^p24g zmPnd6Uw_>G0HO&qA&k-we}+ta{kUShevmK*dcw(Fh?YDdhLrr_(VvKj?1BVU(V~Pu zP)kk4#u&mFzP*A7M?#4wO@%Ou^MUmF`2Pe&C!mpnfPT?#g_XquCk_*31c~MNL9(pb zOK}h$=g0+5+6PZW!-uawdbfV*fM1pVbfwOmjA?O}G zgK3e_6FlZEV3_6iz5c;PggZ$$H`?m|ldkH&>DFfaO;?w`(jVd+ssAm^?lndPo2piU zM7nW4@aLDxt{?Q72^CA5zPFI5T=V*UkW0V zxW6;Z4m~3w4g(tnXF6Oe0l6qBw^yk)2_*9L<}mB^U%ISJ{-ulgFI~JroCx{>(l9NE zmsYJ_^7)aA5l9!-atrD)ty2s5$E{P}6;0#!1O*Q_s5;Ao$NDgm05P|O1xVowjxdQo z`fi0u@BLtq7BdlruchPaCB=7AopmaIuu)ubN)e`IQA>|XrpARSljop>yA2j+_Lc;a zC;;ARi{Z+M!Hz=PoeAXAwKfuqR>aIg#jUHSWR-9%W7{AdC5RU$x=KiuCH!PW|AhtS z4%7mdAOJe*xa!P+$x1-qTLT>44swvMFD@6OBRt@;e)XNTmSobmwqn1z-oDZmtABQvI}9u1CkZsJETY4Nz4#>@w-aiDwEz zQ{XVOScrr`^6y9_#o1x*K)!HE{GsBGnQneESqSL*1%e|j0%LmYN2AbovH`Uwp3g%x2X0LoBe<_0M}BknZ>H)0X1c-iCsP5sHFps;zl~uJ z>mc-Lf~-yvocFXyI&z#QGEM0WGmJk3***LVEBY74!}|{`!(&kS4@{9XkN}Lh_4r*Mb_P?aAowe1=5RG0tl60#`vPo=(k@dfGIr58Bm=0+^Qw9AAxIKQbu7| z1BKZULW#S{bw&?FT>|o?EQ}F?5tn}hxFi4^Q})Da;8-a@I$iJTzr}12mjoTPrXfoc zsT8JT#lQ2~qA-#jq(CQT&tW#dxDkT>2bl|W(3ZuU7KIguzH{L(q66eGw_3m|zuQzN zB|^=^JX)JZFWzK78ZQy|`_C&zAlNkcK%T!5|9`kgfsieq0#Vc0`oA(r#kmC|FSKu% zO!^Ujd{0MIqi6vm)i+SvAWm-g^e;UP|I(B7FFjnINq#tMneh}>$XSs- zD7#I7wgSfM{uKLPfe!~4$>^}obpgk_97BE%-EAj|-3*IS3L>-%E9wIYMt`+;@vrtw z;s4PdhbO@g-nhKT5VJq2lAG3aF6BoSC4rLj2o92Nb}9)ISKV{$8SJESkQL&l6aO!0 zOWMC^aMM_UKPoDd&vD26v6n=A)hIUX8Q94de$JCg?r@Mzjm+U02SO!~^G|UA-2tcZ zBz{900fD!jT+AglsQDc9L?$oA7v7~2hEIr&mZ03irUR9FZ|K|XUJLBl_B?c!Fo zr}1ROKu4|qo?6+~0+3ZieQwndby^pF0)}yoA%>)hW9In2H_u&e#X_j)Caoy`ebfrb z6#gG;;q?61TK=f<>~ZvGT;w!fg_}uDB<%1D36HSgcoy|Ua!ItEgjP1oF_$_QkGRQy zaRqpgVfyrcqFOdRGaZ;C#8MqWD^{%eJQ&-~X4p9Jzf zc$t19=>N%CrPHz@^05y}xJkT`)iwxeG|1@wL096EMvv`H7V(2F~bK6>wleCjzDdriGs_saxcA$P8B+)>j(w%_)dFNF-B&;Oe?$O zi33W1=%(L;?LS&jhv{D=Zk7%W>l}s*N`x}_U~;4cw_*IUE@DC>tJ^{K5Xdy%KVIta z^skpTfFn7N4e92_|ZSb-66RD$84bDUV;90 
zKD39CuG5p-UzQ_wIINd~Nw#=E1W;!l{}_430WNFSEDO-xe;v6GCmlVTSB_fX%D_FL z&mhK(iBk=am}#mDZNH10PAWzc=g*A$zlHdB#x;z{PwTorYN1!y-9;D#D82_GOj8}m zOa?+8O-lqz5)Ghxdi@9V%pXSQbNG*l`8hqyVH~h40wNmS8F3BUHMpxF<_oX8SX7{)}c)4o`$1+g-bep5omyvfLnQ2^*+wT7 z3kY(CHYigNNnznWPvK6ct0{cI|2jpGMNQ>#d`x2j=$_iu{p-lnG=eZ0!@vpSV}=Qi z3YG<>D+g~ZjsH4)9NT!vA=3_sY3}yOLT8mXUeRkmGp<`x0d~a!OyY01CeQ zLfn5rJ(QqNhI0P2Z2+#Pkp@^>^biXfuCmD3F=5d0Es#b|jZ#tX7?fxL+(1te9oc_O zK;2lHJc2)h{&72*!|^eVcdy9o&#-hkBcgu5U^t3(gp@2u&HGWB_+P>4+E%E!Jca&j z7o45}b%m|sAqL5ghftW9l>Kv<#p#g-2jpHuDARZZe^w|{$0vcmD^x%OIHEJ;pCZX; zWp&+oAJC~<2nIs3$@_!}Y@{D81A1HNk`aPa;aViE0; zO>@+u3}VVJS=6Yn8A*F&&gBLSzwhHkh5r|{cZ4QNHm|+I(|E;pyZSlrGfOPyQZbJQ z##J108(6s1lzdqo4=h&O=YKifpJk)k=dVnhY*&J0X=PmNOasCQ^N(7#5KU9^$-GfY z^P>`ylCb`6WB>QMp*GTic2gEi!{vGR$F*Mh9MC5Mcm1^j18nht2&Q@w4IFDozlm99 zlG!_>l;r;I4t{|&$A1lzN+9L`%#{be`u}-=d(6fV6`inMLLNz&u=eN?rp8vKfOF96 zAVc&3Z++H(DJ_k7;*UiC{AxiLxG`+tpKVV=&?ofXKlEn@onjf4EXpnpit_*O{#Y^< z{JNhS_7$+*_Ic#*XccYF12`P4uGw#n=V*Ri8Jr1b^SLm`hPdQHt?;;~qpkI4H+SJ2t3tvo?%^c6)4_H8cxY~w?I+hkame|RC2cCE=3IZ(}Le<#Y$5sKW$jtKW3WkcBFp9G93=@#b5<>9OENS5M{ci-?BnU_y46`DR6VgBt^9Ik-3=W&e4)Fic7TxF*&Gr##0r2NQOd~_ zs>!8j_TAxgdq~HTmR9ldI`)tX_Pi5FIpcdsvwQ7Ei_`ZgsTAnThRMhN-0Y12#L%Rw zSdBkDqfs(w&@wtjre0OWEM;?Qn(CY-oSVo5o1SPYqNprog)A=;eF|(BYg!MRjhRM zIJiAt1qW5^M9jG8#}J;0G9G%YR98wmlj&A&vaB}GUPOyIDf1Cve|EqBNJ0`Fjp+@e z)GLJj2+v2myRQA>Fh1H30{|EN!Skv;h{DcPtbk2X?M*xr7=u55x7IJuProzO^h=S} z5H4Og3B*kT6n-?zVj2s4gH%qdgmrzkgDN}Ru zw-Ad|yN~FRRAWv~N$b8lyB*ixOuJu7iL=u7@cro=^9f&aA0GG^Wqf%#2uVv~=B~I= zXe8Q^$nXNfY=Cijca#w0moMmF&T7xeEzuFm&f@ZKxw#na zq3jx_L@*7DS5jPv9z)TF5_aFrESzL4s+rl|i`(OTWJ+k;*N#uPDel>|PKv=Y^rJYy zXB;CNcIEm2#)dF->88N>TmoL(4R)>x3c=gs=1K?7V`K1nbL3Um}5(#t4Y=xu>J|Vzi63Bru7N_8i6d z$%(_6pYzy8!f|@xa2}>M>NX*od_-F;X3T1*Z4Or}bxa#GJlX$q4T^uQkJoxkPhTA= z^%>@a5jISJ68^|wa6nsB&a|1EG{qKKJF@R9)UD521WBXDPUnalue+86H1Im zM?>>4;U-y)0AOt3><72NUn85o zeZD&Hh0Eu7_|EWOw?1ol@U}amgOG~ZMB<F#^Aij;2gaOjE|=y7A#u1u07-Ct zSjQXGj!ZtVA_qC0YdOprzGe_wcU7o}RH;dvVZ$nNdj19$Fd#`G9WoAL5NzvLsd@!u 
zHm=fK#axDHRhn4dLRHQovT+q=y3xL{*+zb$`exJExawZwf(O@BpwuhYGL?11DtG?s zYJuKM=Gw3-G3fK18-4uc6UbKiTBR~>T*Z*LIWk$LQc9-Hs?Zx}irauwx)OXJTBDIW zEL$&Q-p#6>XnI|-SMIwsfsL!E&f-F&FNa7*g-x%ojRlHLAg<%*XRzId<*T*O@>Oh? zFCxD4b!=9N?23M}yqS|-7EKecPW!(4;onI#8;@as^@l@#vm#vfz2lujPGHONdFQ=5 zc7Any+_F1%L(dJnV+>Cw3cHX`r}QJSZiAg8yOCWBqO3bNn8p0H<3=-{y#m~5wlf!U z8_l)8Fxy~e6RWKa=2KrkZ8WR#s%UfBG%a#Am)p$c%0{!Cz36ycwzIgtUVbTrE4=rx zidks+BM^>K_BRizcMheA`Wb9-*{zK2S*mI8?;NzIMt*>h)^tvjXSHDUMY5=I88cmG zg-a}*Hm<%4Tl2D8VbRsu2DZ&YM!&q4S!DUQf$g%0Z7{D{7Fb?xV5?LxA?7tk`Bm%2 zwLw`+V|MjRu7fwO<`oQ*d3|4YalL`{FJ-sPt9zN%`li*pqIom3`qg#;o7M`8SV0RV zp~4np1KVREV`-I@!y{@5(`&<)C6!Klp|@|^(`pH?rLi-$a1WGj?FtT#GRulwzIg8K zbJe8^eL}J0ccO{sCLK)^u2=jNv)!ZztioiWj}&lC{mN)f9^F$i=~t#XN+v!QIm8j^ zKFI4kul|`Wn2|G4c6S|?oyZ$?!{)+A*Hjlf12p!RAZ_Bsn>?#Z&Ha{ z=*<;`nUzR!m%)@Xwp=g85q(>MnP@hd1mQH38yFs?yzV19 zg+i+4;acE|dLb+P?j;YFUV*+41pZQ_F1Bnp!XSn>rN*crn+#*fWKU0>;?iA~Kvg9t zvU1@QvL?skYNzxHQ~5?u;o0#F`J{{y1dF<3XNMjFPg`z%-@yf?dtQjoQE@Y;)+yLDJf2j`0{}y%joUo zfK_NNtf{gCMzWRIP;ihHAW}Zgqf~rH9oJFEb!<#rM?pMC+VZl1)1cxkn1>sejMpeO z4lT!G4$xaJ4rA>MRz+r)iLZEo%2a_;3%y1kvmzC+&xPY59-tbu zUsyY<#c*J?xP%8_I1j%oA8)X3M#}+imE#E3&2|NZY_a%&2dF?5NUKnTXG^;J^EyE| zh4U$LvoU5spy^ICBaN_a76?Xo$}X%*^Id8xDM&S#bCUTI}i1tQ+?dRJLUZM5@P zrCOI*cWt6`ScN(kEz>s4`KvbzCHUM1Iz8|j=?zLr&% zn1wz0XwFxa>RV|=T4m;Zgi)&g)Rw)%5?m10nr^D{VXS%KtEJY$4-qbt;+m9N);=0* zi>^fN#_kdMgj0!zO~m?+9+AZ|YoW(tui9GXvAA4d8S;p% zF0y)f2zGUDH6QJ~C5ORrY{qeO&GV>?gToTe1H-i)RExzKPk64+s9n(+wWc#R<$CRJ zy!naz<2fBzD}?K@&#Fz2yo4Yji>AF&-gwFMiQ{<}9WauB@a~E3tk8%`nB10LK-U?P zN}o}4M1&@=i}>akTt3iIhdGg;Q;4NFku2z%)AvozIq1nk0-++JCJ-HZP#Bau5&kmB z3iWkS99){jcBofP>>AUg38%q?y<=W75q)V*CQ&;zmFU~_9IYS|Xr9n1*+Ajywovpk z!zFO%>%sJCpR+#Q`qCGEmi?`l{jE2!#YQr_-FBzH)$DJh1Y!W z!Y_D_qnqab)1OTJ5cgky>nr3%25IssD00#wU3?vrKi0{s{Qc$Myh~B*3t&z18Mg&z z*0pJd!Eo=WHy9nXdiKz6?K>l@Wmzu{TF3i?L+5a0jhya2B~Ypq$vUnx-dX;wLtk^w z_p!aAch0}fKv`q)({Sb>X*3P6y4W)&Y_E~cqobq44t>6IB3I57$3(;uM~(+$1hvOs zk%FjMg2o=tufIRec;9`I@nP>UE64tR#+UuQUdERfhgo^LN4+c#dI!f@^bR}wS-HBs 
z&T$s&z5Q+`Nm-iV+d=ome%3do)2^Y{EYAz>&t}my81oMQO7n2>b2@vy!SU#*b+EsG z+}elMZygVNoz~F-P_ahV@!{xj0rA7Vkt%t;49OeMys3Ld#VCIHZ!;L=l*~4zVLP5X zMxz*g*QEdZH?(rm-?4qDANKpcu*O}{DfDU{0e|G=g!KD;wp<~n=lHisP1kBRXjV{@ z7M`kqLR@!5cBTQpm*awcaqOSxZB&}{AGs4iUDqJrG5YxbCaIFMN%PJ8kA86PEHTcEO{LyeG!!YtHiV99 zY!H#C344(N%zq~Ys)&xv%9m}>l(5jG#GziSQ|bO?1lu~MhlHZ}!2f*t62!B=b#2rx zmMz>-#WMOWoyQ|H0j7*jJ@2o)5a@6GMpYMRL%OQ@%vE+`#B{VIufkv~<-4EOrd0Oc zGr{h_Z?RtEuRyBhS}cgy_ilQ9&*v3B6g$?zvDF#uwGQp$z1IH7aasd=;Iz8?M|&^! zh6mlwaFL;S1`>E1;9z;2;kcOtObjo4^#!%nOAqIXbDuLfY#omdx~+kA+&esY z(X|HqM+*!%XgnB3^>BNX;l>+3Z?Lf>c|(n*NDVacS{-KiD`H^}(RMxN%wvvnKAn3k zsLBXW@|Z_gQ6gj+Enpr^N-TjSkxKOH!kcm{2TOX+x>1{&S3A!^?oVzs zLmMegMzc>{kAK6zk_!ylx@YQyH^ip(Ut81RUAodN=8?5nSN@LIB#=M43+^w5v}kTl z!s&4|%`XI{AzebxTm)!&s03>pYc>s-$Y|xlD}Oc~IN>WwfaQeYj(>HJ;A@cJTCP8A zXXuVC)-z-4vpb%RUs3;^z(03y-6=J`#owrJ)W{uL{#1V6`$}saIlzu>h4b91)6t%) zdM~4O)v8Zs;ly){mH*1${Y=Ljyro8#uZd+46+2h~?LXuSXtfKL=eU1a({eGfJou7S zQeU@`j^S;xFusz)p0*~FbJp4Bbrp>+GAynnppDJhOwGmxQ{@uVB+v~}x9_B;%BDV1 zHq(=2ns=3{#F8ZG!GVkz@+tG6(o$^ynMiKhhH7mX6KJv~NjGaGU^8-o4HgFXH%v9| zk`im{_ z)9ZIE`NAIsc`NrXbj&cJz!!4h;lFg*E?$3+|9q8ev|lK__rWiphmIH5d$l`&+t9U> zt9-e#q;^BYBJ?7?0zGJ!T;7}3w3P1^64V7OMf`=C_}KM%ld22n0qw_TwLJq8DcUl8 z&1eqe692dg%hOr-Z?nLS9+YpPgBI>ewCsZJ{S6Tcc!|0fbGmG2ETsR=h0YC!ck`ss zy7n36r>_VoJBdztpI~tsI*u}mVDMT#=qM#Q8|7?!Hl$t;e{=0AtL;%ow(X_s$Lysx zOuf}@nD`kw&GVK+2WhL`Qvdb1VATTNghK*I2Go*xbHrVg7JecejdbWI{MZDtR zJqcnrot0T`R9$6c*(O-IYq3tOc44z36GR2$f-z~Lf0wfvfclvKOj~#bd;BC}$MMgt z@M9L`>|HqBUvJj#IkhxB;0|6R%ku`-@Z&of=tu)eLsWf-sLY>(n1M;`XWgG#hIU!iiG_EgUo_gu17CRIiW$S zY+q}OJU5u49euj}fhgsj)NzX$af?6DEe2|}=$wXQJ3by*e!>EO+HVKA#`ti}lAXyj z>hsfb@x2&h@U-YILprVzPP*-0yYmB~%ZC#~gT<$e{~*Jk-{B$ZP@zj`_I&A~is=Vf zuMb!O$R8V=aamv6s&tz4%0#{5BWrwAy?RSzKFg07RziNoP$<%{l|rp~_NcyVOQtJ* z7l(L^%zQ(4ZJDZXD_SD64Va#zUAA@lCQC?${8X>41ukn(jK4DXm#bITplUSK7avod z@hQuRL1~p_N-E+k&P=ZtxqwprS>KRW_J*`VwJ!4hB}c0-ej0$Fewlekn#isvOz~+r z<)(Dr3bT>O^*qkU>DA}stnqvtcGlvzbvjN@8(ZW#oQ{*O6wSNnaFGO_+37fucA?b@ 
z_nCsUy48$k!#iR{Y!50TGbu}=)gcjGTN2B*L6{=3$s`w-@hcLH*ez9bzu82J_m1b` ze@Bqlv6Ve4+oD2MoiK#GCH!ek$ux9tZyo4B`UUgAn0vr;c6yI|&dwF@8|nlYxsmy3 zoz6Os*6Hqz4h|2Gx~-!_P;LABy`z@3Z@*|A9`23yY^yUI3=bGeU#1kvdeV~5Ij?%O zj(RGLDK5DD(K^^2@ z2({>2)Gm&_3POKwMR$Y13T>sjJjf*DET7Vh?5~Xxet6IZaKcY3+5k?(@kkrMia3vH z16UCUK$T|YU~R0(6Q@e^a=12L7RnYXf+R)%6B26Q2xLnwg_jF@sQE!I5Hn zgM;C4zt?HKuwb&?KY(57!0NqdSqJ;a-Oka$;nDH_0@Lp4WD=<}Zm+qvLshQgp*!uvb1?6w~ z15Cc(^y5p^GrA7DU1tbeIQ!7*wDzsTQOoKMhONVav)A3XoV`P9kt2i9gAV)gGIU1n z=f{$A<^!mSDE08evGSIK@yH04wAnn9_$j*gEy zgVw=|VYjt^v_EPcclP&MhrQnZp53$e9ot@TXt8<2L-9xqw|by$&Ol>rvSS`!v7d3Q zCBHV9Z?mLHxaM`yp#mhk8!`NhG(;fv9}(>k{7{nq~B z@St_vg}*wE(;f7NFGhQowZKSDoKv!{QCmqKR?+F$WoS1;I~;xW0bMq);wxI<7jx{) zy=n-)Uq8E(*4Q{@KE$ySZ5Ca-l+Y*zF%*ldVwO`^qf!$^1qYL9YC93;(j)_(cs1%gR`4rkF_+LQUc__S*IYno3$8mnPd zQa*)~YWH|$vgs#84|i(i#F4Kgf8!{`xs1btF%&sBr~`Jik9ySQ6?I2XW?}CPky{yq zC&~WCj1>`n$!kiHl(WFb_GL9}%U8*itZK4lhF0Y4D7jB?0YNqDj9!Su)M+BYL8o)@ zf+e~HiilgyB7QhQK!ePhTKevOCqKPb0IU-ZD`fzVjw^6<2pPJS3g~q@`;{^PM+en1 zboZ;4aMY`sp;8H5Tq9M@P^nol!(NpP&`Q0dsu`;GL$5%T(j8Z+4llZ$Zlz|$43#<# zGxSI^Hv|6rih->7XXQgdRW%|q6dnw!W{M97<(dXh1r_WvPRS0{yy0vzjT-owGt3VT zHL)PJVw#r2<3N+I*pZ;>yKeHQc9^Is_mewNG*Q2ptNgZPF@IW1C3wr4bxlN$>=Y>b5001lq`L$z~84gV?&W?cBKbT=KZaZLw`a$$)-rx(fzsfrV(g8sgL zpoR1@M~SBDvU$geE_5`|<{u|o>8zp5Hu%~sf2!y~az~Zz4D`=~knH}*hT{MD@BjP% zO>WLSclZ%CgGErvaNl5Ij5F>C&|3cq3e0Lp&iXabQ-%cI}shi|IdQSyx!vF zZSi;k+V+jD2K1L~J+S>dJ7;5C$1NXnLnzOp#t|Qi)6=z9Y!BJjx8XbI7F$EB0pZ`b zmD5HFNHp}GIdi9(rPEJ(k?=CNJoug}q{O~AWBRN&zNHGNH@+n^RBG0G<6AaErH)%< z<14fT)3B*+-WTtu33}k zD#a%@k@)gKnsvLS+zr!^=Q**DXqrGX&KX+}f7s@eN8VXZn2htUBum!l!?vuGl1A?l zX^$oEfIpf9Hhtv#zmQfkmZQ{G^Irieo zb>4Ou1k-KVN!r?|0PR$d5z{NJ9V13F^c5>38bboq@JKaQYc}hexve zFLO_rf3Y%Kb;SK?`5aB+bDckYN$TIP*QyEmA#L2v9IJK{rZM3~c}k`EGVt6XJ7Zi) zo|&xCJg0|-vBJoSl1KfJFrTN-z@{56+UI?2+J3=_ng(P1w`PVfZAjNCFgtp_U0fE+ zIJCmhn%{Vie>=U~(Imb>ZQWQ$**&xdsbqMdHs?O`JMw1ys8vES)75tRVvcG%eVGik zoxWs-+D>2DPM<8U^fd`$=TDC~k-ERs6$#Yb!}4)>G?B?*uEkS6Vcb)@UBb$!ULwr3 
zDki|4@0;KrlqyV*I}KP?<+*X;x6|7oHiJ-2tkU^s(i=C$*J{SJ1~3n(=5jS7a}+mpDl2O?WL zL+gfg#YU+XtmKr5t*D{D_M(TjD;O35nfXdQH=B3lP>MfjRj&5-|$JcAmVDhV|Hb(%a!myW4dbdy*MyYfqUBwY8^YhK;oL z6lB1EAJN)Va2F%fSwmEAQe6oT<)&zN=YQpjICIhVo8oJe?Nnt1!(SXhqhCo3qOps0}A8+1v6iNTbjT*;yFS$Tu5i|5**vs)< zYd_4|5A!koFs1dgoH;(nl(_vRX~X)u-AKp&7!oB(%H^y`i7#?V@dW*YR8h9GRA>9u|cPn%$YFe7bkyXro5ytqwxgJGWP@HMa?Kn zs#LPs)_m4yxA!CsUAiqI+w7Gxt1M{*+jxIVagoE>Y0@^6vHXH{F3!!7Vx_@<_{w)Q z^Z2W-)0c{wMB0uIT5RapYVPPm z=em(cUJ6*cP}C$ADkZGU>sP07Pw*?Ii1IS4QN&Y3|Gg8A={@tmM^3sR)7NE7gvI$M zYdB9A#y?QK z`ofDJ^vCSyr4+JGSFdypOe|6-CB32v4=(XB>plq6l>^FlaKEYU`|_9B`CGq*uOL|M z9&pvS1IWhLm!DmF?)+>}f`nY`uKAh(Yc>t|3bZ`Vo_EB5Gv{`Iuayqof0|J5lUo5l zD!al4-2w9rGa-`%AX?_hpVqQV zB^*QhkN@^x$SZXnUglZ2P>v=3$AA65u(G)LJzd?38=suAv50t~ki|kic}(*^{`-IZ ze@ML$&v=UH*9-A_AzrY|F1vtkYAk8%%;Yh=GSBwzww|#OpT?VbFTAhm2U#X}4d-6v z$s7`Le!7c#bE}$JUZka&-)a8N;lkGXlI%r_ijI-&J(I%Zm#+`AbKM}Hf8GkKB)I}_^MyR;bNsoBT+LS=`LNFD0g8_; z?<~%S@)EA%j2RO&cfdCIDQiKOy{G+>@3Vho% z0|ZVCI>h(j<_Ihzg$F*YaRQ4l0fV)*qPAAl){2#t_tdNvMI~Xf*q)Im)v$y5SXr{W ztEg>SQhTc)n-JE$RZvtrd4ClIjna0o63SA74ogVMk>(UzJ{mz73|LsfX*@-giAP9U zr#OkErcDycEQKwqP4>EY=be^zHHtwoxg-+e5(P~eH<2^d#s#%A=x*_f2_fk=qv-1-l_Chs?f93aW{Jq^IKcRIekqiFczhn~a0d!AOVv#0+Q3 zsvfQafEH{;oY-f)4v2Z+fEc=Q%z$C1h2n$0D-Z>aJPkqqQqqe_td*Qn^1sSZ^Oqc4&e#-Nsxwv`B zC@QHEmN8)cZuE~YN$@()DpY)az)^J%?)PCZgWdw#0SyPZlJaMC+}?ZUZYvAgdLGNl zquY0qDc2G#&)lBKjyxmS2i2F%m=3Nln=ut+ zUp8YZ*uH$mg-SF8-LHeaL>cRTuG8%&R%V%6j01QF= znHlk4HJHDY=LSQg={8PPbLnN83W1Mio)^ICn8V<7osx*Ze#!O|jSp%Nc1{KGGiQDK znu5wIHGM&>>0@K?w-(;rO+|Z)2FS|Y;Yk|#O|j~OK1ZtS<+myW?6o$_+o{R+HxcFTA93Nfei&r7D5|M=S%3fN;1;^8ep>I@!^`%A&WKhK zD&zRWP+3j9lSgJK_YUAXhzJBjvtAX&K$x5{=qJO!$_@JB7MkTl3J&VM*`w{v1pB`vAowJxE*D6t zT(4BP-HorTh5yhEobs!?pZwK{mtb`3rToMVRs56gla#Nx z`$;A~P=CTsMdjhBmq>f0WTjgLnU=2qlOOjIbbCk1pUF~t$4aTNSdKr^C2;cRe)1<} zQ8sQo%|o{t7M-%y6)SY28)Y?oe5kKHTKa4m*>eLjel!fQ&AocC* zlcdzdhx*V0Xg+4U6=kLug!xmhx(rvQ(o*N82=pKrQL{Uh{56;~br;B2iGz)kEvY0+ zdrHa{R#K&$CBKg~LQm8aXgz@@f96i0ym7a`$mZ1!S=8RgDwyZ5@!AK*YjH#p1Mqoqd1~7*%~5E! 
zXnB&2t)7-UicnkZ)JGB4M-eW3C3MP?ocOo$qL$mT$h|wgdw@0VMz1sti)(eUS?-)b zDh=*X9u?RuiLsy7H%QkvNLMZ=GFw5HDW&)r#U+UUyoMX3Q***fsndyLr4-G_J1#*m zIWMi0bcU6E8Ip#Xabf!9w(VJmLmn7ii=N$P{oAoIn|8*T8)LCAPVa{6{cpzpca;WY z(Ji_enZK`YJSGO~v2<&wU_q|1{;s^*j!npsTzFe9ooqo;XHk45#2VM&OWKuXn?9O> zd4Z+9CJ3nsXCXs!+4-lm+4$%=%tU8d)&x@0tgF#m%(%Sz`A{gqdRnZf#pJXo&BAHb zsM&|J64Zv`+E82@ifcphLl}xHFIpdOrTXa0#@ZrWOt!WNm$KB>7U9|=Tw8=U%OYH2 zM;@DqDP@?j-aBJh!A%`JPz_Q>use5s$7|8UGfwGN@!SnzO$oDbyqTos{X;aobH*0U zcQ>6*qL;h7x9;?AHh`7Lc=xrK&32VA^VS8Q&RTzi>1+@LAEVuY7YugC7L3Jkmyx7% z9e!-HK-jM^*ZW(||M`C++9PZTTQA90x7{%&VUz5IjcGo7vO*U@)o5p1&ZqAjkz~7Z zZ6q<|%Mc_XT4+m8_ci(At48RHo}Su8kfLm;_S<;czerE}yLdp2YeS89VTobkQYg*s zmNjwz8aGO>)9bZ5UHso9gvF(EZ^(jjLR$w!4>ukYv4~My2{tC%ai6xYoZ&2lfiC&n zZt~pQqGwy%P2xef?!X?wo$hE&k0~zf9wobthg}$&ehX?0O)`av2KY<0AS6(xJgmV_ zUj*sDIP;Ty85V5*K)m2Kc;$Kyu1ilW%*1RYw#amYDcaGe+aJ_9_T*O!7O7%=27gQg zA{&VO0y^6w7w5R?g_iMw63#hsf-5da^w<@4JJKCuSDOrBgoEZG@rW}um$mXCysv32W2 zqT>zexNqx`YnQ5ygn=xF3kPm*WKaW8*w7 z>uXyTbd!o=Ct;ekoE&Ny+Km}y(|K=1<};BZlLki1VRkX7ij=j9MXt6o%V1jCtOyhq zu3$dSY9>Y5rTZ}>L)QFp6Y+xByphhU&j6H~HJjcAVP+*#++{FDM`Vg4`nCcy(QJY+ zM}-7l;jGBV*_6!VDX2G840eOu8InQg$7 zCGE1U(>GZ{0%H^AOV@%_A4~}h^S^kK<1e0{%q7trLe$T>ZZuRFA5*3ADandSXO(11 zYT_);Os}sE-KM|N7g_30CBIs8P>sWnpy~gTqaQ??znV3a9P0eLrlCacH)0)S%8DN| z@)hb9H4pEiE4olt_}y!Fk_+Hv^t#CVmmIaeWyi)}T7tf8#0Tq?ei;V#Y?#NO zo-oCyyF}g!(~-!<NKHQWJ|CLf_3ihplS5 z+l{vRRupf>DO`1vi2kTKIC*rZSiNYlbAX-tar~H516%G{|aXR zDH=3J$p4M7Ra+i*M?|FUn&5Bd$1E0kt>z|Udff&{qO0-xSdB*OwMmO$jtXpzc z+ma<1z6sfi($jL8?RZLjPCe*+b=(*x=?Ww9Mtv={wO)Nn)U>NNYXX@?u7{yNZ79Gt zq*-)`O9E9l=vNM&>`z7k+bL>xGP3jg<(md^K0!mkF7`Lj!ZfMHhEqg_Y(R+}qz~J1 zI<62cn&IjGq_@v-)HXStPGOisZOGV~^PG@T5Tk^FhD$kV#w0^$9DH)TmV^-Cgb?kb)mo4-^J&i75$>CT-93^t9OVrfp}<= z1cHiq^vaGnr-j!pk*YoANA-#m2}NS**kIxsKA{KC&QIGrAFS4>(>lKXve*0C_?Mmb z_juS*ubEXbL!}y6WFz67M8)IhId>qCq%M4S>RR*@rDGu0jB`sjgIp5sgr_oczmi*!Cf;h3%+yQDt0kTy;IUFm4TGXFC~pG zQYj(BTBlAbVlt$REGAF|ql=BpMl!WwctM@`*kY0@&!nn4Fz}Isqw)YL93&tzV?3>S 
zYr9!-FyJHGL7ZO|I&^ZPdbCiq`aV5@DaDrNumt@~o%J&0wUtp?to;-!17~{gzzns6 z&Imi5s6pColI+;npOH-l3yyG^dx;S)X)HLx%?;DcXvt>WPOBO8i3T*aNHbBxX3TF% zEg{qAXoW8jroI^ZJZ@_qNu*-0S5P1!>Ht`@Y*bdQp}hf{fGoYfz}@C|0$LMi^F6lo_8)lQKaY9WpWE zSi+l(y@pKA{3*mHhW!$bI1i^Q1M(XA|KVS#) zX|6(Zr6<)jwcEv|xycM;MSoR$Z*cDoX@NweRJIF8u{H0)?yl0c!+^VM#?r2FuF3+& zOI4sEV7{!GkHl8HL^l{yX22K4^~x}_ascX^sCP^N;~Q^$yV1sHL!#)#e3W5jZe{3h^E`Bju?@%Xk8 zVqF%6PsX=^5ce{byk31u^tm9!7hKFSy4yQS1Z2@OMjPA6j6SGLL$UJB`l~$|cU{ zm-4Rr4}CPkbZHd()@H73jzLAhltF`fyPHk*uaphDrS&@1uOs=ymoANX54nwph5C^JkUVuh8i=dF$4b8 zn1Sgj-(b}-1M^g}rnakbgGa;-^gSNzZypvm=ozQ0^0D8 z7f%?$wqy}n7BfPlwLU&^h>Qc9!3p$W5y$3ZpG5rdJoMJbPc|J=nEUsMjl+b$z%?Om z7dbh4ee-K7@Dx9I#VFEvuvd`T`D{U-;+f&dBIgbn<@Pkes_)zrX1F5KaupLJS5AmW zL6RLD?F~Xlx?{g{EN@H#+Vk<*Efzhv1u=^uw&4g_1qQHq+jeYWg=h5vHeb^g;q`%! zyrQPIiSB}#2a~r$Lf8+r@!-pm8;)6Y93>7_<}C~bQOhu=xBL6M-;f8-xrMF#7+ch` z$FA>2Q)+_*qIcFOHwb~F_W=vvi>BylaDO+afqHZ??*1Xb1q|bxv96K)QD{bRjt9!J zs=)u=jz-vidxr;2Lal^NWc9+I&V2YYa-3Y~CZM??^X@bZW;ponf?%4)au`1?$v}%S z&|>*pK!A&d&0YR!<1%$XLhMbBZsB=%lWF{I8hmu<`8*B_MMN#G*Nzr1Xa2qszCsrgld`4dyaoChO2xQ}iooM5y&j#`#IiYAj?=V);3SVw!U?(vIG zYk#l%qIG;|9ky)i;NW=w#o^)M{(x6)Gz<9=MeIm36d?GYw4)Lj4p!vQs#HhILI?K{ zQEMFdF1&zVhgTy9Hs{d37M9V9j}~ehx2D=6^|cV!wA@c|m`Uj}603rf?XW|*-DouX zx;Ujd=W{^Lc_JG#dgEy5LeObdor=T+7*Lr!yprGJh9gD3qFd z{%teaKfZ6$m; zFCfs&rwTb2@ficp8AX;$g^b0C${_8z=sIoXCf;u$ld&VxQ^MZl>ZNI_e>3j*CR+PK zdKMjSKAYq{%wV`bprwc(8KHfpBKk}1DOb!g%^Zrpg77^sI_V5?X!AAn8?Uu0W3pYEK4OZ5BalWc~chDb$U)-UCGNv*kP{d{^bS1 zM}#ymjkw^0!Rh0fH+3hTJaCo2rq`jM$uYiZgpNCeU8tFoFa(pu;xR}thCUI#u#{7s?-gr}C5QLB2 z4*$mCC#+v08m`kM^vYTm6_;Q)VPU^TI4bbzO>LdG} zFI1p!^I(hfuu#FiQPGu$3Jeuk8Y-x^|08RG3QF$3IoTR2h||?jK@An8^A!rInrAIg zL0PS`FjTOpC1L@zAgeBtgjS_8XhBt)D^R6^+EYgh4hqnMgBmSxSArH`^a{x1I5-^v zkM9D{d3`&co=zsPi5(!@3p9^+Cqwzu% zZM5-=sH}*Gu*HYM4IH%p-{Kf?*hSy*!U#srX`%#o(Ggc9t)UmDa#9?>T?=ZK*PT# z6KtB(2w@eiX-+*)Z3f=FZ9@4`K0v`}AjinM$pq`k6h$g8?>{AkGENb(_L-B@%L}OT zseyI8b$)_c5_Fq8jT~=;Z5+@Lu~ceCk2W?oag^W2tV;JHBoPKzgwrhs#URN~uIE5~ 
zKsGIpJ4pzGPMPBxZ&3nwmAbZMpxK|0xmK)LTS}^CF-;ifyHb`YsYwt`TVrQDfN}XR zIMh#QN+=QDciWwRoLYnE1PL2=eEP8qv;kS8)1JopiH;=_4L&a8znh7;|F3sf@%}%aRRNEL9iAW67}qVXaes^A4^YG{#%hR=TAJZ32$jHF_4GzV zycZq>iDQOp0ZWcSc9^9m(Tr49U{?Bqrrg-7c`E&f{+1#BYU?`YUxrxdv>>Y@Hwc3; z5RL1WHjQIS98{^TYt;A+191^3#SY>W?C3ODoK&%%m+ilI+sQb|GLq+@1^*?Pla~n6#d)+X^u@SZT zt5a9Iu7T_AZl@!n*EkNwiqu!S`L`^Z^JoK1!_mxn-tkaM5%gqC#ovNFX9NYNyZr+O zbJ7tkA=LJHqCd6PiObOQUD(x&VyniB^UQMecF4XHE~9@6?}szzD|c6&Id3A~4Duy@ zqeQLf*2){zr$Eh-oEnmJNa#VmgwZszt@>Z{fkMpdT2ZYugp{M}SKzNzb|=i;NP#sk7vh%6&~vP#Ya+Ua`SqeZO(%1!&XHV|1or)ab8jx3*>7 z+H?f+!ajIdx3&Z0#8=*}%}{}*-P)=_lVmM!Z6%>$PPTSyi__I^ZM9olI$xoXs(IGp z)>c-lEbP{{T4-|tXSb{xN)lQ{%Q(ALrMUtHE2uqnXSc%wXSc)J+09*vvzs4`Eiafw zG?r{KxuPdbi!ibaA8&YwoR$q07~-36+viP}N}loXTBG|Meclc;rvSbBl<2ead1Lp( z1|ZHR53`7ezzaVmJPzJt-e&w0bG34;;hibJ>Vk#P-^3k$jPSf*>Jl~%B8;!)!;}o~ zEdQ3q`-*zvtT}RF>@jydTCND6_xmuKZ5I^y486_bf{ZJ1eNL8ziW_N<0^;Oap8JQh)Ay6-dcO~64iO6SHlhcszCk4^Lvm4xUL_*yv$5?X z)ywH!9LarhLOP0Xjuz1iENX9Vc-*rg4lecDs_;heuv&hEy%*I;1#W#2+-%j@{+Lzij)CiLCnAq`A%;Ogiiz4-vJ)O zX)v;_`A(vp(Y-}&V^-pgWb;STOR{u^-`|cz0_iJ+*Bb9=xvA?+rvqhRnOFQA-8i`h zyRgK(j-pP9<9K)2Xmb(hxEcm{kHOC{^TN)^X<$EsR65YtpmoQSAaZUjk$gvIyQxZg zleD_9(m*mJce*Xkspd`wsT$)I5+H=ZXve14AtdUje1uxzkr41%vTe#sD`NT}s-}GN z0{>R&t(fkQY&>Y*Bs=Q3m940DMy6a)OjJk^?GL3N*zk=m-ue-Oz5KY-RtrYUCD!>kBSe1u1^}+e26Zdb1PwV#zG&j76q$? 
zN>xk0TnK)wuc4;Ta!A-lVqhiEuN821YO#Bp4Lda@kH#6xkjYlYFvuEv&QhS9Q66zk z@oN~&P^7NJ!JApObnEsubZ+V7APvZn!E@-=yR5~22)meI%%||ovJ~?tt!xoyZAL1P zFJ97Hm^Xo5L?(QuF-RuejLz@+Haj*RN*L5p2r6cwF)`-I4RC zCybk5dso;gnwv3l*)4FcZ){L@sNR<^`Wg?u^r7StjdhwzW}`MNy9~0UzpC--W$|j= zdU#zF?!K+J}bvfA@ua48zcy*0er}GsGshVdkcy(E= zvN&G74%_$wuys~NB?+y*Wnk;7G*_T!1+}LRTOSp`)<-pL?XCp2HXIckozaE34U2B+ zR&DbQ;kON2>r%-x9$jm6pCfF2lsOaV)u%+C3v8_%^R8WNK4yc3pP#}uuQuPQ%EL8m zF?;b{=}?@-Vd16QwxAV^=rJSo02G|@Y@5z*?7CcD65-d9i|H_;Kj-xPkUQ%WJ>CN* z#ThHpiJ~%Rcw}56J(~Hpg~P}4qFr&vb}JCNE^5UUY>6}I|AhPU+o&}S#NE@au5sP3 zuK<$G%5@MqQyMf@Lqr&+OoXc-;qs7;i8y1UyKk$9Z>Yy|^u)0oG<{=WWL?v3oJ?%n zwr$(CZQHhO8xz~MZQGM%ax>5O-XHsP_c{M|SJhr?6;2_A?cL1{R@A{k#N+<@b0e{{ zEyD>!LxA@0H~9Rp6TYWRbkOu&c`%$J-jC zUw7NkLOp}Kdk6dbA0VXEDEYi_Au06>bUl*>^Vk^QXw5dS110ROE*XwpR12dwxB??m zpKjzWYG0gV-_dbOb2Jpy&c6fOzm6FK{HX_ux?1>Rs{p(n9DY{w(e2bUkQXS(0!f z^Oz?OL({UbmiW{C9GLQ((YeA;f0{gmtk(66Kalh>>>m;ro`C8Ue-Advj4qunzABXY z5eH3S>2I;A1cyFbp5GzG^SaE#*XGGXJ4J>n#Fx0(i|t#J*@V}Jk0F{_X5F)NYU zV|s*eZ?ir1<4Zi$JwC>W{g7|J|H)LF%U5y6G;gjFA9O!5)#i^(wOf0C{r_dEUD_%Y z)X~O`1}223RU5lK@T06q0YN;AdU;Ncz)aKcgci= z7$SJ^d7teK&{LXH0XLk!gFeCfM0mQLNte>>SM0LhC^kP!`ffJthzSS)##0!==u;L@ zQrl^~RAul96MIB*B($VK2b+7Je>~}Yiom!GyGwzwxPps$~%pu49h5B*-7lw0q^j2LLP?DqKJ?RnbP9&WvTf(l*o*M*dmx0h<; zs#lYQt4FgTgARhPlPeQ=8$;@C(c-XaL*W#Fuwr0IL<`tda)oOxK)mw05D_(|eE~-u zg~XU*k;h{p9cKPfZ?NM_@M$126wRWiW8Kl4QH!lZp%$ad>kVLq&1c5ofA@T+cxm*_ z?L{66LnFl(vR5bJp!6v<;*SeY6b7N1zZ@CBC~;Q{q;5w4QuF_s$OYCu5PaMP8l;xC zT$1y`g?p|tif%De2{*+tlFmB@sE-Nmk@VN4+PktCMps(^w~DV4sb^0x^8M)>GteTssX1C zqQ}VLKcyx3JeKKaQo=vsyw6$EnnL6(aSf%VH|ZcMZ+xcxaDQ9_T2N``w`IB7a%V!@ zdG3Jwc~sk`Pu@YOB<|!RJWU_F^3SlqD+q4|=vWxc2@c(tZA|rqXugtu_q)`qu8;Sp zYCw`kqQ3IQNo?bUJ&fv9zTMbxkVgL~CGwe(eH(#e^}Z|WgE9oFsd=TS1Sq5~RQdLU zdsXfUh7pSMmZNa|#>s(fcHLIxxvN05-Lz8Zhilr@T8Ug3P;F!(a1JHP1fgzKb68J=G6#ZFvlMLu=hRZ6v$IyTt{$xfK0)oDl}E8jzozt>N)a0$}8`dfXEz81WmDK&hL+&oEys4>dQ zq?Aoh$F-q>#?+p0r{-WMjf=sODE{v)UjuW3oawD${ta@|f2v5nE`0gh=q3MWdV$ zOEAgP2v%*0Z$MV$Z-aef4y{-!=zK=&Fl(_^)&ANovg@B;6z$@aW9H 
z6^Y}n=?u&4wX&ukno!tV*|25OpuN4|YJkT_o$6(sy*pvl{$so`$Er;I2`&2VBr^Hg z)-lH;=a$s1BaVyzGhXV}ALAuS)f!H22k_5QA(0TQ(!c;{rJP1FR~ERg0B+ls1q|H0 zUV^XfWQ2G{T&g-|z_aVZ9ee52z~ z=fHiL9LvFsL9`I$K}U;#Dl&=7^}yH`Gb!Sk94;lGBYJSqC?iWille%G%b+hp#0n*` zJ*KeGcwl};y3!=4uom$_kyPG^yh^+RsKJvI!9{Y9A;@6U_?Mh;kthZBR#^xIE0PCuOF*vdwV}(@TRc# z&)b=1A-g$n*Qa1XUC<%r;J}{EQo(nJ7ht6qs2JhQcFLbv+I#E7ZZs;^;B z@wekI?k6%jpM|?nlW)x3R-=@q)1#LrXVF`;Cr4}!4_HDEL-!+yo#a!Mg?hF}vb@(s z)@C6IPCj)U~}jLn2*WT7<}R_?jyD`h@ltA3nE_}!biVYd= z4nE&uJ$1tJ2kLLrIGsRDd}VM=c?k;12#MJH<=%-AtM)oV&%c34HNoD_l7t z=0CN&i(otpA^`42tm%JESYph0*A^8~vOzP>obzHNG#XPORpRFFxVJG#le^>EacfW@ z#Y&~LXVaVkj20eJg&8mgCqM_qUX@Gw?+{aS3GY8I?!!da@8byOzYWINYU8P*JEb~^ z{lX<(du1E;$t&)yTiDe@@mb-7^hj4unHUlbMJ%2Em#%47>G5=WP>y4jsk8MDvmXnS=^?yOqOmVm}XrLpRA_(&PlaLJX&h8L?# zkIVJtNWkssBQUvrc=#jrlEG3_X&zA=Oj7Mt$LiEBY07c9t~2|qxhyx1TgH2gJCcUr>s%`MIj)q)3)eD>)R{fo z_zXS*x0@GFotg9ds*}aojxr}wxm%!L);H&gsvvP`M3sqJqz56@`mh{0x73MVS0(%} zo$+Rwyh;t_Wkn6UNxfH|pn)eLRHure7IUGjR;UcxO?F#5Pvf|HwsM1cL%GG`3u~qn z*2fC0+F$l$sA0H$u$->+P{sB2XpJA8wA(fqN*ixD=TgTqF}q+;lvVTi43=-47d1FS z(QC<3h^5*E>Wn$Vap1-^7=s5RKRWH)3`4{d>5s%!Xr?R%i?O$78FRLW_{wi2>-meK zn<&{7Za{0&?OWgA@kvyg`rzV%221(e#agM?7}K>fnGvgzoi!c2zb{~beQln!SE&Qp z9gf}@&yOJrs2h9Zo)o!%U$u}!^n2F&4R8w9;1*XQ+ZQB?a}8O^Tkhsh5Q0^ZqAo^> zN^F8UN*J^=;oEeBV6&}uBvf|X(AP9y5TPT*!2${zTW?m0?tG{CVOnrFRjv=@X$Ny? 
z%PQ~QxZnMCx_EXgiTLO^h*3rJckw+o-m=zlmzD97x59m2#tsqw@1R!{t7vBNPMJ5a z83!T{XIDt8SQA;U3C+IcU57Tzg5RpaZfBxLC@F=zbI!rFIL)1Iox1XV2e@M%KaaT1DWV9&n)By+ ziyik?Knne+CG<^15eZz&I6R2UqQE$JNYSoW`e56kX}6@5b;SO=OY3D4#FM3;&4{IN zg_;v=bO8P1sfl=U=D<-aD#rYb__DC^Lw?3MIEQbvm|F+=w%*c?n0_<_4UYN7W0slf z4NIku#Ybu~h1<$gV)i3G!v|G>-l?oYWDZUa(R6NHIKlPr*{R~hx{+%qxTV}~a|jd( zvE7Ch^a&2eLn%loB}NP>vKU;?8K-a_C+`aPGNUXLf2|c8da>uNlrk!b^a{7|K_s(`NlQ6=y(su~Scum{w}Cz`;06BQEC&1TG$fjdeiod{l( zr(EvPRjPqIPnOWrTIj)|qATdbUE0|mhiX|gZiY6`Rm@|vpGNY=<&GVI(zxhz~^tRREiacdLEi4=$qp z#zK3R#>TjtI?ZjRJtq-VHGVO$Xp~%5DV??HAZ}9xXfO$I{?+CndPVyuG5}x8cN$&F9jgY>SV^KPWd_(13R1(H)3w0#3mYx=!a?GXZ%L;ez8oV_5|wokW= zym2#Py?dyk_{!J zG$~Fq({aopIm{@Nap5M3V@H<(doh{uMkFJmse>FdqpmM38@{VmN8eTZ)!k6eK6;SwP<*;LcrAStW zMqK!oYMn%+T7e~Y9hkxue9Qld-oS;aE7VefQ2^x{%i#sGHLN87OA|j)S?VV$ z!{y(g0G4~P_+Qk5@aK5o&7K7m&NH_mr+II9gWF^5PQS+hS9S153beY_DEOxKUFiO< zT*dNF^a<^w?Dk8?>6Qur{}sJ(#&fUn9Pcs2b_gfCPVuvM?a*^ofFn}*kE*c z?X!bD8~X&DJ)0lrjptaOZ6hehbHE1lDCLWhD`AIqGM_=rTbYOh4L=Rm2=?@bhiQ8L zmbXQp|Jst;-jfzvuXD1ullXdd6KmRILjdz%@u6MK&zn0TJk`$PP&b>yOksjIc(j_ zKE-2`_>IJuyO~@)K8T}Ky-+6Nd0{j{6pK&r;Jd8JfDzLPB5zH$Uq z&idjV2&f|CBtntxJESeomT6ErOlgcmeb-t+b_R8i^LZt4!Jf+nYgN{?D^tl8x?XDD zY?nb&D%X^J1}|EJd3bJMstjlTk_1izB?UGXPv*<*&V^Joh;Fh&OD^VG397JSMpUk4 zgkl&Sda_t4dPd*SaEydCnPWz`GsSyoi7BEmEiG?J3eI@ozE~ktHHmglrS>#i+++lL zc1(lTz`#LYTw|mGqVV%5;iQ5;Q*IcIdGdERvNFiFfju8Mvy`g^d7l3_^HBq?Turly z8uo(5`alb0d$Lk4deCB-GUP_3v;(n(@{GsB*{&C2d$Vqy$BpD{2OG|m8_GM&Bf!we z?~p&2*2~cQTF)vuk0ib|uV&{zKtK?0Hf-iLa5X3jfq5^|7wNwwxaUJ=i65G(YxVo% z?*~^{_VD@|fYCl(uubLqbn=6ua+ln9;Qd}ae`oU z0WT4Vn)n>*pO7Zr+7HjKKNLns_u=b;FKFT5lFDts?Dc~ur9x(g=jlpUb;eGj}Sg#(F(hBPacT=i0H~t0FgK)wKf=RmwzZr zR*&I&wKe3G?tbF;lbdd;(Bc#4CDFzpv`w`$LQqLquAuKkGEc#)2dYE(%xc0iKd7@# z$3Ggc6<(r)!BI!h{m2?=MB~I!?RRSRIaSKKlBZOuR(9X@#MRXV>msLAYaK~`J znL9@FRP2Lw#<)0fb|9n}P4)jB>C9TtPR|+TXTXQPH(E)?YqeDwo`H!h?m*_NV}Eca zjd7DE-mgm`=3LqDPnhr`L*ohBA7uqeGUP>N=P;d=2LDR&lkXWzWMwv8K^3Y<0cyvG z%UnNDL_qVAm@D!ZxusCEv=G=8xled+h))b+XU^!hbma=&IIkGmuK~w#;%Aqs3{#lc 
zB|OM3I=|=Xkzv*eh7HQ0y&`TOB9m=2U#e(#Qhaz5e_Wp&ztaUhIYF!?+_kG~%Wfof z4rU%9WB*}bEW>e;ye-Av;V0iWGlJj2t97y|Mwt9M2Jmd<^66f|n1==Hl40SsOC8E~ zXM*d(?Zt)}_(c)M^Wy-q@xjGU2AC>uQ;htB`bc_}V*rynk|0NYiAH1aR~?iM;*f$D z`M1#k>&8M@aG>sc3$i39i2IxOY=`!O-&rYt8nO{_m!S$4>UD&`X%TL&touxc|5RN=o%${N`qDZg>MluMcCyiC zlotoEh&lFx`i|%{s~1o;O^9Iyw)P*yHao!AdcB0^R>><}{d4S&ecZj%Om>>kLRJ~Utu;)L~w2Y+iCefVy)&x~PdXh1=X2WJWSY}+17 zlXnDPlbzT>cZfkkeUFI8J99TimI(BNcZb$WfqN)(V2T4q5D{8E+7z2MCfeRjh|`m( znI2k)n0hdM{d}d*YiRAkUjR?6&9(0t{km9QV?d^mw%clDc(DzKdEDp(gvrOSZqdW6&bV;0ru8(UU=O*ksjDctQurH_gF~_w)pz5%|A6GDph+v@wkfuc7>}#1&DG*n+h>>3MklSt5W` z84`yrh+27;!<7lIV2LV&ckTAs``+&!8$IDmEGY#_Tf#sCM2~)yc$vLBp4o~yYpPv~ zFfQ;^q9n^F%E1ytA=@ir5TxT(F$~?5rSZ59#aNS%uD%y`*WPE%u{A4a&CeHqCZpNfa6|+sv%suVFVbGLSiY(T_pn;Se$JItBxMM7$V}( z=?+#=ES%z$$fZM|Md%t?KSygo=XT%DZHLinCc+YUZ_43#X@GU;>(a>-?zI8Z8hF@|y;i%)~vFy%}o z=^MI!H32;v%2suoO8QZx^tTi09$19I&&LtuvL$~m$jq=1e)ElD(Dw&-DpE-pCQf&y z@Hg>OKVfEAO5Bdmp*Bo^k|;OX%d^N(O_=^JWL{R3loX{oeueJs7k0W>#0;v2(yS{E z)Bi=O0>?{vp1w-uI#ortz2?2!CC2k+KF`ILyR1s$+~awU}fUqZ7Dm8@|g z)5L(Ru|#29M0>QclEmVyh3c47HRD3kxhntlNM{r_N_!O6YL&r_rPfFQxh0<*3Q*8f z5`e3T&l77$v*!c62Fr!&W2Ae`IRSa_=BG^Ile&8hwkf6eKe};Gs3Zp1i5WC4O;0c{ zWRtuF2(Zr`QiBYJD_R+6)^iu-_yy>qAvjyRp8UlFDd>v^?y?bi+8VxFVjv`w zp_YVKp602}tB^q)pWHB(JyH4tq*34i`}CBg1=Q3KvZQim-%OCfj525HpU10AHrw*$ zWUe@-llO8hF^R@0V?}?&JRTZqpcfXthW_lg6|%1JArU@iherseBLs`_!QXcpRsOUY z3i$w9^B6MssqS#sPrcryxGuN`r%W>EHIF0@B$+`UPa=gJ^&ci?bFxu4fnIqaL<(dl zl+Tl9=}-n7L%N16a^dW4M?!v=Y*W8HuydpD4)6{9s@8Ws>3kD){VqEUUK%6^wyu!D zhT3VemrHp&&yCV`utF`$Zq@Z`$;~l(APyd7E_m7+}2x2@nV;!kPx4qZQ^Ps;Ih0&bXcRCM0^c zd{3>(CTyjMxJk}eMBW+$u(9+AEiS*oYT)!JJ$nN=MLMxz9$0uhHr~xGoT53u!ZP)` z=whcF7ll?lm4#MF%e{kD!75>(qFY(EVdi>DyGypB?9sjl>{ArYR0GLnT-0-OtIWsp zuK>%Xv>e+HuyCW4Rqa<`=1TtG$>F(I@nc%Q+${~LRtWo)RYMFRB&yUX^eY*cQ_NKa zZpVR@#6&?XWW!LKLC9imYNDnu1GX8&Uolku{7A4oC+D%n6X1Zm7U?Lkbz3Ib%qK>0RzRDSXRvrBkMnD8Zk@qZTxKTCe% zpH6NiV8W-L%6b-j!90^_j9Fy(dAIU5HZOhtqcP%C6##^PfKr(9Mt9s3AfXWz5%5*BYmx9R?h6yNPJCh4z>oMxA|f>ejw)0h68)HRRNWLM*u?F1psZDX 
zf^q>;@V27GC`={JKV=Vh(Cd#@v|BR}f6`o4CXrxK#5^=Y!sHwRs-JE`TSUO;WwjlF zt}!4GR1g5nlRK)L`5>9y-^Sb9o5Ws&um{&7vjf45q&8{_cE+o)ZNiw*5I2qFm9>V? z@UI9L$BYKWe4!^q*Xk0Z)-;N0wcquC(Iau{>ZZ?;kxnuyMWf+NoVEfnl5=vaq!M}+ z!V*KVIR51z+$e%ByQG;cXE2D6{&46-of$;6)Ke+Ebj()Ss(dvM8bmdPXiQ#vok`WD z)e6IyD%A=iibaw4O8-`F9;Qn1KSNXy`9p04=UrM}Xgel=Gy+@{De9vMs=~Z%;Gx`5 zm=IPCu0m~Pei&?}%pj{)6vb8Hf0rkv!zh-XxA;5d7&^>cOg-dT$DgY0sJIBai&89R zO>X)gck66&s=cUEPU<*1Rp!h1=e;Ns8LMpj7`mTCjCaEb+W!(UxZVxTrXKv>4Z+h6 z2>J|Fl?))|%WcT@>OZ0RsV4t*DPUN)3_$(L#ZrIXhh6`kW|ZT?eq;f0(uou#MbS4F zfT*V1qeuKF^P&YD9S1}o>CpB5Q>~fJi_@pDG!)KW%0~;uAsOKTKgCej?DDfW$2HI{ zQxy53ICu!I(&c~*mJbf2OKY0A?o)&sL~$5nMwR`@XA0k{MsX}J>PB(JBe;iU{}wkN z%Zqs41I*8ZCyf!#H|~bfWEJph47ezs7f#ZKYJVQg%X;P)_2mPhl|Y`<-yIGEEHCI~ zRSlzUmzA2N>t>qkMS;-U28GgMNUpEA?>@vDBkYv-SLfvwXF;CHfso%3>o zX^63*MpdH6ZvTrCAb6eYNTL5l30_{>x3>2Em<;L_`$HfAeHgZ%PoxkmB!yU(E%m{e zP}Zvbk?g1czDFRlY_(A~SB7H2$ic8hnze`iJR1$ha^Zs2q{l_Ky}~4$fV40Ak>&m8~AC1m`zn$MMGGs(1tLn{_xBY zsvn-2-JllC^kSJkuLC**p(Ssbyq6V3^}6Erb(X9tpr`d$o2B3H(7%v2$#CoWA3#Qw zzcP{gxO%OEsJ_H-}28QpR8 zGI}c9l^=a60T12=gFP0HZBbvAI#2y&?Rnc=ayq9ZesVE!+OAjyH0=qyMNM{W2hIm? 
zS0nYy@&s;wdIq_Iz=$rxrSrbzcG2xVP1HI$tR2KN^FW7;thiT1D?UKdGVoCy0OO@` z0@ZX_r0E`A^aBsJJyUc4sawkCE8Z6T`*Zo;LDtDSy~y|8=6?B4_MghW9kb*JBts=z zSAOSN6#1g{*Ocb^;35z{PPT+3St;}gFx5RbV0Xvy7!jFBoRR6YgOkyuHeeKUBgmHU z(iL|g>9Id-Oz?5cz$65)PND%8-Z3E&)9w8JP%E;2QQd`S$ErlK?_hCEd8CTDxw%cP zb7ao)Mh)p-g5$i83aMNF*AO$#oXz3TKAmpwQCy-0YcVdaN<>4wtt6mnXi*K)f)3@= zrHLG!{9pAPV5D-YxdwDOF;CfuWAo4YchG79Od=@#$;_-0wZ}#3pJ$tCGx633DKpFV zr^09d7b*6Xx0I8f@!3sauzn)N-q5)vNSUbp|LP5JLCTsY!5!NVZA<`0GlzO0Z?SaI2;(nD2P~)2{MQQ#)H8c!LUlT^R|c}N0TlB4Frz} zb^Ca>Fyq+6$r0Q~{BzxXFPIqp7q)mRRaB6I|L~$B$pz7dKSGQ7TzWb-9#rdk&^2{61#b95M%Z%QgiS{25gEn|3aRJ?$#BJBgNll;Jp#JQhsm{V2+r47VM1!CFqeN z2So9vO(ly1D{N=VUYXDRNI@TLVk0(3LZbu4@a1;G>cr#bdZ5)~R-qJy>NC;+BNz6< zz3pn`9m!BNg`KSGzKdGd|(>9;QgJg+N?2uSUE@CXsi)4;IQ9$E2!Ij%LazU%z&SM@n&( zW3h;~TTo`$sSv1s;3<|6EMMQFB(ng>JjAYun+Be+rZ#7!@LRqjP@t@OSlpy~NtI~| zeD*d@>u=A;Z;Qj5N^M>Hb0ZIUpmhXYnjHXa<&ThaUaCAj+Kc_2gayW1%W343-*|5% zNT3-xC%LAs5Cis;#0+*Xb4~uk)0$>ni40cNNkjo0L%TB9r2H8=P(eb|JB$9-}PoD_8IyfGP-gqcu5$+w6M z?%+AHt*a{XK%s{XMFbp!wMO54_BNXs1Cq1*G$2%_TPjVuS9S!H*%P*pS7~kma)TTN z-r5*IF=_=YO&ZL&Y(q??#?o2++*xJ$x%;ML2be>TMHxZ&iZHpJuPY>MOZ9zK^u zJ^%b{Xqi#5-&N`#o+rxYg^W`{Q}uWMhsM<<#h-$Rnh_>kxY;?k?6y@;eQu-OHth<3 zv-BU1kgMRpCb<%1mfQmI!x3^3%Bt?8F=zj$E_vQX|D&JWM60$<5aJ2Lj?iT0*=ax& z|4{V~^3OhtJII45VlUx`bYjK_Zl63^p4@jo))jz?Y~BK^WBVPZhtP%?7UO9D6KhQ! 
z;%g@V6KkPN3$_zc!FT4Pdi1lm>Mzr5so!>u1^wUFN>&sZ?cvATOo$)`1F7@6cybJw zHNC;Gu~^F7KXIs&KgSC0U7M9dkkz_^^`3*9x#Pn3CGFptA$SMlKaVt%oAmy=ipbK@ zjm-^oj+o+(Oe>s`*n=`1tdPf}Hg6(qJtg$;r8|wRr#Po8hA1iTywCeeni!j~{4L_@ z2fp+XMUNZ-CZ<>dc5>ex-E0L@&f(a}euH&14{=)GN%dShGCx`5HQ0}E&@MbxFQ}^l z3aA_3rmbz&%H?t`quDW}p?b7M_Ng#9v#P}&|KR5VSro5^bT)27hW6b)z(M?JpPg5t zw!MZ90x!W)<0-s{9{EGlWps|bqbr3|Ny;`f}`pT5euWAN+hZ&`22^0Wbtxo+c32H9BNE_<=6b`L)(PWINL*}Q}gL+yBU~Rr;0a9?i+rqtr$|XyNH7gQjL4~WE zlGTN2<%En3W|pNHtCC^?Gwy2VRAwgW=I)qrFY|<~RVe!If4Z z*`;2T5N}1gv2Hif`d{at595Vd$&JdB`a|I0ETYkJF$htofL!&QqS@IBD@&#*h3(RZ z#_Un0{poa3Q(SK1Bqxfs4QF_wFUFGX7G4;=lej=XQ#(?wQF|rK=!1C8llM_PpdM8q zw$n5SQrUGCx(d~16*0v0dg=6@JYFx=+QGlS*S*kAemfZ3yw&M7$fQA*G5!5xD4XFzuG5__7N&+gObbp!`h1adU zk-C!skyFrYA}b~(gk>e^PajuzzxR^x3*KvG+Y%HgxCSN)37-8LqAjo z!(LKRkV$;eE~oj7i`jV@WZ%d$;wx7H+}*u>3hiYibqz;&}TF;}=9ZHU$1?jfuI$I*wsKu?jc9hQeR z%mevWa=-?YuyErMWK!dHowJ{(yKtY!vPbrGf%ycOfj?+m zggk00-=trobPa&+18G9-)}F>&cjic?ITd%%B!Y~~JY+DRnDlBi5ApNnK$e)u*>VleIZ&0NcUo%!(;dHJ54p607DnDo-JHz@ z7bfY6r`2uN7T}4Gqn)k%;r-LMp@6>2o3 z-)@5wm5JbSHSYR?4KiXdyyS_3qvQlYpmyPAA1{i>I98|nS6z9djGSz#(#XFXtz(PEqY z7-FBHwaWC7((_QxRn)UHn9Lh}LokbT!^gBP%%*p`y2gkjlM1}!fQLMyUtkBRRJ+o@ z%dN{#sqVh5_JU>e@G7kQVSbOB>jKY9v**9P+(z@{uTd9Wmq?iRx2*roK$G*~JkF+1 z9Z(4g(*U%2Vh;y;I>l>4C4I)@d6bHmch2aEYo)wjePzg4Ce7X}&NGvxXJFfxladm{ z&)D9e807r7@t_G5tFJD zcTAq$=)H2Kdc=_h&C_N};frH1A4`zRS8|=)w0=q61CDA=|DT#JY>m?J_j1!(nkj82 z1<|2Z+>G|$b~-^+^sCl3>e=n82m!`b2DK?70U>*t?WGILQ!Sb8sk3ZK63^WK?*FEC zVp^p+KG2pdlPY8DX>j}h7>j~|Djr_pqMqO*M9xJvs^4PlJ+~k4j0s6_qs@t*KqAf zbYS;)Dg#=mFRv9TvbeUv()ntJrgUrS9Ge5`EZ`6BOu!=CDAHfD6vAKM$9&}y<6FcL zp3WLjbWYD1Qf7PtAC;V71^y93Ro%tlDuJZA-JTI3XMK_#frFgfu`LT5K? 
z`q2dkqo&FJ$%lhO87BPu=<&BMr-uf-rZdXmw@U<57323J=1=QBOcILkl|}{26BuAn z1H3wX#260~`72sO?sDarI>mP~g2p)waksMTfBSC`kSEp=J8N{Rgi)uQr zO@m{$Y+uHV?2)Xpna^o;n)t$R=$~fUnn|FmDHyQ)8zf-#9ex zM5)i@Cq1v$|%U;2P|7My^Jixb#D`wG}gA#4Ih zJdlqfKB^&qd~gCnQt2w$ZCTAsjYQr+O1YuDoDzpTC>qvq9Z6>5p%d6W$!0(~3(1(d z*`g>zdSg7Lp(MMcy^N7OLSY4U%uj}6khUMu2t)b8QfaW0<;XIvE4#t8RONArlOIOO z&X}0yikOI}VD!8)CJV`J8?#C3`DFi1;9!02w$#Vvv3Oa`x-?&1XhhyYL>8M=`8z4c z78ZAF_;26wZUXEFNED6jC6qdJi6HBGrh4L}e6mU-M)gM!3Rn0aaBtalq~#^RuT!kR zn-(wfUa-}eJWTD@ujJc$j=twl%HM^tUX}g9l$1WU8hQ$DIk1HhWqS9muDX8>rWMqA z#rnC$Mv#`oPROy>l$#;N`d31SIUrGH)7LH8Ax&oAf4sFQe_w^L8n^;P=%9@N z%b<{+LUOe3N2T8_KN9pf4DPY@B;GF?9-#0Ogc~e^i2fc}lj$L*Hh+Kc<~I1NhE6|q zO5Y%6__uAXD;6 zCBex6bsc1_^FHY{AZ4N2d)W{ATCrw?$;7plR#`dbo<|5?F!#C9{QHrBETXY+ykYgU`xk@Vk;S$R zdrje8+|R(pa1N64g%GlHDdOA#!9V|YM=k4W`zdCwCfuT9R1ei4c%i*_&)d^JkJsb= z*Z4Z!Ra(-k-S>b`%jfa+_s0`j|BgC_8j#p*;7YDRl{efjVFwEM;B;?q$Ci5uyt0s? zuQZK)k0B}bl%X?HtEN_u~O#N!L zy$^;>Ed*GnZ8UNtW1iIFfTT5O+xsgO)-4nHt=B<=fe*YcoLnnWf!w?M0_&b{v)Iqe z)nAeMb!0FNs#i6bL~Oo2?*KC~371}1C@$JQC|_CwT_^h(xL7=lQ&u`Ym3>{mS*c+k zRk_uTsscPFacv>{S*EHMmg((a9#0;pl@)nrE%kR6QcY~r-Oj^0ANkuwrj_%n<~J1O zZA~hq8d?;0n!+68OaaMXW~^vEBFa63DkH4%R4IP?zo zEAWO#4_#I+KlBKIAa*MTHm-wZEv{PT9by26EU3R(Yo6l>y3CuxoemCe z#*K)xH!`(rjt52WXu2GdrqoniCGy1RvJhN@n%$_M#aZiDy~F&e2THx{;Ds~7#+8)K zuP~xTzHb<*Y`cTR+4qNf+WaBo)g$;~^JiOKZ)?b$vej!cXb zU`XYC(gl3drP<5`Q|r*}5L&)tD2xp`oA!fkzOameJmd?I=K04&U)&1v2LaF{!u`rY4_gQSPx&WQSQw*TajAJtq z9aW)@UBm?zxs^NV^8|uzqDw{n(5G-)Fvqh2;E5^-M;7g|b*#sX=p`cE64UH$XE?s4 z$Y63HuB1@PDHIx^`YozZZxeAKL0^&DN{;@Ku{(k)nAM4wm@BzWC=9 zIdSW}@!o#O7JAPC_6d>Y_fVzlOt}^-TxQ&DMzhj>ymRU|q8t!E zWiOFBdRe*wH79qBYO)?g}-K+T7S)cPf$j* z?0mMAJYPo$Lr_WjHLu8;yAc^%ePFvb%!oHEwi!=13|e zpd<E^!vx*X?_r(&p<~Ck_RtDYjLImP1=!hNEio~;Gmy*5%ipPi$49a?%v5gOchH}~gw?`KOGGz>_C z{F2q5CLuf7Ux~uObED^Re~&a~>bzx7+{~N$SxcJ0D62yEcFLYv+kROb8wu!H?=o(3 zsh`;`QGlw`>=PZ++N%U-lG&q3NlG)mX&m& zO^-lThNfRsddX4@O)(I~lU>-w76~}tj%I0s54c&_vINPg{CQOwJmZx)i?cLfj`GF4 
zIb>p4$X1)GRmv4-sSW#h*o{vW<|%SYx=JQy@dK?G!q-WEoR}{wOS<$MRgb{_ znMC^|+Sz_PeInTys-qK8EJ9$WImWD&rkERVDxY}`gyyy#)e4%Bx7W#IP;)^M$CG-L zo-H15rRW~jD3>jCLIvG2Cjm$BrLLel5fqRL5`e<7h{+-|Gbcc@^ri#7%!f_*{C#s` zIVf7;FUPayV=t1D0TUrziuA`Gx>``obRvKdm?abbOK%EX=N^JlU`EbE^(0+l7Mfe3 z?>Yz6UE_+!=kUP7m;>b~eQ0e4?o|6LlnTE?kH z(w4I{zp<(J|0C+1qAQEGuF;qkI~CiutqLo)ZQFKIso1t{+qP|6|E_b+ckkQUD=%qn z&pk#T9b+mvv>vIQ?P3Z!JmHUJ4%unFaTUq+MUvC!*$NozED{*y+pDm z?J{4J*HtDw$%EBr5hLp-@V1Yv;=0E6Ss|d-*rc!DXQ5mMtO>2($g(L6RRvv6r7fdY z30?l`#hj=#J+BF_-`HWCnqJe!Le!7*W2x_`kZD3CNxw!VxefIv^&zh(grzBZV51_l zTHqps+Vr*X$7ArliVXPQgbK%h$au@5c;(<9w`aL^Hs@A;9kAm2zQfE2r?^)V-55cG z_T9UUY(9RkD6=~fpgSJlc+6zxidS%~faP>LvKd1l%hBl)9I`NZNh>wJK< zAvY?#r()2mR5F~E(w>acesd)Nf?A&5FU9%h+9U=gQ(NapR>P1N9SKKs*o@WO=>r!( zEStgPU3%(TrMiz?%%Q6P?8D^JUE1a|)2er3t9SCQ*Fo1Y6SRu(Ub-XvAq%W8)pVgV z!A)Y(6|LA>Ii)9kQk^O{XN9CEtGV1Kk2W&Or{>=_vdhtIahx7gv9djabl3lYt(l3bgJqL|lpC-v+}oTC{2hXk;+v)Ynr^WRFK zNXRM~Y5mMXW8rwrG59C91OeoPd;;H+Jl^NXQEJ)V{E#wb{Ls7@$0^(rO~|=!lM)&o z1>uhtWAcr@3RYz%{1NHiE5L6$j>xiq!nw^1L|RM`$t1#mfkGRo`rU*LZ>2}^sOG%S zJ?|YiSIgC?L+={~MQq2G)K-6LKGTI680W;vh-1Gy{~$GKF|_&Ne4vf1*wX6IK!;;& zjvtR0hCY{8P31@pn20bsDW2rW_e-`-hphlRzSh^cZoil%hrAZr=`0|XzTjioycQr7 zp2u%MJWvE_ao^q~=)-O7y(XU4E~i|?x!ql5NWL`qS-NxbH&p22W1_v-)Imu6-nGU$ z=l$3;N1;gdulq_Mx}HH*?WeB^k%D6r(gpE3L`>ob;wOAAWO?AbNfUMvD>iKT0@(%) z1*3mL?3zH>`hmY#pLlca+iq45X>zWmvV}v*XZ6dfV6MX4j}-|+)jk|zUv7oBU)e5^8{i~VQXWHw^NEIJ$JeG$ zAu$~ofC~63dO~!*`-6i);90U?<032-_mcc4nsLPjIrNkH%m-!&6eK-w^rVyjqEE=~ zXOtco#ZbYuK7#^MWMrU`X?PrQ4bpIlMil}oYFO|eHm}=i6yJ_f>RI#Vb*|>Al87uq z)nClEMN1yC`J5(QTGv9C?DYtb2X*WZ$Vv#Qeb8VB-YyYVn`R88_|t4MC=P8NG|@q0 zM4K-Mb5rt18MDd8u;}q&#p2fDfV&fixHUq0e)~XiTFZQ_jT|ksC}DV|(~~>P%G6GU zZ}@UvM8~?dJPD`>@p8gm>-_;|HyX`pMWQQ!XNF-KGaur+gnDQR0q3MC%P1}2%+N5F z(Pq%dKb~M+nDBJ5u`ZcWIp;2v_3#ZeSh1qAf#4epMk&Bf*z1m@%26Q_9*8~Sl0Ju2 z6RP`4Eod<`I`rQsI$08lfhF9+<}7lW2Io|Hua%mqZJha2Ig;83o*tL{tVTQQN&(A8 zL|i8Id5>@ma?80ZLiA!BoCJKl4(VJW^x@tI^nq;Qvgh%Ek}oys7Sd;dCLNd;epJm& zp97!WGW8ee{sDcO7C#la#(Hx|DFOA$n=Ee%;-5#;XG 
zgsL>ll=ZLQzi~{er$YF}UH&^ygW7AW#EWvFyKbQ{MV9hB~-8kL@9H) zUNEY=|9ZsPsaJ_C+k3A1$F9panR$vOLhsaQOTqDsr^1ZCH@U0EC`i zZ;Ev}J9muFpci_dN5*OIn!rsSNT*BIr$ZBAt;dU<$2BWKMhe>tXjAr8YHR%0Qzi|B zq!*DwOrcPS>#&k|neqs_Btb;e+90^Hwe{+o$Jw8zC(x+SzXoazKL&`9$g;jb(D8+Z$VzXk;!A1VfzE^vHyEFfK$(N6w7dQwlfT*J_OE+< zCFLXqv11_QzzGM_cE;p;l0cyvU)()YfzDwuy|gP-qJto&)h8;(D58;F6RIQ@eVuHB zt)>^XK5zu@haxb_QE?~m;Kv8BjM4-D9Od3tSB~EoHp&_hpJ#t6B!f+cos0d=<)?zw zap35{9stcD3D|kcPtW%eKvCLhg$i%-Ei0nG54Y$fn^5Eo#>v(?MB0+WS6N})f%#5M zCrUxN_)K(2zC($IwVa-gSuL2K*jL-Hc^GgPxC^-WG(h^t74WY`+Ht5|y_?aLI2|Ql z?Bbm6QuZS^I*TzYX#Y?JgZO^t2(z6PhBG1WxRWSbJ0EC&2Ia(8T6OJ4u^)J0x@>-f zbHwVVyV@)*_q=Hylv(e)efpkjnyjO9B-Mu9P%4D@G{u_J_mjdKwqK^SxH+zF^UoUu^#?VXYPDGvFRws6{XN>EAE6vMX$WTr&dpSO<`CjAsP_5IrpV!8Q!oN@_w z+9>Ml!();er7Yg*mB^5XrI$5*+%2FS=09*6>~u2rmQX{U+!OIY7Q#ZxhS3{ts=XL} zxr)(rj!A6^({_wM1^#$+Wtp6)32}MpbauYC7*drj)mZ;;NG%5psj$6e zi3mQ&y&92edGZSRqJ=d}W51IPQ~NnKRmPcjQgvKG{#DsJ^w+c73b!almEz~;4X_cVD~4W(6J9lZ_jQ? zGQ+xf@8*ckoBlVKGWC!}!}8MfN4})u_3Rg7zd{@WwrI~=b6e7AV^pDk-`KtN_`RSe zgQPtKyJIqtMA&XHyhIB-y3t`1vmh}sz&KT6qYtCM$tx#EBc|I6e%E@nWy|!3tmb!> z<)wW{OZ!wnurSTD#B@Y$((`rn)oFEX%0SjYYoEp3_ITdN!*3=U-|LJo3-q|HW)%&% zyeb3fcAW6YD^S39;A0}l`48WGrr;C0+8iowK^p;bvMe1ZH>$xODOU&ViK{cnS#538 zIvtv&+~$11&ZfS0Sw)XTgi9$}1=8(n7=Z$A ze1h6?cIo{bh zoq&GrvNWXKM7_H54LKU9PpG7TOmd-uM90i9*a$ljB=Ea(U9#oIhmh|(4d5tiioYn< zsFP#1NHs}f_Zp`ap-eK|ZXdHrmxLDW`hzQAkxT3G+0HN(2F`#Cpe9zsEhaE1f$O|l z3O9lYCpIb?p^mAQo!XJB&s%QSm`@!vsH%fn9j2 zK5@wqFv-qGp=QQ^Np}-k|hYs>uO!BA3)rZd{7uO{fLiGPmg~fGAR9B z#BGeA$u&z^;_jkvf0vjd8C`>>GWYyTVX15(td0*F-o%mEA{k6B8~0Wwb2S@IJT8wW zI2V=Fz_wUXB}-S4C@T9{HoWFX$7>118wSMNHPGijM)EL<$HV0A5>cEjY3EvH;h7$bI6V+FI(67ukYo3cn+d(UjQMut5EO{ zKP#joq3&Y5AOgoO@aW^o{0(yU?wddTKqmI-j}k~859`cE{DW}69J~5yUGS0mOe0!Z;bgw1q=p&`0kxJ*SJ)F43l;@RXd>V=9eBHZ*8(p9`tAR5j4n} zij^Oeb>Y&yP1x3%;B&auV#Uh*KsH?hZ5%{Pifk zCiuOel}Qb^Xg0*h{yRj`1yp>lZEEy6CPAU*5EQbJc^{i|q@dpA?8kusb{KmOOQ2a$ z`gGm!*P&iee`noY7IzfE<-B7Ma*}+#yVt2n~P-jMd((kWfFz7oCjflPjT!~o%lH& 
z8M>?iUyl!ANERL4ALR1QeeS!0Aky!z_N7kWFLR&Xo#FZG?qe4*zz2MO_3{U96|{zq z>Q(Y5TIzlG#ucV+qsmM=kA9qb%IrFHVa>dvv&}((q88kaR&7bJQ z{?u8UwTnAF#?x}aJJ^sarxrLZL;m;wLwOu_=HpE4@LHcyu6P5@CAcu@tZ9lcx0N)` zfGbPJJfFg@zi0+ryT!Z$NeR2i^Jha}`Zx$xr}}g_9xN^LGOXYK4S_*E&ymp`|8QMp z&i1<=gWiMSq^;||wUq&hzTWn1nCNpZ-qG4U@@?+=FLDHLj?jxBUCulN+YuVFpTA7g zf&OU01M$`Pz9LwFIFL9azE?f>APV>mKhR2NX^ZDC8M`g98@h;ZGI|f(uW#pJ*Ojpt zkJ_5h3+NNOOGfA(7A3{mbqJ&GHL!IA?z7uSPwt0-`h+M#nQ?{LQ#clJxn=W;u;)p^ zdmkG1rDpbPd;alSte-hcU}rwvYqF6EtF zNGy7C9~2va4;s}Aiwfe{s7)Ys2`ds;hWdswh&9AFeVQ&sRfYZ09dhXLk#Z zlV-{Yerfuvro^HMz&IK>(ztiOAlSY}Pl(!HQAs{s(RMY${)%#uwmLOX8>t#S=H3#Y zu9GU-T$^lW!*)9aH~vI5BZ;g)ZM%6pR}RtgpK6HD--)eG)V-XPX3nU6v&4 zp&A>Ui+E+8 z9WI0rh+zOmoOftrmXD6w&EA8_MEj+iYrI{67yi?~N7Sxab3hcpajpfu#83{S0LUc1ak5 z827JP%73<##DBJv%soBy%)Oig7TlHI&Yt z06SNkDs%%xBGIUahSC3{&#rr*VXbo?*}Hns-u1gY(%uBuCx_M|6b((>rmk#cZ^u-V zhIiw4-<+}|%CSe_EYEXiY!^3XU6|NrFJfu)9ua7;cZWW2@DrCCMRiz|IcRR$b*Z?B z=T4znNu}+;U~tv6!Ha=KZxz!8;8yaN&*ozW zE(xcaGSgi*`*$>#lCIz5DxnG3@A! zAzP1mJ@CPWnllBzjROx7Ffz^lf>V!ABbK#0gf{Um&zkuQ9Neb#cJ9pnquH+Z?T3xd z&iu{(&(F_IoAXpA89pC_>%y@kXWuAA+C_%)p29mRun`uzI+?kjpk=m#vgL(B8B&D0 zDq@ht;!_~i!tY2jJr#bU&@Y!|RdV{=2HBxVz>0(t)FwQpz`&6&=MeP5fnj$WfixPn z2UcpMFfLgEqE5L(a0Urx`jkDUDBBH4pFLCrq?{=NjT)FO=hqeyJMwt> zUb1zP;D%Ic#yxCZ!kIQV-7H@LD#3;x$$(||W4iMoI+(P2lu*s5??Vyhj)rVM;puxS zN>O3`K3U|?$Pw*2#k^PVatmu~< zvyetbS-iQMNa#)*zt(S%ZwqjAcz;P)dxVmVYTq6)i@5op--Z(*b_xRhQd}@)FdtCP z^>p269~`C?+p(1cNucZV){){ki;O$kaL+h*2L>l7?h}niModgzM0vaSw;|qabLHz7 zgzkd|!Qp9WbxyWcx2`AigZ|kg3*h1-N8r_rRRoh5z^VsetC76glL%*HQ=frgupZca z4~q{F9W71=J}S|lI$jBzklb3fIIq+>xD%_G(%Zlm0Bs& zNam=ml}b=k&h=RI+e{xmR@)`Rx3Ma9!)<9e*{EEPZ#siV_&iU3m1GyV+}EWex?7l9 z!53dE#Te#J6$NwpAsZe(2-Yd_9KMXtM|E$YBh=sJ{LJR{Pki_={NTRgAQ~YOZeoKe|+zpK70C$5pQH%*8k~k|e z5)EiL)c);bJAv#FdE@*h%p1k=#_Yedp&yq2e`f>mKiD^O7k%fsZZa4wsLqnqw(mG6 zketoFT3uQoi~8gqV?Ctf}&aJ8A`=-D1nr92@%fnV*Hp%DbE8U!r$!9>f`9`87iL^8s3c7CcLIPoYcuwu8h`)U%Hml)p8s6 zmT*DUKM{4_e;@L*qF4Dy8FZY71TVWj=zww9WU1|`ZxRRYi!VKvfpFMZ_V4Yu4bDq9 
zVcT_Fgx4Wz1@2R6!^JG`xbbaElP=y@K;Y0@tD}Pq<3AF(;E8mW{6u}Seh{M+=>%|- zD+ZL;t;A>TmsnwMHtk{yfyM-9Zq3#32AT>#MW>>W{~S0E%$GhsITI}dlQa#@ANS9n z-!!u3d^rI>lD-YfMY`A7x#RY^JQ95IFnq!IeYod-i1vKA?|v|u`MAf{uu0(iCc&QX zPk+pO5r@*QHoBwFdP8%Zd z!9xNEJSY8o_C-H$NgKL>1Nvm{D!Lh9NrljF3qaIy(13unSRZ z9uq*#4$04B{*Rg^WeK@UGA6|CM~>}2CZI%RV@lL-YWyLY+qO`srU9U46HvM8C15hs z3J_@`3+#NJzAk&Z^HsbaZtv|rW{34}Ix(hX85ZSb8>jvqt5xVsgZuxMoC~nY)0<9o zEH()>8nU1p<_wT`yh!2{$gT|j3pzV2=@N9$X-0#1W&!@36xA1;n7tq`_+O#@IVL#QxC+1e$|{4UyX%Ad8V{OZVg!c#!%q> zS$%OrKU5Yp#bTG`BnVWliXFDdY|d~YUXl#H(mOn1XGab1&m8b$Wfy!35K0I~)uw2dSb)eE)D;kBD(QHBxbfVICE3n)gPJ#v(Do$EH zCHGO$AeGk^$=NfosK1aQ0oUT5n8pX@vVvz!*!q5)c^mbV8g7Ow0cHHF7j|WCbUiAd z9ErT?NCB2Tl7;2K#n^UZ|BE^R$^NSseu}S(W$rfxd2AF1!)8*HJf(mmj`jI6ju*K}j@ zAMeTEyB4Ha{nH3ep=L?W1Jv8o06j$M)L~#Bu!+AP#$J*5E0gvl^jvJ0xAQ@&TQ%PYX`a}-r$%fm$1_oVUd?UOV3UaK3X4&1+=vyh2$gDKH zld|@7Y-SSst?WO}M5|chpQLweK8hCJBgqm!WCCb>*aTxJmv8R;B(CZdMCA)k)?c^>!-769 z#dgcMe^mxQRn{^j-!LN24nS$gSNfp zN1o$lQCbD^NwGkwOkLHaHdIHdL*DoM^Gx;QW$wpU=bDOpOCGwMbMgH!IgS)t{=r$J zza2OEmWr^4((A2&{K(<#qik*XKNB_IcfMtN{m_G~h=(YGcYnAh>>A8qvGn=rE8yB- zF2UFYK@d;9wnG1LN~bA?oO{l@62sRi^^&B6w_CmZRCKjk<*2p_dvYhPGg@wm*_z()!*>mQ3g1D9&ktGUTY(HO4UH#QJ4 z{yzbW*0pT3SbbW4)Y2@1Z24K)A3%oT&&=eIDW#1GGZc8-hV#6PKq`emP*7w`7RtV2 zh!O4V{t^C3e6(>m+uxci$jzY29?i%b+0oH7jjuDO-hj zS;>6)HG#@_WchFe?T|w4A2klQXp0e&UR%*DQSTy2=Uhvo7-%{=X2B>MvO!^2Fg8xc zrFx^nSe7^%U|}vJ8^WK^pkzr=4HuRmCVonSg)^V!u%mm-tr}<7pwKHr6qeAI(|lb!OCnN6>lURnIh`m`oP?1k`TJy zM#lzsVuSDhEsc;+)JiZHk^-G=yzXl3$@6xWoLY-o%wH4_1t;yMAkk#zlY^gOvtEzz zTO*IQRK<}s?$6#Z!yfN%#*`k+Ru%ZT zq9O2UhS&=<2D)uj?5m@qC|&^=@4UC)L1@%;qQ@3j{HLVHBz!%ohd&JNI+F7&?i=jby_S?|4&E>^!OL5$k#cPn>-S1jyS8fqsYf9 zoT>aLq=@_zQfw|Kg_@r%oT$}c+7h$OBWZmdkT!w@Ut)$cS~0l$g+XunVVB)5q~twUgo!#gd6dfdjiwg3+e1 z;;yX6)UB5ptNqpuXJ*&ebQxut?^cliC{93}PufG_BKA<7wPO{D-bnoX`e}fB`Eg68 z507WHKz}I2XPPl^=o&|T4lRH`o*@c=CjS* zPtw=2<|@#|T+{?-i}kY_a2*Zhru$50t`#m*HRc)!26-QK+t3@8E~ILwuaoT74GWu*lTZoqmJ*qu46tc zllJ;q3-jx~6QBCony|x~pLpLpm$gk?(Y6+fy$@sD!1IEOE)88u## 
z4(n8kq^*D#d^m(g=3ClLI>(J$B}v6){Zm==l6SMEl3z`Lk)b=cIyQD5&Adaz5{uyKXpgUdl+~i6nIf`}8AH zb7^59ZmN{2rEh^DY{8@ z8<^uVHd~+_o#Jf6lC;vGY5kU7m#-4BVaVTHGF_#OeT)-{{b{%>{&{ge3_gjnjK-i1 z6D!CY&LW>O^l3e){gEcARWryv+Y3ISg=n>h#b+xz1>=7`*u#3b?yzkDlKAPNY{!{o ze*XtIelmob|J@S1Ww%nHkCC;5YdZRip}mg#uQ>XK71pDHKa_{jvw6MFPJ}U>oXo^z zmidnbC(ZaLX*AbRM13t%V91R+(1hF=z9-UhdoOg zH1F`{2d}nSid{bs)~s^chNPIs5#C{o(~GtF#R~MHEQE4VYcT3rjf!BOc9n^h0u>95 zuU)Mu+!zyBP^Bb8MMsyqzd&!z6p!rrE(;AYQVlWpX%n?wM)3D5xCj~esS~xP+J4k= zod4`w6AHHyS(PCZ3h3wnbjTDcrJBHL!6g1aAOm>6RyQGcl!7vw8oH*ifGyg`fUO*{ zrtnXiDg#JUrMU0)CAjabjl^o`jrlP?>MC%DO85w)*N=SMUFfz%}Wwj3&EoZLRjv(7D%)tT}1! zxq7Wk*urP6dU`hh^wz-pzas3orn6Q@v)|CUK-t4nd?8vXf4nPZD3w|F51A?cLuQIk zf$GHa=W1)N}x;**KDs0*vCTea(*U6S5z~P3}lrP`w~ZF;&~c`8p5y zFbQ@yK;bu4&?FYxAxc;;UwCeFnI+StF%2teYPbdpzgcfxu>0mX4C92Su5L$EFzx&y z34XR?h$Mh9#pGkc)Ui+MyLDuQIiAMz+!x#%d))&|9<3jnYx_hnPN+NlLWA%Y9S5d8 zds|?$?-pgVJmIU+^kvA4%CFN9I|4elb1?niW3o_C`i>SS)oYBO-PHGWn6& zC2yPZ$*v*~g^~I86YxAf#>aj53C$YLtf&hnp{-Ej?mpY3a#@|4>>ana`X}!>?x?Ns zDshl9&-0_RgPKvPgh@HdQE(>0Z6@HzxtMKCek`y`De>u1|H7(}jOK#MAJv_`1O4OD zPUnj)>oAEgqiFpxhj5r#fj5?RpsPzrxINrLs7=aFvHe=t{0Sn?7!6v=Q^wE*;G#iq zH8}{5S%Xfs#JkRflW(YjZ9>L>)6h1Uxr)kbQw7at7RHO-@ukSl`h^i}>cccj1X?Gw zK$yA2Xs8S!MtbS4RZ_Gh8M1B|9d5fIMh@f?oQGfs!iz`LBgf&$J1>EWhw`x_5JP7? 
zd0knu~lskG&^5a!TPgfMvcZF0VhqN&XVPQcR z$2urwhpHdZ1)W@U2hV`WcDzR6on&Td+QAvzp27@jrb8@osW*dl@ z!RX~&(haSMXe%`lhU;YxC?oTYd(mYj(JWZDdd#oky|Mv)S%*|18K3^#i$w`0QW zph^)UYtd{p;Q;@oOp|VB(pfj^xajc+OCcX&(pAS1sngWT|e8Hf)TT`pYHpD|YOg-zFLRSJrjY2&AY zOry40HXKcdVQ%N!pL}FO`m)o0kosm_0UfE_|URu}!T_TtAN>L^lT zLirTlIFBzif@CwU5F)Jy;7}@cQKPuZ5GfV(Otb(?s#Gae#Ze0?_5arN2NfYwYHRhQ zqCbiL^2fQcXp34%oly{f^J0|&CGegS;CX&q*`;|~(U-x8O%lX!zuDXc`h?Q);&4p> zqdL)!GI-t%Mj4U*OmMuo8H?*k0;}scFtquH+NnXXaJ^wn6#qDk7&ru7Q^|cK#R73A zV@i`94cnuV(>|Rp`4aS@?#*atKW<185!!I>W6E&$W;&?3_E9STRSHQvx?4dMPj};l z3Po%`gC~~X-XXL*XKGN2B)A0@n$Z}s5TwRxGsFQp@`Yp4uRwv^l0%+#&^f8}Ja%lG zCc&8*G$sA98_oce&dFK0qF~NXqQTGb48hwTYx>yG=vRhHrLbu^Z~R4rvAesJG>G)h z*hdta>0+weZC^!7z&-%IDla{vNV%{N=WJk`!BxU(f@i9IK*!L}^rz@Z9D8h?w~utJ zw?af(iB)OQ0sJfF8p+=s=6a)4i-JZK7?)^yj?zejkHw3Nm<~-Q&alD!wyx^Koy%&d zB~E;|;ji?u1H&T-q=1_;URq27X~PHGgV7%z`VjKk%~-j2KHqhmVS#Z<#tmtBcs6rN z{xtZIT5877pL|wFIwp?#$t@ytV~3Ku(8mio*lFwr@IJ=Qq@r=B+H1iv7ZmgJ_beEr zVz?FXsgHC*4#7Y7hm3YY+4nUUmEkgMaA_Z_FR3r-GppnG?B+8;a{SzJVMaQXy= zCaOI@s=ST-PG;IXl!3zj(M$woFNf1ApoodQ-T)xsCjp?D@~{d1KblDdKr?Ls&Cbcj z9|^`sq!r)b$1N*ae%P4!R`@s{>3B4Scy(;2E zjUJ~888XIyQLaw@9lE$Vh1%Eu1k2G126{;rOzbxjhZA3R+0M(LS^lC(sD#_NS*+>vHZyazV53>%;zTaVXibi2Yv#g zHTkS!c*4j#AC!<`byl%gW~Ai2%4U%+Q>2S>6uW{0BDH=V$BNshil708+?!pmmyfZ1z`c}j6 zrso5-M?OQGk08F3SP1f_2jI$2ga>0qny?>oFG2x6-h2cq?P$J*6XE~k%DpK7MMVt% zhzB&~CYxYL>J7SuYwbD+txlmk@)<4ISzeJA62}yJ0uj z1%pF!qtiX$6&UdG_L@}E`#bPA^%-xoOcfo2Yl)bfEwLgEOYqkaS6`h6JOR~;;g z0;*y*yTscFr!EnbluTT@q$PMvTiZgJZH6gMC!AEg$2-rzv>f83Wibl9I>P;Kplxv% z+4{=qX1MtJZSx0~uNp{Z6_Yu{>+p7QzrIZVQ5P2_T4v>l$w=*ATX`qy_-5%5otpt#bi*=3xib+fRTn-#=Fe5(;;!{D%Z zkHXi%30?g;lq32DFUSOUX3hJGWsO6~-|D2T2s>F00>g5__iKBeN{RzFw8O#K?d66$ zGHZpn!ZB@4HWH(I_F5vd-Z)=4+V%R{L!< zYg6|!v54b65u#mSxcVtG(xxV$^(5odLfzXgONB<4G*h+u9e(;(@Nyt+X_^xX?0dJ~ z#vHLP>A&&B(4*fg@RV_tnqKnr>fcM$JHNo2j&X6v6ensO)IP?2(gEzWT@+ytm?q^HxSdOmj)KFx-8U)jaRm; z3qHVZvubO_AsAE`%b(~)@=Cn#Ce*p|e~0jcb_$B*3r;OyL}haSCq*X8Q;Y$&C{d!0 zbA4n7Dk`kBDTS<#Fl9uX0cyShpyp4Po=og1Ia$bx*6_#Q3 
z(q~BNpXFqj{>Rb(o04l#>_5&%I;9BqzE5&~zatcXXL}!llg)c@WB)!;YOidd+lMVO z8>rj-_~pnN6~rM)*s7@<`JiAR&{>=2^nQYYysKQxymxfZe&YMOAn|LNF4IgGs%iao z&xydTLqwEfS{@kPT-3a8u4VJmUl5&+m3d`;&pa))E}e;e0DDI^ht{!?D*VA;rkj`N$PU(gbaX*pAJOYEJ&Oj3>RuQ5RrzFAaoBhMmw9j#e zm(v}%RrDp)OaAAGnwbBLGs+cC(;lDh;b)2mR%O^VQ(t;yD42?t^3gd*o48#!g<*2H zDi+;Pi<;$VbXw!hjt;SChQmuSgF6CY4$GtXH`$Jj6zu$d5wFh+;(ftyELm-s(a;Z+ zQbdLnj146s#Yps5DO0rN0+u?Im;SJ;{0A|XY&r|^fl z$IK>&q+BSDp{Cfu+%1?9jQA@(mnmfd0&W@2aljw?$nMisq7pZ^YVNoa>9E$aPUa$W zWyGVSF{iDymih$d%zv3rjZBx4z5wQ}l@22)sG|9=MO}wXxOrV^!0X87Y_GqJAz$Jd~REENThP zBKiDp!T=RZ@B&_^wZ?EqFOs9QH%Tmk(VEvOFUa#+L%dHThvGat{@|*OkR0V67hXf@ z1>{oZgj#WZR{hn;fw1mU@5Xd(>7Zwvl)ANdN4@J3X5c(0D#FwCUe?DAXJ0qH=4UwB z3T^#F$YwbNx=;uFd3wXE?E#d2>81#}38RfnXAE3Z;kS9V^XXo88E|Rn3&Gwm$iQmO z5tNoUBZb5_g?AXcMKkrX=Y2*mt8kBw!>(&iVx2YKv|k;lk)9vY#S=~;)rE_jv6xxn zX8A0bX4zmY`aCoA_`Bqn`F_6E4r|FngFX>|nGYI^2qzY=GKS7QUHnUOWRA0%<`e#0 zp*0w!UgUiAw{oyHj-$NZGihhh~fUxRV-ehWD z-ehT`T*G6djH}hE_IU8H*7a{;T%kq#O2vPfv)_g8#kaFN!Mq?tVqy#E_O`AX8|ayk z0hogX5nU2b%42n7Z!>b8cm;mSLdCbh*Uh)%RwN!?Lj2POMBP0_)MAxaOpsl&O|6ktSSq@sx-QL5(n+Zc}2L1~PX^Ip!lt-ld;i`OfN0 zmDdWqpoqyMfo^Lv0Q*lyXO$;LyJwD7&QsvL69-a+(fr zJ6N7lO6O2OaxJKSth#TW+1-gdt0%>dMAuL>X4T(|Es;K1E=OEy1%)!;pm=%)EQrn5 znmu;o$X2x*|7%s+cboRs)AW6MAyihEC>W2h?9b{WHP_RsJ?37^`-_~X?RD8LXkJK; z`W3;=?@Wi^&%8N`dWPM8bF6}%^0|GGr&-kYDc{aPCE{uEss!;H2>Bq^3RK_6er0{% zXAQ6X+)CYS-{sythqKCohVlIUJu+fH zzCy?8vV|>F;x>tGcKlP4NcU7{dhD?fgg#ive?dg~N^^8AkkjHy@5r1k!Ekv>A8|j~ zepCy|G&F<^=P}ctJ4qPqk04-4SHTe>FR+QrAeT;7O%L z>4gI>trMM9c0!ZTE6^pzx5hDqa){L+d%TE$qi$T7)YqJPsU6#nJS%Qxe}#RV0tX@w zKSML4IK66fe*G|XtICC6AkS{)#b`)%T;a#UPuBj!$-D;+w+c96#z3lZ_9dh1_%~Rq zS(&vWsg4bzIz|41Iyt}kIyFw~2iknYL|$y{H}<~x@5t{`Ri^bP!wUU4yM#3MRJdQJ z>c6q>m^ZDdd+kPze-c}copPmoWzO^8CRb^{64kGnvT?tofBEvtxZZl}_?|XStsW>T zxUma|7Ix07S)nIn?;;q$S>dW(z)DkZAE8ToNX~0H;-)_~C{Hl8jn+20aB3@_G8Go! 
z#_kUANG0GS9IkN7#9_tJv|bQaj?_*CqQX(AWffHmAIlpVfNTNDtOF z4boM{MLy9#^fkktozd@|XQmkjtj`}nV}QL{;E8+| zK{D6+ToaC&ySK$bi96oJ4Aqe?8Y$7k6%*&#aVJ5FcqaDA@xLeEtaTEQ>(woO=e;T> zAY1-6kikRYXLYxFJzzw+7A`oCA2nQ8LDBK&F#(j(gW3o+0!=vg3K~3Wu;l|rKpBl) zJgEJ@GU{IOuZ;3E(V*JniKzp!G0)>>MwDXe|NLyV06&}Q-^&Suzn2S9b$XOhOg>O| zr%MR8HAinUGuPRfy1D|1x8);nw+9cwjuX-V_Q2-&AA5jPpJ{OZAE8+|W|emW{>a2& z%SaA^azr`kgNhy1$uxzHC`x@K^>;40`tM9O5dLtU#RL7JJb9+bI2p0kYY+@6Wz|~2 zF|r{n*f~2>tCKz^Opyc@8?29VC~kRfGV0TJEYJphl58loZ&W*{FAtwrgOgp67cbU{Piv0-;r~ z_f^>L9;{TqzI$~1{f&`k7g@)?BG@IN9QK0gq{3e?w?By-9C@KOfZX-S*xnn zI`(5Fk|=Hkfq+Z%f4kqUOZ)jyW14baR?c5)^<4vs!^&n_qfW2MG(g))F~*JFr|!c8 zs^uz2A7b6N^}jdq#e4V_;BgQ;IOu z&BxvkP5QnLa88RifF3H%N8Kvbt&_w6@9kg$O+ia-=Ww<1)Aur>^}#odyDJoo6fA`6 z+Uo};jy5pIAw6bs99~63BM@wYlam^<`&~#emfwfQb-|%eEW2a2`>o(hz-z)`Rj6mL zGnTpSP^E!={;zz(s0c)XJiok}rMY1YDA>8XF1%yyYBPqFIuRj2_kQnJC)>c0#ev?2 zJSz)H@fnQnBS4N@7+)CCwWSldDzD)HkbQ;_18>Ckf?>g3_cPA$9wzmDNy#yFAadIa zX=YDrZk|62&cG9b5FL^3*_uMUH183gSp^bS?A5qTUlOej&Nuj<-v0-}&)olWcJsI* z#U^Tn7eyGV1Vg{>jF|=ELV*mM4r>q|L9VSaRH9vmoSQ^15CqT-P}B&QWJQ^nD2YtR zRurYNDO&QB%;GWYR=YCVX*}j(??qjSG&C}72^HIUk-nazHL^!TDBj*!&9e}*=|&fk z%d6vvRE)qG>!_FVM`e4*!FQ!7Dpoq?8*I|jD&@*YN5ZD+uEXA8drK*C$eV zrg7WpkJi7Jh`Q#3E`e<39-Qq4R`DB0Pz2`?>s6&SFyCeBiFB$6YkKX zSu@zUR5w=MCCQfR(38>%Mw6FNg^>~Br$DBca$==~K)6bG^W7C-FNr;ywttkp9jDBd z-IXA|>jF^3Vvf5dzzh%k5PamlrGhzj=j4c$OGIayC}IqlOi zvVxdj_rKCuE4>lT{Aa@G7&>v}h2<8oDFBl1|J03^yeR${;afxb?Mf=qywH|SUScp8 zZN11XZQ2+al~z?(GzPA&qTtCJZK@Lyb5Y_Je_fiATwF*$&O(ynM!v|0+C?_V{g_(Z zj%!jSoIZgzqAJ~#;uXcIIJrJp$>UWvS?g#*X8(k|nLp17+}y~EGfjw|r__iC z!9F`B4Ws#Ts^Yik?bP2P*Wp$BslsvR+pjv+5p7Qq%TjAJBH${vnoz|@0?t@=-2rdZ z-SKyJitff|XSg>v7?$)NiZETG9!i5a%Y0Z4gTC!R_qpwBfVgILz2akPCrTWYY{xjf z&T1t1bF{)cZnM$M_Mffmzn|-ruGNk4+;+_zF)2|ScfU>&aFZ#H3oE?S*KnNe2@9>G z+dhTBL?HKrYzwZ@jh7xxd)2Js+ccIj;htkE3+x**>ZV&bAO@wY9c5hfvd(+Bl6M^^ zICk_(N;H9|a^|?^Mx8nmYFZAF0YxU63z4XrREm$yFnlsLQmK7nV93--n2&oM=_P5(25|M8zUS`3Rzl? 
z%`?uT4!{$nl{8pxwyEx%{`1q2Eg`AzQ|X`o5n%(}3y>8ns&MB7$Ws2Fz~MXoty$kW zRSKCo+C4;TB1_U|Ek&a*`5rq{|Ban@4v!``4v!W(GPPPdQ;;jx+xa{dj12b$d1m@aozvP8#Is|M_@s`Z%nmp1u)5Yhn53vW%ThFI|x{jC}wx^ zIG|f&eqQ=Z-XV`3OAMH%7`5bj(x$s#7rhd{g;Ntn^u%}{&PR}i8TIL74sH1rF)C9^ z1X6`EiG{k>XP_;Q#aAE-OHKa&?J!xHdPx~w#OpyQcdrR8;@vJWTeZ^~( zSLB)76=Dy`^S1V$I^4GbFANcOkT+*quT0D}mH-i|70dMv9@))@@i5&#Y!d1bJ26tT z)Y{&O2bo&bRD89%1*S?6Q&5$PU?Q8qKVV~1R1AW0fSC#|cHvL}maF}_PmrNrL~#^q z5y|q~sm(M6(?`mab*f%~2r!uCBxYPfbPLh{M~+ikb*lu{KYK&ax&CK;_NWp2X4^@S zgp-r81DXO4YtfxQHrkI_=pRY^4%!&SlIB~812MZ45~RXdeNKA;%5X98!W%zNMGM4L zb^s#@0j!^GK)1?GVenD<(!GJD(&i{eIJ>7)zpR6opiaTBmb-O}*Mn9%Z8!bG(w%16 zBM!qT7_lWkw~xTn+hz!@daHq9w%hFV%?A>=29#R1Ub<4uOqDk9zQ$Qps&pJ&TkQvF z_bAvHhEs6w8)runBA!Rkp=nHs0SV#-mhas6{37q5!ilOs!=ppT*_T{QXbYly5&=M#m$(MrMADiO|pK&gbAi z-@#*YPEL{*xZ)ONTA`ae=aEHCQjY_$=e zOnAn^CR4r{RDQgSx`u=~wdV6ss&cPw+kSb^?s@)2h3i6Zk%0icIU0Br%@A(oeM8X3 z7ARkc*PCx?UZE%C?ff7pWBbDj!A4xAKyz|OE9%0$XK+mtJ1+Yi70CqY=>7Z6@Fq7)%s|RCuvHYlf7D2xxKCx8jRVuaAC>(?$ zkAjN>J8DFjW^r`VFgxn3x8b+zS^`tOG*2QJp64wobyL*e}NR$Df%d( z?BGavd&O(K6WR&xoX1_?9IFnnX0O%^!`jxY#xh57Y-z{c;I)cuB70zbsH#|6c7HH{ z2`5R>DjM!ATDS~7rhysI6T{nha5tP&cUK%*P`Lu`>-R%iPccB}_+CA3%1fKVXeYX~ zvGAyp=&BHPkBMj8UEt?J^V(YMh2M?8ZEgTwHs7^vDWHG_Q+LiRl)zr*Ce@oW&$alI zRS#+{F=i^2`u*wfOjHb5xIpL`p`F3U`Ue=|+RvKg7wSf_3Dt8o7$G;4GoH`)62U ziKaksn`__=fM$EyJi^qkWVW@#$ed3xLVERIRzVuLTHF1`!{&H{;rz?@~I+) zTo0<(i8*Dj`+E!N^|mNQ!MUseu%spQ84ikz$syx?TB2gHGP0_gpblKc9*U*Ywj~V? 
z)Keu59kX{-O6FNv-Jyb6i_#7*f5OEgsATm%*%Z5N*IL4I8FuUEmc9Ox^Cq&$q^|u5 z1yYV-s4kBxnXigJ$-p8_)NUuySxvM_v+&H56-U_*plaM?r&hVjSHaO^YMvF=R5qa< z!Wqd8Emc$=MBD1B7Z`_!rXeyFJcz z&EQmn2>8qgynlR9E(N5l_%33@wkkV|Y&P=(_d8@ni(S^e_opA#d3_&{UPp^f#Yo+) zwAkcP&v5@!kRHk3$bBnFkK{41zJ(v@-wM)sZj1E)UqO2GtstcdJd#IFPY>CbUmzG9 zVn|mG-~Xo|jr^BJ90ZUJ>;#a2VNx}w;lOB-EfLU;UniYDZeN!{+m-wHPklcKiUr4h zx&C*dK=`o0|4l>agF;WtQUrF36yhFjZb`NODcX4}rE@b61RfCt*cY}SS06P6JpGP8Bb{c1Ff2oYiGx zNR)~s&-2w(m3QtObarb@1!h?JtE(KYPZ*oGqEpgxdQ+gfyY3pSlo*pHj<1%I60f2u z`ctr}E@rjiJ2$1@eD(l>lEygAYUoCNrylI>ZFwWvmmS>*AR<-+xAA7^svk1v>oMAk zIw_bHGerLBaXk6qKyLxOuVTlbeNJ-$eRp(Xu6{0j(y?=0ty?9?h{t-w2|+u-vmhzj zR76DaEi7rtf`E4ZiI!erklJwK9am4pyNOrs9h?u4RQN7-S@SOR_SXY)ZzP1wX)&1H zXO#-B#Mu$`?cIq)gzfqdeDh9bt2RcCrVkRm``>wQz3#7S-<9{5)zn znw176sIdoW#BqnZKapKnvCDuCnIg;`lkkxwKfr_&ipbV2_N|IMn#W6_na1}(V8%n9 z1=-9Znl~YDXD)6ktxkNT&XcXc$Mo}{ht;#ZR`6fSpex+q*JDJp@Bxfk{LzvKY=n6KSIPs`#--FZ7iZ1LIw7B2ujeQn$|mIs$$4@ zQ8>X=LS8S+t8KKYX7-LnH z6DBm{jcw5m2knkuV`m3>Lbe`MU(p`~aO*q%B_%NW_b~5xzh$*x#Qf9!7CFW2UiX#= z;Z{zkO}U$y-?BR;3^`i$cMv^V?9mV?^2AV4MB5q`{lD=0Hk|fDC?*$+&j73kSY11@ zLT@w%y5BN?jPI%-bCSc(MT8PMg1wG}5R8(i6P)fdZLAsO2+4_F8tp7$hWq`M?%LHG z3Qsk0`kNB^Igq%(DK(ODVNmM?h?8&3rz-nxA#Zy<#UvBdeZBQQzW()eN}nGB^S;l_ z{4QjS_>yBDYiwXmWj2I5TD+p_?E@tjTUi?l8p6aYQZkDq%Mc{#Z+Y8O6H``zx!Pkh z#3}kAty5pzrtW^&7Sj^m68}y)k~~PWXmhvSdc-C=Kg#@>ggAt@vxgwvQ(}!7yqLuOCQT-}z4G zr>@>OWQF~N;fa3M0=_BoxL&cld^J`*c4;so6V#li?~3wRGSlmfm<(s+BVlSH_f)~Q zvCxyhAVS;0M0h@m1EMN4hwQH|*?w?@1Tc6O(R(c0U+}|eb+e}g=Z!IsE*V)L{hdcP zPkJrx3m2Z!(-+pZS8b4+{RP@5?o=uR_Jv*Y!~mANngc=D_4duj-rnz~Z|1ITa`Pj4 z{k$(=&C2#E=3S=6cV=_**kLigPtp&-L|W$9xa`vMgpjem4oNh+eaf;~pwsO>!?D7% z#WTf4dOpw+#)8K}>F`8}n(^+ZNfc`x76vhU&= zlfL=EQ`5R`-agsSvtsA=sefF06{z6GqqsLnJF)DTYHYa57~VX3E8^75wI1@Z*}^=b2Ss;lxIya38r<8JkICh&o8RD5IW2I1{ZyJq#K{o=@` zre)JbK{9c3PM2`Xe^%nr-u#dD^&s^&IOjEY!ZEwHIhw3Mp0;dM);Fy1*aW z;>h!UicVQL90;fB>WY5L3l!o}4O)($`)TVpvn?MWg{ol|Ivb3ZgC-CtF)>9njq$7W 
zUfT1?O3n|Wy;3ZZ$?6*w?s8oW2E5{MLnegKi1Ry2e;?o}TWtrYD02MwaAh)_jU{SH#bm_iG%L`nVzaB3}3RQ|tO5TyJK;7Iprz^`y3@>P^p zh5s^UX+`6!_{V2!{oBuJh&H)th_>)isYUa_Aov55EPQu=0JxvW+}=N?#4Ol}$my_a zPA&^`XvWw62DIa=oRvC|QvbV+u4-`VfX%$`8y$4&hJ55a(G6-(L&kIp-6nPyoyb7? z3Fh&u4>b}J$*8~#=^kX;Qv23@5DfJv0R$F&futOz6rP|DzX?AwZ$7aTPkT4KM+-M= zVxiS0#3*~Xy@G;@Ai)n&vG}SbF4r8UMVLJ3P}-r=G3GZ2BUkPra)(Rqd8TH7LAik?yM4Qr&n9 zV6{QvEc?ZP9@+@yD-$wdf!ahwU|zo6ljFNFJA{5e4oBrh6Uf^ew27xA-g*dMXElaY zjzaG-++XEdLzPC{@bKtwuxl8r7<&u~+y>(zXZ<^Tn~q*}d4p_ja^CwejgNfUY*6C6 zygum{OAj=|JPtx8H=dC1pQ@%zHF)+DdqUx6ln57zBCiIvbs2yy6Mt>*Y>u?r_qd|a zM}(uA~TWoFUbrnIqgMak^Q&ZuuV zdf`k_uKe3Rks<}YsT1x?$#7~IB|hwCyJMjT-KkElSSTF&s?x z9eJV-WQ?DaJ7c3*u@WUcREF~cN6uMi+!AqVb(c!w{fy=Z}7074WyG17&}dy5s?L> zU}SUGcFe}Xn^u;ynL%Br!$X~+y`D!k^7%rz09e%u8v znQ6ppRhK)-Vt1KQu_iDrrR0?@3|8t0Nh@NTbdc`4MY}=1o>NiWOD9MzWrtWB(7}4+ z3311j03-jj9k9t8W@?584G051IeKBuTGv7=b1W6yL3nPz@Z82oz4`3Fu zB6zC!k=5XSK6n($7=O8Ern33+wf=^2+-zMn?F+u>(@hVrQP>!Z$}`2i~y31d>(-zs~O{FsJHifWS8S1d~`Yh;Y0V* z7>lMaNn|?u`TBE`at1~vwKdbJqf2t+th^4Hnbl}BM(($KT>vzyXS zClM~gOKk0Jlykn_I%2wVosP?Bxk|M_#HrOmQ&4#O%aL@PGxrUB@B<$)8s36{`f}gh zwDYH@dvWeL)1{Vwq!1U+pWz>hMPI#;7Fi>;o#;QYIPQ<@kdOa`IN-iE{WNuWFlkGl z4c4>6+t_FC%%TgIUH*1TwPY$9R9Ya-41bi+u9y(G90re?%Wep{n!^Hm%|!*Jek!~4 zE~+jCr|zUlq3s?{Nuq%-(W+)@Z+zk!BwRdqU|qnt#imxRriwio(xOdBE5f5UDF}iI z{uG+C(J@*cK*JxX^p8KZ#>~l@5PojqnIguDB};i6{7TkZPZ~*#Akh#DmdcwhQ(BaJ zA%;-$ID}jcd&i^=x*+%gP_iiLjuhxmxKnAP`i+94K<8B7kttz1-YAC?rBTl``|#BQ?+Kx!BKW64K0LiD5FN7ozszwX{}*tuK3QT2$`ssAPB#mTyqi2SQHt%2?V1q z&?0<|kfLTb)xTr+f`vzSch;Cvlixi1h8w(J-rbbv4C~rBDy}qJu}cJ_{Bqy@Y6y!^ zw<1w@Svm5$2YH!1_Gvlhtt%7JtH|g^O(MM;v#nTXMGZlEn#_aVJr^!WkR9H}$nvCg z&qA6o=|*iJ{gS`8QC*? 
z#ji@HdRg+-UHv+~;LGS{%ZM=oc!xV`AE!D{(gaNEtyPxj!kkj1N}XCt`*P0jN}vrM(;P{uwD8)VAt3%#l6;sM%b;`9>;C@O-d{cUol1yt zoEl5ZYUTttwNMuv_G-C1u)Z4AVFhkeaRC&VkcF3;5cs~szZbbWrgEPC7~&uKl<$Rz z+Bh8QrPeX%s1=M(PG{_0R$|}_}7we9MGOxA2p9> z%w*y_B@P8tGY6$s(rLlSfKa{L`FlD~hNMa}|vsc{YyZ*|gRR zageWofJo(GSR?uFZUr1Q37>*~&Yor8DZm=fSpRDb4(kD1eH&e6m4nnP4b^t!&xW~X z$Fai^rOdHPgH!6}uz|&+(@V(?-OPe^ZvHH|_L0jbcy!L+levCvey-m`mmpnhI`zn| zz>P!NN_ZRKw_d&4M1NqF#yP^2XdAxc+@|J7baLwia{c-}?8TMQw=)a~pr1|6eQL(u zh+F!4I}TV_U?KkInh2mwpBKvSb!M)w6W$PG!c=T)JKAMOVyDau40o@$V6_&65z~Gk z+GHExMErc&(zeA;)j;Jz>w}{td|`h$*vaEoeoZ{~Z1Yi?LRW=h$EGrpe6!OkkZj`T z^VSc)42TZl{n1IrEV3yHN0s50!f@9fwX8Gy%gzJAgZxQrd23Td%vv9~KND^z(0%=F zI8E^lljnk`ne0c*O*y=@U z`#t@Q;Jr5TWGfS^D_gP#OpI2&OVBx-SVnZY{D>ZWA5x2q>9*>R98#xc@TB36!K9kJ z^f0h|`Wqs{c-}pcUsocnl)93`V4dIf(;ZDxgL1V>X@^2Fy%vig7n3S&A@&x#K?|rtL_luAK)u+Dm86Ne5E@mPb3D?D|BYmKy7YKZz}*Y z>X!EVOf3Mtzh(@icZnj22c+`UhAJb;_QZ0XxUkeN|>C(ymu1)(*kX-QHdJIQH+aczw zi!j?oLRit8dje8iGtK4?JARpi%jei&4A@oqhvE7MrYE~E{dDs$2AwFj&q~`)`ZZGb z4QyIw?hl~8dOILGb9(e(+VU8%b@%f|AoBorvV@a_Qo!3MVv&EB8w_@;mZ(+h z@*N`*suYs%Pzd;agQ>^B8$O}p3p-rJo#l(y0Kq-Wn`KIEiUFD@^CckV!&_s#I(^+Z zM@25{OuZDg%6h~K4*oeP-4PU%WU0ei)1HTvaf;Il088(+x14rS%}^31E8=SFTZy1M_plSsdH z!a5E7=ka>$$uq1BNo~NsI@}Z}?8C46mOBSb!cy%Q-O=il@YhLDY(k(jPg$D4mX=SWV*E4xUech(oA&Gj0m*l_ffDYGyBiC@e57q_ z@QBQuOj@|0C4>_vy^#bHCj-Mhr{?bPCii-x(2u9VLkG)qPNEI7h4ob zi+c)0V11$IcaQb+yT_uD5*TaMfn)E>%;PJi6L@nMrUY`6H+No;|QU>(Oj5=5uy$0VdlD+6q(Yrz7JqNJ<-DOtZll4TY+>v;wzss7UO z`B?cjOBm7SA6TanxSqWh@$)w!+=$rm@c3OLQeyW;pHn)vE=#xwVv?)x{73r=vWHw} zW$*1C)RvUqbZLRXtE~490gKbey2rCh7-a6ZhkO#S_m9x)h$DK=Tr+abo&WGOYz` zjS;}s+EH;b)L3hkNf{wR{qdYj8&*)D-MxNlgfjgWPdRdyLk90N%*nwKxV~sy*sYyb zAz$oNTZ8EKGid@WEJb;5cH{>qN;$PbuyOTuHM&SMvcXrV*|5Yv)&n{H?I>q@d2B9oD#Oy9M`i%QgH8rqb$)T%-2;NTJ&jU zhwa@a^G?pxJ|E5;>#HB@W}nTgC;rS7WzP3Bid}`(m1Cn1Ssr#}N;gJNG3BhMqwRc& zmb8bhZHip75Cyz%M!1(G8k>U0h15G^duub9B&5r%CydH_#$UG~ZqCrzX?8)+sD_Hv z?-QYZkH^Ve2wMXXnx!LYapRJ8tmeN$?l*OByfUTsbalJAr7tm{ca|@pMDH^%FS0hj 
zZiW-2HvUkZq-1xjf4t@92HsR%HEE3wKrzV$q&#j({4OgIqe&__ zk*8t(?bW^7#+ZEeGWtNxx^^JK+W&h#R9PYq)^06^633iYR^wP$+(cnx!URK1;;Q}D zV^rNcKdG($Hiwp3t*1wRg9wA!9Z9{TpXdeU^J(;!DSD_yMWS0KnMC%AOYJ<1^7qFr zmu zK1ybLwW{XP{7xu?Ca0<>qfB`)av!#RF{n8~0BV*mM&&Z3p%`PEOPqsVc%R(UJQ}^- z)K&B#QrMzsVXR2m6x{xhcJbly6?tWuPhHoYa2Kf!8nLS~8QIX@?bswIEJ&0prkQaB z$yrHcR`>8s3TAV@=9QQ{mOn(uEF@pFNh-*^hEMc zf61M-Xn)Q#1|-UWX_E;J7fDESp!;B*^BvN6oY50nGfGz!lgWmz_D)D$kz~u#6>zwo z7O}`2MqP|yItOJD`6MQEKi_C=^p#o>X@d@ijYiSy#KTx+C{(+7Zhr(k- zI!gD{m((Wb*j3MaW>X!v-JW{s{z|G$3F@}xPiAye;1Z5oha&OZcb9hoN){{yVpJdA zi5O>~H(Dm&JWrT6o62s}nb@O>dP(K2o3MOzoAVOnhwjZnuq|a7 zSRc)moVFON%HQ1vD>xBA)B6PvTz%!Q)}=>6Vqq!xx3dG3I`oJ}Y5?m`g)Gm_6cCr7 z<`($4`RgZaOm)Yv#0W83dE8M|dzuDM1F1{UWf6hmZ0-+zHy~VyMPK3VEcFf0yF^?M z6^X$yNS%6rMLK>srtBg{2S1%xk_se%Ey*+h)xaW@5del=Z!ZnwzSD-rF1q7S>yjv5 zG(wOkc9YtP-LFi3z^Se{3)Lf{LiF65{Mskv7_bV$si^gqiEIP~7qLL9#O z%T@FT%g=HLMm9plu%xNh(S|bl2A40568y)G#>RP-6s++oV?Cr~%i+|!4m_=lDdCGBdEwR8m|D@qfM z_ThC`+^ESV!veNPZYbE=jXl|y`a`Zb1IC}lKjWN5rYUHJK}boGc6fZ$Pg#>NbPbG1 z+e{!Pj)B#`RcEZPgejyB0UDGnq;k>-h~9aRA$$+`f@2zUCYvqnQOm3&_p*w(&vxFt)CtlbhOv)612bCILC<$nik<6!8IDEI6eWMX7L0J zL3~1^$6~k5lx0{v+DOD!<^<{I@K2+NV;$B^{7k6LUz^l~vb(l3S1$>f5^~bzcUzyZh7S^PDej^$#^O&Zr3xpV%GlKMbCyDOTwTUoO(^&f>BsVNzQ9%d5OhAFu zJ9F$p)%zgjNri$31*r>*1FveNd`B6*dGp2in-NBqfLGh*N0tE10)EY+82w|6z-w!1 zqiKUY46?nwVFw{7NF70-C3=2XWC*Ph#t#Y@>P4l~sB3Kiz;`_fPXw}z+P$?dmqmh; zr-=DgF?{#S5CG%A5-K%CbGdpQ0Bi^zE2kHWv?u^myL5S=Wnn~N>IfAt;GZbqu!yc# zRkaA<7v3HHUc*5uodF!d`ji~c65GH_ZAwFy?a`o>O%-5d12=x^vf{u?8oC>XgnN&< z&R-nAquTM_v?BR5)y|UXx`F3#+`mK|h`T*)C%LYgui9l~MwxagN~iE!RzH?j-{5cE zbJ}Sh2_lG4r{B!{8mlQPDop$um&jPI?v6azeN?w`2M2+)KoMh?ECgX%faf$+QJLr{ z_%+VX&RI3A{2J-#|F`yhf0F@H=&V}C%CEtPCVsX%L|o+@`>XNx{39RC$XXDtGQyY^Fbq7!DS1WR1jc?Q;R=%J?AK6jCNF{azegJncxp{o z*aCJ+!!>z9tg-rj4s^CnVM(Yup$N?X*WMVbazcBL+ga$62-K9H8Ldb5of1nvfV{eW zuzZ>-3%JD>gJDS-YB^cI^5=XxGQ#=F;^F>{G~Q+reN(zwMD7G{N^)j>i`%F$mI|f5 zTB9BOPs}PE?Z5Xg_pJF$6IP_!n9eP8?hn%jyKf+{rpktXeXyJgS0=1*C{tlQ3J)+$ 
zZmJoQL%^QgdNB=G1$46g5Ou>zS0UQjAkDMd{d|q^UvjFP{56`<)j*v(Rl{ZTh%;wJ zOjR`XAA+YRZ>GlQqq$3aqmF?MB6* z)~+J+&KM7??Yczs)(!iRFW8&#a^Q?t^nUxsojw2a zkYkfS7m3{4p-u*K{)R=pWO}&*)0gf<*g%injk;+d!yWYtnt9pq1g^xZJ&^D?TmW)T z+Vfb;SG;;~&%9s*-bTw(ZH=H7kMabHOsWRdw~Q>QyYj3a(==q0M?gYN-DSAWHtA2j z1Vem^lqj?m#Q>INoy@waXU00%g1@`#xN|-V;nc-wJKK1w22uxwB0>@=ID^RN8s&CP z%DpU9<1mD*omX~$zRd~7|+pGcq8A|%{2mnSGK<8r_Laui16$KQ|r9&4pe2C<0p=A zSBrszgS`V?m(Bp8!S9@$0y%7K(bLU7CA3Mq(kX{ynXfgp>6tlAa4eJly~d%m^J60p z-Wr1YmoiV+F@6sNB14r%w9?USz7P10(q$v48_OkYP#IdBqns?kyre$)*cLyv2>4tIeF3aC)U(METIa!s^UvSnp(}A0?a##2pEH zfQaAZO~!-s+vdL2gw#T%PQH5AxJl+{JYlLcnTB!o8~Z5GI;ynmx05HwJ&m~+|GJr+ z<~zLWCn9DPIpaxOdNU?YQuvEpFILaDBkEZ4KvTWoY@gv3v;~{Ro=`GXJWJDhgB^Nn zrunEvlHv2kr9;tUxJJu8qw?qN=IMMxYGPI5Dk%W_`Yb-L)az;4D!p2!VD+3Dr@Msj zlHFKJRp`kZfyI5a>hxFajmzl1-VMTM!OqEi5Vof{{n*PEZCsIE>^p((CP=yeAvdEp z6Wek-#&y<9v`3!nnLaMfTYr8k|I~W{2+QJ9d6<&v3c1HUNwDfys@A&$3}3m9dXmL>>KwYT0odG~Ue5bZb=db4H7Tgf<%7eZrc{AT z=}f-?ZGoU>0fws|-Hdfc^nOe~)my;FxMTR@9lOBU>kBrZfK%OXX8hB}`+n1$flgQr zDkh<4(|gaR{?xwXH>^&4KW|L`HBu?$ggI!jgKG=6!mh{E@cuVvun#zaLyu`$Wf@%R$Zr&nAq|wGVTj7X z6rG$osMv3mW~>E#;Y6v6tIkdSgFH%(9hAZmR}!BgjSwFGMeRtlAV-w!f6X96+LiVH z>KAZA>(<;BDn*0rjo*;gu;R!#Wz%=v`i%Qmw~Q;6#rX|wu%ljr8Qlit0-gu4mFi4U zF+_Xw7bSWv$FbN)g*v^k{)&Btrz790>HPN2>hMwC@As}5xy-aZUF zsj3a?4=mm8n0oY8ewJFI*Tu!IQ{|5Q{qEShbot{%ls|S-*mFlL6#3&Ws23s7R>c}q zfkiO>UUG(??+(cuIfuf0w{3`RCf{uvn)-L!Cc-+6DQDCkNn#lQvJUtEO8W|+ID&57 zT`ag05=d|f?iM@{+zC$5#U-$~YjAf6?(P!Ybs@NWaCZn0$esN6zw+My>b<)4c58Na zy8Ao*b=P#wIj7Hb$5`+3;#EW7ldQYqm}U$38G(Pe)et75NJbq(S@pp`CK-EccD0FX zZe7FbBkn^6wFzX5(w`QCEGe3zn=olTKBa_$Xc+)iO_ej9@vVN_A#5u&UD85^A5h0f zzI?yfsq;-1q_<(7;%;L!E#!jhmzYrG=;`fBFuioODV`Fq(qQ0LB`xJ7jDgFi`6G0A z$!U$P!eJnz{mP%PFkeR!5dkhD9$J8gLKWXCy-&3-8N#C~Xe1=|1?^6(U0tWGk)d4k ze4^Ub{8QA9jfX{uSnurs5KHEWqrzl zj0{}}IS4E#V_9e+QqpQLkb{}izz^PYMp7`b~NWTj+ z_84GJX`2%_EJX*@gmuZulfmZi1Fj}NqJB5kR8U>8Uhh;>CynBVEV_Ya({=PM^6JrQ zKP!2g7-7{6#ULZFQu9#V$XPI4)ByrE$T-sIFWjX2IQsq`PSBbs9~mFRNq 
zO2u74uUqlHn}0>H{z5`IX>$pG{f;NL?8naxk>K9rI>3iI>fY26StM)tHqiOL`bVA# zk^b}5&twfpYvB$z2ZcXk1(?zb4QSHpwI*)NWmkycTy$0+x3R7d#n0Ql_L`v!0=;s@ki^Bw%mnK?m=Uv$AvLFXpDKHZ(BvdpZ_2dGbn1BlLY5GA(J)3*msQ!m^0)I(Kz4hYrjNROI2o-4u@l);aw#PT6^U&Vq-VqC6lc1LB)arq=ruB9Ixb`S7 zD8@@im+G@_}zfRwGBVe!Ax22m6X`Owz-tjNvcuyHG^uxtk}hq zm4Q8V0PafK9k%k<`^ffVK)znyDDrc>nt_LKo9ou0eDs>t8+iKM&IadVQYo266^S~G zJaUW2N|gLU8rl*=lZi}S-zyWS;78b0g6jZVAJb}|3W*27pXQd7wNd>Z@yaAC{L$2g z%=MzO<*X`Etgs+?)u9rzIHHUxe_4FHF|UrXamBUt=l$HTkIVZFJl_xE`-wp=hk~EZ z>BSJ)A(jt5KS#$$xWUaLafy%eFFEdTde2ZRFXu`e+2q|$V)#d-*PwEQE9x5~%&~s% zS2v@TgEdOUZY6?*6UXFcdg4?iM;2S&!|9k!O#W9n@t%{Nk7&9RuL_P=%8TMNRs}B| zqtP?x?7F6&%I}qVn2>2r^U*lq4oabtE~Dk{Ucr22U&VhSM_Yu+{49Sar%d?nuZt=+ zOiS-eRdTPLVDXz>(@O;^1>*?JF=}+Smfso7XZS;hj z%WHh_JCa$!hrwl-{d|C#FZkjU$IMvU)v3Tw^lFg?qB^z~C^0p-TEHn$ZQ{6GMW0hu zJJk#4bK&s&`5Mi=rC^t#>!X7A5JE`nx!7m}N{K z=erz-OwD46RI;kxMOXHpp9PD^3Ju=CXOm}ba_0F@-WG!*>o3f)FQd4lVv53<%>c#e z-D^N`qS$`DjEwB&*5Mm7&lD&?6J)h9#%r3H0F%~l+cOs75hdG~-b<(@rHu~z1uh3~ zZ~vwyTS0-ea_-{1c3aDcZkoPe62N*BYr>gD<$_ReMx|PKB2&&|PTA|GGbIxq#W5-h zxZ^_`FgX&HTa?fBsIQ>dH-LvvXy17eHC^ts@QUuOX}!$;bw8|?&Y{uQ&|vcz+t=-x zAo^3f0I;B=H+CxxjmR1w*%|U+Tl|Hz!%kw3ugl%}#pwu~_}eyqee2SPUoMGj?i=fB zBkod~!1Ibz8nSq5Ns$=c6y@Whn-c2lL+hT&F+cFjWh(m8!M}^2`GlpG3At?wV%7K6 z*MF~EPtAbf=s2mQ--HbPohulTC3^!AUmzVV6w1BAfl7kv!3f%KQt}n7Simddu3#Xu;p6PXl`$W6~{$_AECP#))k2e7!VljNlmKPy;uh&W0Gl zG>%^BJasN$Su;E06}z$($+lr-NZ5(VGkAH`$ef{IO9%LmhO%1YC6X1z&v;y4A$T(BK-b@L zyVxRnRygmn_>zc1**blzOsM~BxbKYnR;kG|D|d0-f%VJMVv6*-=23rXgY{u4+zPv3 z{czeq52`6X_6;ky4LL}I3vtQNj*$K<86jn`zUsCAFw`{z2R6f~!c@R+L{b2}*ucONq=`O2`Vm_|Kcyx4c0VQn3|DX{FZN z_i>Vqq`pT}GJHsTfcvi)7BVYAB?!|&2zFNk+;{cnpP)+WS|q!QDV{`+7j{fOd)!Gh-v^d^Gaj9M}iY58^50bH?TgF1ur?&`o@Qbi4DH5!~9a}Mv>&K!Qe zphJ4j{d}Ju(~z0y{L+G03&uA_L}y5uqD{-%Kx_8#E!?+^QTA?A;WSrxUA_d}ehGSK z`LkW`MIzn#Y)!K!MjoRE#}tMCj9^e}FxaCd+ek!gV;8Da*h*XtCenpn@RT9A(6iaN z+j{y)Q!?Edcxa!Fu|VI#t6IU@`MybJ7{(g#SV_ntbz9bP&V$|t1;uhf?SC=)jc;$G~l)*LiQ$=+oNk^Z)_O*2&1YA%rgiVr<7n^GS 
zXe-I#Z&Dm%YYcK8&Ni2KRL$Vru4FIc{XtA-tt3Nc-tpvy5ZI% z`2kpBWYz&i{>3s(Vade@EwC&@e_TJ-8|Pf?xR?VoRf1=Z8J;*N8PPdSrY#n0`rTc{ zyP@F6Z8JlnwMl>V59dO87KD%;=3kn2S5SfOyr6~qurwt`HF>>bHTh-32Fu#&&%iWr zDP~Z}NdHlGNVdf0=uZ*~_CQwHb3p!v_g;;=SC^6|n2HRQO57=?>k1y2^ve{X7ibtV z%3(KSEl*27>Whz8icL))BOikM+6OnRmh8>KJKu5&K6P^SsJYWFe>*r=AXr1fA*mE- z6-!2ko=(zrnyT*R0>%`j{Hl{5%(Nk_sbug(CA)5%{Z1e+Wp?iVkNRzDv~PJ&n+#!w zKh`E;;Qfie$BBF5N;f55AQRK~pOr(iv>8YHDC4O8Y6&eq)JN2by2*|Ukkx#(-VIZrA_W_YrwH7qa3^btkN_xMI+Qk#)-8#xwgyR`{ z(#12V|8O+B!@sV}?J?9iY|kLDgZ);V0?Vsky;=EQQZM$hDS?g8su_22oZKaC_R;~$ zmC--+{#4UcT}%)BbjXaniF78D5;pl;5F18FGStoj?y)C8iO44{;%OT4N8SFCA*gJu z%2;&p$P&}eVT@>86^)E^w41exLjkA4dRpg&O(N+zF5{E}PwKUxgXKQx%k7Jp4&$Pf z^X^>I@~$(o)6;O>DyeMijZdBdj^o~Gn%RJSF2v0swE#PJC9RMwGL^w5$$dY$9p3{P z^XDNhn=c>!v~QdDRKs_kD#wh5LDzXTrd1EF|2;I&1UgD2v(FQ2pF0q zV>d)Ps*s@63*)S(k91|2mJ)O#vPh=G(N84$dC7oh6iS{`OHTAL7EQZ-_gDi@YcSZn zW;={bfE4$J=7*^UT;G!DC7C*U|Myy6cFtH#ihYYE-ZABUtRJ<@~rE+ zN1u45c);p5ct5$rgil(;7ej}(8chpTY0VDiwwU8aW2$yHUB(w~we@1XT6Vj)ngxnF z^$JA3+HZ}}sRnyfjE|+QB9Ie*6bv^L{=wuidOf@%y1jc~UmhU$arg{+tT?~ceM)?n z$#zNzJ6{RID%bAGjS5MIK|*<~=TwEWn^?!fGAQR!^(P7#EO2wTLGZ zzH{B{h@`xgJ=5VYdc|HIgkKaVa*o@Enj3Uz_>Df8`&C($Wlo2T;Wypa9(29BL%J)- zKFx8sel}v{>L7iFjGfY^d>clv`m& z{-f4ao^47<2q#2<=%*i6jUDED^?7`nI(5c84eP=}i=4G$tofMP#gjp7e5ni~&vGd3 z;=t5gMCh#Jht{DVhorxu!Gt>X7OgCe3;q@M;kgBR!mc6ZbGE7{Pi+e-zjNex2;eOI z>F>?4*RyQiT(qO=zYB}HkSZN`uPyEgM7(0JUwMKr+I2$CMlG|&Jk1_{32l~wYD?j- zn3*q2>;$tWd+9RI!(93*63#h%2!9ilWh}ht6`8~(d;j66S&znrD$VTTZD37+u*UfV z!waWq8a!MaL-{!7b2r`)qZ{vkwX{(Gc~8R#{GpU3L&z$wsmEV;@aKQvReZ z8pC(}&O=OL31@Ty?Y4Ji9f`p-S`NWX`gBL+6T>S0BUE2a_{)Z=4ceT{?^)0|aI$v* zPuW0NP!daf83>ZqUZF(xXB^Jx88(GUX(Kk8SENI!Y>i;Kmct3Tnx!CV+w^KP;;7i@ ze!=T_>ov1ufo!+$shbfb=2F(-E8^>+Qt3z@%U%(c4pzc5?x50yFNAUS!<&eep#?8ZCU59io@r^YUYctAF!wr0u7+&&qpu{CIab^3oCRM$k zVB2Iyr9Z;{cut$z*jogtJuhQKGu8Hd>Q+nIJHk0VZn&xQ;*}!&kTmOWGeG9JgLK}V zBi>B>fxYF;2WSM&(e4j+O5Ig*@?wwPn!$>5KL4xuz2O!l0lvFrO0jqo=l2U@wKCM0 z&d1uL9;nIav2ls$3QOxM`T3Cxmes2KH*VEXo*e$g33Xl<3^%;al4@vS7%qzcMy43< 
zit*H<<1=}x*M^Arr&_Jp?KJWCN)k~Ou5qT#NzL~TidO=jK~95^(I*OX{n44DVRmir z5m~wEs_@TAVa7{~Q2V);9Gm+6fr2NPl}IDK=LU!KZRpWrD4+bE6=b$X`c3`jH8L2) z;Z4hh+FVb5A~AD^C#JUVn537lAY_bFTeJk7(h@%ATr9q-0F1~Rfo)0sb{obUUKIN3?eDjN+)LCv{)2^zfKwhkvBz(U33=3?r;z=dtXC;vl zxs34d_21+Z-(QM#RG&pB`eWO=;6kHQ6cEHUGnW#>G=%S$()w{U+TwEE!v@#3t`aCM-Z#I^x;CgTQX={@#LeuejN^rPR|sx&r@ z_wA=%=j?zdNJ)l62pF__bQk$iy%8*kAzun%15{OJp?9*U#Gs{~YRSZruKsVayFbR< z-!Cq%QYzjJZCFIsN!``$O0L$E{nn3Nt3v*j8TR1^TU}`-=5F~*g&@k>Tspm=x`$w3 zm+P?Tcj(kv#lE+>yH;PrFu?rsCG(mmVueeOq8=rq8YI$M$ntbZiWa+CcyJ>Dln|;w ziEFwby=T8~JT}V$5xQdIf^(tq{S<KF305WP236(W+%?aK#&r?8Ig2zDVQ6$-2# zJnZR(bAE@0uQAc!LdeU0N}fX7wM#Pcw|o{!pL20u6|%*P2o;q5iV9#e?|UQPzeBdx zUH7c|5N%pq=(}|6!9=nxaER{9_1DC215A9;f13E!|6$^1=l?bFwf~y<#yZQ|{&4>= z@%d}sYMxCg}h(>BXfkhfOso8_Y0aGcz4=|M$YyeZqStpalpveiXH8OPTeF)<& z8tu+i5Si_$n0!lqVn&VI_9~XaAUW+G%N>dvUG@A_isaLdn~Ttz!eG;JC}C~HZv1wX zFHs~!yWw*vE|Lvo!9-TuV)AoT^A4Riv}R7el3j+SyutcX0n~0I!~d!xt^m#g>1|hb zDu(^J%`*X^!4#*f`Tc9{+)Dm6x55JG^@q~>Ac5)74~s!6_e-;kX`PBU{)vcd zqbRoO9S_Am^ghMq9Av5YXedrGqn3u~vyz-;j*IY<+=2VR&-|9$jdbsN{7H%VJIr(`+O$4y9B%ZuY-*R{Bp|ifOxs04%YJlZ zkD{8zF}eeMf!es*wC*KF&Cz0-X4g0dDygC6W+k&kTu$QYNd?n%E{J=98p_>MZt-W4 zuArB;Qj?MBVFWI)!mV2Imj)w!QVB^j(JfP@xz(^~UkS@c^sd8K-L1QZkZ-}hnoY`m zEsqlsItzaSrlLHwBGf{SbZ!&6Z#fUX6%l1ge$mcLF%>7@slj+9O_EqLN+a!6c+~ol zGG*DmzqiD&GUFYsi?xkt(-Cp+sUzUjwfpwXw5eIP*XD<=F%AlW>ZMS%R` z_=%1BYPtLovy?E@MigpSi@L2c`zVZTmWSg3kvPJh7+UVHtgBjdBu#YU`z8cYqK)QQ z#eW2N648wF1K-M0Cj`$si&zeioLPUkWA)DgB9Xp8g}incgLnhA|ms+~RMb zK{$;vai~dOA6s37S{HQ`Qjv}r5|}5$z?bRTPWD49cR_i?DHUHyxi(E{+cG7#v7~sA z6_*%!dXz8iu%m(sId^>Y1+GD?NO9)(*nFQMKl=SPEEg^K5vK}_3G-#7punFRjCok& zMu^-$n#iYYF z(8i;y8n7pQCwETW+vBCuCWdd?%;EoHF=p*@iekY}!qhsvm7+_Htf8p^g((b8S6CH-q&{fXV_PQk0B;^Uy&@Vth(OfLLzd}B;svUx;9IsO_uUX zsMEyI;)quE=1jdf$R_Eg+jiNhuJB(POv=S1a1p!>+p9rX`*cg$hA&Uy`q8~6B@`oV zuFLINZJv#Mr7`TboWL*jOUDtJzHJsD{(pW(D^7qr+h0xENRtNflT za0dQeZ)Y4=vrZ8MyWT){YC)uUIO54AhNNkBJ0t_54*y^=lBa4xGBW+{WQu~X>w~4Q zg+T@Wb@ybTm}Ua7q+RqRsxPCf3(fW+9_&RIp79(9n=5=+AA2g>2{cjoIC=l@vs+7G 
zmh{poMOY{0W%^W(w;HWCth7Jjm2cj!jq^!E8S?}~uMvx4G2+9-f$@XPnbS|1NE?9{IB(t4m_icor2^U1IP5uCShXbO9%N8g9 zZ$k~N)RWSt`G)Ff5hx>9A{d6{i~F@4tOVEO=h^Ef1xi5n#eJYK|2qu+A+UNT)!|t$ z+EqA*8w4mu!XENjj1Rt`cjPLdgdv|97Z#Arcm9p;9{c0gP`%trA+Eo)LM5?lPoP;$ zfbx(JdY1zz5AK2$&uIe<2}fJqg)>Vwr5L`rkphberKCge&6rmQ`fXh`lYA_@`!U|m z+?s=^$%-v{LvYi+(gDHphbKWB1UqaX%v@4oOLiW5l7WC4;6L+1 zz4ikvqXnz6O22wxdTPl{e9LdJKH|i|A6%9ceuvbLbPYdwm9EMyF1#Q9c4Ciqh}gT( zn*sR2#<6w30f(=@;d%tb#*|`W+ zb?1I&bIgTsvtVuQ*iariUMaL^e4_ldPVS>PT^U$znNXcEMT}{8BEoDXSvsMrb#3cY zi=;qJKP4BfrkTOV=(y#+5d}?VGeKZA1(B^&pU_bEYfAyr0#ascVE{VZfZ$z8w=^joN8^9$=~r5EyEJx>sC(NAE8rWfAW*P7ZG*tC<{Ak zoTvKbcTu7`wtTAcQm4PjLu`MTXUE;Uo8CnQLYxF0u{(E+Gfd)j|LinK8*n5z#pUSy zHmcml=w}j^jCSrpKjaVBq<-ybF1lI`_d9iFKzWzYe}mdv&8N*}ux_Mek4*PQQy*=!DtY6^v-vw`1+kfysK>)>Od0 zxNd!%Xytm;8%{16jAv5HzO<9_oEc{U{2Pu6EP<-$)v~E#9bcI= z{CihtBSzoHf$W)Lz0YO6qZx4{wsjw`Ic%5*r@6rFLU_&egW|Q&Ql~6dex;)A!S$2C zJ+IlG<3r;e(_=X4@&V6_$tJt(@_oPYAKJW%#n$AsPSG;2yDBy(iuT?J+n$;qftEzD z&Ky4$z-in4`3AovSbfluF-;BGInouEg9{cp@I`){yc zGz|}`0gI&O^gf9syST%vY(UdG{;-@^DSDZ*=YIB(|3kqdGy&C>3F;JPYd#hM0;leA z+qhm%M#K`LOG}-YP4Am3d>lGR!6l4W7tJl8QloBpvUV7HlK(m%f?T0cE0e6%jrS9xWS z_NjD?u1qbEGeE7cshX65T4VdEmVm3&h}{1}9>9nzenkRcGy^dD zABp{6peGZI&2NFWVPeEB|81&R-L^B(a(+%J+hCwt%rPLDWB6o(tobd_h5Vedw!r{@ zu>hbH29W%7V(xF@=6awt|C0ItBY6k_0}YHqk6ZrR7nA@kplkTqrEDbuT2Z4wGC*qx zp!K(Ac3E3VfEFb{3+RrM{~avL`{8e4{21V-_?OK8k>mw{77suR=q-DImN5Wc0cdec z*$)1t1@x9ZP}2fHizjAfG$v`6OKJ3bDk!TU|Mmx3z#pr z7b0(mw8uq@PG%hl{~=Y91;gQk@IfFDG6+H2LIcCsES!uE1fsnMfe3-rzaKD&>>p%u%wmGpqv28n<*iI(4ZQHi(WHPaB+xjx|Jm0U*srNlq`>$Pft$nZV zUfpZgeaT4zgP;Ha06+jRs+g&|Q^%*-PyhhPJOKcpe|>9cZ>;ZVtZXJ^{KL%J%+buo zn%3OG#`@gT!(mmV>F`staWhx7{!v2WnovIJt>j*6G%o%q3b&k^tE!S>A1IV86au6M zfI^*#ZPU~HFylhRzrbkOSB!I7X^c3Ik5?x9vHbI$_cK@l`?DP*;+|y5wTN}dI2CoO zP5Zfs2{KNvfSi+(tGBzT^#W!l^ttlr!qJ(l(>dvMTuj#~+8#II<$bgkPefcv#B9cm zCvyDgQ2el&Ncy8`dZ%@WA8ClQxK&5gpPObzf0<*iwi9upKbez`9)U+Iec~+x)Qx_c z6t55Yv#9!NpFlcjy5t2&S9mb^NS7aPXIvivy=~v?7+je7YU6-TP#flkf@*T&lRPa# 
zDHc8}o9k$=SJ?z5ao5aS;|PZ-353uO_EPA>DtmjJV%iS9r;n%|f95SOy9izQ(Fmvn zZC&-4f~E})hAy5FUM7ln=&4OnE9w_pRbCB_;l}Xma`7!J%fhs&R@;;}uk5e*%dS^S zn)~|8E=By!NT;fKk`@)uO0QP2nQ|dvVTSp^YE9?;UQoEkBeWl8!dS9q*`T~M@HXXA zhsHjFQX*wi${bNpPCxK0OQ{$5bCs)tIg_*RL6G4TCvZuHF$WlQ&VCjQ>Ib)6UEI!P$QxI2ZEyGe) zh$=I!=F4$HzSPprIdK*a8Wy%u%)cSc(*@7cf9w8H*!pXxgL)+%#VF<=B@Y?~^QgiS zocRa#p{8Z?9G%HDg_)>$zXJ;6w<+7S;$%d51UysMvyAM$MKpTG2g$^0f?XixAT%I!7hG zMSiqeBaZ?pn@*Z*AjIK|_ELyn9|43Y0LfoTCIIjpAeIm_yWk}Fa!SMppsOG}pEu39 zY;qtK+qmCN>LU#-GT*FHUPX0%-@26D-CE&kZI|r-xRC&N%OevK=jY8#f4QK=D znzSg>;J7~VQNh-UF+dJ!`%?>Tor|^m?~;f6{f#1sxwzO^((@et z$cNcS4X~=;LT(V99kQ+S3fsfe$(8?VSa;bC=dNg(p`GbE#{_w>I*2{>Ept_OV$pSb zh;!|A)W8ybn7Fpw`ze$GXb)zB#B3Jd1I$`87+9EZ4iv8cZznZu>9e*;TVkZnMiXYlGf!nP#U|N}csAL z8(4ewj|zgUUZU-6vf?d;N$_mjF743qb6-U>cTnv*?jEP<5NDl~OQ*AJ-9DE+#^L5b?Ag&jOGf}jd!QqpdUPl!9hA>O-KVKy zhU#eGrZHWYpt%?^WQn>R_0lbu2+rRJWa^v8oq|RxgcM4Qhp-2<@1A>eepH?h7tE(V zrLzU9&XZF(5aMs&XI?;YZV)m-jTP}T1<80CBi{@KOitDeHcv{x${mwsn$w4Apoy0egpX^LeW^!A;$Zc=+gY9HjMe!`Hca_arQI{pIR(J#Z`|PX!(MmRFFqi&1timEjFSZ=eT_syiB|50Pji2i4k$9_i!~w>Y%g z{@sg7P`#s%&Y0BNc-(|&5C^$7eA$l!)WWP{Hv;w)aR8ZTP$Ec80c1XoP4i%p@0VHu zx#CGj>^;YWPxb8#hRuiDI`OuukBPk&Rh&&w$v9=|6TfBUJ8P{S*)<*UIUUg9#X6xI z*^l=%XgC7s0Awz^rMYa6bFwkbnv+2)T`^zXP?&7N5Gul2 z%_dZNq|#dckTU!^JBcKN@L)l-0&@j?(T|vX&G&r3dV>HxqUSL30wCG~f_MDx zh{8a)UK;(cdoYN15*x}09eBj)V1rqrb*3N1p-O}3&8mRbZJHV>z`)Y!RMMqLltX+A&klSTadm{uRT0T$(iCj zsuo{o+L}6#NJI#ms_1SNFR=9x_kb6~Zuz?&2Hzs2UY#Q4wa7#f<~Z ziFAN|fD39VZs8g;qKqg~CIu~y4{mpoRVFYOIKU{U2($`Efj;?K#&$dcxa#K}MjBpj zjMXGJQbi%#>8ZOK=v8Rw$tMlQ9=*xIU~r4vm+2Yi`VquGt%JI|zIuWg&wCWrrkTXPEDkOW6zzysCX(``?CAB;dQQ5zH zIn^}J#VLl{HP6p2Z}!Q?t&7PGsL3TH2|N)rX;7*LARYa?G532rKD8pk&>1-IuiZ$0 z*pzo>uycPr;5|S2BV&wxq?4rHT4P{+DU>~wsF>@v%gwGlmH{jd_340pZFc?-q`@6_ zv7F&v2@U$vN>&tu5t#oNC3RBrEY2y!d{NVe7jS_Bz;w#Sbz@?rUA6Z6|N;4 zN|gzXhPn8H46>*C-!CdjaW|{3t>Ihu3HI?rW*Wb4G1O&OX>w?wO~+rYVDx?iwUNN^ zi?EJ|_3YTD1)ciA5_%WER7%k?V>fC9@a6*6InKx~-r1z~sg^hCWH%na&dypX8@X@6 z-9J#K{1&sYDOst(h11X7pF 
zH3gyO1(8H449wfLf{$o{fkcCgl7`{Vc_;EN!f6NsJzI{5I;LL1M+-}q|HXSB6$l)h zi@XU|Ca4DtIjV%rFBEkU@m+4j7_5CgUU;!WJLw}1M^x0TWF2^1c>A3!(ahjd4q#S% zOo~8{d}tK~p=xGqE|)xA*6BOHJJtKMAYM<5DOT;HYI$yrW-!8UiL$TPy zi^$=cn_wWaI%3UVClb;oI-V zjfuS`hz+l`AG~qTRc7gJI>%_0_s=3*KHK)rjC#^I`cj7=iAxCj*^L=ET$o`-`$`kg zS_ju!9*>ooC7cRz{Mbv%A*9=`9rAKyfH26vI__l;)w5e4Z0I|vw_9AbScTl|p59qe zHYz#inSXgp8L>R&)Y{1%QC!P9632Jn;vLa^&d45!c=Bqlzs)xOO_w#>Gj1FUE?qYQ z@}i$115L+nfB=V7Y z5N_K0`h6QotKJkKNy?YRfCQNUud9ii2?N}=g7VXnuU+hLHYoJALxq?xh`j;uw>ku^ z3Ri9+(eW->Y=iZ6*FnRg04{@;09aq?J~d&4+BG0+WK8rTKY1p@2Ptq1{f*-m;DBKh z3V~4!#s+sy2d03J++YMKP4Yn0HFUgOQV7D7*^j!S_I*fD?|@H?=w8$&mjF_Jg=A!1K&H>EcE~^MX)kmQIZp3vZxF_ zWWITm+$+KWQU4vi^Ub=Nw-;K$9Ue)10rg5a-KQB^sxhH5PG zIRW)t$K=pibqv;xg2byr-*Sy4TX$hGxr%1F_2$lt(qngjDtFH-4A=_U&D^>5h+MxTA?hMX#;b$?7LLr@!^X~q0sW={0aG#JX}B)|QA3O9 z?&&XLZ!WT>3z_&6nsMaO4ZUaKop2uS8o-qIG33h_4F~w2dM+lo)RkkDpz@MR%o!>@ zJ_=z$ zLRcY43H3Q^JT9b9n*mf6&rYZP03ZkavS5(w5)NRY`hr5_NHY_$G?f~_aZ~hbEI}?=qPFbSn0y=faC=9Q%VzTrV%wXoHiAsTG}U&r3?U+_5S~ke zIi5Dr?#2*F7oiwI>AXRHfQdTU4(|N8FqDI##Aka%BuwCy5a3$nl*%6z?*uud?gT79 zZIss!;Z2BvB5#dJNXeK-Xd`%AWLJubx@me&3%YV!6gn~FCq#TTeyyIs)VwfioKTF! 
zr4h9|!6HEBR z%ki)G$iA*A48|Ym41!=Q4JIJb5M#C6REi&QlR!r%30tWl$?#@E9>|*z2%yBLQlX*d z47VC4^pu~D6V5{IZAbg_Ycqzea^q!!SJ8wQ_~iIAS-sLbO1TW3e+B{7j`f>5OQCnb zrT7b0Wr3J(dU+SX;qkhc!8nzOW{Nh1&>fl*HsKYkKh`bEm?d{U07L*^2y56+A0S&P zw$o@lrR{ssrkb&&qT26qWd$&((p+vl(Sj04cDBkhotZn0;(uHW2q6?1u5hhGVO{~B zzJMc17lo4cP#iN^AwZ`l-89qO*asdbX+aw*iZ$YQ!gcLovJo_`AhtBP?}`R!6VXbQ zS=Dk_4Kn-FX{Qu7&^weCLgzs=pW82^-RvfAHBz!!;?=7r3*Sf^G|@b~sMOq#O4QsB zWb`5atmfxs5oWqjkEfXDW~`R|Vdi@K z8ZGZO1(4*ePb7K|r%}XBiXT&16V3iJotcR_ci0|ql0Q~D=L2868RkCLAUy>sy4p2R zbkSBXDrqx5D|a5)CYrI&+qaD|mMe(MgrcFK_FG|I4)TjS8zE*^MGRa5fIbL*R{519 z&D~7{!nGRm6ug-}sH4pVYK|Ek;x*2Ox%8!@k94R;ua^{p2tT+uKj4?MZi;QMwF{|( z!3miv!-6D!-m^HZ*6JDP+IP10)S2avcK8{t2+fI}fFUtj;@%O6>ZL;qQU9VQFIdqG zr}qC1Ebh!CW__z6*2n!^AZ_Zz3U8mbB%n0rEkBx2r$-q+gkUj`HY)@EZL9A_gQoSA ze4WVnuGdLzcdZ#vKq&cZPIWu!#s*1;42 zu#{7~5aE!N=a**>Zw$v47iasG$*X=s&NBfQb#az6!tiwImCUIX*Eh(aJ|#-k-Mj(a zEUngAsui^Fe!{`5Tp*DCP6(Shl|N<;*6agaaQywFb&#U0e)v;?)*X)q>9Ha9)QOp# zM3x2Y78(l1+u0i(58{(ny)g86tCLL&_iU}d4-I)xMMbKUc3a4bSB?WqScV=!l@eFP`iNGo8@%*y*ZD zNsMHPI5RM!kWmxSmhFy%{z5htsk{0XcS&5+?VNAqmR{PlAFyNbDV0D)S%69n z+9NR`ZCCf*1;6lTm(VO!>C8~yDqA7ITfmeMi4iGQ>*3|j4r)&qt|;<=5A1+c(eJp> zx>5G4M_NLUB8Yyv9@8uW_=ORYwB>e&L!0?SH04r9l=%nkMTNB~WH#!=&H{w6+M_&1TsI>I=!qWyTkM{3 z!MubN89nv_OA^v}59V{yKj%0V*~vBNxm;MwTgx>>N(G^`5RsBvEvMIv=H6Z@itm0Z zuCk|3sZ42UW>}Cw>WH6oOJDg~OEQ+a!QHq{O3X*H^`Mkf6)?XM3R>0eY}T(HoeRT1`Yt?` zX{LQIlNMg@!CD94v`@KEJOB!51O>ga0iLjXOrb=m(r!KP2Kj>3S4kk|G$W zR7#0p;XY+zo__=Hv2SNgXx;A~6eo_OpJW>Rq%k{F*Q)hTSTXH5Ne$`(P&l<3ZQH7} z0NY8ZNwdlaQ0vJ3okjXh)Ywzl=S+Y!Q6A(^iMqdPx(*9&H)fqEsk5z;Ox)M(hl!lm zHD~Rs3WbtiKf;VxDqT$Ij*U0TTYpzN=KcwaZ0e$)-t zDd(Qil(WJ@9U?BLo=Fa^cakYm{wfj%yT(|u1{KzhG7ms*W`_w1=u}pD$QXSI?Avaxlcl!93FNUqG7jO+TaZh!K2I6o+;owLbRw} z2m~RPKLDhtruDlNR-8ViaIi*m!vG?kH&Sd0FQGdh)tw7?RdrG!{%T90cWd4S6HObI zhKH`wl#4A~?q|DJn!IO`XsyX^u;JuNv6Tmo+{T+?2^+WQfFEhv9XTpX%2YF&?EZv} zLK&~InqLw7uxiJ=eDUmeucS2)C};Hta@i0Anr5i_kggd98Qst7?zW<~=5{1n*RWd< zShlHW=g+YW_+RkvHyWBpoD20Km$26rT?^W`XX_kmXInzjc*PRI{p=DAkYKJE<5win 
z?-kJFZhCmSBg;-Ym6Kh3 zRY(O(vk^Q#oR(OR$#wYKOq38Q=v}`#hiGwrZGg({8{I$cC@TH;BF0XUj{rNC(Tmy( z+ofWc2`Dkyl~2^qEMN{KWG?DWX!SJe=xy$PkPvLDqe+oS2k$Znq?k0)i_Ue>bTy-y zDY|TY;-Brzmc_wK>jLe^MLN5PtgZ)8u?%NwvFO zX_VQ~3pg%kk78_{j~+YYmdAdM zWYfrgT6W1HjeYspTEU??c3swFvXf4_No);a7dcYEAHk7v&%8d0(P^OyWfj%zG zkY8vNIB;LAFm`abIxf&TX{$IMJt85O-7q<$H*LHamK#MYcns*7%?1cNu~=xDwoY!# zJ=={I%o?f8)g?wYwjiJIFRNwNO&k4~eZ%z*JdWg->LugNGM)xCZLm|)(e{eJv2D#+ zcY6$8i7*!baYtZe>}@igyd%q&>S3SB*4X?|pUhF(T7Va=Hx8rNng`&;M=vmjR#$EJ zK*3(3)g4rVa|1=n5<`lzSfD^jUK9X=A@>7Mr;rG~Rp4A^(QdPxwZSOOlrh$fW$aOd znZ{kN>oUw%`XIMs9}M(%-ffb2Ijt}w2FbIlwx#3jryxfbv3iRAXqwqMW#ZY)Ieo$S zYKvZxdwzAUheNgGH-UV(usOqcygJ;oAMSeBAxus$O+*`OK|%sE&iF~t`%+b<3=+LX zR;8r1GuTvz8jk0Q$<^k>J_&jf-L}H|)h94L?`W1Yl)pkTzB?O1ofSMruA-67*h2%1 zZX{k{uVD`9;7)R}_(7=va=#RHNMh~UP1DYwXba%n2sbFHKvZtsqK2QEd{C>yu%u3J zwe_Q^M=@o#K6=Q5bKpuDSi^Wf6uB*28=a5Q6qundA0$FOV%CW1vR*hw8-Wm^?%>aX zCUSzOJ6eH1F~MKaT)^@TkVpqbLh}tNBDaAcjkfnerc`NFg5Hm6)KoA7M%o3YA9AtK zaPl$xGc=>J3KOYJ<-w`Wkp{ca#;crj7eNLYR;S`dAV16&@UZ==JI))m49CyA88+Lz zlT@N3K%X#ntl~aSv{GN^M&;H{4uhEmu*yP#(RxAELTk7g0tSoFM9s|T%niF;ZjyM~ znm{@t?Kfqf6#mxI^wyY18X^=oL|IXq0@bf*7AnM?Otj$R%6JHhnJ*Fq)+JJ-DW)KC zTwaCtyDSuXP%$Ok#@8v)%VzElqQ1h8%Q%lpKa>7KNY_O-9 zu!+bXZZ8;Eg?^Y$es9|-X@uU>1EHN&@t{{+}ru{^!; zC|EMyb+k$Rk#-1SiZ{JT6abIX7YrC4VhP4=kfytd$R~xicizOjZQEV7%qf0gJ(0U0 zbqEPU3)Jk|RZ`M-diz_R++avKdAB9D;1=gK;-~f_TN$KeZ7bTQy_{}z>@}0(4FEIc z8apv{*iTkZ1)!rM^muZ*iA)F-1#G{x6~%}~GqJJG)Z=Vy4|V#C?@aBM>S?)gM~r!8 zGvr#czRRqvD)lj0d)BZ_=cSgzE_`x(=Ag{xKGXIS!@APvQrBuWCViHZaAUDi->1&q z&CW{cTY?fkzb-j2IZ;>6pB6)u=ZB1l*$qSbb4St@5?axRCn8#a??Ktp+55Jh=Zja7 zI4pxi;e*oSfwr)K{T0{^27~lP0^%KsW9PqG)wB&75a__ZkIc*Qh6If z6H+o3D2(3yd+}DoAwl;IjU-+s!I@v6jk?XvcAiIEPmp{XBMug?7+sC0l>G^LcWYDs zPW(IL`s^qEF1|X_M-624(=6B#mpZ!^W8yhowKU~+_OXFk&L(&3`6uOS!b0xQS$2PT z&n(-0wkx1>*vSWBl#_io)*{|oc(8z#WHG&=@H$Cc;g%o?x`S5Xd2Wo6w&uH*F zq+~fjRs{j{i#+wol3?;QDj4S@{6+A?VYxwTI+jOY#QqZZc6EzvOs-qrcjP)3542Jz z=NHBDq*Og?Y}0wI_M&sGai-eksIW%dun{!FP|yL9C3oAHN&c#TiRcpCz9 
zPUbJ3ATj930R`1S1%*ROanwfi%Yv$C80fdbiBv(FF1sv43dZkyTq< zEa0a@QTb<)|9}hgQBFmyBkPI}>~6^34<c-gDDIXdR}A^h3c=NIDx7+UUjWgg`*ca3#PnpB9Odng zTD4&deaj7e$`rrO86}Bkp}65vYsQ0v7xwZVBI@>EA0kbm0m-eRU{WTUR2=1GLCtAu zh=C!7i;U$BX3(!vNUvCKWwZiep}fy(|Hd@U&n!Pl60NTQJEw1do=0F!G^$cZJj+sb zu;6~Ncqwh2o{?@^RpFa6h5m!&MUku$p(P!VE&@EUeLdVr5y?Xz!dOkp$Wh&pp`Dr# zgt646K6!cdxjZogpLyjFfL)oKsx9E8tF)|HMCo4rhOiD9>4o)p7v9k1zSmP%zXIIa z<(E2+*5l~?HhyAqMg7&G!HTzWRtfGl*xDJdWVB14QHQq?QqCZMmo1|^4b9k#$1nu5 zThCRgbv{0Lt`~Y@&jYrqEAq;wP>r=QbnQD8{W~jlwS{WnXag7#%9iz&lzll!J%KRb z{t_7cewo70-gd=B2-4q?OA|2j=@~ON6t4;rMF{Qn;<2`tU8qI@k2hzN+pFhgH{k)J zF|>&Ex2tQK?X+DaIG43(AwQGlOzhlY_rOJmG_7+l*94@IBAWre*SWWbI#s65AjL}= zA|FUcC`t_Ve^WnV@s{t6xZP!-y^65jlj9}o_6!Q~`m}%0)(6h9v)f$iaiBH|LdETx z;m@jxHYJn<1^TU+janWkeNSh{>PW}^Mjn7>TVufrziM5N z&oOa-9kPCSDH~JJaE*y}|7xP1@OE9kyaLu|u$&OO2xtu4ih?eTMldz3V*ESG8&d&W zp2WyV)1Kh~P0GFi!p17f@%igwkf)hLdq0``zxQE~!>q173;EtF89jw*sct>Up_+Z4 z54f-!4S{Ve+66=EI@bmE;7&q3{ktrekJs(lny-1Kpg)%b$P0Nno#9tkyH&v3WhIOCtOy5aE6)SJBf1~ zNHBq7;jd9oKNha~`d5qdg@=brPhXELH{VrJ_QxjxAU*&HpM(%4#&#|)NFk6l;52jSfe{C*Eeh$EzoM}6n zV;+dHS+3K|@^~}A;@7NcdN-wTQhn}K%d>x;^9TRzfjy*heKhgLlM5nk0K|;HWiGDCE2TOq%Gu4%$B9>w5$)Fupn{KtZ;aUy=aSqF1YQ*$+IKHf4I1)W zO&I`t#?;TfDH~Ons|6`M53j9?;&NWDS(egA>toSv_v05{+Wz~Uqo)Ax{mvzoDpfVj z*!B!+3~BK004gioXB|=OYSopsN1n}DmE0!VJTZqPCeOwffJ}tS2Jh!kPoeHM=tV`@ z;Ify;t`BgN<5ohY*JNbr*YIlTgXu9BZcAm&_2-rDwcv61={`Hp%=l-zmG||5&RMe9 zgXi&4(I=xC7?Xl0*+UI2-#glmXQ@wqF07Ohw$g>}<*15v?MptiZGX{Vn>S4&yj+n$ z)$o>qtJ+XzT#{d+rF_@?AMCYPt|#qJ)%`L=ETX}0@7vecujU(y)XBCg)K(JIpMl=8 z>A<-{@Lo_hjkm2#o@&x-5JNM%FMifqzDUvsA1J|WH>#(?lvKO)Z+a(7j`f5Srv=Vk z4`ftFXR9R|jVO%)4pB&BrBz1bE3}%b@vE)hQ!jlO^y6NSsL6l1o`gH#NFBygZkIWF zb%u_2hHG+glEB0BZ|oXq#mBI^sqT$KSqP%51o3P6p|{*!;i?A`k!3qd&pgX!qR)>y zfZrjL6^$aHuxNeX;}zFLQ5WARcv6?u3Aoj>_c%^f+r`o3C9l-o(;O!B-*LEk1J!;~ z`c`yO3w8OXo6Gqyj?GH0?JoM$-On3uh{xl`e7m0+lr;00bgrdSQ@HqA2pQLz*)A1>O#sf|5RyfDLM`1R1ZJw{2H|O5NpPmTc!PS9p2gWu8&$j-yVG z_Tg1SKx@B@veml7eg7}_@6U^kvMe8BmB0hEVu=R!)ZMT_IVHQTj(*qf;i 
z{j-ULP}XFo_{QM5g0notK62&3swjXfBKuAXP6EZCt%O7EUOMx(_a{s^Lu56NyJ`cv zwn@wGL#c6VI)uHq9rT-EHTm>o?E!QcHZ{FRj|r;n%8M2rE~nsam$SUuxZ%bU*3F`b6FPC3T)N z__#b@LuDCmGvHS-obn@j*t7l;mS&wf$k!Uaqw4$3PgVSTkEBZs9T%Ltz@&koF_X^> zrA*oPeW+7AUtv35rROgCD@-KkI#%}aiZd#ELKv&w982a?&ha4w9DKc4w3RR{**pJW zp)Csk)LUJhfXZ)(WZxoaG!luV!X7%k&}AY#J-0M?*6}==E|&VcF4*7gelr10;d2HO zSz6KdecMz;*S8QQsu&W6MQn1W>yzMyB(kIovu&0LXx9pult3gC7Uh|0#O*GB7129> zusu88oi3?v&oWWpjYW*e$dLOZGmX|sK ziLT}ZeVyMBFG?>1#i#X5UGuY!kGjBzzOCY<o8WbSAKXSjG1K5Qd1`JsCYr(W!@ocY-4!)|c!dB}tyQ3MW z-GF{%`?res|6k?rV;B%gfyl@QfGZPmZ`EJbC z@bJ8UuE~kB3kVn9EbftiuHj=lAK8&!E(CmY4Z6xxR~rPpOC!3<&KI!onqS{+m--4D zD3SIN)Al(RLd@pz|31YY5_=p1Ls((+l^bVvnu6mVX5<;J35#~fpA=Txe?1}MUWtV$ zx04qP5N$`-C(QyuY(f=YV*XYO>wg(kZiUovW~-MPbPAA4JiK59-o(3Gd)_m(Z42<4 zGp(ogGcRA-l5FT3$ea&b1ny`p7PiwBtl^_y#Xv$0u}Y(4$~-}4saHk5u_*8`_EJ?P zcorLwM!WBKFzlv{+e&>saNt=s3B5L&Eyu4C2z%OqPUe<#h?^5>a=4Va z-$n{7*)ZCZ0AGF(^g3@o-0N>e-FtQOLbz+=C)mhQk7)9pDnXPGj*>m>KaiH^m zj`N*=9j_Cu3OE;oROTl$ZkGX2Nx-xA5)stmac|pICsyOhxG+7#u-?Q%gT6tF;X(y6 zhq$TA;bLJufv|_J;UX7md;M*`j2a@45P+BH&sOkVg(m!*vAv*2RQz>^XJf zH}mZ2$=uNEJL;h2pm*o-Zdd(P!FPx9Zw0Vj%0CrWeRfOf=X=uoDnM@j>EQkPH)boD zTDym~thL#*7}{c&Cwm~CN|cfUk50)Y@iR8Uk4SvY-A*--x?6JY-lN&pBCg{ zEK-@D)L2`;{M31*Xd7aS4>wj7yaYJNYkw{W&O>Dn5M81G{{~QAu>c<|{|0J7@sJ2E zzcpY{@qiLCe-+66Kfh0N)p(jpEO-gG?P&gL$Q|$8{?fvQrv`Wy4YrPSyNYJZ^AChR zJpVu#!$Vqx1yQFQdKQZm<|j3-u>b+HYIsG2>pa|M)%y$Y?P{pajMH2VDBHsMXk9i(z;qppc zyfp2{TANBx{ujc)vwulA`yxRorriJPL})v<4!8#LVU6}_&&iWL3Qp9})AFTg10PIg z6W1-tWa$rpM*jl%_xHa5H2MM%?0~HtX_=T*2{bhU7u;|bbT{Wa^Y6(9i+ep@UNCAC z1P}T>7^ZlOXEzZ};6%VAydKmx%?nT((cY2BBUUo?K#CC%Rt@hr|wGU!D= z^kAR#6IKu#Zq~y(texLy#_@cO!oNJm{7)XAG}IEmXaMxHEQ4UAv}pBRb$ac>TSDtO z-dZb&)^aKEr{S&%u1RNmCFM|U@;Uow8vZ8{sL*w#v?G6t{|933KegCTIOU<#JI-5tSJgRJ9By|X$#o)bakHg>D zuhrjsb9C*OR>A6u`Tl4b^Q-?qS_ZBw?o$Hhzfd9aC;(a3peX1gGWL(dvsBI%#nP53jFNvV{9`Qt4mO!)_}{_gIg71Z7{QN( zamWFt0PC6sww=L_5{1i&x#(f`&t+nis6hM2nZB|~;NjnJ`D0A>OXWfjVvxecgc{Ck z_^`pWLnB}qlRHa1j(c#(ns%UE}sB^1^<^^-{75 
zOWn-|wok=zW(B;gNRSgma0#=lXpkR8&po3@6kg-M}$p5VXwXA6PrvkuNrLs`me-N0oDWE1069iTa zbl-rG6YB?*<>AA>=l8Z;)!AxI;cA!rKX~kUTlk~oP+;gEZh_&m;>%h3Ek)Cy__I|U zKvzYJi@^Xjr`n4y!5cO3RmFp5#%9Rr8?GACe39j|F8|2!;_j~;2N8(~9LxU6t1pip zhXd?51`1@&kd;4v*|O(saw=Y|*OqI`Vx!*B_)W&j{V$yVGbR3?sLc7tS4vc)K+({k zov)jih9aE&2@%#Fhq6rIdXx+PFG=>8PyZcCM&ifvufS%Z=Ed+^*M!$n6R=dHbF{U` zI(pASWbgDnhV9&GpZgNkfvC!V04k9Z`}%JeVZl5aO{b3QA2qA9u)rfAyyl|#*y~jn z5pBCYCm#L1HSBYx&50fl|A@QYL^km6=JjWBAPesNH~7QO?t94C0d~hm7{U0;VMY48 zY>tC?@tk_2jvghdt_r0sDMtQ=L?)q!#Glof^=py%e~Uu{@oe3@{uIz^7;rj%J-F=) zgblbOuoM|n&CkuFDEC2Cx-Tdv-i!X`9qRwceI;NnMvT5P5VssWVd-(d{5w58tRU-q zt(5Eq+-IakZ_|x`MZ7pulYm}UjN79F4;5|?6g-K^(JjI092x5 zc@~Cwe)BsZY$=;-FM%bdZ2s58pYM77dd>DFZ4%?8z6HO8b57#wLk|G1D8!Cq&ZMZl z(=3*nwj@jtfBw;k|Gs=Jndf#j9;tqXc0e9(YEolo?D_I9u}3W!AbPv)s~#6DJU{a7 z-(Zte&btNDmZo1^@@dCl3Uk#EQ`O1~#>{4%jYL&^1wWU4_aBcyc^qjt>$&jQXxRic zF>`={fO~_sb-d%lP1j~S@}sPE6)BRoJW{LvPbmF){;3c`0RLB4?nAE37w+!Wr?COy zHQARttfp)DFvEi5%;O+#&?8w;{}H%fMpfwd_Rj3cdvth+?j814c#(s0#J6-_*)4=N zu5(Lf{cXjS{7OYZDJCBnAwAd*!%Hu%Uj=~a@k99Mej{V;O&L+-GZN#Bt8lB=JIaR4 znj*@C9@a)at@2O4o4_^LCD~k_a5EJTq0s~d+8Mm$5p${dRBr~W3i@hH%m&|YXh*6f z!~^?u{l;IT=isu#uQ=!)PbHtjS(g;nNUqr?|Sln4}e4QF$CwSRkkZ z?KGk=Pgvf_X{3BAmn6Am-lTSXLz@3&ye3|FFDy?@t(Hf(F5!9nEsnBUt?Zk2Ynfwn z(Kl^U<>Mwf<+if28LP@N$8u%T@j{9pb)qZHG;=tb$_{4>=26;}9O|^2PqE!Q*lCM0DE#>D&-(&}YHN03R$+c+a)ma_bnwIY}^EsFkYszx*6orI@eD)#?w@oUO@?3xd@w(HB&P#copR51PkH z+PCL+I>0AleUn?bkA@p2NoD^al^DnVG<@n6-R?+R`$c!C>J8rddS7>g$VxnS^y&O{L=RD?AJ;Gxc{(%_=hgEs^Th3+Lv^F{@EM6o^ z{$rFnA9g7st=?@gYj1fXao)%V(<6doFOt&+*LHNM@{w!IVaL10UF~Vagvg>A?PI1F zEYpnIy4FazINbONQDwl`ajcEX83d*C6%APgE;OzO8w*yGP0F+Oj#uW*BlierfUUee ztKMEu>Trt|lh$D+-kAgh7%?}gfp8uy6J1>O?k$k_F;DfjKy&2Q<)gX>ZRUe46=|e|*UQ#goJ)8H;q};T!IV|rfTtmyqwEw5RC6tELiEZsJ}U9JC!N*)=t73S?5E0Z{wK>yxX-| zgC@^LM)o*99`i|NHSq z=B8T4{-s31nj~iJrD(&jKT{?~e|k3h30!2;k_v~-2_)c4Y-f}4S<<&ACi}-B-&8sz zEIYWcJRj*wB^4Y9ezZ4Sl9iXzEw=h$h2Oh!hF%JtNhss*MA9S*~5?dn&~{94>FD&%mG?eE0M@NO`3#WpJ~Q*EJ3e^vbHep=x(vPboc 
zQA^Nx)P-m<+rJ}dI`m;`Tf+g@bj2mfVG=Xg;%Uzyw~{yoo>L4CfqzfJK?|W!Ofz6M z6k2f6m$NzQHHX6@B`xWDY6`dazElySk|-P>v|7KLq_xBT{gN+{l5Eik61U0Ih`=g-ATDFUy?zlQx5>V!-OY`<6ZDI0z60X=x)MWlKX4 zK*n>N?dHer7?R(_&IC)ry8V9ub3ly0h4jS#bgU2&sl!Q9p=FGmU;F|a7?7kTQ5hdG z2zvCZ#a=}-tz()^F|XlJ;7%6Kv=PfCjkJzoIyZWkXhDOWOCx@Z+h`rTaB}=O!95jB z>NUB{Rc#q_7cZ|Gj9$7{%UGh&=bK6N;fIePTXjY&Q?Yf7A#D#xWF4l2O6_9k7k`Dv zfOE1Fe7kglVB)IsC9T^o_ITH4C-&N7mv5kTjAlt}qcYrptgq)f6qy`GCN{!NS4vl*PP{^n~xIT3FA z-mt;Z&fv)L>(SfE%>U7!j{nErXSk^5KwwEpJ zl^Q0*vd&Q7wYIJgR4t9g>?`hrTgQ0~gJjv*t8T7a$iI@^vW$0?-Fn;ju4&#ZWWU}i zpl!X-#0pv|2{n!wE$oj*#?m@FhaJum(ql;eVXj=}LAHNCZPRNBtlkcufmGb53LPAC z1G^o+-@^;hr3!sQao~@l#dMN(G)=i)u`Fh%X%E;sK2kt6@hc;o?A%i_?N^p@l&s|t zm$(ly-jrIBH^hC>QbQyy`Ee6hMb-xG?m}0!*fEZ|jTSiTaOqU`PvfJU>nzbfHE~ZZ zpArwyn+y7=h>09^1w?`4=wzCsh&-)9OtfAs!sV)v8c+`U>dSR!b=Oo3}|-iQ6YtTx9VrB(4| zLA^>L73;8B;EH%53-or=iKVwNU+@P0ST$W7coUe{orhnPbo4+P#!yIJF1jO2CG~aP zpnSG1#dDS{zXZ^0VZr5M0KUdC)Tbi0`>p_h`lE(-j zX+BdG2aFU?VwC|R>Tw=Q@g4iPj(uE5YvMX8;yLn`mj+IQig6o?@fy{}q0LAv0eaQq zFdm)2y2$J%@fATk2w`w&F1T(#=SV zoY$&HP{B#9Mb2q8_^G|sX}j}TE#7PGjN0v7R*UaC8>v=1kJaK@Vc*q8=dc<)R&CQ- z=KNJ_^eT6C?Q`y`#b4U=5g8C&U`Re$tUwwUd8zS?NzY^<5Pcdjbi_9}+8 z7W+?Chq0E0ueLdCwZ-A8UtE~#7Z#rSWrd}F5#gw94@3O|!cSWscKT(6n|?uIre9Kc z>3j7phs1Gg&2aOK=aGtoLn{;2;^(9pp7%Lwx0It+mSZ#Cul9U(br!<4Jnb6L_=%uuSKCX&94I?$*)g^$5^7d#Itl0tHr3W-ZQn&*>jsY%My z4k@?_7xWp;ej1U7&SDXrKznBU4Va@@R%tt{DSAG-K6$!e=8e@Wc;oV zK0{q3kQ85mE3Bq#CO%G@A7z^t>HFiqPG57bFM+g}&ZI9Gu@jF}7`xqpH4b{Z<++}2 z`+=i7&akJC>~Y`k2TtIdHfccVD>3P~&v@g^Z+-HZQEp>@MQ{9nUBhIJpIg zs5#SVc>iJ@t-=`_@Xw?U6F=YRTH{eL(0jH$(rxH{edJn(KIlO!PT-9CLBE0c;n_%( zJgY$RX6xx{az(@_dHAnuP;%1DA!)<&r;`~P#mF;wK+1rXi~LUPL)Xje>p8c^U6Cd9 z>LCL9w6inq`WlMju0T7#z<=}7#M|A2nH8o<2eay*X_HBy9j!ukFUKW)<9pvfoZzHM z{)$fmIM*F(zoG5p|2kTonjKPaJ^wHd@8|f>V@lWQX>3*GgbCl^v?qs+7qG^xfOHrC z|L7Q3u(%>G4XXt#C-8Vnyj>}q~xQ+7&Yj7*W2%WxLUw`4XYvWH#@SQmct{Th1&QXTKb;>8;lwfrfF ztt(6w4W~D9jB!`*d!w#y2fnY5y|J&G_MkiLx;@iyo2cRokic8mm+wj)+o@n&z3|Z| 
zoUOi@;yU&jf5+1Wh!6e*niJ|_|9C_yd_GoE!?^p)w2&7nQ$k)Qr-R9hlnU+@u1eu- z&l+2HZ>;zH9;|)-xUY|bo~e(Wk=5@FO=oNm8YmphR-i_Eb=!%$vCc13Hd>@i)o6*F zqVdO~n&GdAUS|;37SuG2 zW$g-UwzkPEAZ=Wj7rv#9yH zeQ&a!;l;>zAd2|^aL77*e~fq5WSi%cOFZbX{|SP)QRMp&XA}0@O#TU*7f!ych7qsy z5=JIqzG6(!*Jxh(H?R?X@O3n@_>uN@iIS0YjR&>|l%q4vKt57Pg%-e`So;+3gP|*& zUPSK=ynMI#Iaj|RX zKRYY;F3&W*%Zm1x8UIcW-e~o^3-2#s2~EsNxI6}{@{gc2-)c=t=43b5P@A8$1|6BJ^W?jtthtxW_kc7UXw9kS>5ZW9J?h#3?sb#ki$zI`Y#%=L2&4Q0@t6NNb7u;TfX4w?g z&0xuVM(RH4j8taoX}5i5L)Aid9#4_lJg;wV-r9okC=K4X`e-kbs&tSpa7@S@n~S{@ zxcfowRQXs|pv>v=iyIxO$*9I)6_}hh8M`Xe-j>Z9=^<-sK%lKu7&f+H&WI(PkwJf} z(jc>2WUG}MEs`Av8%Yqm)%q!I6ZE@}Vx4HE38IE^L0U95zMI($VETCYp7ih*&iLtu zeSd!8EI$;rTzm>A=j(Qzo^xB%9&_*l0CGBZ+z(0Cc;={0-Luh+frr~6J^j!$QB+VGbwGBA#k zBQb!eEX!-@^&euoci39X!l9XdJ z!kKwuofzM0WczR?2{1g50}P=Mn*-nY@Ha5@+F9L|OAnctzJ>kzn0^51qsp0l>+^{y zow9i)b;U=Ke$>5sOEF?t2>IozP&LEW3bkg{_jhe2eX+l5tL9x>GJ*1hSwg-jKq0zW zCfB7Loc~gEA)CvxddU-Tm0voU(m$2^%f+i}aBAGz^_OW%B$JjRQOSKe1(a>;0?JeZ z6d|FBm~CQzL)tfWr}gaRXtG(oc{YIRJJNXdCfB1W*R8P{J+J&Y);>SZBj(4UxfZ{! z>^NzOdM4R%@=TGs`|LRB>^Lks@-gz`@TSESInmm^1KTdmox>wD2}yilpb*&|YmVoE zFhx8$j&}Jvd8CDb_5gB5&zn#n((e5!)QPkJ>H4>*BEB{^_hVfHZG! 
z0aK%Iuny?l6Xw~mcARJDij56%0*odFsdbFUOs!*fgI>QsFm-SRuyxzE2D)Q=L%rYc z23^lF+_Br+RcakEE6ir8b+F68j0DgX5=JP5*?g#*rfzoMnxk*JUGU2~G5gm4P6slg zIQx_pCxIixq7Ul|8&wec3n#i8htARy*kwT`1-X2b39%oI5SBcs1(dLCMJ=F&r$=f5 zDLfxj3rOJ!pp;4JJ>CHEj8n?A^dF6uIO$XiXo+)bwSbmnx^4k6NoFu*Vg}nHMj@qG zcieMb+cNZ_1Be==BGqCK>Gj*^8bihmnvDUnQXcPGm2AW4_ZgUPSEl5*+;m=RIp;fJ~ho>dq_3J#UR zBPIPn?o<^dQ?^V)GDUMLl6zlYM`Cx^1sND@dp%~}s)P)Zg~N=y0S;!MFF+$LpLKp_ zt#HqyC(eckdd8w3m_t#r!n8rPflNk~?rZhJ**kD}4Z=SZ$!iJx&YOMX74zS;4NlzW|3Kgv(c=r$I>cpJ94dMavX zwJl-inmp|F`oqBX^^xO&-KFpL^pOewGJM}0TkbIEI!;>?Sw8WcOt(I0H$yuddGrol zHiau%V#m(XtA^nH`)8MFjp`}&Ax?HHovLe>%=fVA1cF>*y};$^4eTdZG+S zGcl|x=cHhg-Xqo=FTXOhUR z0_91Q-x^)v;g^h4f~33%J?vk~;Ys``U6QgE_l)aA{*h4o3^x#DMqQH&k?3@qD$p~G z-jEi04J{&WMZhDP5{gvFls9doynN;ZuutgMssI#?YEaaN3TCYjfc?m>OHr?01+Y8U z{KCMhTcOq$Oxz>Ytx&65u|l_IFIj`S73z+IHL5#swRjks1{i{BR;V>_Si#adr4{h+ zmlR|rVWD-Cf{N3Ka$-=iQj#2$%`})5l#@#-)sD!_yIe0;(J{Ve1hd4UG7|VvEHlet zI?(hZni5oe29hiO%p?<))&AlVil+EWB^52{OB(Z+>8Y~hqH(Xw8r>kh=+~ZIG$YfP zVU&9fpzg5@g{4H#lyW2iZCwp93LQy6xWg&klsVWKj``s6iN;Jny`_hRvN)6Qh zbfUF#4Hfo5ovfn0^ogq28R#F!OYQXcR2Bc%fB!%Khj#N~I&nYX%;0D!Wq59IFvb~A z1n4b=!KF9_c}p;0;DI(+FVSi2M(#w^hyT3@7jQ(|AMuKhcx=|q9N*|}Ap4N+2M+&4 z^K8IB(*>ULKp5wuMvafNr)Lhz;LA$hzFNNVZ*f7+a6s3><-?(nZKR@!#C*&Nn5+uF zPF`g{2@gxZ2k&zqQ8@P&ET8*>@BZMsKlttszG;hI?wI#Ue8SU0XPzZ_lccXw`*gwX z$R^O*nSWrbPfyIL=ac*yHDktuitGTbQc*MxbhP*&u2QwY=s+(Mp-guw5?#~BnPVa^ zyUR>DoB`<}S#m07@`d+yNGrx2lFH8_4sb^tv`%^;Iy9L~;hkx@j5~Z+0HAK|6i3fO z?#Q;Jk@O{J>fK6Uij&4-n69oQFolv!y0nq_vSdhgheMb-E3_<;XlHqQ14qiELON4I znw30>3<+tV<2`FSuTqk+Nw|EFR6WG}8^X0k>}Ww>@@!7{i{x_RFlA{zsdwBuDilj| z^zJa`Nhp&Yk=P!qy#e}25y17d-=&rRG)01t%ZjtfyDGzJ!EHmi0e!TQYcysB%*4YM zPvLyz;?vWYHF$^1FkBtRgH&{3MnQH(A&pp;=}a22oR!g3$$-xHQ1}UcINVyQvBWHi zbiDBcFcjW>zh13kV^3^p{26^^7DAv=>aFj^jq@O+AZ6l=9qD3UkoZ;l$eS+243;Kw zS$TA;Cc-t_%v;u`)afbV+$;y$;~7UEFL8Q_F;nuv)V%a>nK@{)&I`#-=t;XzoE@9W zRKwKrpoT87^*&~5`JE?{kKerw7eDzQiT^OOiOX{2^#_U>=7(FeRa2)z-%ISHJg@V+ zPwDyh^Lx=t=qcTpIwg)v9azS=7v(vT=GP&>12o6DP`t3%ap%JSIB|XYG3`vKBfdy^ 
zNab^2*UYFX@wfWg%<#&Fbh#b9+%BHU#_ueb&cn^rpWm+TjxrK|Oq{%s$9Q-M2f1RH zP@7R-_#SDKzTDgC_YP`%2erL}+LvmlZ+J}tKlzgsC-K~`bVUL&_t1I_9!*t}m}^(z zLIcNCVz*0K8O2M4*(!ns@Z|docnzGvX67C&m3pZg7rr~c4HGj6K}^MV{!z1L9sYI& zHoH~o^{Hmgj!8HZ@zWsDOquF;D%Iii0FH#R>Rx&EJ5v1)PR68iSy7J^^_&MNN&e~F zhKD($5V?a*65o{=Jg7hs!wdVI)Ok>FdHnbP`~Uj?{@?$D{OiB{7bNo#L%}khh{*?# zZfZrM!$bBslJMtuhd-dkfvMD^ci_m^UkEB;I@S_>w*W$Xe7T8R*=NcWbLvl7QZ5wK_z1z=P%BC#3s8(FzD?(k$-w}$Q|$p z@&i6l@Zl}kzWo*T;Pa~`(X+wWeQ+FqoK6q@1c2P!^+sVfzuQ09Y0u6(?o}ir3}px8V=d#uL;Hq~6EyQ1#9*E-9B&K$bTxR-l3j8uV!9~M z{fZ%iv}Uox9gq{d$fUjkZ%Uj*OMRf^es)Z%w|EKW*P;WWl}KKLnTzrcZ>_xs^s#zC zBFW|YLUbi=zuH4pRG74~uqL*vHCwxDluroKn>`cKnM)yi@Wr_lUV3Jc)2HGkr)1ho z-?IuDOy%&4>ki%g61*#^B0qvDw$Mc~?+YnTCM^5d#<#i>`$5_pGnFJQPX#4dUWj{S z%4j1wTI;xe(hubeRDERc4Z5i{Zto5Hq%N3yhtj=6X$u@mzs&r0d&khdV`x3c(7hk# z-Vbx{hq?E|-1}kf{V?}_n0r6Wy&vWm;fEPpKkEQfQd8pLr?d_0^Wkwm_D51E-DK?i z!As(U(xzB}+IC3F=cBoWKFVbdZE*{&;RIUSy|cdKWbj5mPDpdUjCX7)lTID@i%P+FI$D^DL(U@OdJT^lGsiGVDGDr6*+t!HFD{HF!`~`@8h?2nuAl>_6aFy*28P6eD|xsX1(V31EmjXj zU3*;c(c%X2Jq#~qS0QEj;Lko%BX_a*X2JO3NHM4Vq}{|Q`GL`~u!{=>s~ zvh=h}Iqo5_Eh_M;+T5q%=`#EXAB$gCe+i4d!qnGAms+SfTjcK`@Td>grAPCLvAH+r z=!1zVirgHbKKAenljdH;-lh*MI-7|5Mv<#ES-CzY*VW#49%9729mp z4Rj|XY^7;<<2r|@huMlkHr~{8?tM*O#NTAD;XGY$s>b1$zp0n^s+{B|Jx#NamY*Ch zJ?WX@(law*0NDT-l@l5*S?`o4VK?D3mL2{emKw|`n3ETl=0_UmrYbG1l9(zo3%adB z5OTthYAhCr(mU!3FK^z-fwAaPIw4M>;5xdR(F!bHmPlbPj^QiI0L^+~yID_mll$4& zAocUMv*SE!F6sAM$v(Vs?qN!d44UiF1AhMIbNZZ&OPX$2Yi>y|(8`~;WK@tO*Jb&K zca?tli!(huJ^0o(1B49XdvbGx6c2n_<3tfKxVKj9VZ%LaxQ7i3=Nr+UQ3i&?3F<>_ zK-_#B_}kh##@*dEhHXC@NZs2m@Z47bmj}m9vqE!&0Zs25uj*=fq0`nW)~;pOk5JF`kG_ldKy>xzf5-2^a&vtEhMn)wx|6B}|GR!qOY`3ck|OVNMH26ubjKXy zpHkwlNS{9NStWIML$)#P_c)ovX1c5&4`z@42h1N`-Uys>NMh}9>0`#}^1>8nDq;_v zhoCJuia=AG&3$6>Cr(UG_PZ>hvMd+)i*qqEd7^ye4H-|34=5`k5l}3SS<_UiphA|X zEvI1-aU4Xc&R3X(GbX~y5Q8^9-o!+F(9xrI`}V@e3NqNTnJzbwdC!jx%u7;H*{T5x z<)(3i@5`)0)%gPk^*y-XF2gm97PKAG6h^W9NgcPl&)jY03v)A(XS4mc$4q2P-JZ0g zI0qGWFI23`XIoUSGOw*-#e9BSB}ye}ZWTXh8HU}I(q6NQrrq?5gG{bd^@@$YXyUrm 
zv|^*-z>3|5y=o1bR%|+s+4Q;U0?>#@NjhEiij4$7a+y+L#ccXaCC?3>eG-mw;xw1v zril=Eu%1rC^@_vbWS^2s$@vXEPaMYy_3#Ru5(e-!BmM9_0hPtpvK!*ed@Q|$Cv(k? znY(p|cR*2X7-xFLba_{7JJDwVdrmC}`NN?r3;M&s!e8Wp|Lj1fb8nXPDh2E_eJ1t% z&aVElMw$CZ@^P{YDEIH+{UerQ-}>tZACJ)H)8!uCbR4pTWEdebjz1*KX2d(4%v!j2 z0QW)ghqll(;iTYq#o5t|M9M?F7wv!lsoz}XMS== z99S7jS%2K?uhl~edi%54&dz3h4*Ven!KXp>1clGmVp|ABI6iZ&Zt}_BAZ56PGGbFR zIlu|OOgsI{NVZ_)=q3Eb16A^qoRfsNc=|~f?ukF)q$1KVuu^3QLRE59h|7}wfBI!N z)vh&2|4e_?q7-u)gsNl|EbB%98-*99wdY8Zw67i=29`3`IG zwsLzjzD0b87cSDqVToh6Bnscc`wg-6!}oEfX!;MXQoB0i4`I0Mc!)xbl zX6OL`gJ^aqlK%uQkS|k-jnh3@>M0rbaGA5@@7ixX6(nFYKf;js@D_W~RcDz{PI~&> zm#s`m#T&LB*@^9}Z7yv41@xIMplo+?_$i)SGuIzwo+nfA9}gxQ)0Awk>*on1X3L4Yzd?F` zgY^Ce=_k2CS|KIl2CWw)Zrp@kX?n*^;>*6;E3`LD4%w5s7CpPedYk=!wtGaDnU)JJ z%iOS>Hz)56$WLHEj@=+KX5_}kV@+Z`mR&ShWkJ@S#DvU!Vzqk*j9cJ|0g@_SmfBvs za@?moGcY#^lurx7b_~f|HyaP0!%DQVS$8YO^k=E}!}YEUwQ)A?lXPj!+!08rA?Bx4qu+o zK-kZ)*3S<*|M5R$Q)_S=!ofG%0hkV?Md%`X>0z07AHm>z@e(*Wd(5Gy9Vi&;{k$~uC#$1O*JFuG&mzr&&&#o_>koiq=#mvIG(caj2cdwlCKJH7;9IQlbBp$DHgC$O)kGJ27YwX#N4s25S{tW)H z3bnX{v>#wA?r4`6Xbpy*nL|ss<|GBKm>`j~EA)1*)t%2xsYq0WK|!|;CKyUS<1As9 z@5w$Cx&9pbIE+rT>-j&2Yt40_8Q)pXHD?^Iv;l5%WvIkQge6XRQr93svn9e*VZ85CnP>Kh;a1}SI#S= z8kwVrJgq@Yv|b?0QAiDF>r#c9e4oAum(VhqKdLxjM0}T=eqr}ePzk-0unymDu(~Iy zx~Hn_d%`SH*avj7Btv#^{!5XNfNsKiIdP!WJ6QqA`Y+eNWPOr7Ttu1d@q5XzRc*4wpF(|+bC??44=~gJv1ESWWrUrRRMpx0%nZeA<1$iM z6<-$AtDIZJI&6rp$VOS9w|iowH^7_B>%8tCOQ!V$FY$&TU&wA7v4W)&6QI2H*UQjb zyJZAs3+CvYY*4qxa>Q#fdE??0E7B%=c}6EchzWY1-^+J(!uv!NH>7jDo)NC5IF)6IAc8og$?Z2K{})S#nAffH=6{5afK%*GFbk8S4ppZ}bE!h{ z6XYC@<3z6zErL@qG-%m0;O0a-U#&pRfg5e+Jg}NjkvB#fhBhXIl1|d((w~LkAA!eE zUKF6IIXI!f0S`Q7mfGC+J>NUIhG{I&zR|c+d7&F+cA`Y9PN_9PkIf0E0niHU&R5Pf zI*pi=>B+HN$G*`y*S`hB-g2c+(IUYgN)Jex1({7k8k>a(hZjkIk(o$~ry^;KU{Jt2 zhoLo+)j(E+*cS0~=z&6h1WO-FTCmfP|o@FHDg=4QD8P)I#J$R13J3M;l z=z*b+-hb*^pO63P=;U{p?8p+F6*J$KjfCy-c$SOIV6k3sqSfEP{Kg5v#FDhMR;I2bYJmb_LDydUQ zS%JJ2$uk`$V#`lXZqnA}JU`(8vSqGDcjXt=N9woB*YYlt=t>o^@YQ;6#1=?2N)@|s 
zR9o}FlC@3O4him_F_xOOfN>=TY69k)n)w8)U1}KWpy`dxtgP8R%AWMa9%ZkIvhU&A zM}TXa&nj6Mw{TL~p6R#}+g0Z#Zo;g>d^c}%3zO+{!HBI2jM&;^#E*ax$9v>o!a10Y zVB~!dEgoMtLY$RF?vwE~AjDSTB%fvfSs}!i{ID4%urKitzDKJ!2Y>;)<8r)Bg2&_fErmd=e!-02F_BMDn2rU^bx^W$rZo zfKV=&p1+Cjx_<|l(Cc4JlHBxQy_lO;_xb?sz${$^C+mjzqk}OyuK4~~4n3E{T|jF! z+{~L|;drD7zg_)6FrG7GI|x|=5GMIdrkOh@g6ZNxJIb*y!Y2S`(HlB4#`?q~tCQxm zllcw+Dut*(OgH7qGR|xp@y7v;{PX=Y~CI zu*VFzQ0y^-C&moqOUWKLcz(D+_KXMTo2SJMtPODk2?HDB2K5eqkAoX19==(#d)y%D zi#=|z#|?HL=GA;w*%&uyV2Ee{92BvWgnZQp4(hhKh1vAE00-R);Gnw)4z>dvT)e!x z2#G;|xsFyphhFq`qXb#OV--btd$uS+w{S|&vj415g12b3zn@@+5$sDEq2*8`G+OJE zj6>Qi^eCJ_5{vjSEz;)^OP+_``uNHtDuuQGw187q`~WjH;8~V6N3L)FnFu_=4_?w1 zNj%s~sOX1<8gv&{t`}Z0(Txqf8Drro+@|TzjQaeIzKh}t*``#Ph zna;G3jC_*2#UY7X5VLTx5Amj4OznuD_dH5v!XS_dGX^b${J=}bsH|_mU3fi(#T#%B zI1im*I^bHkkt!KpdB$(L3kk zBwPYTZ$lcs2M)+!{=L5gNQZWOi22zWxPW1NYdSPBeFU1}ltV$r3jFsKn1iAJy8T{9 zBUZu=l6pB`t>^I1$oEU3n~>Co%BQPkxJKo>3&T|&%c1n>F#$RyK&SO}Xn=`@$6WqN z=hEo_pd=VghHhcLyTvMbw+cV_BtMT&LlIF7G}wgv`hb70La>%-M?YWb`26+jV=aP3 zHXhV+))vq(l!hGxXm)rX-7Hvx;F%cdju%9W#i>6Sk9=p))y>h+(Cw}{)JJ`%uX|3f zH?oKQe%~H5)`Intr6{5)%}{{gzp))v19fmB95lZHTDJ7j_bAe5Ay|Y!9Ok$1C;fhrZu zSCn!Z;#i700Xcx2LHFXKOVXXLVd8)}W3nRp1d2VuEY5yJ-oj+yIt$EC8K-Sp;kIE# zD4l)O{a+WTp~Vmop9@~c6M8ypd8X#^Nxnk*Q}Xvb4285NUdtiiKf+h@jT~p>ssO(Nx$y#y^rBd$x+WWeB?|y6=%H-6lMns_?IARf>*u%RS_Nqc zF?lDlmTT){nm;K_{c1_$^(H}ZG>PUR5yA(hu)%sUhDrf}aymuGxr)vNcrN&)S}7zf zDWrn5m!j*Wmtn(lei0W#>F?x)y~C!Lj*S0KGVmSD#kC~4=$bUtdGxs;>2?K@Zts!wts&{jt)Z`-D1xE)t`_ z?uy;8&hLKrNdHX&Nvb(!Y)9*)_8YvKQtZ%U4lMC@ulUPa?G`r6nq$tDIDRwdgMR~i zznl7vb~LMJ@Rk8oxB-`pql}&ZcPs@aC~cgwDH%3t@BLoRJV_iOEq|7iR|=i-8?SRb zBcS6facQ3V^V`+kQKrbT_M0;e-WBgTx**V8G+i5}B$C75QWl9+EY(>MG|(maqO zWQ>$>+>v&Wgxs_MzoDu2W(>*6+%nEDUcHQjtG!d;&oBN8SB%WvuAS6Pvw#Vqx5;G` zfu>TpNq7*86pIg~rtBIS7rVyKO6W{sdc=JI%t7GU%W$m1+L4`8qMCY<^|-_BOx zvj~US*@Wcp|8WWKlwUV?kQGN(QIx`Giyia|XZbAq&o3HpiK2}*ejb$-u@JT-Dcsmc z`#%_Lp;PEZ-^mdHG-q+A5v5Ax_l@s(f5EGDPm&n9BO$o&SX;!Z$Mg5mkAU|!348qi$O8i2Yx^{9qR6` 
z#ReUfbdA9L;_g)7RgVMBev8EE$;7G)r8?DZf}WqovP7C%gwaZ$`Li+T zGPAD{<2NLY^FS$@h?A3(ZG*;1RnPNrKhn^t#vOz4R4kS%Mgiq9aRgKwJGa8cbnxp2 zkB~<-IyDny7B_Ky02mkRpbo#H?%nk@FnS%m{|7MJm3<_s3+Pooj!hH0zkciD(7~S$ z0LKQ8USl{I{bY8hTYk%;yiP{JGB}#N4iBZ|K~K_B>?z1|K~P|R*nxL8EyNHih@d#0 znchjhk*#;>)&CUTHC|p6eka=x#dpFLj8EnLaPoR;ch$-3rsB<@Uh4N2Z>>yLn#|3W z>7^k()zn!NNXcv{9$OK}BESPK`G@84hA^@)htXM)maelpWNU1&LWrc+StZbifc9fr zH!$}yKE1%?+e9?d?_+-1a+2P`)>=(O(lgEA5eto6WSxe6P%gR zm!z6}3dGqFkj!naCxz(uNDSZW(>~ z$5M4lc9HaZv`^&$#Pl7`Cf~uNL4t^2W)&NN&{B$f;;S|r0X4|EJL*Tie5~hQnQg1W%in?0)j(aDoFS=kM z^tYI};9M83SHvZ32BvU$%+yqK@0>X}Kf&iXpSWrUU_@f>c;vf0e13in+U$Xi$pe2h z@k2`PM)5~Ehw&%J4{2{YBwGyM2G6{zkJY}2_OF--hh*CiCbyU;>o?0^&4rrrn8HeQJB$|$_FUGb9qL-5p$ql|bhTxl%iRc9qGf!?<+_R((6b2Xt580VI zCuG!?53iPQ{9Aa8$cm0YZ?;^t!Yc*}Ub@he0uS+5e}mpeI#i)o@bcbG1?aP2`IxX{ z6e$V9f|!9M@}1lk2(QMI`4P~#T!n$>0OTq5GrG5keN4Z26O;LS%}SF*BDG%yyg=+L zgx4A$Woi@G8E~EfYy-Y|#q#JT#WS!AEzEf2Jf+g{9#L(Bd8wmax!|GD(Y}Y3cRHE- z;J=0bXYlIAgIRY5PK7?q#H{#Hmh6rw=^afsJK7;O6HHczJWn-qGRSd^S4e;mhQX0X zu0u%iC%go%FeL=Mj>(qQC5*^kaMpx(({O$(j8@X_@2Ngyyh)Bky^VWO9E?J_AebnZ zATl1pI8gOXv`z5qN&}yu5Sc-~KHwcGY70KUB8xgc6|x85z0!yt;$tyPpDT1aqeYsq zD}QyylS3S(-cVU1qQ+U2=uci|;+~7uF0GCEYn!QsPSSXc@1}D?SCu#4Z#@z8V1HFJ z$ONvlUv#E{WX-LG(REq|G?woc_SaBA?i| z6hAJ*HHy>~PrNBTEaEx$_IBytl2w!&J+Ghw_@Us@TSADe-w#|k#e_4qgcp8GFn=mx z*3wUrtIF7yUcrfW2}4@U9VwiA$!uNvh!J1=)yuu<4H7sy%if{JLT5 ztW>g!qA)&N*m_X75@gwbu4&#g7n{$hvatLq^ziDjlWLq?16C}mIP6sF@?0DaUb^k^ zw!(m<86gQ!aK-aHvbxdha@m*owd8y`jL6Ril0W3m0k{?iWHMjVZvrx+lEb6m66s() z_n>R%D?pS_`5oIj_8dLx>Is87&q4oNJeS`_`YPmiPwS=g9B)6I`Z} zzLDIy9LHT3gfdH6OIoRdaQ$vp+r# zzO88gWzFvK?W8aE`1T&(ZX>>}I;%9tw>PzJH^8!sn2MVi)W@>xwz-8l^|@f#!wM{W zxW}@$gJlyF#`(o-Ossiz=TE29x#TOqn>;IitfDA&&la>E7EbQ~wLnV0S@xe5Xicwu zK=^@pfAecIh&NT{stN?p0L%awF+%u5ayCfRiNF^GS_W8Su2XAak^mZD!Z^ibv<8Q8 zeisJ{z4k|ds{f2gX9vicz}uPgfXE0S&3=UDOmefx90BhTu>wTN0oI;`OTZAoX&rFx zg)^SO;fY}JV7W)!hIn`Lf{53oFG-OxF@ptb>SJ)HUkZ&cunOLYK0T#XC|K@zr}P2} 
z_G=O87R(fs#$df9_jVwZhi>)++n3&^LPN2V`{9@VB3$Bi##Lk$Aoi?2hu&cb3Eu8qn@ps{b5hH#{*j*jRQ~j9M`gJXD}X)?CS#!Iyym1k=>`FK zOy2{|a-EZP=t9JPv$sLhJJGKXFq#?uz%&DY=wB}X7ym<{81|!EUh)_@;vdVf^~;>x&lsB>u`uXNkg^;u z%o8HQh9wZ8ydp)|uIHbbmj$Q>n>fz6nt&7~VVyKp04qs@BvU1;5-pJG>0}KnOx6&8 zx05vd2zh`NE;RosyqA|*FJO@-X{;{R^bAnmW>Wr#>iG#q>h{)O(&I%)jI}?)9N2_Y&&_OJUG5;Cr)Y&z%z}XXXfQk!CO%lP`81aBf;0u(o|kCCi*N}omtEx$bHIrBE@dexs02Q$ zA5unIS~p{5X%fgU{uF%MK1+bFIKu@)yAC8}3Jkn4LdM=_VKP>muS(LY__DQ-oa(I7 z7?RtbiK_uNSHxZ1#IQa#SGUbAOs>xbn;TVNbE7>rw?%C3B7L`H?vAdn8K%ohBC9A0 z;IoD4Muk&;mi^}%TS^eRGXL~;Bn3C4q`+R>Zu&tDwF7ikJG z;`H(WvIqrc3updt7-=z(1yr2F=R8zz2biM)vw&REfFpr8lC>DAkilyqkt-H&#iAS& zoRVBijtC;XER1vlb-{@q@#1^smO;KxV`@o*3jhoBnListuTb=nl!WiXbMwUbdw|2D zGiMk21nZLpK81wy-dgLnG`Fc9dRuaVGI2Vah{1@+bp;N5=M>;4|x=a6K(HDRxE`{yNWxm{TR z-2Up@uM}H;z5$hA+}*_zt*k;FI`vIC%9hyY8D5#Sw1JiBX|deVhFGqIfsL`;dM3EX z!EzN%psd+FmYej&9?RWhxoyO9RcDoLV!3Z>m@*pxxJ4|*O^oUTxOLmy!i@S{09@0k zKyXcC58-YP!hH>{GR~C70^s!+4w$6Cphw=l1w7zuM{#rF$ZDpf@Y&+HgnRjXpX-2U zh2#oX=}g1$1BEyv8uJvarzFY}gDjmDG2qfW9^=qRs#MG}j*sa@H+La|w#g+m^gbG< zajYtIF4|kcWQ<4;*1ddHp2(}BV z3wCCuD8*F2@y?ZW51o=W1}{%fwI6+?oL*)b1{&xPx%`KI<_#uuh_oZL&r@Fh^yVj) zm^Z@gx$CL31aKq@SyE7+qVOa!=zI+@`$L?@mt4g}?gS;_Y5yFqNp}Yz_GCa&6M3L3 zU>Vwfx_b4ChLV#2%lG&98C=;5@8{Fd@nG7cSI#=o;@5wgcxSzS&m55ty`ugHyd*&F zFpqXL7eLt$`#>$glq|t5{>JVgX+l|W8ur@F zlJ?pevDGhO(m+$g5zUMI%NnunZ}8e(5FjKYTzkpSkBHzz-|)Q4&{glQXb2Cli_MRJtD)|52NXL|6_rf~hoJ_F$s z&XYTXtG|lf#6EXD|Mq$=L{OqG{4|*X-UAaC=xA!HfjJU&6;OyZ;`(If(7-u^+?P$G z(!q%oP|qNA*97}qz?1;?KfI!hc%krs@6s!)<8bB_CL6~VGioSgTrzxdM9PM}i~+o_ z=D;^5H--fT^YJE&m9XGoT4Y>_Sf>#MPhU9$-D4ljBP6Fg6;dnpppZMpAh*r zfv%iM!+!{8Y_|>I@NdrIU}^r0wEvRjBAAlz&`*&Gnk~DmZN8GR)%ggsV&jzp9&pGq zUDH(A_p$RBF8!JhqED#-4~Kj7oQ7oqKSLFOs)+XTwb&t9I#J-y&o2_PMSXrbSw^cX zAC{LhO_nkGCntF=NgOSvi_S)p$G19XV#ej6=*b1tV!tOL>dBMbW#r7*uYA$7Q1!8H zeBNd-_RqdISxW;g_VL(X_?^$K4_Y=yqpu}sS(rt>M11+HyB~Siu=f`oyZo3}Ez7J1 zg_kTBniHrA6Slpq&!B$Xf16#yyd&GuZcInpw;Wy1FWH01JX$&61644zz!_%SB-}xf zc&Euny=ZLrH#|R)i$>0jjt1nXb{> 
z)!6%Lw9!{XeP(H%47)LG)4)-qke|4XEL$qB8ueS<%B1>i+%?Q9cMWszuCWz&jqjIW zX4l}D0lVOHaJRHNH%@-#4jX2H(us2Td>uB-;yFLt0nf@|gK7lc zSBnQ$yajZ%d|-&*Ef^jn8laAcX#l(zP80zp0E%OdYJmL4s9btLl#Aa3jWx+7q~wlJ zQaxPWI`hfjXxKct5feXgb@hrWRsIkHn0orY2so*dmZ{33Zcq;b@Eo}1V8;pI4uo_B z-a`!8$6wT3EN_KUL z2A?|6J%$ef82P^vAA&E{dEoI-dda|NAMInUHwN;u<`pz7JTZ`GZVKedc-S1st7&?9 zBp^@K{KXpH19?eb?18*Jkk?8ePkCl(4CFPk^fkfo%u2M)Y=Gg_Zgng3>9fJ`tSSu8 z+GBXz!|;ffy}E>Yf|FIHz2PwUwZc&=%(fo}K#iw@vY1cO6oS@;=W zqsmtyC%)>k+wW;ad$iXt&_sF%12e_JL6D3DZZ0t6ZyI((EDYqEM)Zv-U=};%X3C<@ zp(m+!3kDPLKSitXJ^6SI(2TK>UP_&q@T~x5X}W3uAjDYz-vRgng*e(c;1WP=-4V6Y6_6*bN#s9R~(}7{w-Q=J4^#KW05Kv>kn;TmFkk_?mx~!!6QTtFoBF|u#qn}M7H10j zq~?6VE3u(^bp-<=f?OxKY=G>~Z?7Hz5}pCqOK1XU$dnt?$GH~i?Zot6;zUxicNSwe zlSd4IlazI`35fH_$FXGUGZ|R#1n+&tZ@r+iZDBbV-V4pEBb2fUrX01D)rj?|49ApJ zB*Pcicy&c_Oj*ff6yxITQE?sCYjFkqT|$f)W1or)W=~1gY(+)25Fl0MX*ljc5_$qO z#ShX!z~cSW@pwP+-P5Xwr+J|Scor1f1D;=2mh0Vy74K2OxGVOkV5um5MX|eNE!lkl z?;b?mdNgF#?u8bgCk9ciO+i!{51WIiHEm*#1fr_iC0WCJ5H;zGJ&3voQCkV3D$gt% zf~YktzfAyCs}kz88UU!ZTiwcB`fLEyZWVyq-2;#Zx zhL65-V6|JIbfO$SUtqOcJk@7A;91{4OjGX?;2{P^N%Ws^XDUFVV9}=~Jxreiha3L{ zEchQm#U_}YN1M!MzK6H>O&>6K$qLHje>_%XA$uGq-$!)_dI#Wnh zNfQG^>v7BhN&iE_EdBY%$ucDOwW?g-OEm11I=JicJ-esDdhS7&&sPAZo<>aGbcQ+L zCBN|{!Jbaf?C?5KTqUd*rX!8bN61t%BXNHz;kJrsE1)mA`}hq=G)AwUX_eRT;_VsY z{ksBy#4vUd%DHnQOqR+o*#!vdc7kI_uPP=tMMHbZ4ZGRrk9&_U+O;LX5-l&9!80x7 zFXd!+ateQTbUki7MiuwDVv%Myxw0rZULU7I+>??41W~#^0H**^sM1iPM*}`-uN)Tu z+2)<_C0gT#4a)DeQ5tAmlIh-`O<4b=KP`?bd?WU0DEcTtYW@zv%ae2<;@O$@cjQwi zNjoB5liWv&Ld6^y3NBH=P%#Ff+1ZCpcij%@jYy=?!qZ93Wn6)L{MvTHr?N_ zy73LGe9itLg2Mvcux&FY%@_>7mYB3;Mr&PUT4whA8nejO98AfI(YjGBT9jH6ekcV) z)?m4qF=rt8u};e|CgHUpEiIFCR)_wQ(3_)n9~rqZsF$_5pta$NLA~y#pq`9}%|X4I z_LxTk^;B(Qtl>SVm-NLR)Z2r4tpxRyXO`xmUSktq6LhaziNkdppnJ7j-O8l;Y|uTs z3f;5!=-zhFy$4Lp2wt)X=mAcEo&A*qd3J$*i6ZxWfjql-de3&ia|QC8BzGsQK2$@{ zh|dF7IHa}&+K-}R#L)5w1whf>-T^X{RHF(;!(TLdsHQhl#+RZ3(uWzmLBpIZ6=O<; z&>XIX7%n%*d-3R9rZ40)lI9RXjG(_FgjTepBD%ncZyr+w5C{QWGWzCvULOb)dP}F2 
zoZ_XdC=gAWTl$M|xr+2z2q*Fo4d3_$*I%r3Oo6TgxU!{Ymz?joVVy)Z>23%Db3HHV zHv{i@bdj4S^-pfth*+lX=;VKYuxqNR0 zSzU3nJLZr578&>%!M_K315NUlstH1#^h(6+rJ-Xd!fSu?SazfAumY}IHi)2ih3^q! zWC73=|BaE$7w50z8%A-t%4_25a5`~e9wI;+0qkHd!?{^2EXuGYXj?=&JJ4MioyFeJ z9~AJT?D5wbYDL6M3<@N;6T2=rl{zyH_e+(akAxJRVlW^tlzAt9dJDmej}%IX_g3EG zo~NuJo>P_&ua>l^$k?OCP-eb@0lBLsn%R=CA};z3{Eu9}2?8Kosg()(-YkP_OhFQw zOdoYjL&9CQ6i?pTGvoo`q-ZvbGXBjY&Ka7X+~W&l94?nWg`FGTboc)T+)zLyetvl_ zq-lWZ3WK;|3Wc@jARU@537b#E{RyCn#qV{Rb~JnhYnj>`ml^Bd~z8e zVX&z;b!33nRuTar5S8gr=kdfMEeN?p-vt4(>5i5r1$g2p+RsU{cN#hg4X~vhoTr4? z`Ge!6Bu&PeDp`@Dl~!MGJDc(LVtaoI@8xCI3pjKUtJuYw8gt@W{ zO}x&;pTgelv&8v;1Nm3XPWl?g1cpCXc)`WMEFn#A+0)Q zI_M>c-Eh?lA#ng3v?OU?q%|1`$43r6Epwx@rywBEqfQVq9umSxOk{u{y%0W{%3Yco zBI$;_dNZ;xz?6@_3pZvF-5PDrM60zTe zlynwIzFrS16>niSfUFor%fb~oa=CsbXX-X|SAJfIlTO;Zk(DID@jhM@C@mNKL=w%o z9TyZ~Wq^J{wC~;=1UtK1ukcow>hR#!>J~L(eDXybUGJv1Yj+#XlzO?*yadM~={Kp# zS(8V!+3BYD)bKZWMQ70CF|=AH){^Rq;`Yer zWeDD?8mN<%b-dMl>!SXjYyRW*gW@}+ z$*RUqcl04YF>0merz2uU9JN>N6+%UZ^~PCVpQb2JaO-*4?JoatwzT})dh=D-?Cdw+ z{Ql?5&rSW$t#STrZG2t{* zdvvQpjE`z>oR=LMPGMvzYM?5#QiPmX4r=Tr&dmgy(eSN=!k=XFv~%k^N|uwX`%Pu| zrZR6E!oQ*ijgIEhH^pe5n`P%mhaM%D-2t8WKHO4LiguuhuiPP7NR|1THv=^|U-f>V zy7AR)39cs3!>+(A=JHv(Q92asVS2Dvs3V>ggotmVxAvWux!2^+|3f`M1#&92Rzy|V z7O!uvVoxGdvhXA_Pa>O35?O7{GBJs4 zYE*I(>e%*3lGpYG)UmN^or!K;80y&0DC*dbr;g2tI+kWx69WrEgNza&V)kdpy{j;Z z|KPd7w6bT;BHO80cKS?QTo&0*weq(Guuv>AeHDn*7-DC_hQvW_wB;jX-URsqqJ4^_ z)Jp*arZ+c(B!pkHd!a{lb}ky{)D{{$02c%y15tRflGcn zTl$5b#50jB7RcA3AOI-9XZfGO#@W*EKv3aq*oB;Kt)SEC!$0 z;tR$naF;lYvrCGW_wZ!#3tF2y)v*m;?s}LCKR&j>*Ad&Ge8BMV)B?g&wyl7^lAjo! 
z+L;!fa`j<)cxp^L!Xv>`b!|DaVh>L#S$KHL!&7q!Pu12eQ@~RbTd^hqrgla`NIMe% zQ)AaU6Ro;1z|`(2U~1O`Q%?v?9m1fB+kC*fb!nOAn!V2*nAZ$mux(LP@)A8$$7b2)3W79S@u_ z>wGY3^XHj5ym&yw2YWVWg!kKV{CGgb)E+k0R_6n#wlQNt0TKHPmA=iM7!WbO^d|vC zTz!}x5E=99^^pLPx)uaku?IwyEIc6M0g<@`L~3i6Cjdkoc9uyXk=>Et#qI=<$k?^c zM6WIkB=T|;B=XWjB2Ng390?2VLE7zx7c$y^UQXn#f9`O}%Zf#*&(p<)OI}uQ3$_5< z3d6%Cj|7((JEmO5fw7L&?n<6Wmtr;Z3(uB_jh+SnPw-PO9o%MTOTv+aZ)x7LxG`f0 zWkf@z%9(*n&r!lzD2py~2V;;ewBCte)g3e?y(jk`^qt$zStXZ5s^*Ly61>bTIO#>X z(}e7Z5;3ZOTXhfOk10nZc1;fLeR-Mo+PKwy`0gxOTMPb811jalF>&$ETlKDD;uLN_ zB8xPI3vUT8t(z!B`}kMtQ!Loqxq}TSVW(b3?bT^swo&(G7v1#oBfYG$d!t?#ySm0< z#6>;vh#u9be`7@bS|@5Eb|L_x=I}Jq+v#~a1YK-g7z#ix7-w@US6p3~s~j)1YMqWB zt#YBA)$&oS9D#54szm8g#Xj#t9#!;V^gOD_KRz1Zkk2~p4C_%v$B#!9J*qe@s%RT> z$b|94sN&0MQAJlDrbiXWH1a$Ws#w?1CM))+qLPJ26+Nmrm#AWG&GH1O;`pY=NkGS! zBjLf96M&9m*E$omyD*^Rt5KliD-Sw8J?JQC!5(cKHdFJ}s87(vMH^pLZx^-z+?v9p zjZcX-iUmB+Fr(c)%a$kW4zam;^w z7{~m_hjA1EBTtsm-u3B&GLl!Vhx+)B*5aUkr3dk34q11Yn_R{T@+w(V|@g$xUuem#U}(7 zk0s9G-5G1oSh*mKiMp@=Blq6DUz7yk))*dOdpd+Rp~t&D?A%Z0@GX@ z?R(z0(fc-1Rz7^@w-3X9C^-gcuQGP1kC^IH$c;NU9w7r6pKj}?ALDX1F-X|cx*!-zit_UP=x)Y#*=7N5t#9&20OWW^qPRI>2cqsJcS5qqq! 
zS)KrUoWKk@0R~yw<)RL|=XEg1@oSxl-dz|BvNZ~WY%Sdt+r2J>2NwMh`bWQ!hskH-0UFR6X2Cyq1%w7pMGzc(QTm zwu43Z)bntoha35{?h`c1A0J9}$XA`FK71%u$B%~_eJIr_T^&ny9I{|MG2Gai7H)L) zVS2c6OdHQ5!Hsq8Y_ehxH!4|pxY5Ina|t)r)+|p6H$IN9V`X0zBG{S$XB@lMnJC)_Bof-+c0_1p@rw2oUt?~^L3|B#l-~_ zH>$S;TL23MC?4gk*evLTF&Y(wea@?u1^qODpa~wNU)ypev3nYp5->boMZwLW+mCOt zKK5zW8a{NZXUSpI2~i;E=b_3N(<>LvUyB!*?*-JjiF)2e9T;xWc;&2-b?Yu_ws}WQdk<^9=r-;3v*t|-<8n$)K)56;Y|_h`&Cy zOSae7w|9f4a1@k%rpDxQAQ&_%Zcxs;iwN*%A*PE5AeceezKN4K!-p4MTMN0|uPOei z-5|S>J}P^`=HJf}x)z4*H-qF7SC;!!8#U}Z;W@SP=UKwn)SVS&lm}{qk!JV0y**$m zEJ2Z)PcLw&CZNDxW+`Fux@>TBgVp{=6rA?MUjKbeFi(JT%k=9{Q9@^es0}pZb<)o7 zhM!7zHQ4)r8?hI(xi!m}x`!I5(Kt)AvN*zVg&(8yEGm}`L=`L4fe#Mwonb z#GmRu*y0DzlFw=~i9Ht;$ceRlwj?fb4#=eyRq|H~XWlnT?(ZLps~8hr)bv_<{78Eo zOa@{xWSzkue?085x1lONbH`HT1@VTwkf05CWt_C?AuScfJks)YId-YpSmB~m zittwLwetnt(}u5ZKL8pEHh z*cYmu+A8K-)g%|gMAMwthuHL&7R7Ze-_jpRTs~MOFc|08(u);fDMLOXUo@r;R$2OR zrccHvMsPN!MQ~hwm>$6y^P~Ea5S+S(4Oy{Aa5OaoTUNJZuIH;{eke=tb5%HWe15xU zJ8k(=u@)2Ety&9Hj#>~0X%96Ei^+%{$VU8N*b6Ei>c+`O!$K#XwQLQp?vDb<^*^<< z*JlS#l4B015*%4_l&P@p6@ZGoZ=)*m>3n-~K1w&|7s08mStdqsCb7dzg3oM>L{c^; zz-Pv;btdX`VepyFQTWWJ$7kXh;WIEQU7Unjc7X5Jk8;&Lb0}uBVu|UqZgHWQ&1&6l z3t&;9n6_9J1A;?tu{Q9^c5q1xghCM(2u-J#-f)CH$0vfaY5_eVLpob8gKnCB%!GGW zGROvDxBC!WV+@02aB~4WeA>xzpyIv7>#z#w_59WX^~q%*Dh=6bEZ-cz6mGK#>Fz5) zLBtvadT<${bu2J$B}8n)O)1Rw$%8PV3oQeP0Y>h$$K(ut48lcEbMdT-S8n5#N6B5- zjg{mY0R|L}ZNoBuOO{akp&jiZRGAFAT_yHraFYMpPSKhq?V}z{3~FfxX;5@Zbb_4m z*iVA$Y;EXu(q&q7dV3r6N1VSjp+#~NXQdA^$m#67WP^|3Sz_HdP zqR>5`DZEvjRFv1yshEKQ&s(TNLZ8;wg4Z-31D=l}D&;*z$HZL3RHO9=nFK(yFb{!X zq2^vh8k1+DoSU=^)vVKIjRR}L`vH{j(4Q?eB<{9(wiM*QZ>!5Fp*!FlLO)(chfyCZ zo)Mn*17<*cxvbv+40OtAq=uFFMQQQ4 zo>rYz?m}GF>Jp7SfYf!cN?cuK6+!ok-smkg%ZBZCEKa137U!Kg%|eaV z`Z{5vh22vxs_;!NrSMJ*VlA$tj0vGugR8Pi2hgmZDBWyqb7R#+D~ifXjSZ@l=W225 z_*7gK+ic$S;mEFlbDxqP-x~^%+^CIlCD>R~jgGmkuZjGcK2ZAop`%okDna0`5h_ZTZsGwoIz=&gDIc2R z`tj+?T%q9}3->`zJr@4VvG4;N|LODYQQ+`aYu&@)G+338taoh`bH&5q=8_wQ*EGhr 
zjn%ej!=4n9KC5ZcY7IAO6~?tM4TsytOETL%F&w@*EgbIZ!}M_Yn1;SSJ;Xu)0}`!p_Dka9vOs{Q`w75!L2vp16kcMozXZ#MC*Z{`Re4h z(E6MSqB$cUJV1V}jh2QI2po@G>CTp9g8_m6UEtd7=n}-oNJ?mc|H57+MiFQtFo@FQ zZTa}gb(*j{C*DthJ?ePV3kRI6tuVxkMioA74)eSLM|p=e@37X3FcW(3uS2)z9@fLv z72TIm7FN%?^AncmEgyI9fSl5@an|RJ^hy@qNbimGKHVArc%L;}Q$D88+L!k3`_Su- z;n{c4jqxx}J~*MaAIZD#!@FPHqH;ip9?zILo?(A+(zn(V;~87i;u)?!Opj-b`8E1T zct%}|fUMZ#8A=u&&+vH0T;dtEHOs_!#!$P>Bp}7sNH}3@0+3?tT4$m+7Y3x*9tBct zdyryAAce^0^k&eN1h=1hAqKkrKE>hqnPV2)6)R1je2a@&Y**`YTL24%Sy)-pl;a(l z*E?7z=OHhY^AP`o=^T{aXg0tj;02F2ewA-?z4yWjCm!bW%&J>-s+7H97Y=anmQ88Xk0VEmf z!5)5=;Gyt>Pbm@LA<&D_!m#&H$Xicf2jM3?Cc-^Y`6YIvu$NeliD=jD^%|ie&2D@X z_nT5;O(BIk5Rqf7rE(13r+N^~siC9&K|AhqT)YDE!CzODO6fG}k@uAFTRR}^x!uPby1EJaco`#Ox#B&U#LFBcru} z#!9CStDv5KN_*&SDYuy8(Q*Q^pep&8qdv^vv9gd!+2Nl)8o3&0yt?I8N9r{Fw(gTs zydjD1|0nDY2q7GjHf?q--xurZq*%Y1E8&~E`(+y~2K%VJDi??0z~gE;rr1%tew*dI z-M9S-wMoc|fY9yzD{BnnPG`CFL|YH{l~xuI3-S{J}kp5e_FK%4=-CuZ5h za&=lbS5ms-W;q$1dTyoE4pnrVmN?SnO`9c83|TLw6I8PofuI0@-onRqt;f!HN4Th~ zgoZxc4NKJd->MM}Yc@9Y!EBUfg(f_ycZD^zTM7{!p z$WbERcp2hrVFt5AM2pHR%2mbZ&(oV;a5{7>98Z9lIRU~pUz6eXi3t$f(-I(DeVCpA zF{Wwzkq8iV;RRW-CqO7!cmjkcK+GipqPAw4m;f;mDlrK$VtXWoVS55%#MrgYM4v7U zF=A&FF=EFPBW6O3c*DU|VX8_KP$9??c9Qn`VfUF+B6cd)m_F?mmlCm4t=(+_EO@d> z;isvG4;UHFI1iI5a!88Rv>F7I%~h)vkaJR0i*Md61w^6WwxTE(@r;j7D9|x|VoRS= zd@BdHz`$m1XVHbI zuLljrl`D~ukyIAs)_V}KiMQyLYz5+m1nDK#SWi{@;$Km88(^HM!MGeJFVwpUUlg;0 zomHt_R17^uGi$l(zHv@DyjPz|GjZP~r`C7Ouh|P)?K~VY2tYq#zTnz!eyxbYc`h5b z7i?GDq7C5`y~Vfd35sp3m&%m_scy(3arV;(EFsFt`P+K)RoMLF_dj2LZWh09)%d-& z@%e12UI=9_@`n(oOt{REQ!$WOLGd5bbJ^*?Y(Sh8sWiMwmvhOjaPU-pv;g^cAJo%! 
z08-|#XvI1DvFwDL`gSv|hL31jG0+uF=&#Oc@F_4TbS_3P#o<1nL9 z_&dKJhl9BDK*|w)f_hEVhLhWSGg=T5m?gC=^LzsZT{Wjp!J#HUzm3crbKujK3GpW=3^_D z+b>WogWCZAE5<+@LOvIel{DA|#qlAN%2W=Ie0JOktm(469Hz?fLAPRj%iz+)_UI1I z=~pxAvUQ~>WynC5Gp-4t{F6qukOxm!n!p1!PrHp@M7`Fdeo<~nTK za^iJu6LgD1r!y_sQXHP zlTIdfnj^G$DM0wJgahtSLcDsyl;#D#I4`_|=jfm+_eV|+cLkn7I1+>PH4~7=X zy$}_ZYrOai&<{7a5%BNSqLm;pRg9^+WY~L}r>63i;r5GBQN_e1JHmft7MdgzfM!pz zg6=Z`-4S&^*OjHUYo!jz$DL+N!w{lM#C~&^bCJy>kJiIn9D3v%OPZMK_>GP-Ds6o9*(4W{*vCi%M5N|Rb#Hj;XtMq9ZDTlnQOH*%f!sJv2ol_=lD5~Xg&vuPhdF-A!gKf8Bz3EeMaT#p8 z)mq*bz(O(Dn7wo#ce?@mxd~EIi2rdI9$1HoN1fgiaw&5RP&6FyzJesW4=#(vBZK;A zG;0p9FN3rct4-Rn1+Xu&83Zh`6n6hRf%^X|dQgip00%3*WM?gM=IY?ZWSgdh<3tn- z(hI;xzzVf+KuOV3Ua=Wjl`ko(E#4I0VXM8u+9nG*cZ7Y%x)3thb#|73g5wiNGp9($ zKzy$|jwe758_l60Lj-eb^`KJmmXWdl4D*LMYARehV+i6%w&)CP>)ha`$RsOwAo!mfT}sc zF|DqRYb@!ORdsYQi}iNh=$YW$0{;@TXpJ< zZ{#%XRer)6hsns-|%R5J7coJOzh{ zv1y!hBp=E-k5_RJpL06DEDwo6%oAbF+4>_9;pYFUJ%6&W`_WLT*3F8{9G)@G?Jp| zDENC@;@>!`<@C4Oz+@q8|f^|4% ze4}ynTce&%bGK6u4K+?gsOkoeEaeCiWsoV1dE77;MV+us`u5Xs4T*kHi`S$DW-6)P z{1Oo_lvZq56P^DqZt&D@n9B`(ptRSE@O8l7kswuIv!!GGG%1^0U98DvsCqPKGkl2v zQ9t8z%2Nk?cqktpY8-5~IyR0InB{*fFZ<_P%e&YU!|aW(Ytomt^+yudK{p+= zbr*lnQE(a$U#x&F@W>nm+m1{Y)FKD z0(O-EX}(I<_?ltwh+qq|Wo4whzSOnFM6U=;mm?c$LEuvdHCKjS*Lxrv@q=M!t$3&# zCm#*KN<3@XXeS9?rvIt Wj06D6DD&hYnN0|z+tDp?X`!;VtKAmq`&PVCy{Bjg( zYnI753QuVmpM>AAJCcd8I|098>{@4{hZlz5@NyKt;icy{%!J?Y(*PDMNoCIPX%e;L zWPktgr(Qa^&5j9zqomXCucPB6%1HW*2Rw7e!^?^ls87npWjwsB-ZN|gEEMB`mr9VY z6%KAAHZd8i=eTzjCh;F)Cll6U<`v*2gkc9HRbngj!|Y=g#H&$m9|tSo69!E9?#VM! 
z5cMxtDHg7gItdnk5j2R|7FXOLGUe;7!5bZ4I$}WwDTC^LENO0XibWk{`Ko5L_ckTx z)G+A9*+;7D3QJTYNvK>$Fb{A%A&OI93nCZtlN5_g$!@GRP7Q;vtp&$F{`2+0dwOHq z383uq7aQb<3kpzi7hkc}MsX@d^nR5xh?c9Ajp`F5Y!N?-xQ?}*e1fo1QSH8K+*6hyu21}iTvczApt|V=lE}DOTW+?SP>s^ z;BWDgcgG)2Gy$|YZOM=V8-N1Ie{m#xfP#j+zy<;_++5K3Vd_x3U;*IEf(lezbzocs zIf=A6>^Q3tKPCd^f@w34xLZhmG7^QW2Gjs@VxE0SurJZ>Bch5FVX^R8#8I9)G0}$v zB`8w_Cy0`WCn#9NcM7$&E+W^6(t4T}5FwzIADF`N;q?9S+u-o{?f%iP!LR#oU;meg z)$(7j|G)S6b>&gH5;S@awDyR46}36&Iz_pNZ}aklhAA*fc3T*c{&awx=FsZ7SiTZh*(Hu$GQPosNRyxtF_j+aX|{Q5e?z0$`f9e~$jk9wUFQ z7`cAN_O9skab44-(i(13DU3T`8s@c)XJj^dVwm^kv@ox$57WcEV;a^T3FfV9+>{l2 zm{-Zd!@M5molBUvwq}_a=AF55cM>S~tBS>@&%eb*ZC_Py0k!}Z3bkbfmF=sXcY?#f8!10!L~4L~ z7ZHJ~GWFN;A;3GJfA|$oU=^*sOS{pEmVlJ;(05VT4rt{C%i7ut_=}o-Q|aC+m0A(b zw1bO`Ey8_RN2*Hl+VidK^u{_3%d{Pk#RM5lN zQpAAxDiMGkA>D$AcAG;`z*2;N=QHwqwu7Fag&Y8(*9#xcyHRr0zg`}Rx~&A?2kZPC zL%7MH+a2Z=T|&-i$=8DS%JAT19?|7pw5CJ%P<&BzV_aylP(!LwydGCiFY$;2XRL5T zcfA1!n7+;@1Sa(=wAEMW5&=gRfBqX=9NN9IFwVn9Sn|<}-AdEoj&5Gg98R z!M*eI*AMI(+mDBI7ZB35Eo)>`dSXcT)wGbVs}Ivdx?@`19tqN|Yx$HFdq`Kw!b7?q z(w$34x3*@P7}A~87(5Ab`)VY{`f38?cI;YbqEZ(Hx!qhJf!uDcd*pUT$Su|p`37=W zUM#EgSxz3J+VM zA8{)W3Eq8Z4w8=vxmOCmP0boD*GirWT!g~bVO@q&FW9v+czcME4QM$AVm$_OK?ckD z61hTkg9}~}H|;FC6w#(HdgP$Fmg31~$WJ!=;>nfOGjga0G}#FWLDXK2B?So;smjYQ zmsJFpAW&VQ11W}pOs~PkfHEgzQh;145SJ&ciDvCb4u>qO-8QskyV-&LMbN~$f zA_{u=ifaTB)5K5}kZ|D*%j2sZLNei1OHtN2{4QCaCwXc$I2l~vHjA(qL$o>CFT?tB zq;=`NNsia|Q5T~hee-pOE=q#cfC9wW_HH z;!o9f`)~28DsONzwe$Buc$F?2QWD96tZtF=Sns&BLj;!3hi4C zI==E7$Sk=&?1lHMVqc|&Adfq&7I`}t|81U?F8`j=L zQ9IL2pS;np{>xVXtC!gwrnT6HmW9gR!=6)EGgtU5)Cb<(A0Xx+O77xb%7mkDjF~8>D<$B1rf^?g)js0IOk7a`>Gc;D;ppW>4lj>C#h1T!k)p{5%tBGO`Og;LIiTz&Q5!=M z(ekHw^5wYlr8>VMoekYotQs^{4Z%I+i>JWS;+-#uJM#Eu9PhBv=PW*2@aU6>k#ZM@ zDnm_^k4)nC_5i1`xEli$$HG?!58h6R0C;&BlHlkVp{XTJXa(;@)A5q3A(y%mkI0q2 zhYc40rk&+}+D-34x6lL#6uh*XHG&uXuLzx?iBGHad$lpzubz+a@kWcZ;1!ca_;{?? 
z`(Kcj#FEjuNp4D#TECK1Vv#QFbtSKe*(Lwb#K8OxBRsx2XXM`+b41haCH{%FFdU4L zf@y@#6ApuL}L4+ABkUsA6^S2EAdiR|V6#;)!9LZF4Xu zT41GVH|IR)(%fYU?wbkc>hqKHpEA#y>n+9vRT|@?isyTdqaAXiC>|{7f4p}X!*S;O zn7#eLZq}qrI-h$i!sOOy#-z^|Lm#F-UrYtFQKh3C8nx&U z=1wfD*LVC)HdAKhwmUS0xVOFTS(o_nDQCV4)}^`C`D`=8WMv*2e5x76H(5-=YKcxj zK>E`XRyPgi*93%BXCI~}td2`Hcx;_hbfgW?tz+AhWMbR4t%+^hw(VqM+qP}nww+9J z`uqR0*10(s-50(3s@Ljzt9Ctm7w&+iO-ESO8mejv4UfSxs_JP%ou*!+jEs8ruLJ`S z2rHA~ zTA)^tyRKzPk4ihBn=W6Vbh10&>z=5>h&BtvN&R)O43O zxAvh3wpPq2@@mFhYUr83xvq!iMr7W}*~YIPq10Wh=o0#tG%wfPN8{I+>1%FjGU8Vs z+NeDT3GbXfcG7@aHWxdtg`CnWUag57M8`2YnVhCmNw2R%VbYP@k%)h3RvoA5LwD4~ z*PP)^FQk>xwEJBCi%z9E>)`|j2J$kzR*?nE#EP>QL@fXwkQcxME-}mV zW=dZGc)$m+C1%KYF6iwl)k6-;oV$(!<4qBr( zc{F5|Xbyf}DS2&qQf~Pp4ZdI%Xf}W4Pm9!?8Dty}KVX~0G{9;UPk=(3Ko9|vQcCo? zvxkve4zfLKMDOeV?~u=h8g>Y4e(1JnYaPGv@{Ufh`v92@2S&%RAN zhJz2Gho?&ydtuL=crxc}k?2HQ;x_-#mAG?vkPt;;mCpIAf{C1zNfP|c#*_FB;yVe! z&OYbpCj$JjbSZ6#`$jMcu>K4CeG#!?qacn$) zd;;Dy*{UkSv<-i1AI@y09+!CqGq$Z@@(go>5hy{CMuw8g-}IC;fF;mQgKR-AyyV1X z9N|YIG}Fz18_!rA*N!rldvZfGBgqW6&3{dpK&46=PHys4Wl5HEtwx~m&CK(j@5b$~ zegcB+t{6M!8dS}pRy5FQdh|xJjPl6=%2Z6D%*vx?)p+P~Qz9H1ngspv`W++JY{7Sf zxrmjIj}GFS8LOyY-jdX(M&a^DlB(O)snmk#W!iL<=e;)e2TpSE)x_UYB4Y?Tsopf# zFdlL|95z%bCl`7(l#2wOX!-K1@NsRWkN3`LZ_h0^m=gDvr_feH^NB-|xs{_@>XRhR zp{754x#&?HEVAX(8ou9_U|}2=du@4iM==U&v5DL?4OkR>&X^rhvWZNPn)D4ji^1p# z$>BMxbqCO+%52ych@~s)UUcf+^SLxGOTI5>L+gs1TG_8l&I`ve5&H|}&RFhgc3EZ1 znrJ^d%RtSj8Y|b!VL5B4P7{m>AyFUPSl`{cS)MQ#ow%6Z;DTzE6VK$-Jl?(#fYr7^iIH$@887^!BUC zn%_D~KH5Q(4DYVXAG_h<92N5~ioTZJxb6E;vVV*PB``p&kcY-vZ1|K&_U~A6(Woy4 z1MEno{7b>6NJ;YmLlckB0Tl5UN!ibcgtxB|$dccGy(||d#Pcq0$cLThlAmhX&$*2| zsLWAClIu7d?9-2PAAWTmndf*VxVs3JcK=y=9VS{0>Gc!d%cJlw{LnlYsd@@~UxGeb zA|##aBRIIaQP%imFPoFQ$%0PD$}Y zQ?M7}D6b+5CK-A65%j{*mGITsG~e!t^7v@jIFE)%1>$xBv&IO`_#bl&(6cI`uJ_=< z7zJQK6l9~<*~LRWXi}HnOscSr(U}=oVQ1w`Crz6S0*<6^yV?i ziECckH)!Kx!(&gEWny;o1tk{OBNaMI{$#w=cjBQTB;-2fO&PIpprF^!=%ooS$a z`WZ=*wytHZ!rI(Z&^wBo4&r3?;Q3X4@>xt%=u>(bsG&QW>2^g_!)*o;HtfSWH0(YJk0tmDT!TIBy_2O&u13@Aw~v1U8n1tV?k_{_ 
zxKCzZy#y!cE?DUGj0FXGz(xW}7(gZGVAs#E{UOKdqsj8v!A1VSkP&f2h~rNhZJw&1 zFN|Mv2HwP_7@MS;+f^Pr6-{w&XfYn=6n8dRhn9jGT@c5HgDNrR@=A{k+yRF&9MN8bp%ksM{M%7Upc|BhAKeQ!G!iGvBuy~GRo`-W@ILi>w{b1-n#OS6bxwU2MJHWVt z;AL`m!@tPyeD4fdnxKtm$f2~L>*7KcKdqS%s)r>JDJmsk_6{pSKQ3vTsf8h|!|k?6 zjErcX6;)~wj&Pt(>2?eCTC?*I{Y4(;Wb^bRHWiE$&2_{PB-%D7c=)1lBcnsdJh~|} zJR7M%{Cu1_oq1anoOx8s6)4M+m}r!9XQX(H`e-bSzaBKA&GhYZS*C;F^=;^r!A=gFeC&=8kRWhr!pcxH0SGHZ1wR9$RyhpIwE{E?+YuZp*U-~Z$>o2z zRAGWD*tg+Oq+BUb5_sRmf*e*`z4MW{T>s*zva3;{7MhIkp9gg5 zy*X~h##MeaEv*$r@QWXU^hM4b-gRV|hW<*g5e|uoPEN-ZE7}f8SO#C3up0F$^K#L# z7TC%J>flfLBCjD2?;l0I_3!q{%;i#&8hSOVwDJWs$AJv{fPK`4q1^jTfZFLj5H6QO zeArx4um8@)I@`^_ICBFu$a#J;lUKyR|6HmM0m$zYwT64%F6cie=%>{cnk3MF%mYAV z{ok!(1y5S2`al1n=;)mcYdC{_!=fyt9Fpxn=Db5_h7y*lO^%p@n=iXK;i>C zC|$$qC{0B1?J?~AD3e-X^rqE3`}01f)F2loGTKq z(5ces{Mqz6oxL}9b^aXs>)P8?TD4|3s-3z)_D|w~>+89RE&4>+d&q8Io2&_`fG@^o zSRBtM_at9qfuvP72Su3kAkI`=SbMMqP08RF$q82JBOZy)KPkE@xi~wHM3nCLS$@`g z-*0Qb{<+b`T)$K~v0VPnQF=R-``?wiES+!jbDi_Fgj9$c#VX)4YA`# z4tsyOy*FPt8)SGH5xRJ35v~BJAje&LOQ-liz~zQK02PE(ZMfs88x1%`fvf?bf+GQ= zt@m<)Z?=GATCL;)-lKrs@PxAg(r&h5_-(AXw^_*BfVcM+cQefqmHHZUn6Dd^Y9=2r zCg#U>x#|Nz7DxQ(j_cg^=PwI!WA`v(CXPV)1gV$0Mdh7#>C7HS+@3VNzYB9hxq{u5 z*w^2NJu-xiTvjc*F-^WDd{cYM!^jg*>a6?Mihsw5Yl7DPwa(#)OQ z1WB?pIL|9_t7fftv%qf%Z6vmM^T3fO4sOR4W#}0PNeDn>*;6bTKj`@~T!)-EBWFs} zxK7rP82rA`-W^$}tw$KuW`cEq{{o@}r2Ud1=W-*|cK?t*5!-J2eJyFMoX?nZ+O9PwL{lqCnhtO<)o$GqmB55VXFhgP8&#|6=bdM zmEErO!{(-jfc0p=ZWH&gHPA?I&T!2^ugOx$p>aH*Q7&@9vCI^h- zkM{7gE?dVuL*;zMDiqce!|r})q@~B`muh(RSo{3uV8eTv-kY3rm^&7QM3OK@zTR{u zJ`;_-N1ETNt<|Gu>Re5kMV2fmWOiNX#Cu)<~=~z1g-PI(+uQ_UGfjLH5!>{I4GNu@AdN*Ow_yv`%zsnOv8s z$^5ly)%O;ll4Aw^k7;@@A>$PEtq4QdME5j(5a&7_=xa#|1a1c;?0n9YLksAl6Jvp- z^gagz5pBbr>z#1y!k3D^?LzrFf7kIlDcR)e!cZw9;T>f|hw!sdLF63;71gVZ$)*)G z5ZzP7PaQN@yS}bGMLUJaC9CtXJ`4QXK^51x*Z-A1i!apCKE0?=-=leRj&8zjuZ$5NSPgA@-#8 zN1mVydU}2J>7c<7E&K7y(nnLicp(hUBVUjuNvE`Q+iFk|>}9r4KfX6@!EmKeFy8Ut z&i)Ao>h*iR*st4XSgovaU<(O2H=WsuheIj#L>j~uTMiz(6KJSvY9a)7yM8*7=quZTQA-^ 
zGO`@a_1D=5J4>nBkRG<5pw$50E;D3z@Pn6TA9Er26xe=?(Jlw0P5zYF;68dfYws|y z{w$a+%I-FpOISSiZ7W4x5}J76F#8 zq{F5p><%(P6F2dL(oWR8hX4K;*&PgJSCfimSJH74GYBcHRkn7-d6?H%dt5U9X#Gsz z{Nm)s;O;jP*OQSZrL#lBqLzB9)II>dJ8%huk3?g9SgQ)@7x;}54O+yRO8|;efjtfO zIh8a13w`bRgJs{|tqFn*2&G6I?0}+p2@7WbA%y}CIl*b#q}qwU`At>MeJYJ_F(5uei(x@~y8kzCmBq@1`ayS2&HsH27-v#Zee3h=_LCW&T_zz%B$x)lGVIdzt z@$||NBURp@M}Ez#24jOt(#2*(6$C95q+t%D=w zj?;YD9|MWnb3;-k)VinhJ=9j`BE#; zf?ok=&l1$d_);%qz)p?IeI@O;TGSJ(ZzB5d)fNK}|NDVr<1D7VN$k67L^V{e`T@_N zt-ZtY;NS<9hVK=bG&x2DeKMz6S1u)q4n@ZK?bFD;(!42W*0e#*A$OdG7tooS$ z>lG6g=CK+U%^>M-{VsKd`@Hhci~4#(anl7j#qMq>>MT8WA*zlS+o$K>DYmop?7INZ zB^X>kCE+WQ@Q=!bwbx2$r04$}vUIv=B0g3=UDkBqmF@yvt|UU*Nt^^svMR0xOC5?NK=MX+ zETNnQj7zIDf9A1ztTopr>C7^*ry2vcM^RdO-fBlO6OfKX0^iSck5*eEx5~3`Ds6Yj8*d2$>{2gxh@qdT=F< z6kL?9M=0?A2j=F0r7u_wVFxZolRHG4;G#T&E9doV6n6#`!N{<%o}DqzLc4@wkhdO% z6Rtj-rp`0;cpbVY6R7P5E|IM$?P<`qC3Q63CeglaS>umO86}Ufy;gNkhXflJ9$E!S zd#RKYN(OPggC3FC1n3r^V{$v zzo$rusG?*jhPV{!?`5B|sC(Q%ly-xXE^#ALedj`D7h;OE4FyORhC7gJRh^?gAo%Ee z=icroxekUSn_{$jeMwY8-$h&6`-c53eFO261qIBA62#W*CI{IitmwV~h! z5 zLump;Q{P~ZhzVdOm~>+hzTe`V6yLHTDJ$p=kFseUhV&m@h+K`&Z5pc5DgHt3Q$D{m zjoW<_Nn-G?5sb#Ccho2+qHK&O#4rjbP_;%VRbFt(w&7RB$b9`T(oCrULs>c)0QVSl zKz^&mA4m1$`D8u&Vc;jgWoq$*AVHGiwj#yBXsYvxM3x@JBI*7eWAoNCm8&h|7a>I3 zJ!5}`Bzz1U8DYKtXfgW2c2#e^w&N(9n+I#z-qOo(X8ms{^)kkSb`?;I?Aq}jFAo!F zR$Y35Oon$HtBv<*S9ctF(^4-tGEBH8pVReLlh$h4#WXY6$?Ej}GrldI4*)(8U$15F z{^x1>V#S16_o>K_4vTPk{XghqPW!oMqhaxRlAVL>YUVQ4f3!0>KaDpL3?{EsFESoz2(vQNubqBjV{`O4l~|IF(^~1)t7kk7SXZ~L zqhSdoJxWDpy2#$hXwZ)g%%3f!%h>qeiussqe1i)GPdESbcR>Rr#-Fe`uxGitO8lL3 zKfe^}`NaZZ5NOiu*z)u_0q{|Krd=s4$TR(7dxjf~zX%QAOVZnOGxraa z`cR&n;HL#aCjY^q!72D6g78!H5;sJ8oeob6(qko5D*GyOTmOXsi;w+E~x@` zx8yTup7}GNCFICCO(HpNCIma0KAk|(^jr$X`W6M&? 
z+;-3=o9!1|pGH8%Egn3zWvRa2mxe1bl8u{ySi#x_dfm!*+Z2*&=_e1}VJ{8Y(E(Vq zJ@FSkKP2Y7bYNSm)`V{XHbc+Xxle7OTL8=K?y`4%Cray%k>9fW*3iLp`ee0)rDg`XhsJ}NQ}a4_ zo*aQm^FI?^wf`reX(2r%yso-Wx@;6*taghRAf|BKLipiRIRGo-0^W5Y7s8~_lcsCxq%)yET zuB8=-v(Tc+jR@?l%a8)1gDcHwr?z6H@n5_Nbu6x z{^8;FmdfW&fQ5CS9fVfbP;AoQ8;lYiwGa6vJ{tB1RkUr47_+8>4noIKp$jf)j|hft z0Is!8=E2-cT#_7~uj|`^|7=koXzXBE{JYxb;zCyD9zAk&jF{Bl&)Mr1d?%x;lK5nEBG}&i(I=YadK7 zAu_u>aR>aW`l8fUdx9pcInvMB4?*+B4^}&OoZn07vSw>*?~nW@h7ow-?S=2N2WiYoKN7nLM9N^{-VA8eqU zNm*98)=k`@9}HKhQ9b%10;TYXtG)ye9jQahrr~CdfKfG%_^HM*_%> zVZXw(BgrdpX=girxcs2w^x??KQ~r?f=kJnx-wYsYfi7wg1ZLc$`@gIOMwss8PT9ko zT8?TGpTeW>@BFsNlKRMevAIL>m&5IvvXl&Fi8Fg-v;P;lz*>~QLxNvCliQGb#G62c zRG{R7v53#yM9F$FyB6Dt2uV`Li?PZS7tR@`{;oEQFSH`f45e1Endc(A*dukaqD}|< z9BaxNJY#`|Z3@1POv`6yq}S6f+j!PR(Npy-#HU$SBsOOafX0*oT0*ZnXQP6N`BSv)9J;t|;nk?;cJV{fra60BvNLVDL z+6^2r1NY1^uW+d!JWbz34AWejt+Gj9m=wT}z2xgpoD?C?`NAM-v}F%h>B3$U1rG?| z62ryP2!7#_DQHO67x%Lo8^=r%=EMg%B9p)Pu6DRy#gLmz;JTheAxmBhP6*Pyh~2?v zXM8$Vz120dd-J>WwjCi>;f5^F?2qA|KiMp6yTe27{oB+!yakm>DT=G4kh~e0K<0?^ z%0uUuR&VCiC4a^DnZd+SpmW%k>>z0%%*OB7JtAZs3Ozi#gPMv7%^m9+qgMAwq8i#urlgAjX#W#?(}{gzQ$*E7sb z@^ehA#%)epJ*Zigx{}(NW!CI1>(H_+Xisx`GLq$Cj>uo+3*BoY$esW*CXVPOdX?)PD_6)TUa3-(pU#%qm&MQw5J+&H zKV$YDxMXVPw5Pr(2Br?DT-F5fn%ebfVqqT)SwcA=t38+Y_d>U;6o_>P=|Dvq^Prtz zCk5(ong$`;%^6h+xt=9f_V-;n!N<1+H z)<0(Pln(i)6%GdR`7~ri8>mCStKNa=!#J4cF>*9+z0zyUqccp=eZ{=4u&v+*VCZ=p zxA@!At>Ywk+mMU4glR|fdQ$VmKEXh-E&V~SVCoGWOdR|OMxdNxFVUdQvZ?W~<1yA*jQMFP}Ct3ck0u_OQ4NO0j6PLebmm3gg z#yRJZXRBB=#y*$BXXUKUZm45YwE3<&UeQXaT)7AkIZghfIo>YwijP{89ukF3>oVCb zg{nR{FOU;$0pgLb<>+Af=pBx-Pbv`6LQgSDHZ59=(}4C#a-H}_6D9K8WisD2<7T(B z=~ebCs;KfQ)~F{^&bRi0{YkEdD>yMfWXvk-IerfHwm=$ftkly+CEvNPiCQ8^os++$ z2jQ%AB~S^eNvyY36POh%AW^MB$MjyQQTHnnx+xc5dF;=7 z{c_5`!{sz-pA=D7Zr4Z~>(aIMA*V0NuWC(`-~yj8e$Z>XuXpYmZz~GFDcti!4=8gn zT%;;#6&!yZ+h-$^#S+v%`Qvg02-|ub@fUDmN;K8TV`RS{$M zcDxe#Dx{Z8xrX@$yUva`nDMLwl;X!5Ka7VRk6V#U!)j6^B8= znX{kSUo?I0Ikd;*uG&_WEuAeYm9S6e96@|-JIb}xO(uHt_b517SIBOoXpeeK$)W3x 
zj{-_vp@Xf)ihdf}7ELRw?_duhW=pV_GK{zQx^Uup=NWbme0xUr<2 z+bqRGvg^@iTP#9;=)F15R?CtP&AzU<<;ZrJ$%kr&gUx=}zDU3|1le+#Tb(7ACbC+N zU!M(~=6pLUGvWLr-nxt^H-?Dhf=-zNU@+yzMnpkzBBYg3GXM-GMdlAP&`~Gp4w4=z zTr*AgtjehskoL{GTo`3LEjnuV!BX8TynefW(w8 zr3xvO9n9Clop{#F4eVq6Up3{!4CQ-qMDw{SE{&TG=5xgkVaE!-dU|>znPQ6e{(Ne| z2L(xG5Dh-Q58<+5l`1Hfausu3LAsDzW z|2E0%AtGi7=ZZCDB-tT_%D4cCt)$gpOO)6^YjsA%F|0Bt1o|corw7HWgmrEupKvJ3 zqqdhGCSdX;77H}Xf1-Y?j1ev#0cmFub-s#AdXk}0t#3JT8-JG}?F*RW2CTh8VR)=- z+Fe6g_bB@hBAHbQm*-IwE5r$79GLV%DKug>fnOHj)^_Jh!PW_jc9OS=fTvF*qb|cO zH!Z;S(o2gN<}h)&DbnkzTKXd-SRJFqX6rQ>a-q_tAcPw=U4=K)9C!q7ad>NU6xiQm z2)BXA@D>BdE2h|8^^J2jeQ{ZwicWN4DGs4)^~U?GZ)S}McrlII$B=`q6{XOCW05H? zpc*{XX?Ixgi4sBoEmH9;X(J8#V`OPQAO5^H@~%yZWZa_`UY7tn5&OhLBhs)8VJ2Xz zBO+1*<>kz9{y#`bgk?yomNYdyn9Qg2snt?6nE<*BwgQ2l>s9b(bp~{6B|+n`;6aY~ z#PvJur58|r!mm$7qR$r1OFZ4e{)%)qzLh@jVeGpEA54xF|9>v>yUp@&NZnZ&1pnn{ z`kPPD|A>QxUufz9#u);@I0KXb8GeF7@ZUHS$I3uWy+A^-Fqz;!I|;2&^q+tktAmAh zzD$93o+6%L8blP~-P9ikda|A*e4>@^cA$mp^3bI^%NzAr`M)zwNV2Xu<67IN@0UJnS&)+C{A2=l#f530@$yLSkH@XyQ36 zMRP3dKMB(-VC_;i-#s)3Fn)NADe_qXZKebJ_YSe8F&S6Lv8N&SZ%Q>7_r1(H+#mXWPz&U9sD+5NC8GHMC8GIYJrdt1%!PH}UjSA>e1PTXQ-2|% zQv~1A3Ju_EsG5*u{n)xOBH+5R{;bgeVTt9UKp%edlDIDP+9i&43eGA#=^tO%`h>4H z2UmNP@LJPaTPkXLF8hi?M)ZTE5ds~}N?*4d^=Bdw25bA?d<2~NN&qEv$%g_RX2abd zFkgh!6cF6KyJ1|2X4*7`{SIU}3KFW#e{ph9>=KY_t0=5v5HiTua2?vekzDK7Ble0# z;jfq+W8%EkEjQ5x6DZ%PgrD8-zOijO&Wz?2kIDk$sJ^6y5aOo57g>#5o7nOy2k5nB#n(inO;aQ4z`_FNo0~!)jWSRxp$>9Htzzl{hE+W zwT#!)e~GuIlE;H39$Ob^Oxa2~`g_#e+cdSY=$Rct9f7EVL{x$KtCq#9E1$kkk*`Kl zbq&A393ayT(uBG}revPO<*ivQ-E=K+4rdg)YWno<`iyY97ETIZD(!BXx(U6>h&tzu34 zkwE??UOP!}iM=i>JyxKOtHq)ap;u=+-6#IAdS3KhYet9?*jVyV8fH(GKVr5!_*EQ2 z6OU+A6*)R}U+aFZ&Rpy6I>mXKVduB+>@QD=u*I+B=!{Lty>l#QM7%XDrn-y8h*JD{ z=3FR*6*Ez6u~qIa-|U$#V*Ln1%H7R03`hMNOva~=p#Uya^i+oB2ENv=>5wBo{lQH7 zVHN#xd^OqRKzT%g+%!-o#36mOPh~N}GwoOpF=h`5(giNEBc5GIhm#7om=Kf(KWpp* zF-D+EE;FKd*`&K80u=XJy2GqeMe;k?DC)p9t~CZrrx|~_!U z0o=3cs_S&EX(q9OEgmdnk^T0}q6B;IY+EPw2Tt#R+Nxn~%tnmc|G4%8k34bNW=GSW 
z3KQPtHSuXJO#%`+zV~v`7b=-8kX=vKaocNZt^k@qs@S zJRyd7lxWX@gbcJujbA_Hd&5?UyfA1SN#*O zWFe%LmDpkxr7qoOK1uE4~fIJ|ylmms(A2bN_dZa*DO?)uVK^|HP z*ep8D{ZF`XOyA68q`!QICT*4jZ3=%0XoIteY?7$B5l{bVLPrm3S+A~u) zeXi0ZkaftKm!du~`bIcx((!p%hA2%T(NJeDgef}4@8*zU2_`}?5P_rj12BX(rX}g0183U2OgfZ2|SmnDFPvu z_@ieUqVULkRh~trs4V%aqs~vhc*xS1<)tB~Inycbp~Bu0Xhp#+CP0Of18|J0ZdSl2 zA*E}C`gL-Wl7{&Wf#u5#V<%Sh_B~jjw<}GX9Z%}|4XpCa5zGCKG?)pmBT^T%Zcbc= zNhTT<2GdjmxM)kSA;-9Tv{&pX-bhN{PyXURlUI3B*R1}|y}(QV;8rzh*gCp+0v;K} zd7i=dI_C}eR6*1Y|GWUst5;9abf`3`Jc=nxAVL89`lIocNRU_X)OjWqN?A=KANH~{ z=pc_aO&%mOF8-C|Eu_yNA5uY5f(;zOQWIj=iI=ZD8BaO+`}M(06ihKDpU8jQ1z6m+ zww0{~5HEDJ{9go+?DHkYoz#bpDy8ihrX)qu5^%oslr$=ajFk2GJ@fI_#C$0eAQFcT zXT`9ev{0+GfNEr+@Fk3o)(-BvU4gCd<*h~1$DE>h*`A63@<@`?$zs&C4%-~F*?9Q11`uzHa6aa5uft20)^*hE{hU+lapjcVKa$5 z*QDK*@>bRGXP&HkjAbT)%Ur%IV$;TYRzzcZ*}umj!ha;4f4=mwsZoZBk6zx@M|OTd zJGTL53V}GW;qfneoq|@w;%xzrR3{(76+){}7FIBMb<>i9ydctkVVGPp)UEKT1cx5Q z?z4PB_8qxNIuuhq$9}xnFy`5@e=k!rYIc%*s+~v;D%?Lf?u@Gz>0wJeh9P1-S4b2a z1u4?5&P4Ds@HbfHC|53m`e-Gbn=Vy6m&ZOFi)zeK@mL>vto!zz!)B75 z1E@GVC=+7_@9HW%-=RpJ0mx!owNH{ga6k-5L2Yx-iy}b}8~C;Kq2Vm?akP82D2$T} z*XjKS9S7;CF+|w-g(KwuD3x3P6hi_JD1SD0aNODr$}9A|R&?Kz7-)k_o*?1Xp%Y6a$QsH2{WTe*(4U zdzJ^K20$@HK&zqZHzwIvY7%QGR71C^{710ZbTDjH#3*i6z|U4^5VlT`tJUOqzCSFO zZ5=38uvPpg5Q)af1-Tx^Nkfd-R#(w3*tx0iU}QrI0c?S?{3lnHfdIUFj=lg7&0l3? 
z<*+b`Aernv&~F$wFU!+~q=BA1C=-?d$@A)OlrEZ34^d@<5b8H`9v15vZuDl|eCBmR zy>pdX#!z8nFcGu1LR~f=0}+xz@_tU4exQmFT;Zhzka4ulR^~hoO?<{N%fWSGy@=f@ z5+f5ybmS&66Zl>)lPe->QFvaq_#O03Ky*3VT@cs`^owTftUw@0fufM`_2$tKEzCtV z;|SWYK#HLRac%Mloq;tm~td@VnzNh-XQ#jRw(-?}tAfQq%u81FbzgpP2j*STb|KUBYzL4sFe> z5g94AQ~0OK&hDq@!A%IBv2nn5i|#~OIPMbk_a|~vO~kq|DwW6Bpc8O2WU55KP86gl z=+OritG-T;%2(s0EV5to$}oTC7T?y9pQ|Xdo8Eo5&iu=D+QC8Sn;GnnbxrLe@0YM$ zA3yEx0@|-}u{~h7SY5R2nS5IEOE9 zK8xcz|Fp+CRV3HkWjFecNWO84f|O<=jNi!AeaQF`Z-m?Z?V=(=R?W`-M` z+}pDSL2OsUPVt4WqOqILF^N4cGYuRpg z{Xy0f{0&b+dow?(IB;}0{|7zWWbXQ;H6m{1HbK+_th(|3fFA2__R@mbUe_p(lG9Mh zX$^F&2K&fS-_!t)4LjS)vzO=T5N$T15+}R1H={U=S5iF1a@;iCp!NlfsJK@jfkT;+ z4GSOIt0--vHj8p=IeTEWh%up&Ql_A<%r-S>`&Z0F)kf{k=BHL1U!v-8t|#$y&#fZt zp-kCQ!vqPNSjfbZw8k^efopd^%=j@jvDx^(Q{7u9%g>SC#}!rYLY9wf>vZSa&wE|F z^y}nfn%!lVtRVVuH?kAQsvCCHbp8YUH$ihBY2Ssq{>G<{LH`4Vg{FB8Z)bK*D5n_v zrc+A|%c?TxA#KPWWwv_eWb&vm_zN8j7N}w3Bwl3b)j5yEdO+m0#T%co-EZf!V4#pN zh!KGtte{To<~8R#L2*5-FCWp{zI2(+!!yV~B@u}0@nsPnjZ2ui0wq|?UwU_c*t?-R z6JyjIUVvCP7>C$a7tD7f1=muSA2|v1G)~J@%rN4r};L-Jr;?K z-Se8J{y}1THqF;Eh`#e!I~z?x;ia5U8a;}WcW3i@NRN3%UU(ils*kZ4Hv)+4@_0C? 
zu-+sO>N-5C0QuhtApi56j2k&g;#C4hce1!?7}2a?#TLfI&t^v8!v7J53^79$TR0;X zTh4!(G#VsB6GOG3L;tdxK{R;f36njt8}WAT-`s%z!K<}AR5Q=XkU5G(pK$)oDpzoao#!~+M}_(v4*VW*U@G6 zJLfnbkt6|O%drk{_}cyR5{b*hRRt1Uj(oOFoM2J4*-=KaKa>^lYq(K_iC^soln zc_dC!fFh~srlEbr8Ta^Mwj2tQg>ph933O7#ivAy_&M`=oCRo$MGq!Epwv98kZQHhO z^NelVwrzW6=ev6&c7L?0>qkd)b=R9&nfdS?Yy>G0viDq&OqHIKPEVr@KFmDsdvD$t zl>978fwkBY5ds^n+|ew<$Tq1;Ec&GG7mARJ)RD$8s?S*3msqLEP>tckIilQ3J+(R( zAXGauWu`A7fB7p?U71F!U~wQ%U9Zk07fFRLOh&pyu-T)snCml^WGi!Q#WQmCQePKu z5zK^-giHl7#?r13pT}oSA3^s%k|=^&JX%q`ZIAyghO8QeQrq4bnS@oNTiRi6`!-3v zoH?hq(MwQ6d$NYgc+vi*2xC*5IP9s!ESx4)LD|{RP4NieYamaD3`kEj^3v(yieja( zDQy)mIvj8aqj|)S)naiGts9ATFP`R?OZl{!CUT{b)#)+!D8L&oxeQWRV!!gOLbr&< zJcBY#&#GN=IF_bDMDwX0gUFSDZjPY%pbpGla|sYjz>K!5|~x3EO)w;WOUFcrKSw*(M_WWpW^`$I&-wBgy< zJ4EGhwAoe~{7>BAn78H<=YJWY@gMBq>3&)iN}|J`QB`W>eSWDSVFSOJ5T`+Z{q;rF z4f((2c_;3H3fYiPqTcWc>7rb)ifAG_SoLxZq}{v_g2#-NgvF%5wwlF%k{sbE;Gu)X zh#U(nvQc3|`p5h|!FTsrNllHH&za>bl7;!&2yaaE9Lkh*hI)OY-eCeJdohT8Egsd` z|LP`)_u1^FDxmR-!W|Xm+20)a_8*$C$gc2nN6`y;?tNjFSb8K5uCQ-^?nFC7^77k1 z-BO+R`Rd~$`qrOieDe(Y3Mbx5;WC5tm^ggbY&UZ~wT2IoqZX1h<^(kZ<-e316JEou z+vm1Hf)*%UHU@<7OB3EPQdkK2zClR zO3ft`3qG@2JEBe}8rZ|(^F?q-y0*nc*Xe*ISAUTrzQTIHa|CW5;(!XvU5V2J#(Qlno3IP3Qe7g^}H zD|Z%fDB0M9oj9|FGQ++X#>Yz?=}b%`Tj1CSnnp6+({=Y`@Wv+;9UFOaQE?LQCu6bf zCD?}qJ}EyvBdgb`j>j<;jB-Ej+IB)#0ipP;zVV)#*RZ(gO^^;^yt!eRX6AX?xdE?& ztP*<6mW8pxm~A#9I$(kL`BqwY%IVGqTGKfF7dp4b7`EW$3_ zu=V-QfBaS%XH-%5w?IdrgF9+6YU0V6^wdJ#98y0_PFiUL3ys{!@2|z3(~yuVc5tCQ z(q=4zM^0?4|G|k{&Xm@j^Y_<+%$M9j-Av%L8B8hDO|RsM91T-&;Y&en^tMPI2EhR(n%Z|=p{ zg{H1HFLWkH6yA7tiGK924sai$L7N$eJfjVBI!l3EOBu3D;I5IK{|5GC0h;b@d`Jhm zB)Fz1*>!>#?~!w7Z2K(u9Gj_8Bm`$5E?HbuBCMu~`01;zzcfh8R@f!JI`R~!tG@V+ z*|sbEkWpX(h(y)`)Jn@~NTA-~ zc!_~h1;Mf#;&UDzo@^m*?i$EMh~Hwrm>QgtiyvhTc{Eh&!twZq0nuzESDEZ}com-! 
zQ`SEQo|%-Qyb)3{ge4)wB2mSnB6vtjfobRT4BBE5zBoRWH1cS8edQ7)w5+ADP5#NQ z@c}cXB~V6GF~!+o-5NhbWtzWYo~wUH^{qHmA>1)A&i*N!LRKTWBX{ojuv5iA&~I1k z2#CPYigQd{g`+W0N!{%nQSD4q3$)g#vAGZ5~wBH=~S?92~uDqY#ZzFN9<_GdEC7bmVD#l345rXIeL58i7tQ zrZ7z8z0`QZyfAxh=z2AI1FNOcVUDn9L|j*6vL12ED1NNA-~@!(*_+uVgO_+;7tyi= zDNQZ+$^5a}o7u5H(v;ycqoY^(b)LnN%VY*ALzAU}!44uGWHr3QVx@)++@tabKa-KH zEZO4qCPi~Rpgsvcq_MrP=iU_Fl1>QyGh5+6j(vW)@Xh@f!SuvSvU6U2?b>la-F*?$ z945&K4Dn~Zu5unzVWltN?dkRF;wH>P$kWg(`IZ)C5XXLy9*!t(2W5$h`UiO_JSC1j zULNT1879S&sTY^p*EUdQVc5oZDE;4(%Zw%-XnQBfXfIxZc8o3I2{POFsftK!xy)3= zLnwK=$I{naz-9;5dqFXuM;ACA-DkL^ zuu*_rW12Jz9NBx{u~d!>K6)0<&_o2Y0hH6e9X5)VlXaUpvNmmtp6%g>qrhqc`HJ$k z%-lS8LgFetHr$bC(Wa@9dv;z`I6O*sAmIMqFCjzRO{n5POajDLAlZaHNq&*TTltr) zR+AWzY>!V_{R>K9=REUklh!?I-^H;I!m(C!)$_WAQMwc6Iu}*l%-q|QFFfYl{mXx=_`H}aflWtIh*BJHtjy&$TzNXc=x`ic zeVS{@(SG~|%HG!%q0*-$!4M+`Jr80xU72%O{MwB(3Rp-+Uc@mP+IgxfmmC(qc4Of& zhlS&q!mr(E(x-rh*P9(w)y$Ki(#!*>ZvCG?Q$-7@YG#V4YCagVU?QztV{MgsA1rkz zux~Y$)%=BOI=>5RX|1ozHf{eG{olwkrbcv~wtEQjwjMW^E=$o7U7v#H zEsXYnGSqCr*mk0fPzdF$Fj^89oh1<3j_wD!2m!X$JxLFdN2`gE2%QWJH*~M!J(|gc zM2h?~H+GdP?B1TDRQ5rCooo2POXoqY$UJVO*#Buq8;pDzFQZ*Ic}mAc5G63Yh7|(3 zZoVgMpMJ(fm*+?3b!win%lN&K@Ol$*r$;L%0Z640ejPTbrLl%sOYI`o|xh7KE$#7NXL)N6p3m&Lcn@dZ&59tDk7&Iu*<>YwXP9|HP!1% zxO9@5+3=>AWi=fk%XglY{fUz7sG>S{Y^NNH`Zp)$Y8;x&>GQr-cc$k&$e$}9LaIcc<( z1=8SG53&Cp#)lCXcXuVs^q=Dldj4WuXSC!6fwH?gMt>SED!^Y zVpeSdCW;|E#FIp4Zepnq5&F1b%KEtVyh@?&$WG&Q5Xbpg==vyFX`y*0_^7NhLyu!E z=-uM6+i)mpD-S1W9r~VGL*Z9<|p&kU{&~TGAR~&b(Xh*Gmpw`(_)ZImOj8$4%OHI3+ zdXCTXkF=t0=1-;<=mElXTb3WN-LOqTy$XWimTKSeax_+^riceo9GP2feO?YC>!Xz| zIU_s7CEgP4sXjIkumywB1sjAy5K7?z3);AHL}H zyadv4K1s{LNSH{nB$(VKGxDMrQDE%j{PzH3bBSMw_u!@-$66dkDw|n~mnatiCd1J7${I zNGp`w7@*v2Y(l7N7k0Y*YfT@Ae4T2JkVtw)sJanFoKz^mCpokaT5EV%_KU%0v)My{#tbaxPB ziqOoms_nDi3K7r!-pl( z&04r65U8+|OHBcgB4#j3pd4T!1m58A!cwpQxys}0#esyk>s_N6uTFNi2LMxYWQEMZ zIJE!{#u2tSA2>dd-R~bLJ>W%2cdjL1nvx*Zxq*xNzpi~N`$R)^Je7poLCW^@fR3zsKCUko|D%PN*AV#_; z2?US6%j2LZ&c^l-D}~um2P<326U?chD}@OJGb5rDRI6JE1S3aTCHn_s9|N(&O7#l< 
zH~dw!vD8KtaH$VRdj&20gT1n70)lzGp>kvr{`AFp6&c0W&?y`)qX9Y;E#Hg*s!@TA zPJGZ~`vgY8eoF+IoBtl(O2!rLayvvP=^%5)#*db@%wuy&QsB>vHV zhUA7dyoZz)^H1=b;vCt19BP6R_+048o!gvVX0jxjJTjW;g<)%d?pkwVa0DlYGHLHv z2<{Q{o38)*fEBQGwkl;JOO@ji9N~-v&{+eN8#l1{$kw-ACD1;vy=du+f!#lH_Ue`3 zJ3G_nUX=<_JH^e}A!{H>%!<>s86#23`6HRgu0!5dESiL$cNisUKpsSniQIPQ!0^=% znrwo57Bm|T+{0abu0MvSuu|(*ukY?{b)TDnHaZ;+nld>rdM`Nr6Ea8a@wnBL3I$HZ+kw zQhf{{NVr_#Cmgk8#>pIx2HP`_1P8dho|-N(6@hUpkQfbh{H}T$?JX&|ynvx->>F&V zofby*^=)mBXJ^mK87}sf>vKq`XZFF~>KXfU*~&%(T&UQHC;k1cM#@NhluVMMko=EA z*X+Pn*WUHs-ks0MsC`IwSKz-bjQ)`IwX5jZt!q0k_D!z5Cs9pEZ{W-Lx{UUbj}8~x zpR$Du96=eIo{hR#v4d&-7rPs`A2(ZH?(;EAMdqn(9Gqvdt-u)X(`PQv53pHdERA(6 z&V#OjZ-t-QOpEmkTjV9vu3Utz&_+SWBdp}O8Tm@Ai%5BlhlXnhfdsDaC8>i>?4wn-%JZRVvo^#w-ZFor2q^i4p%;gJ? zs(KE*H1KBgV%@nbXHT(%uEH2DP8TlEt~**as*bN1%Nv~7P_XA#-(Dwmi$L44hRg8bSmtOkvY3cFh z=EQalnI>qwvh!W!-~^Zp=HSA_d4YR*iP2J7xa9809O*a+yuP;EJiEf}6%Y9APjktZ z{jsyci^{%+S3%YM+kCL2hU{LEc6y!TxahcrpwtYu&vz~W1*feBGXnO!_sN zd7L5TTecd$`JZCw!nACR7=K7uOqhhUIgwXhqBf~|=BW#y2V99(dZBc`MI~8`y^l#$ zr3vanso;gF8S0133u)AOs7%tf$%Wtu+I*yV^$n#oa_TGqI<`qs$VFAC$Nka3CdVE| zX!91jBmBIh7+5@-?ne3$re-2$SY5IWw;aOhf7r~awhb^@%a1nS$fZr}UiAWDz1-Jf zE_Y^8E&$FlO!OoJ#^~f44B!`Kl;Bd!q38Hj0r`z2{Dd@K}}hDmKa{k3bYC5WgxtjcGXSfn@xSDI464zF)+N9xL&B7S{RZAjvn`j{B*in zq3?3EHe|Y+yWtN{*i_27=Hs`#-ec z*GuIYfM^c1m_goHGib3>bxwhx)q70GVM zCdk^p-oejt-~U_zvLbSLp-zhBa`J8kchvhTNTUamAXw`JKxht)qyI$h$y@6}myP0% zsL9Y3y0f&60I%o$@P|rx-T0=Ru`=YcMQuRvYT_8V-V5U~bj!Lyp9*-Tia~5lxW=WQ za|Bv}WIvzy;~f=8zLR}#u1bfTWH>=s6QP4HWnDOmC@9*G#RWhiC@slOuc^7Q(QnIi zb3y6`KL~jiEwv|E08TF1l2m-iA)rD4FRYP)uLbYe(9_Y;u@iE4@l0UWz7rbz__JDy z`>AW|+OpFO>+1UQyq~TbF)t4xQdc=UmAPT`+B$XgjvO@J0T`HZxR?Oi>MQIhdxD5- z_y9+Q0IHgIGM9+Vh3v@)ra+9GE88~vX(gd2sV}rXm#L<3c>t=AYP2%|$vai>4*og$ zz3-AH=?zNg;Tth<%Y+dn(=UXKMpCe{WFR~b^Gh@6wzt)froac@d$dx_mUT#u3tojy z-9lx~Zg$x1<@I#D0KLZd@?x^!pu(VCXkG%$U+?7{PJ9yuazIN)@^gx5@goT)7OKmE zg6lP%*G9MB22ppPM_hy3`-l9+`ULI*hXN`fgNR-Hf|3Nl8Y4ii-ylI%0Dg`VCZ)0!==$hlB_nD9^~CW36vjhzmtDJbYp+SUQ#>e9gP?MdgPC 
zGd6`xVY$kHBv>u_L^{Y^MU;LMhA@M$>EFt^=+|A95#CG&(mso3dAyHZAeJKyzTpli z1WSavAd?0kCDThE-EyW=S}&e0goK|U`I0OyRGYlf{2jA=l_di|FbU5b`y~@|9N)tV z8ntJa+MKtvarTu@gM{`;8DcI0q$?}HXyW*an&V^ukD(sXhoK;!@FIWRn5Gt5W$u+H zGA0|XEL!8-p3KC^(S_>II|uNYjd3UM1$Y6{O#c1`T>LGxfNT-rVt{GTgMVueS|Cm; zSR2*lu2J=f+K~5muuFxp(}7ve!%9S2?oXVUPTYVyrM#M`29U_OW?qUxn*JQP9Po)* zE?=v7)xU=KG(f?!Pc!YRDLMws$G$&K^8D6eV@916UJ`FSzJP0@g;1;=TkykZCL~Z7 zqQ~5WOh4x^bYu?{(jfTa;BFv+q-{srv^6@|tc!%z|U%pkRp9 zlWjLLOyhF~>IrcPv$<`Tq9V;ok_=*LBue#!GpCaKePWa5>Qhc8{q#_D}gyVIhq@{n& ztQ1iZyAY&GI5Vg{U1(3vi{~l7Xb{QlI|b;2ctrz1V}jv6^I)1tQHOlXF!488!k2Ej z-K|EzfaQY@LEt@+y`@rkcNGDPr1xlEpm!Z`65vt>DOsWI(;XLm3pxvxJqR;&P`D5( z&-(!DoCnl%!Ks_#^F#ubn8km0N=V%1ugH5Sj?cM;%R9B;$GI{w6}Vd2iX zV6UWm?)rCRO4n$GvJdC7!!nTgR~bp)E~AEud(f#ql>g2T*o4OI0=szr(0OE-={De} z@IC}opssiz6bi>!k+fK79AjtwfcQ&T0GLr|yq}jN@(#Cboj2B7vVi%)t3oXxPP1eJ zy?IFbKzo%8ty8A-q^#Y*c7eo=0{Pmjg#GUVi4A>ZVc2b9->vEV%uwoU`mxDbZj?<4 zx5>``Mr)mJgZpG(4M#{78e^iX3-~OE{tURsX{(7(i_xU@*=2rmCE$KpalF(fkQPqy zF+}GYZpG0PHiL5sIvf`F3?uOJeMA#42lj&9x9q)cFsZ3&=4#|}a8jKEUh#iA3j)MR zlke~IHWe_UCn5W^5?^|MLfymqchVM!1kT969`VR+N`sHfGGrmPR}Bfr-aUrD%KpMa zO`Zo=<$1yTFeiZVVKy%ksv+{3pHGGzd)tW?lF4QMBDEfxRz%m@bzWSuLH7oujCoGv zB9A>3n6G{h{Hi4+eg~$CafvKe9uOcC;EpRf8&)>nCf4;mfYI%Gk~051Z9Z1KUW37u~t-Rq$2UfUS5ax6%-sQ1Q2+%e+)adOw z285WvX2m4*UpU^3D%9A2A$R%|8SL}$K>g$j7=x!#p8Sw$v$eMCOKi$L;^tN6`2?@b zds7;jGEfE{huKxs;f~l@Bwh@~o4{iWfvUv;VVl<-Fan{TGKmWdzl2~N}EJiW0!&ygBop%CY4pKxn520AOuk^s?CAuq|KD6QAgj>>PHJ zyh=5*g3D^U-;?F1{{+~iAHVkCE|8nRPPXhnQhF6}Wx<2}-4i%hLQL2{{D7Jg#LxT> zxtcZHW#J%k;`IH60)~oUFydAN_3bCv;&YMokouu4LLl(_$mrRv0j@KHsed_>t)u+l z9YE&)B&dUo)0kYd&8AZWZyAYVic*qLtoNzH?jedkI6_6I*IIc%!}MteTfwIt86a-o zIi^Y^AwSU;NM-02b`&zbu!|QgER_=PKLAn6HsZ^VDGwuwCybnhEF>}zxY(w!rs|{@ z|M*N50aY3das=@L***^hbv_ZO2|G6*t~ka>j+T>n(W+#_haI$74&A2q-UY&k%X|HW zhm?Y?9uE{9zG zSMN6<-3Z?urq%VlMYZ9o=NPaO^(J!H2C6YsOrZ6yxHgEi8N_~(k3V99wlf4KDPF|Z zSo7xV*DThMSG9?ak}Z;CwrL68EuYNQy-)TUa^oSASV z$l#C(;Q+((wEmTe9mFQt1kbUF=`Z3GYHZVM^Wk*QH+vH!*?7LjR?v$S09sv|Q)XkZ 
zn!*#^6HRn_bb$Sbau7FS!uyoVmG7e_8a!~7!vrQbfpl$iA@Gx#_gVmE(s3=z%h$8P zP#J#v=z@VdoP2x0{l{fPgF(xTPtv14p`E1&!@;cz1_O1xijgoVkCzl=qUERB`UsgQ zc1$RwUk2g6=x|sQi_{R+Q3mZ6Bf*}H&26(LA+gr)4D@)q9u(y1POz5)0kMLM$a=R6 z4RKg0jokSZ4fe9=!NUPyi3>Lk^J&nV_FJ#S)JT==U&Mxu7g5NcMH~&#+z%>O>3Mv; zQE-YU2r-{gTwD^D^hp~u$CLrG?1f;X^wS^?t-Q`xU>SNl|8!>YkURqPziz3xUW4pf zTRanWH|o`UH+)cZr?o{43ZD9un<9QZP5A3D-$G`D(C{(`LbQ*G%skY-BP)Jnp#;vn z2WLd0~wQaWB5dd{?H`7vGA68eT-0`Zl{%)Q0-E1lPB z_HFoeI!^3N)Lxp0-<;uFL&HkoGV>Y8hHAb^bK_7g~f;31bwu;)bM_tEVl4 zqKu>;tQ?dZlD%qftsZs0nFqrLjJUWRA))&WQ1e9f=z{%-IziK=?G6B|PXgee`0)~9 z5qrsYUgA?gpNKEGvcuTzxmB7dEa|7v1_@IYsF_fYKA8<+MyN|?owEAo7DaA*tJ4xL z7pT_;#V}RBLtFAz!!UZWM!#da20t+bkS$AI7HHsH+LUTB&PSu!5={%@9zY=>t}*#` zh>2!qi&vP$?yw?c2}!F_5<*r6G)V1mQyNSM>$mj^c)_|sElvkMeRqip(5qoE5eEmP+89}93l z8RH*yY$iKY2@`aF$FS1bK~&K}6kH!m8gweKQSab{Wq4{&klR73tXbP`!g*Y8rStT# zPc^NiqrU;)$dNeWcZ_WZ4KJxQRPn%i3|DiXm{`_V`T!LJ_ZwspZEX+*Lg0rf=n)c4 z$qI^2-38p_jJRkp)-jgRqBU5w#hf_Whh!1;+`jl@jHVQ#<~E^HW57SsOCIu4F5+7yJ2Ofp)llu0cHG;@}<6XgmN~5%+=F3Cs|k zY5K=ZZs`1?6Bq$LOYryl`Eix7lecI-j_pwTHU5{if!V_7wUbMafi9grlu_~t;J(QK zC{6oga7j^%j!%Sj+6sXYlOa~6&%boz5T<;Xz8D1*=8Vp8oE^8SKtr+8r1mbwn7T2f z5qSNQB^Zfzt2fA`Rx-CIP_uxne$oZLbJC9 zI>S}4`X;ir+q{c2)aK=SGeEFM#HP6?ALz1sF2aH7mtj{RK3_*f0(0sBE<#Hy0rgqP z6{G2kwyyrkj?KpHvW8h@5ps!;3Yyo@cVJ8Q{;AhL0CKd)>s8P4>~f+E31spU33y?8 z^Ii{vDPH8ZFO;aWq*BoJ>u1K8t(iX%iG!4Y)o5d**p(y%F!><#@JpQCC zz!z}|AczvZtFQkdQs!A;GRjSjk&{Bp8GT@5C^I9u$Y)>kmzT5(?EGCx_^_CJ?Y?6p z%bT#$eh(eCRh-eea6z8ENu(aM-VG)~&HJH41b;7G2mlU-M=YN%C={TTUBv20Z%?j{ zfUa8(aL#SK`|DJWt;L5N0Y+VQOMwYUkE#byzvTfJ#pNH`{xFH;(C~7ux$XS$316@w z&8gPfKbpsKBUjt2Hx~crhQe?9K!Ut>;dS>30BNnbZUNKVk&B9((S40&`;+~X@stzrmnW9p6^ZYsp!Zw zU-N^9<=E^rxDqpOyutn=PJ+(ARg}xv1u!fVj6#2;X6J)b6C#{Le}{H;8Vz(#4~L`v zYvkG(`XRO0A_|nO#9u*3ZG5vGXX0fI*bzAuy40q$wUl{}_$)f!irR|F7<`34EoGoh zjs6p&4x!qHl`^+GZr{C4Vk_whumH}_(ifnz&&MGKT~@nQp?HiYJidj5a{f`A>BH7_ z@B7Yz8^75h+Y0Df8?M)W8Uq{?ZKoHb3uG}&dTcm<9O)K;W&xm+?$HKD(%JCejGoSy 
zmIdkv*>#H+vi%RHuf~`Ynah(*=I0gLGfmyEl+_YZSd)-!^A&iFg+mpj}VJtnIH@r~MK7gm2Jf6!n* z&7Yb!(NUM{%0}7KLbcD*{GZQ-sP7lNT@U~!fHo_dovtT~wAmZJSn_rO#1C?cLe!F1z!*TZy6ePYDx^r$Kpn0~cd31Twv-pC4A} zo8K^*5!{2bqt~8=2vFlMr+tOp#c$XWoI2^5C3;V&->|!8OXPc{9OB zK2IU2S(PPkBtH{aI{Sh83Ybx~ZbdXLKoOwtT&6L5OPyLEZctpcHZ=lJ$IFaHvAG8e z0%{Ys+wk;D8P1z=p%O3(ptqJj0%zwSP9ylM%NZJFnFDyt0XCYcLQRjfKLP1BReGLS&0A9*U`cF=*gAV}AWG$URk1DY{F zLyTbvX_G9Ych}#s>t4`z7&}~n}}!z ze?*sp&n*>$NLDnFoKlLY(FQwZeC$AVr0r~0m?fhq*wC3omglhKUFFrt8J(}Xz2UmB zPM;a;Xjkjf(#;%^j<{Z_d;;ZFe7;dMIwx#wmo*ET73Zw^30o4=MEX6o-(PK92`B+fyfG;`9sxJ+nw~B2F5(xRK*7Y4ZKF z!j6RMDRnrkEX9huGWxiO5ScPGKD38Uu0!a3ZEjz5AV^K!P z?|Kg3AvO_*3G~HOTS7|d@=W7?t^JhVBCD)@oTYgc^%2+JJ?gIVLS0!n5s@v?COW2( zl)+T&xjET#n9_n|o{i2#u$lhhz{*-TNL$#|V|GJbJAtTXLI`I$_~LL_eiD+Vy`vV;&yYuv=P@#tMTEum z5xZl1(fYmcA|=q-Di-9tFr3@o-|wJ$SXtn~4y_VJ6 z4EAqe31$c^Xel9yk z;PerYKr1d=AiI`A9~NnQl&hZ5Y?~Jc*B6YpkD0~Ghl$yF3`5@FPF1Gna;G=A>*xzT z7bZ0;4(C_ews^mJ>go&6=VQ?_+agW1GCKTq(1#(kc(=^JL!m@Z1cWJKTllwRlhF(Z z6_aq(ß!yc%fuQ>XNA5&2W(C?@KH;$q_(;hPSQ}wf1=~NVJ_!IB$^dzI^RCNi7 z1TLE9Q!UbuTI(^ezcSJfOBbm$daKoFFJ4(Jtxl4rC^VWEatWJonK%lg*5fmiYlTUA zy{NEEZYGoLQ@3rUQdIWHx{NQ}aPYhk?{C{evoj9}tk91k{@e7kSbsbQ_-)Zo4?4p1 z^Vpyt3%Jq$w*>~cOFwVrw{i2K4!C?T=l2-m=|i#kaD?&um46l*;r1N08uC75BkUrO z%vGZ-%%&1->d?5ebg8x8VSHn_myU^reGqtN=(nUqm+H4Hcg>ltRy%&9yIhDiXqu8s z4_H~JRl_ti={NfzC&h)Vt(3t4xSEG{>-DTF;N&1#%{Gc+#utDQoo<~Px@VumcQ&uXBdUy3tHu(r)Lz(Ik=MYIyx8Omnb+W94w>gHk%ca9%5R+J z`G+NGDP(R)?iCkpNLe)Rdg>aYDeFjj`Yudi&DGiX&Df$XKC8Ocz{H!NL`aR6k0UN1 zkio=om8rwp4qoe!Sh{BpPC#Q$CeDHs5M6Tg%Cl=ycx_nlCdOb-)J8A*!0#0LR8Y}) z?RrUbR2&Y;Pi2Ab%F;jO!;H0ChJS1b$;)K|@sz;@s-Jym?@3+y;!!s@h7yjw7fl;X zv~rzwex`pkF?{Ce*q&upel2Di7sXI8>lth$XG<@6#xu}BKJzndFnG>2y4b%-BsQ9t zuumVguZZuh_nch|?%ATI^KC1dxEo~gJs;Df$o1J*Qsb0hhK+&D#r#t{n5e6GQbQVh z7D3v^-+#1Tk`XHAb3-cv3wab56N7%3W;a#?CAXJ};dC@ztr=oK_A^2&B%+ANCZvok zwX9`a@NvOBmjEmjNT%M>v_$G=>x?ArV2&uZ<96=7l(8!`nV!zncRsMiSekOQmLx-Y zb~1KlZ3jtPOf^Hs+zAMbf}B5iVnFcf^@kX#dT&V=Sm$ffyL%dq!ZngpmvBi1ap}G- 
zC5fEC3(<_t6nuT4GEDca)s#tB&n3}6r5r>pLaSau@qNxmn(bNHu(0+f@n0jC1 z@>!#5mlHWTm=*vzufU7G|C&m*f?=Ubnwt=fcoU1RyQ3lgq!o`ZD?5Pl+2nT8k~4LoA`MSxnm0x7_FsKQ|CHznC*E%F0EkVP2N{ETtej3Y4q(_WdS zxa_G?;fO60;zu71g*1IdQ<=N^4R$~<83CWi10;Dqi4>Y{P~iD3KPaaG(L~Z+K;v70 zPF17HVv;y^>$9sTSy#(3Jf%I2rY$9UsP8^O975lFu_q(DHSKGks~W>nxCp;ohJBMD znYe2DZZLF}P#EK84{7zawiXA`sb~P^r||^!uiz(|)kX8uO@qGON6SJv8owVy2=*pv zXZoA2utqJ2swsCy*9G| z>jROcaS=GByRcIU5Am=g38i3Ek!fBjuO$Zev~Tl zQBP8)b1q8`08!%D@F^L3(z~oFRx(BL2{*?VaZYAwb{OW_`R9qxnzfGn7bYZ?$-XL` z4GxCB?|Z#@o7(I3G|=AplhaOo7y!-J?(Q7aAVxnG=|fJx3t^NN4Wt8y#Hipb_{K13r~Z zVt~&dLm^8kJhykBTSGwj7(4iB84Z?Zk{SPwCy_bd5-KFVoo3LhclsB)Vs7t*z;pOz z8RhWz&VZS@Ci8{laOcW_VlLq{!jho%9_AH?dTZkaISIWrIGYKwmy z-Zpj$?=S{*_Rf)MQpu~Iat!b^W(+jNHz4_T!~ZOI%W9*oY^z%FJcJ{8o-YmNc&LhS z5)xY(lQQ@)d`ll_cu=^LpE?ZQg>HFHIj3I7_16;dCSN*~GkbsaM zTz$aE@~E6hy-+2!Z3F=01eMLU;?DXGmG0Y%7N~kxqCMd@%8NjcW~Q z5M{rd@vJDWbPcu6RF8&oeFxk*!{BeHl~#i-iKIB`D@YojZXC&hFQZnPlE#2rB3ml3 ztF$5^O&xwrt#7fY!kubbXg55B#Q>o5@Eea;x391xPKotO?QFl_8Ws~Aq|oZ2BdDq~ zZmu_{aoNb5Jw$DCrIpac^(Sd zXFB1s>-&o9;F+8RG~=ZNEdYB9Fu<+mI78?e0UE=uxHk0h_ft{WxVVC(c#w;%d=Iec zQs~nIk$+I?ToG6`=?TtOU?a$EJkDx{({U6_Xq?CNqmEuM*YEB6Ez!5FUy6OiQu8$? 
zjl_Ch%ECcI@3-tK+5?3oT-#r(?9FYBfbt}+KdoeQnpmkw?RRt9_q7XGI@i~{M7}@i z8RR|~a-3$9WEn3O!`^YUKYgH+8$mh74(GSph_QjKp`A244K4Wlt4TJ@dli4wpeJ{s z1p~pWK=ex{W4s7vo5-sTN-U7yo}g=7H~vm*QqHO7IzB32y6&;ftpa80J%X-}Nrcd$ zpV&*?M+IasA4-_?kV*Lb3f{OBlw`Hp&dmWNrWZ?mlj+01G&94SHNC@Gl$yPd8g#73 z>{Pm09U>OnpFiFu^6ns$4(ck$;y+Qr%@J22TdA#cNoFayfADb*$rd|4WY+%_JWnD zB_nYinBVY8Kj^WGbF^v#cW?eF6L1~80RDCOPLodtkeb-k-6qsx;pGSdSC+$nl6Uln z|1S8iD{jt4iCmUy#^Ty}85LE(%9D}W&r{iq{;4;VF@=XrDpPEROfJQ>onJ0QK}iYr zi@Vj*Zc<3d2}!&)%Dw$kRnegbzA}htLOzm(gP>n3_k5PP63f)}AF8L;rx`KGU6LO7S@M`*)2RmeWd^<%B6J*jiMr$=3lv57gKFi_P82rbo& zU?QvZ<7x7XrOGr12sh;S75=yNQc~UMC1sj0lT?UOw!OIp2vz-v3p&z@88t+td5pTA zlCt&)ek`OHV}Qi6)d(iFYA=CBs~%-4qe82m@k=*H)};n0+p59}5X-9T)JQ@US%^#% zIQtUJ?tX?V>wJ^5B@p0vH6MCB_1Eb|d}@3^*aYICo*hps&4zV=7u&*nSy6PiN0>_X z5pgmHab=GSODX-1(VkbYgT$*8{I~HXts$=I&sh$*EuwEyGOEuFA7-f0|L9i!l-!bH ztKc+QGa_mGC)6A9|KByQEx9KkD_iUQdhW9Qb_Nxj;?>+5VZaBJCU58}>$Es{Ox`4}(DD;sYO*bP0m&!9e-{wDuK1 zaWBojxCghz3GM`Ux8Q-`?!FKpxVr@R;1VRr;<~s8m*DPh!S(Jr-?{I*_r0oH_3FLd zs@aD|WS<>(^gXy2odkNn(z@QgAR5C|LCH~cw6zbctlMKo?tz6Jj7?vDh+!}jiP z%o8gCPZ=C$Fs{&rw0gb=Qe3_dfOR9(T6?wGzxA|hKY%SidaIs@OOjxJ3IyXfIrk|l z$T}N{A3buH8mX}JMphqKpi0=4O0LJ{EbKkh6osmdsCC-s4Eo_+lYpVGj|yWOwHxD8 z7c}hF7yl4MEe_qxC5thJ3OclnS2ij&b`GD6XRetn?E%7q_ELEp?W60SWf#jU{d3<1 zFL!3cZL0evH#d`-fO=k@h#1LR&%Ob-zRg6v-eHpsOcw7izxsYQ#onki?LHibbtl#n zP3#|TL%Om%(4~%UjALhu%RqAp!raDV+i-GF>c$W*%xqm-!aozqrGCU;q#X|`>QRnM zV_lA*vp!068~qMo&;YXV_VcwIpFSfjHPn7g^dy|H{{)@A%2-lRC#f1~wccgDLpCI$ zbx{hLWu|8C!DDYMIy+$`7aw&g5MJfmh%l$fPT7~{uGIhs!q|O;x)}ZwCHDZt zz5OAXQzdSq66tHtk1-ub!B$B_H&NtbcIQ-_*{tQ?Q4RTf>A}ZTfN&O)Nhf8F> zyY@?|G5xn>mssxN_jA5)IYqe>A% zoMHs!NLiTqR~eFJ(e4{ej9OsNTvqD}it|fBzYOEXbmbBGQm>z=%6UYTT7U|ww3u)_ zmjj>yjFyyg!AJi~Qc7znH69Q?j+INf!)asX84wvN^~7#Ct=421Owdb)6}JRfP+H?| z02hrP@KZ67t)Zs9e=1*ppTM~!}+$anQI`}_TgTRt%V-pNMBG{?;i8|^T$No zrmCOvpxUJyx{p6g6_Sj8z|*wC>9JpWJ>IgmZ}x!d;Or7BvJDI12m}OQs+qkta6eR3SDeHzh{l;j)e`}1uQHvQ&vqQx;m&G1%ax|&U+^+og?2fy;<1Bi&TSG 
zaWXP@7;k9eJ}dwAYkptZHfEcIzEZt|AhHN`c)3B~@#({mTEgig){yFli;$@~&ohu|*B;2`v$t7fDuP-1S&=7Hj}1RP^O4O>1m>>RGIk}mhX>(nvb*yR5f1m7Rvc6GDQ11WUY@=R36I7uj zS+8@)kMMOkm%od1stLjjP!|H{!d-MBqw(616y_$UhVRcpW1Z#glc-{oUh~T$_WKd| z;k=_?*q1fR`<>Nx+LOte_-=24-Z}>XnyJ@M#ksU*I=_a2iLr*=lRpyBt?-F0Kszjh zj9>>PdUDOr8M~a2!Q%cb%2_>SzjGPX<(~#I_Ih;LUfW=M{hQ2R1!D_+s6TJuDY+^7bRXO2>cqr^ldSPdI z$U}!a0k^y2uHy09P<2Dz5 zr6{r>^OEQVsRCjv5#Nt+k?4h)jX2pudRuzQe@%+oT+qGrOwfJ^Ga9+D1Nc>fcTMjb z&^l8kI3SI!%ZDP_)}WqS(_WCpeS@aNuI1n0=6uxKhiBctX)K7G!;GTeMQqM<{4)aK zg63K={=>Z&q=DL*YBGn7Fv)HQu&f-Yc@Js5dn+u`8_??JGF+-%Ei13NFSm;D5SfhU z)H-_E?WE02(i_Ma>hNW|iJe&_t1N~Z%#X+7?I7Mq%K4v`C9@x^Qo6m=bBvDjU^+D+ z_LiVs`+WoYyG~7|XI-{#&Z{3db*2|Md5SsMb(;D)sa+K*f}`bIvjW}u!k&0>27R3V z@l#EtMUk3xEpp_my8PFdmuW?E;wYVG?O8TLuixWi!A>_YGagOD8J`yHKaNjV{;vcH z>7JLttVwzvwDt;Eh#h9}Bc&2^_>i|}l)};1@eAsz6^3LSk7aJ% z@w+=e_6E_AlwWFzs*TUS*oJN@5z4>4XYu3uXmy3thZi7_Jf?R?=rTD~hu=H2 zlUmtI#vB-?Q3z8p3Pb7owW0OimF|Ame)sJkk!2me<~^%8E14qZ*PbBNGpL< zs8t82TE-wv?;nXo+Ujg%4Pex?_=)=;Y`4qA-@%z%q{7TNEc@g zC&_#P%+Cz%xZK%rf7EYJW&K+-5}F0}&yKmL!-U1FbOg=?|BGMGi??YFtpjmauFR14 z=og}4Y9LQh&1mujc5?bQw51u5@%v)v5vwF7xTQYwo^me%AtgwWs!7fxKI6mHyaJNZ z_IOsJ*3ekTHPU;&KL|X<4%2&4j6*?s-@AXZN2frFon~D0G5LC7;dRT^dfDa=TYC>H zKRty1&4CH4a!)$8f2((S z(vPnGls2iX{v%ZrRIb$!n(>B$rt#(R*H7HkBG0d?G4;oL&)y?6&74jL9K(gMY*MH> z-hqu`6Dy9G__Q`hTu+us^qrbkt~Yedn-bBZFXy3^qD2*|zKr-xnJmTXr$15!RivBw zw5afX-h_y?EJWg~LVYAnX|9u`XT2GISC!0p3e_+?_f|s_6q0uY&+MTqJ5x0Ea8`tm zZpUgOy3k;vM~rvnyhExY=)+_lb56CGa-aYT@v6V^e&0*6nv115c#f7%+%i2|>R)N= zrpCd~&>eLVYzn)p1y|5re`0=}nS_+ck$HQ{+c9<4KQjwmKisQx$X?<+UegPx{Kl_hqjFw&-BG=&dw^D;ng@x(k2TuG zRh5Otl5WU3)L4N`vrWI>0bWkW`Y`tJe->NeH+9X}eotSOK!OsGk2YfVsjP+eWo5oA z=dDL76>Qq^_v}^hVQ2nTyXoBN4ut38cyqt?&>mA5O+cHA{p$TLilHf$()*bt7rjT< z?@w4#S-H;OJJ0l4Obw{cJ%SMbP?`gOHqhxJ0d8t%d|m9C%`IATwP=$SRqd#MARpMW zI~xA$J{FtCCHE)OPxnb1BSu_$?uQ9s8hj#+woAOkrczSI$%B~#8&yrgc7?Ul)kMV` zie)p47Y)2m6LoRJx$PLYN@-9w!rnr-VQ@&9?&G4sfUeY-KC3j{gAPmg_Ceph_1!*YaHv4QS` 
z6rR_pP(7KK;)1H_jyAWiJhgNa)jAc$KV5HN)1PfavueXFIE&IYTc2(F7z@lE6q%=H zT{>%MpzdL%C231^k}N~I$IGZ%Z-I&8#gQCjea zl)M!fiRK=1{FDPCUtr$%qu+3&-vDaIW>Rh%Mr5BAN{XJatA~?pWC%?e%OZ=yp?ZM_ zJgXPlsMcF`-7c>cX)#nrEA$V5{`+J3iFF?w@MOMEj?5N|gjM69OX2Trlr{%z2Z*+0 zD&|K)WiLsdaIr|*B3jsTJccs? zvCLWMV*r!~JJR)fU59M%lGiQ~|GRQSP+MZMOGIn4@GxaZ9ywy26W(yH3 zgI_Oykl2GN3Z<&uP9ErS`fBWr4f9bs5823tx)C#*N%-;iaS>e}+&O7LRf_ZRtrn{u z^4Zv4%wK7B`e#$YIOT%FyZ0mHGp<&cNDL4YdRar84_CF{+vpE6yOeXKL{uHCo>u&t z={07Yl&zVM%E%H)nwVYw7$cze!#<7?#2#f}FiTOyF|JwtH=J_159ase6+@3wSAt|*>TEP@u*NJrruxTsSG9h7vER42f zUQW&Vs`f22cpW+cUHfEx&!LamFI%w$6W@uMxP#Wu3Oz8cD!7kWK^{p>5Y*-gSPj@h2~l`xo<|$a&WV8oX)@NVNU|cQE^+O`EQ%Db+Z@VgFP8_L)q( z3dENgn)uR)s&_WEdv?Zob(dS_NmW_mt?MT>NhBbXwf~GRAaK(4 zz#9oJRb!RkL{KCnrtw6~Q4zz92*>A{oP;eOQGQ4#ls#(oS%ce4*h(AC>=sY#c95ZW zeSo3wk!&H-O>6*r3xW3K!7WB4@1$b|##htH_gafu7#0^Y6Lszjv5)E-QGY!It)Yz> z^sLPqeQtFt9>R_cGZq}gw#PZP=V<#=?4BHf#GKi(E54&I^GmJ;PbKJrK@`P*i(Aai z=mQs-HEKC9pGL+MLr~iCcs+Lf^BTF8$Hm0k^Wnrt z&s~~kJePfRRnIi`V13vs>_E7DbIB&@pCEhx4tVOT<$0OFx1ay zif@8B#36TM4rdM4vzmop7v^1VaJQG3hU=PaV}*rf1PqL{zZkaLW_gLGwyWT6PtNR5 z%utKc_hf1Xae~H4M5UXrL_mx&zxJbMK*N!DQU~}De+REvi~8ooyHS&7BxPaQ=!UAM zHoaY;1>Esa)3w~70qVsK1UHX9HsepMRz9_nm)B>e1a0so3Sntx5@{VDOFZBB!{2}n zEAG-d@Uzp6ik2u;qhr{XEU|E`!~uk4z4@QFyLfM*5L~?+CaUy-+np|*V{Eiqb)5Py zF8-U1<+GQFeB%DZ%UK}G^%P8bcZIJoIvhGZ55v2MY)t9|4Q0r~x`qS-lp=RaQW6BX zl$m!Pa)L>AB%mNSdOg6rJUQ(0N3(CK4JCEcsXdknvn)n3DxIfSU zm=V@MLl)ZcJ} z!yg|}=v!ixS$$(m*0drIXSNjhxqAWS29H3m7=5?S5U#DATOPiK{j-#P99+b3JULLB zz6uE+(EUDz$4@j~;eC6^Abs&y(0W-pUKPGuQ=0(I+lE;$L9zXcNJzAX3>kHX+qg^~ z;lLzJ3kJoG>@XpsycS-g$>(LHSVK9>RYPw~48VuF{Q9f3)Yqi)X zd=nTw(Bss^9o-g_zReNE92B~J>nV-R8>G4&Ur$Y#xd!%*{z7uR^K8FdJ5G2K_8p zKnnzyTOSQ6Tk8HW^hjOiMve4MMe!sfftf@m3c1T`2l9MBVpw~h|nD-Z++mjPS;T;wAwG0JX4peA1;J|{z?`BF~sqI_}uepm`Oxez=i)Nt#J_G~nj zpsi{H)xG;dF_vusBopLK8Jc4TM?W@re4|njql|Yp?pWd%IR_i?V{OP0K}Xe!A`ct@ zQR3N{Q7JhS9EZi&6upp-cW!*rH}3kMQ2^G{zoP&eAf41QC1!DjwBZ3pI$s8lgpd#( zF@J3l;0yv*o-_9UU2`nd(YK$@yh`3=g(5J`=GjP{2b8~wGT 
zkpIR~;W1HjxrUE&X6Id#bAOXxYX{dRwncE#7-fDyW}fQ4exv#n%ZKwNxX*wJYLU_+ zUAO-69zi#JZ)0W=%r<2!%0zPx*cGG^!n@x$3HZn{wsg54i3Ix>>v;Un9TEtT1{(zA z3Nw{`w4@yqUWG9q3_gSvSzrki&hC`eBhtPyw=_}D%lHbEF(}4yRbRwo=bE7m!jm~j z^6kQZsfCRk(@t~yO`%ohZbNzV%ZrtEuI@X&>WAsP$B5vcmzB8s#QW!L96BNLpMqyC zJx)}KsnEMiYZXn4)M$PvwsQOWd#vp*$@ub9PaOo|I>-g#TAEMw#qV(UL-%t|is7m< zSICayIxMD3Ki<0i!nalp+J7jlFd1#GOgYuDg(-X{l-V!l5SVXVmsbSKw%(;)AO@tG z(0O*?;*zn{zVE>RSQ#2LMJ&18R_7$}+DqYzB)|-JPd9%|=$1FvMc@lxTNCx*25+s4c)~oZIBIsPJEs>lx>=6WO$~&Ww=?%K7b>$(qB1S6n0jwj zgHAU+4(%}xqt*M_oXJ1|r{a)opps&sJr*#p6qh#s0A8;cnZdYw=O4I@%E%4k>xpsc*%zff&OBRUkp>yc^;7K7<@F;b)-?K(OeWSe3k5v&*kPJ5 z(%qBt5rU!lDeQlBw```+33VfHa*QOIEHNX{f7ie0bXA6ALb#ZtAM{GO{Eyx zqK49dR|e=QaT!pSiDBLb;bDtH)6RL8AnUnMn@I%FP~R0tt#5zUQllyfd87&Z{GJF^ zl5t8(4VmeS-6V<*jQ}P2>2^u#h9dTd*l?!xunx*0ucu%;LH__<*Cv$>=s@z9h;;e@`k6iSa zTeS@wC~yz)1bgB`&1l58I@6J=*t^&DU%Uoqdp%IpOU8Zs?&eiY@6f18BUdFAS4|ZR z)f7{C+?$SD+p_(`WGTCE;O+K;=#pc$5>87J+~+QK+GfNxTdhfDzH&>fUmRQI=}6G^ zNPan)@k}dW-+tiXsl{H=R5^*yy#w@(4S%Ndy4kUOCUHd=ZTn#SG2B_w(pgdAsryeD z?aXZsvI>|nffM(%MtSE2xz2kaODvmyESbyU;$^_<-m0D@A+Bae{jndvsg9oJH<3A1 z(5|w2kalni|L;6@?HO-HRoQZJ zlmaUr-gsB&bD0~3{BVrgCCU-iCVIk#Nkj_D6!oE??{Drwb+V)6=V15La=b+`DH9Bx z4w7M^E8{v-{d-q~6+}!PzCdN8F>3tcqAhczGVh4%=eE_ksQVOGF6%1;WI?9I@^hl; zENgWIGvjm>c2pk?4fpxR5Wa%LJ0OdqYf4km5H^L$cZIW~^d8>7Zn`~1=%6-GwNT>H z87+CW%SgVqj)Xt|*bbp#M_bhpdrfBh5Z?(21MPqo<3*VcQ-81vwKfr>DJ_ zcr}ry+`6E_Fj{tJ?Ku(i4B)*Vh$6m7^@aBccL;%1wsfM%GB%}D^yH@TGg~JOet~XA z_8^}{D{Y7TWtA)H_ivV*-0l=z4WxLD7H^09pC}8Vf^(CliyT-aarna9y6T5)ej!?DmY|tyjfjr; zMLi_55U7xN;V8!;e8MzLw?NYH;`HfImg#4$S+`_y$}c|+m3$VAgx^Fii7n%%gXH(j z^%H5o9er(WR|YlhgnXi1#7Pl~ickyilrW!NDj;i9kQCk{mthhkZ_~(&E9;R)%f%BT z=a&bOT-9)SeTuxq38RY{-cH?x$5~0_$iysjP3*dV)Ilpr+E}_VDvP>Y&1X3wEXlzb zKqAdrXe%^$NqZPe?sxEqk;>w2^NKyZ$a$&n710rG;hkXH94kFNugtf5G1r@~CU|>h zaE)6wf{MmDaWWz|n(j`^xce$|d$^%~%>N+Obh=SO`os^UcUia?HjI8kUcmQJg~pIo z`?Fb$@kFu;1a6#Gx0|U+ci}5-y81M{%%F2&n6>6wPQqK46nVz-qF^Hc0#Q#X&^E?T z`Fv)U0c@7&-%ikMG1NNUIt+VNO;x6oq#w;LV{xdYYQMC>A>nD?t--Xxow^6NP>Y)X 
z5V>b1$`jv5sMfuJ2g9W;4z*{yv-5F=_dA7V^L1k^oZZ$M4t^8&0dR_>JqlnI3N~FNm3Zu6E+%+IeV+my$3jID^>1cc@Mi$rQ&8>}N;%{2S zpJ6YHJp3q_Z&=YVo_M|Zzc69?pGk}62H18E&iiWzh@no9AYoiqa@|G&XUS5?B5Txp zg<{Ix={C1&{s>gKzruN4-V3oRitwrnv6Fq_5 zK6wNj+zyYW;N4T1X!|@J-{J*K5=i38YGPseVmIW!y)#(DoP%zv>%>9nA76ZTHZO?D zc@Z*%HDzQ4LZB#Hb8~XPDZBZ)H455n4}WS}7ip-lBZvvS_~W9)r0hWT^H~ufy`!8t z>R{kBU~xWUa?`>R^(%txBlgsl+I{l%G7j5sw~ju;0Ux{vM|A-9R;G>x8%NLcMi#{a zu?4TO?3>z92KF)fJ0qxjv8`15{2$>u8If9#2F}x6L@*CI3j(S(tn{Tak}Qn;cIEwx zSPC+9I4vbcCO-#{Hg3I^XmZZa_EtCT+Ei60dt%8!C|`pJ9F?EEHI~-Pr~Nt#5t<9} z4@1UKOk3`H-(Ug*zO0Z%7=>H3!3)rVw4PH{^r!?@)!kaP%4UQ;OT1$aT#XhF{eCFl z?Pj0x7R-46Qa;x>y3PU5K%nc6+L@;mfp)g@YdvD#SPUI_?T59B6}`4?DUwWJ6E zXZ{7MLBIwex86TsL)DT#1f2gDXbJ%vf!vw@fQ?m4_7HISU!e1G8B3EP_Xq@ZspabZ zFI~tIn41j4)GG_Lly)`k!glA>^?>cRsl;VEbC;IdK;eenxpK>vgzpxlj{hG)UkF>! z-)s{KAX5I_{acEb9`NPgOL+MfZ{43>%1FP2Hc|;{TzUM>%&S&cu{~D3@@P9!X*A|c z#XTah_WuGps5rEoYSgXBjU~pKH7Ff4FF7y&d)JL6jVrf5b$~^dI)j-eEvFD&{ud2- z0|FYOB6#qMDgmj>IsZ3=wj&Op@4GU#sb9hWCn;p3x8;Ay{5V*%MC+;#S)kTm3;gRT zabAXK=;_~Txc!~F?DzNS{(YPfZ8rW}D-NRD0uudCNIy}LAsYLiryBiFQqX5pm&N~< za>%E-91>g3(iHsfQ$n;IInDcLH$l6_#r31jhtJMOF&z|NIIzFDo|GL=2!6W;O{VNq zOMgybn&5T~v8pR8WNS~k+g-T>0{64MN{Zg{R!dzZZZ+4EFyvl`LXTI_gFrdwv%K6- z?+#V7lUy&lhypHIe@`a$hK(xw3JZ7zko6-!_9{*`ROWB*U6+kp;Hq%GRKNUGf!an( ztkBvToIqjCy@Uke_LHwMhux^AuV0k!#Ozg=%##!o?~u48r{>?Y*xSKz8+mqoV;j0; zzpD*#YQ(cd{fH(X?E;bnwk7qG{K8@E8jHT8BX2Y{qj3BF#(Csx06u>}1`UrK2Gj@K zeWMEw0&SkZA*w1s!{9>ULP0?xL2+o>Xn8RweRrgXf>OSRf+B#7{`Z%evxSMPg@%ok zg{2M9#?{6V$ZG522>jofz>!UiYsf%D4K=@m!uoF>;fFA%{o! RYZeUT9Rm5JcZ7zt{{a+NAgurZ From 74f4077bd05ce0dc32350b50d8d1f539854feee7 Mon Sep 17 00:00:00 2001 
From: PrasadBoke Date: Thu, 9 Nov 2023 12:02:53 +0530 Subject: [PATCH 15/17] Version upgraded for Analytic rules --- ...nPromoAfterRoleMgmtAppPermissionGrant.yaml | 2 +- ...erAppSigninLocationIncrease-detection.yaml | 2 +- .../AzureAADPowerShellAnomaly.yaml | 2 +- .../AzureADRoleManagementPermissionGrant.yaml | 2 +- ...e Force Attack against GitHub Account.yaml | 2 +- .../Analytic Rules/BypassCondAccessRule.yaml | 2 +- ...tenantAccessSettingsOrganizationAdded.yaml | 2 +- ...nantAccessSettingsOrganizationDeleted.yaml | 2 +- .../DistribPassCrackAttempt.yaml | 2 +- .../FailedLogonToAzurePortal.yaml | 2 +- ...dinAADGroupsOtherThanTheOnesSpecified.yaml | 2 +- .../NRT_UseraddedtoPrivilgedGroups.yaml | 2 +- .../SeamlessSSOPasswordSpray.yaml | 2 +- ...Sign-in Burst from Multiple Locations.yaml | 2 +- .../Analytic Rules/SigninPasswordSpray.yaml | 2 +- .../SuspiciousAADJoinedDeviceUpdate.yaml | 2 +- .../UseraddedtoPrivilgedGroups.yaml | 2 +- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 94732 -> 92778 bytes .../Package/mainTemplate.json | 2426 ++++++++--------- 19 files changed, 1200 insertions(+), 1260 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
index b44060c9f32..188b6014a66 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
@@ -92,5 +92,5 @@ entityMappings:
 columnName: TargetName
 - identifier: UPNSuffix
 columnName: TargetUPNSuffix
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
index 983d11b410e..5e0c7d1b8f0 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
@@ -60,5 +60,5 @@ alertDetailsOverride:
 This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations.
-version: 2.0.0
+version: 2.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
index b06497e3beb..ad4063872b3 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
@@ -53,5 +53,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
index 57820d9ba3f..c81080fffc3 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AppDisplayName
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
index 14065db0d54..c2929343a08 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml
@@ -56,5 +56,5 @@ entityMappings:
 columnName: Name
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 2.0.0
+version: 2.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
index 7a6d28fc845..8f5e12e8aca 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml
@@ -68,5 +68,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddresses
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
index 8969ddde21c..2a14d11cc1a 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml
@@ -50,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatedByIPAdress
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
index 4c36295a3bb..7b9217a7ab2 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml
@@ -47,5 +47,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatedByIPAdress
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
index 491fc18dad3..b327ebea13b 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
@@ -58,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
index ad517f5dd65..97da73e4ddb 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
@@ -101,5 +101,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
index c99b2c98024..703da2f29ba 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -63,5 +63,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatedByIPAdress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
index c483e85f4b3..2671c126c15 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
@@ -67,5 +67,5 @@ entityMappings:
 columnName: TargetName
 - identifier: UPNSuffix
 columnName: TargetUPNSuffix
-version: 1.0.3
+version: 1.0.4
 kind: NRT
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
index 1eadf42a853..c2dcf7bea99 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
@@ -48,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
index 22e528f1544..686608a4dff 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
@@ -41,5 +41,5 @@ entityMappings:
 columnName: Name
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
index 404ee30a90c..5c1c0d5738a 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
@@ -84,5 +84,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index b823ea6fb56..2bde16e7853 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
@@ -77,5 +77,5 @@ alertDetailsOverride: In this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed. This could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device. Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
-version: 1.0.1
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
index 41365b14026..1616f79505d 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
@@ -71,5 +71,5 @@ entityMappings:
 columnName: TargetName
 - identifier: UPNSuffix
 columnName: TargetUPNSuffix
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 247cc6e7def5abf982d3f055bc9c9503b320af5f..650a3c9fa955207f8c697e286e9762126ee2d76e 100644 GIT binary patch delta 82718 zcmagFbx>U2wzf+I2*DEE-Q8V+I|O%k_r^jNPVgX&OK>N+YdW~QOXKdYAAA4Kxwo#I zeX3SYypzsK znuR6agqF}3BH8_tJ?r9b^4@dV(_o(x17(4dB&kqu@jYhXfxBfnqC+?YbuZWFENwXg zwQzFzjN5VLGOP7@*J1hLl65)Lpyj1aIB(YY}56g09@|_TbfSlAFh8!KRk#@zqrkIpG#Dq=)KxkKZ0G!UfA$M`sCocDlvhfBjJAmML~ zD8!)IUVZt{1K}k7ZOF4J^~?RyadlUOYX`9Za=Z7aiky~5xLOGBat*z&_pCZR1-7P7 zCLczK9`qeomd_58FC1N$s@5B)nse%u@K>8^wl>l*7CI^nd|ieIOD}FT4ZocgdLL#5 z3w)lxa3BwU?7esfHRR_m^W1vBe80J#S$_0vM(I7*EfDkO;93ETxcR0zEM(mzE8cj- zXWu?O`*bZ704qv71o15mH)r>10Lt})sjt;|bQkwdpKfTTk3KTu_xZ{d{f-Xv*#;oE zbKymhqDi;~Qg^|<=NwJH_jq3rVZ+w(yd!aQln+kQTn^PVeB6sa6o_lzLtW|1#<3yJ zz&GP%=fLjPK2^8tI2aM_g$J&8C_vBD{BqhiP4pWz6a@!jxJ3_;7>GV_%_xMjHOU>b z(bVz0{LE$8@j@343T&|7aBS)6AmDlye{8&xG8A-Ze~KE!ZqS$OI2cXH(^s&&^=ugJ z%RKti6m}^rG5<`}0rZ6$b|-}@0S5Ztr)OWhlTh>*T)7Rwj4J>S;i_KT(%Js>v2%Fq zH)WU2(&b!@m3$|lQ3!bQv|g_+=f)_TQ z8P5c`)Ousi8^F85sO<;Cg?5}g6U5Z)Gx_qV16t&Q&yqpV~E8 z?&(Rv+q*tKx8zj2{mcN75SgV*!D3Fl-%j3NyPSlVD1Y>RlGL|7qqk$QaeqI>Kq-q9 zZp6nY9;Fb}Qd69T6t)9;9$I;!D@5@~#={$xJO$=Yag?7r(5m?#?LrN=r|k_xxB#Y1 z|LNXVy$1gDBa}(di5s7dc0qY6=Nk+$;#gjeRNg{g4S`-Wz3$^c4vq@%m19+em!vBG zpGVK7=?LFLmfgP!RZeHm(EyqX+5yy{z$>wOAq=-}LBs{gXHa0szEmRpcY z!T^q5^-P+FOfsOP(M5eG2M?M07QN!-ErOQ8t3~~Z!)K1e&j@HoD|-oXY}AmHEjrd( zWmeNNQ&ur_Qt8EAtt$Sw!|2gPLhJ_qxT9$LI{uL={)*LO>6(YhN-2tcJCF3&w1Xj1 zr9q~&J)K`Ua?Eb}v>7PdZVE8?Sk(?I0BMlsYhp$R4~hB~o#N$bf|ktm|RLtfPm* zKgoxAThgpsJoxNcwPICdcJz{pOKOG!Xw8u|QA{>@FLaJpejcs>0**Hp&Mn+#E!^~V zKJ2~6!}mukWB+95U2Jn9t)8TJ_Se&jr;$I7PBw0 zkpVS~E-nMFEtjir(Jx*;B4}B>T3r681W% zuV=?XGRV5H{w*bCR)`(kX*Luk-5RbH7U>RrtbYEO;0|Y@&uEzeuhZ~Fr??2*sRNsy zF-kvj62$fZ)0*eAvOvs9W#MuvZ@X+psoMXfFnq_cL`UUWszucJkU={KV}Y!a=}gghLMz(t=JS`(mX*{yR{mfUUG4F^+Bg0}Fl%0u=a z6_Zrc<<^?KoebaNE&mm$Q>CFoZ;=h?RK3xl z|4|A0beFsxU~8+%$#2Y}0lUSx!D|&FkQa9m@f6Sc2L~C~gmY)ouRNKg-o(p{es@Tt 
z409n|drHF&X7M9g1EIK3L6zE$hp3gC+8-Ax1$m@+N9F_R{?<$6O|~~yW>+OtQOn^7 zp7e=@4FS=P-8y&W$*@k{a33lF60#+cO>(?7@tqq{m^6GSVT7c2$k*-W_9wXyh00E~ zwBg|w{yk2{0nk6^NZ7kb*fRr8##oSGWEMRVw%1ToJQ4Tr)SCeje-#)~g#NNY>X2Qz zoHa&Zt=`Gn>mPv#f3fN%8#Pu6Kw$YG!F6nU$=y!I?~t&6AbGqlIRt1msz>LdIiYB9;>H04YR67a>s#A)Kx<5HBZF>aUV%l>aTd zrGAoKFTV+mj%CHIba)X=t8mS5N1+e5%+bsT$^Q>}|ByU)tyA?OGol{Cii)S4e76f+ zXDjC<+_FkymCI^~FH$(tk0fz~&{N}7=w(7>`5@re*12Foz^}5$^*Q~^TZ)hxux07X zs?bv4dIymjF!osYF&|9+VHN6R;5Bmr8dzwuHoE%jwd808_y=fW? zQ;_+eQlR$i4PIznFTCu3u3Rl-5s{VLGa|+7Q~rWKP4Whbc6`Q%5_#vka=xq{r>*x8 z@F2UMjAf%sIg;jxNu$d`d~Q5Qwy)^fO_}wShvvfDJR{>>tiL{uzoW=m0_peUfEk+=$bb z4sJzyx6>9JP6frk{D~Z|wG2|e`Dl>*N#(|*bWP6!r_HjW%}|@`&mfh}dqB7JBDTlL zIRLu;YHxc;*s}vp&RCG{S7!blZi+_-ISQup4!Vx6i#$qYu&T^^c%2EuU4asBn)bip zLAnt_B3?WHs`zW=-P%al+?`Ib|B&jp|7h?-TdFr!q`vzu8Lj5%N&#Q=laTc$+4R5c zfv3yK*$W7Xa0`ieg`6h>y8h}9|7eDMr9IGA3FYPJgdJQy_}yxo+)#`mOwcxsjIBLo z(J1|2!T-Op!@*E4%pH$ER9pxPQhl=43t-wPBS|+@e0hyCvjK{R>k*7sP}7YX8wDT| zd;p~T^)7jBnDeVA{{!l)Ui3Gw(;!TwDV@=ks&;gG^C$-+n1KVKPW*@7%<-bge_Zvy zXqi^*K+)7qpp&68>7bIUzd3qu;j1yTK*gv0x^oDLKu5xU6-(N(u~Fl7{WUmD4t`Lw zSSZTte&y>d^jeg>Enbha4C5xwIG5oAS|H`X};}B)${)eUWT#+A%Zk(pt`Rbd&oS}9sk z{fij|EkOt=O|)zbA90#~Wi++hY5J8>fb9PoqRbraLpBks%5@&hPK7BOL@BBt#rp5) zQg!Nbt&lVoSoG=yAnI-*rLO~cnjxf=tJ4YdpPs$ezJ+Vs_Gz*9xRVXu+#q74VKmWR zzN#ZyNOIih3fDHg$7%XKMEw<03Cl*CSA!TfX|#DYh|jpk!0R-M64?2s@BBK%e^!Sn znD8dV!OQtV2ueb%yK7XVeo%@2OS4icoC=*xC>OVXHL!OHv3y#w@SpcD`-} z!>Y&G@TjlU@m7M5dRz;+vfQqX#GR z;)_yEPV4_99x!wkp^;!;8P^9196Mr(b2s@-%rX=wZXg89;d7Kkm*-=6f7IP zU*Q=wY4m=D2mQZyGO6Jg{G^&oy3FLNY@ksUCU(8~nL7jS9{f)^$FJ2-ze>+M>cp7= z-G7x{Fao;&D!szL<}u(?g9@zHG&puV#+dT4%<=_*+uMOG6#FSvLqimU{HWgO%%4Ia z_p0%j?;S7C*|VtBq^!5k9y_7LdP3lS!e1lLN-i~4xSzkP763~+UH+R&Ge#< zjLcA#LMMN_5H+==;3?z^zSxmG5&N7pFG5NE*FX^58g#9L3co0$O#83}2I=G{X{b#(BP zO3pcjg*2u_cjcD>G_Y4>Os1ro9hDT{&DM`_`>?(z2h8N0V1SC*K6;J-BYarI%lpX7 zm2#((iPuX~ahhW1SHh-17_O>BKPy9WHH9V7Mt)%|L0W&@h@TGqs&^GPCVnbCb#ykW zzH1XrygW!R3DnjbV+Uz;GWO=2Puq0ywr8vs(Hv68x|?J4YO)Vn? 
z$JJ3+4VTc^hG=UfmJOT6UU5`g)IcV*Sv5Cc^1o199^luWRF{U!_RnzUO>Xy%IcFmg zCKb+Ra%;LoAH~I6-l;3NM9ayH#Lt1$69^z>^l~oSK-I1{UVqiR^B$6x4VcZVL#;Ug zlg=<_V6#8A3_CdPD#x4u(0o&N4zVR@OFLOTz7jj1;!wt}k4`q(SSXRw_(CgMFe+&N zu-i>?N@t#!x2rc9RXC5(lYh~d#{a1%Bd%KsDutSIvCx6c6llxb^VW1RtV~T-f=Di( zo1$7Cs31teP*$imKR3&qnUm`W51_ZGZEJU^#}CA-sN7Lp+hgWWu-FgA4S1C;WJ=Q6 z*W2;Y;~f~ljn1Q5nWJON>7B8boAn5MY1F6jWRTe#a0&WtI=8MJXZGc<7nkSs=I==+ zO1}*1s+v+7e?mwPliYj$i@DiXpg?vO?r?@cB3N`0u2yft1c6~8Byk{-+Bd^w?_g*; zFVf}QoOw{dH0&Ce5}9LWLNvEEtOsw=DuH!^1&^*|3ZGAked8|8Yj`zzm}3HMQFBFL zg~x7@+#Z^^X1CbSl{9fEwbtic&lnFN ziQ^*%;m3SF^sM+mbC0w8&1;dGWot#UllYTmdYN}dhWa3V%l*z|xD_Kj$&gDL6QnyS zsGo}5V5O{>Dus-tTU!`*<5?QX9@hPH+YN4NaBYV|!TX29pR4LDintR^h&vesP^@pe zNJ4xK%~j^%__tp+E=a9$kv@Ooy4w2z0LrP`-e)A|)Hy8_2%CjQc)XkE0Y;iMZ7ZLf`rB%u&3`Gx9~7Xi@&&R;^+HxaFojqM zvX?xN(5>CB{a0SVa6(wUf;qM40{ab^S>;I1Lflv?WEm_E~T1QX^z{Yi8u;52D7*QHyw9h4#zs`3Ih|`OI>G&BX?xd{B7=xxY=cI zvN75s3F5VZ&0Y^XA1YUK3XM(Rp$^^G4dSzqEga~EmWBH1krg>i;_?Ai^whYY%#wXJ z3ys8_d?l=T-Zo!a0-Iq;@*jWy(Sxh;i037ciKcXdXN8eX9ic`lO-HGptd=F*MC(I zEgVkDUk?++D&eEDT+R(E8fwf@fF!X7pmNl4wDQ1p<=fAsk<916DSV-@Uc^aswPX6^}u6hwoixg{Npy%8OMvR z9~sSu$e)P%gb@M_3B<($YU}`%$)8VF7u_|_2_D%wUdG<3)>I<5vKkkabAiFIN`4fO%Sr;J;Wtq z|ES}xN)w@GEfZ%vjOPM6qdzqDizlOFBNF|5_+G2n3%0vVKlcv96*Jq#dOdR6#zm3T zcGifCyE%!8e{^(u<&bTrqDiyyq^lfLejiiU+DyNuN58c>)AVwpX{JmD>5cC}FEMcc zzE!k2~CY z*ld+*=COb{h5DknKJSUNQ@Sd69)Z45f5J#i;PO!_dX)bJc&xgq!CvcMcJ;Vga*}@L z|0ILqLYieTar3tc*(3V(ot(xe^VOyvitQ7^+0@fR!Zn@vjHXy!+mfrOc|7#A1^aT= zjQeNnav24X#DQFaeSA&(l!b%lOzP&LLhnUfhQw89cY|mn#0S15xv5_G?Ji9|fG={v z^owg;D1wOzXi2IPmUBOP$_QPU;`#7-K2>OJQ(I8WH=aR9Pf{Uiehp2xu+H{mX`%Jd zAlbvCKE#(jX@dE;<@Wq@xpBu(F8DvDNy?7r8j0-eoQe*|>KL=}si{%S#V`Ds$&1Iq%^7Z{n3t&4un0MS`x<_&B&KOY zEdtt~3ullXybWtdk_=Z>!RBQ<5(l2(tCopoec!gk1E=lu#=PQU4D3RR_EzD3vI~%o z5twZ!v$*<6vYNWe{};)iQeJD86zxm&!tdPc11IGZq_%9QNZtQu0x%F(7L(#&7D-A3l>!l7VveLp6R zQ$sD@;%+A+&W<2z5+2kJ`V+@W8_~fx4&bK`8VVrTAUmNKKWeKln9`+AaHHF9S399< zU0#y*7Czm@bRO*0l0CNFrhXTcC8h0S@5_?6yv&Nl< 
z#=Hqu^kxmNp}LJ@KA|-je1V&%_Ec=|6HL|ESw4MOa_&&(bzGW%{YMGPWcpP>*4{QN zs@Cf!XH@!BK)275!XvtTm0d;mJ8*JsC!V{3e zG;FsAiNUNBGi=l=8p-nLGQ^uR<03Jg{8B|lMk z@*<@Dj1NAz6u}G4G;mDF>)ul(RIE|fV?mQne^yxOQ+^Zv7Xo>1&osl9@xms_bt9*T|GMem?iX%YpY;IMQK8F)kL?yTMJ(#xl7*~IdF*?Lie)DgNKakQ&JDr>cA#bdMS;^0#Ytxa0xl(#d#ROiU<}tgMxGLP9o^JF(aoo#h1Yh;c%b4LUm zLuE9)q>cj1^fDYC0E&pqV-e~aY3;PFMdO`rkr{6DF`>>P-dtr*Kq#URnv8l&J`9;3 zwLS58poVO0L%X_UE?~Snyx4Z@(|SX{hO@gVMu$kbRuX4Msf`?1IIVbcrQXjbM8ze& zaJ?ff?6#X^({tR6QKpq#<=lOFMy}Jl^vEIJmuNE}sdb(O+z{Hn|L_-b@s{;&BU-HZ zS%dhfn^)k&iEW{gOht%P0my!PeMeb9+L5^t=X4Ax*pncz~Q?<8dWyv>1(e{h1k9 zDdb5_N1d7Pb`It(nUn0uKJc_-_EV6w%pEuMqGVaQjZ)NS!Jp6{wiGfi zq$nt-^ui1_?Ozpi<;ripiDm`ie~);=17P(SZ%mAV>W-V?CqYBaMwTO^CHltj5EX_0s7oNn6NSJNKc`Y4hNq&?58>>OrlC{4H}487O`0K1OMbvz}QsgTs$hD<-J0yMmG}B zJ#<96Qei&AIkc^v23^y^}=tIRPrKUV+nX_A^ zk{Q~sbEoZ>U`Wa+wXvdq{cQp0C2 zZ(@jMCX|KyzYEu0-?QJeD*l-HG*AQFLMF8GbsI#OFqxvxrnBle?G($kA9VsjUPW$1^#wG4fl}Yj+R~ByYP)>;eG=ddut2H%vYmc~1I5hz~Ji#V{@?k<%2X%pdf-S?y@i1o1Pw4Kr= zM?Dx^hGTWQ1T=0KW|-dM6%-{tpw8monubOV&D|ZwSZ-)eeWylZdejAE!H)ghHu#*E z@QN(ptQ%tMQd87E=Zsy_hCM)SA*#TG-CNWC-V94YGPCY1=5aYjZDoy7y;`84UL@hj z2;S{9f&bT*gBI7>V|C7viH*-GrJ#(UgDG!f!`{HH;zy~46nUmOqs1Hbsg}O#rZ_(? zkR?Pb3Ndj2Hc^I#`%jZ^uNEEtz34m(woE(-Tr`zPVc+E+q;*bv@C%qwJ$y`&b>I)N z@lD1UGtxH!*)kZhyMz&91>bPn*(~+15?V&BFGw3sOog-yP$|7=VAz2scH=98$ed}P@xE`fGI_Jvp^<&NU0Q<8Cd+o17Th>E$PYTxupT!L8Dv-c+L5#hP#zb zB(5q{Rp8T2o(uc@!A5G)9CgCn-e^M?_sxmcg*gk-1?bqYXo#ht6I3f>Ld(2UIBweuc*R#zhIHA@-!eE?e z96POLZ_S%J?^_`4L{Zx|X0h7w_ah1EC=ZK!l84bcYn&1O6U_AOI}lFio)jGuw^CLs zTpB*aZ(Un`YOk7CwRX;B7{i*>LI3KeA1e@Ve+zV9%#e6hRM%-{`UO$mar}~OXycDI zn)M(^ukte$qQCm*cshwSxPbRHpMSu6AAj~mj6K9$v9^0&;?fwKGV{FIt60%aSx48AZGj;7(@mt$xSp z?2}{|CmRu@)s&+L-T6D0FbJWK7Q#*_CK)d8YN<ygh3z}Wf zebS89YpD zC@{rgw*ok=ZN6bo;&xu1osu6xDbvp;VSNmopyI?evLiyllNVRs8JSV#d!*c_czn6a ztGM63(GwEVlEc`l403XqemVw8kIDrprSPk>&qe`1X9hB!t+;TFX0uj?@2C2e_^u8! 
z6sX97FDVVQ1kh9fJ=)3VNqKG+A7TxOXtexw8E4DNoGq0sUN#F9L097fO)5<5$Ut(G#8cGpixCZ52 z#_#>NQ=75<*YTWz-zf=6X8m;9X3hd?>ZyxNv3X@SP*lWUdy0K#nMF^ zKx+3IIyGS|lW=yD_i&+$l!JoY9N;jz0}%1C`oce436;X^nf^(cx|&mIn&kQ|KSeK8 zy_vf|txI;{)!tjVeoil*Z52|!X)|2Yd!?_-roY$1^VgJe8^76haORt43MJcv->|D& zU;W7UVUxHwG5d9#z2-->cl546leasvVpQVwx~VO@kU4FYybfhp9J(`>dHw8#9`L33 zxy(_T-bYLaTFZ3)Olhf+C5-1s^F((M%@M1wWHn|T=Az2y7(6Y#xe$5Fv&<(n@^NFM zQY&Ir!!5mnO4kfMXCpZ($7=@@Te~wvqBpD#u{_ap1Vf@!YS@#jkz8?TP^*cnQ&=M`Ai&3W%n=h~WW&$1 zOT?Y=?ndHb*9vGn;X4umocg}rv(-sYOs0NQ^qL;yvr)rIGjzHeoQ!jDxjzkPI%nHQ=Yo!xN-y?bo71yOU9sAWx90_3B=` z6<;Vkb;k7>bo{Kpi(v40-VCjj-l3tY`WM}-49_=+R*wnwy99j-em2NQk-ASZ)WZ=X zaf;S|$;O2(dnu}d)^pUWNsG`*gFv|Shx$L30v;PYVd90$eQwb>C4pJx!VToL4?9G> zN8A3c9Cmye&%eB;Zm#*^qZ@$DA#}D6jJr+*zsVeTf$vOAmRx>#5h{qn32jm~AH(3l z1EnhG{^j)aBsvQM2;*^hWG3H!Gm%d$xr@TX4Q5_7)zMJ~N63hq|nRh8;f0LE$Vfe)bepx z`=UFlz--2=?>4iFUQ37RGFlywTa_t+4$r}JxYRY98%#CBiG=3gX1ZhQq_}FEkx~(V zErl>LWm4wXXcozNf@HosdwO1)c&>3O5#0Rpa^m2z%XC}&4b<=;-Hudj zBxz5xlL0yl-YaXh5pib`BR2a5#ik|>Y2rZ=UUCNf}~OwN?qr2*yj<~ z;e@d+dT;EH)V+c{@`iswYWd(iH8r=erqTmzv>XX46W_sAO}51BB}W_QLexChQ5MX2 zN0$-Dsc=2i8P-Nfc|+?!vKz^li%nLw#{pieTo(EUbfM{sg#FMRHX%wU$y2mIX7t_p zm62so3UiGh1!jYhpvI)(3qZ<{#dKRd3Y5k5%YoS7^1-Xy@*Hane=QC{IgTx{D4Hry zHtvvx+s!|Ao<>sd&DQOd-R@MkfkY^_s21z8isk!5kn|_|hW%dJO-SgUwRvfZ_@aIw z1^bHt)ABM-Uxg-()V_)^-u^)E~qXF=lnx;~?(#{zVv-8ujWk^U051`mtz7JMLc{W)J>Ht6J$% zfIVTuw}E%rkrGj8#9_O8I?VNOhX-l9!%WCyTPRu>oYDt61Kf!j!s6C2#O4 zTZ7Q8gPO|vQd-rw8TeHd%qjTQI9xh+Ti;X0wCst_Vb@d4n)hkOQKl={S5Y4j%iH+D z&hcegDi3bv%IoO664QOcmD850YWr=DK&En)?|>Z~t`}s`OzojaWK*P7ekQVg6a#C_iYZLd$ho}8}{3`4=fo;5+$euo9^wq7tDs02$HG3&zp5?^AyrZa(V~U)S z$tzZjkvPL+sbvLp(Ip({mU(U}LTb#}#Zo(E&T{Cz<=|towyILqO>JCA7*m9HVy-S&izsD)U z4j!N7yq|p^f0g{qQt4gp1IBH*jd0O55-bzae*cLTHe&4oZ>IEv@Uc0pa7rW7>Aa>; zX|I}a-=z^X?k3+<+WNqL=42eWbyPq$)QPP~>b%^&^LEx|%pD6O+kska!Zu8{5Jqiy z6j$Ic(u9WAcS?u6spGv$S&ij7kShNio?0<8iLI)3us3K{bahF|4orF94|w0Zx#$0u z`9uxit&5L5ubcd}BCm7Z!Zr`RWJ&X` zKXmwh&7b;&qS(XX3K*y)QMqS?CU^fK8?kS+rwMk7qQ-iu5Qlc*gwq*#x@&BRbZ?#s 
zKaaj_ygUFe-1oD<1M_07!!V1pW;x8Bg$@OmfLn~1{OgISMd9qfv2T75C@{magrO)o zaVrQ{ul9ux%;J;;-IH_n*LfD^sRoeI(lW<2Bx}q^2P9950dql)($)n-M>dk%JbPB; z^aos9bi&DoCU_Bv1)3gBqJn5k)kby5=cX7dHO7kh2Q{;icvLfEEuWXG##InO?runh zqO^t7Ju_oW`SE^rJSBMFJE9->}x*5faL68;`nX; zb9u=S`cb?y5OZrbtJ^N>*fdbhi(#_Y-^H^=%v}cm4Qcp(B+Q|WmT_|lKZ+?qh%Ud) zU%RWQqD-hu!+@=jp-#)3Pe-E3g-llhI&j!9weCtaq&|zjc;^zdajL-K;()X$ket!y{mc;Ef_h85>(&}R88(MU-%`-pFzw}Gr6{_V1( zNu6djfPCynU`-ZZ0^7cc6SlqZW&Y@pN0a#sZOBmqPK_~E5MC2I1AYE2);_wY>BWRq$iCrlpGK9;iA}s9V-H?O=*t z({v+K{ijh+sG+_G2ftyUJ0<$&%DH+~3RPSIz?jFEGS+&$-q5V_B(i{~dQR2gKT%}# zei0oZLLT29sMbg{z3-=EL&s28(G6tMGLlV>jHAcpa7f_XEwQRVmMtCAz)z^?`*nE` z>8ObxG82+5gJ6y%RwvMXe^)p?{5#90eP(Dj^{yJ1OO)Mk(bz`YmVamgrKTQIcEpke zOrogT2oDx-xT=LM8cy()^&aU@-t@-N=;tksgeTmRHPB@K(o{$7Uua^h83XHWk0r~o zCuWvLn%)ywWMf8tp-=PB;9g3fq;PdG9jxAtnzu+Wm-}%E#2P4V&%}@t zqZmv%IpN2;6<1){8<)bi*_k=VR+u;hq^N9TQ@>0boCnlL&U{EWKZfs#NR3TWt1v4q z7o4#yd{C!rcGDNHUl{ya%24!P*T+ZBITmuKt-~E(^%UUCR54tYlivm0j(G6kpJ^&H zvuY}59h&U@5tfe*>DT@|%5vK>#O^UH!V`=_aF@gOcr*JG&x!K&V8cAdZ54MWAWvM~ z4C2n6IDC7?kHoxgUE!Td1enMk+g(rhKJWA)SoQ7D5bWu84~gm+z|_ojx=t^hJzR$_ zx2{tLrhwPw*VpobqP(8=8E_H4cVj3USh$CKh7SNc5~kjxkB(KA8fFj8R#BC_FPlh2 zLj$+)e9T^^>2gVGhxVd2ZCK1vD^WrgHJL%fd%S1on`;-~HQ0HY?$ zPV-e15`M$g?;xwCJM9kf&n`7B>$Y#x=Q%d{$If|t41T;wjvT?nfZv_~8DCE{8{T~% zX#4%qlueNBAmaVd6o|u7kh+KErk^Uza_vF$dU*~Gylf0vdUJrRN*a$rqO;v^I8$v) zNg(zR^Kxz2NAFH-u$|HZs6GtV%;*R*(4x4n473amq|av+OFH~w`&k9X2H)=lUDo}6}K|CB)SHq}u= zE4hJmg$RT-&`^u6B}-S^!FYZq$TYlfXt(~YWG8huQt=-Ov1B2X>vyL2=N9J9zRmAU zXY$>`vqXE`-7t~K=Y4vD_n2dpTwV0Z(|{GkK?WCunQd3?k)1hL?37gIybDBK8Hsi%56yfFUZQIv&jFJ}&O>HH_E%l}gh)>Fhd<%FB!DFzf0~tgn3S7s7K=S+sLT`!;NNM10GJ z<}=J|XEvvf*}@fA51!d%)!^@paA9?tj+|&Iu+{bk@gE3vMDQb(IQr3WiDPtqKmBZ8#WUIXY4Y<*#68bRSg(rlL#{?g&k_57wpD zkOD)p7`feI(@8&n{o+C3PW?22>u&kvg3GA*u*E*o z4TDAfJQR8RdwhK(^cD&z3QlqV`(0y?KAcYz;MtC)8V~Wbm zhr&myBSsUmfhuRpd94^a^!1pq)A!To46*{H=Rhzou5B_UvK z@>lZ`32u`?u~Q4BC0=w=6RwvG7&zUVm|nD*jKX{tLvanu= zIGXTstItlU+o=>qsO5g!rp>y_g-xVGhAz|gjnxT>;Ynm;flkuX#|amjz^{oZ1ro#j 
zxA=uVDl!&2vI9gKD!4syfUL!Udc{oyjS?mb3s#;iD2P|tR!%a7hVasDGKrDVydS^5 zR&Pg+%Y>h?&aGfO%==9__Sog<5^RFU@iq2*o6b*(BVRVyi$_j_hrgbTvJ_P?SxK6f z6^Mfb!4?tq)bn%u+D%`BfCY;}6bY?Rvh)X8E3x?W`-by^#DnU-HsLm(0Kp@j6As2S zTlX4mCPk7hIDkY9mP^*;(DDj-;`IU_gdORON!ZY$#arX~@3#I;r`r`i~a<{Y58Voy!CspZg0n8j4zSzN=@gk}=#a|(Mk zP_2}u&?V42V_^E;v@1m}RuA+;=-q94}%l}2qBJ(YoJ-Z)>8ReGHGZr(Xg<#n-->?)uAi7`?_D0Om4&bxXN z6KK5XK^gYo&QM%W^6_bSzI2!g&FJ$ysnZ(1#^Ao#rUVQ}Qh~s&GU5>8jkaf+!;>h& zpWRk5m@>0`k8>u`l`)kw@VZeicL3P}x!VU_=6;RB>3S;Th{OB{>lMI-j96sa(^9vh z&`~hf%;zSs?#G+e5TnmIq4k$;F?-lCIwFRbmuk!blmpQ=Z8C{Za<22M5E#yOM8=gs z#*jc=QXqbT(Q^HTb1%W6WzoK#|F%QseVW|KN*wH6&^1aW5s?6u33~1|8i9O$JgdFF zPoVbu0H(bqhts7+6SK5MWVQg~WqgHiT+VYUUgAYGTry)@kPVeu76+dP&9wZut^Y|M!Po!1i z48-Pr7Do9(_DP0#*Gx)EfEen*BTx1FE5aj;iuhpH`^v6sN%BW#I-9j3rIxAQ?7XI` z;-N3^p52Tfn6FQ!onVX%8(pX!e5JrTjbhQvtqAGYZ7>alg@?OS-jlr>#}B9s^SlQZ zH0;8R|A(e`4z8^EzK7#XjEOa|o!mGR+qP|ck{jE$ZQHhO+fF9Qym>zF_xH!?I#sv& z)ULX_yVqJ9of0@v=X5b-xJ!5Tdg!=rgWtHmg97vnwjhrd9<9)?!J%xp0 z3_&;I8u1nz?7}M%|CR7iSUr+Fe%eeGF4EsPvs& z6aeZ#DJT;ogr9D}4h}ZJ^y8&1`ZkK1lrsH&|MVi?DRvm zXVBL7f2QzY%`2^u(2dsg!(ll-nUR@01EJlrRidiF1#g)fv9 z*fb-rxcKH~6O7shME^^vrTUQ?S7UFh@Ni4iUW{uJwEd~d-36*^tc&UKJ)_F5E$lvJ zIoA%CNvH)|eSJ!*CtT2tZInd*JBD$_5Zlu4Nb2a|^YfAn(ju;lr$h;F5Uq{<1$h5= z>e0DVakX<=vI-Uifb1r=2g!vc%JH^6I4qbbS0Kn#4Tz8Xis$%sk7^vKQ<$ z;n~=oC57bICjEwzeds7h4BO* zMJjVl$%@o_0SBCYbN;lB&T}x2hU_oKjmt*X&tXk3#@vEigGzhSt=umr-Um38=~PCQ z=>rL_^w+sFxk#F3k}ge~v3c4Zh+jj;j#|g5HnrnxKcF;|P$%}aC=DFj0YELuhYiGI zSA%4Y!(@!$u^?(~sdNuAH4OQuNbf5Hdmm=_H3K;%m$pel(r1gWF@{Pe9q4qhyf6z2TH4_X3xHD0|^co*ItRT->-(-fg{T?`*d>Gkp2YXf4ekmASpg#R9vY(!NV zcbJ?E)+X}$GkaVTl;vmbaj<|nRcChv4#Vt6?@x9MRc3iJxZ+I9&MH6@noCq6{p)mI z$)M!qx8kIR15TBsCyA3)1W!JoirW{Ag+vuUgjLSpo~nIa3{=t@gj*jpiEt=~r%_R1 zyp8Ku(BOv+f>1Y&1Wjpa#zhYT{k4Wf454y3HxxEq5LCGYXO2u3Ks$B(V>oSn!{pYA zrJ&jPSxNHDYrzXiwG_XRV%1`#qi~7%%uhxdbD0#|~M zPV7_(-~1v@6j&Y<6}TPW5Gb9)B1P&g&nk5|rTC0Z<%OsSg~Caf&2=C_4ma`l>JWs5 zbObNp>Q^)Fl@7)t?lW+uVQ==IHk(n1=_JT&DSRiY7W8JJcGtxRC-)gTI%ayck;<~o 
zP%Zn=6i)FQ%jLhTFw+DWN3h2+NcOL>DlLhBN_W8#0YH2^w59!-#Jzksx9F~4?#XU$ zD578l26r|zL};_cUL$h7gyP{%ouN8jd&P||$q#5=%&fs$;BgJ@!}d~O+!{&q%Hh8k zvxoBmjpvwr>R#wCPXW@f&8gB3xO{M+&w^cjI=kTPrYV1`7k>LFH1iC?lpxg@2#RRc zlnb#6&j3U7Ctr;%gJ8%v2M* zEwnzS1CP;GxUXYVn(bXvavZ*Y(kfgfCA<0)Bv+yt46N8L!2UUmaX-dz<^MM{xE=2$nsBn2n@bQRJzbjH51Zy>j z<_J@PC$p&7WD#+xDGV;jbWROgxhgIAEKSOkuqY_?-37@v8d)FWljGh}3waM)#^PWF z0G7%%I}jm&#fOE&5~T0}^3tqo7M|b*vJ|JJ(fkORzKeoe@T8DMt3oQ-9`2 zQq2J8)7PBh?srcjdwb7KUUt5acT&7Op+-2<#XX}PKK-bJhAu%Z`A#>kvy(QLB%t& z7;~cSMF>^d!3gD2?2&ZhDPX_KqVrdiE^zS402j&HDof|s=l7hA=QX@5IT~_YO+a1V zPo5lIooR$7%`Vl7hZ5C_jqH1TRh=qZJxSF?wrCC;UHJX=F_ zM0;aE`O~`DrAZxghicVIxeLqx5~o#*H5nZF%PTc=gd}QHZM!0^6pKF4&G_P+oSZNI zHraY>v_D0ttzZ%@d5AT*zjHYQ5A3w#x@#nG*VIMY*A&x%N@!;{@^#)fMx`*9Y{w@D zjJ$NzjR~_X#(3@02eKs6?(~=zs1KBu<_}Rh+SF93e_O&LHfQv9+2G}rJ2^aKZmh;f zl!v~;lf=8ibp=ds8o&oa`U>KNW${tRRb>4adpjtkTZ9T7DX1c~y-mqWtXX@yfl{b^dqpkN)xI6rRmUh~%u`G$r z$SUx!SO|h3x&;F16Lab`*elC(r?xXmVH?rIHY=@_@L1#?J(hoSOPdd)~hwMOt;KH3<1L8K2r#rF*sO9@C?$oAi|0lNK*gs{+;_% zQ|&4NUr~a$_)*+fA6jNW1wMv&bC3bUfQ-23u;37KXIy`R|02h8;@-2y=`m+ZaOtMY zDi@tuP<(+$kd4>L!NtXO`cRBuh7zMPV5mg|-uJJtJkFPcqfRVC5nn!>XR~=^$^q;3 z7EBah7lD^!LGT|JP+g2AjA@}h8>*>m->R>gd`C`UlGIHDt^$ngs@8nchbQy%>+b;7 z@X0wOw+TwR6>?GJTe!kB-jSmpHldka4FAi%W;ly5N5(uO?^oiu(k~;j0p+WqM;d7; za5H~DSd))zs%xlXrkDJO-*WPT4GO4CnA&47S%v*-R-A5HK+|AnmFJuOG{59xsC-pI z)FRb}Se+>;lNJRB z>IqAFU0%&X#eH8@kiCL3eB|^gk*0JP`0xgHQuMpxH}s!5^MLkWF;h{L1tE{lRWaM( z7etFh>@&8!z{naq7vZ9v#bRs|Z^@RK@Wbw~)Rh!Iyz5s7WJU5nl;G!V<%GTAKdrO1 z(z0aHlj!nU`b=5MX;WZfq)?MU3!FgB*C!A>go|p?QYMC46J}8*soC3tHd~o z@H2@B_lT;DJVdjagE8>Xb&5U)%@~tGdK4NtNQ2cnzyZr2+|d2MLlFC2I;g|1mP#9* z7fTzisCEpT3Z~Dw>hhy2h)&G>GhcFW9JgEO$&LukI>O_Xq2ib)G$0Q%H8c=7Db6fM z+k!Kv{sc*vA8TMAR>IwG#y)6U4i5F220VxBH^lYqcTzaoBCh_C515jI$f!9|iByxt z1CP3X0+KosbUVzx@h5QA*X1_+ZwKHv8}gbM(4fI`KaB?Lb;=qVyPhozWoqrNV7cKc zlL>xZau!fIA#imN)>I!2!P8oj<4{NS-;!8kateKz7i89xd0cC2U`Kz=Y zX~5Abgvm?EV;Ey&Je-*pX$7EBE;=4Wf7$>;h?R!DGF?U6J6Gk%Yp(;FT<#?=2yix) 
zTxC7iYm?O=9U6k`H|=6PXr;D2l=4^tVzSu&4Wr;#>y4L`ZxKFv${lMZ5wjNsc8d&> z!=F}(lni3_*qNKRB$_3p*Apt5BJT&q`X@J_t&&z(57nkvV4XKXZ@8yG?hb5l*ac_D_ej22Q}3U#h!Tx^Sss(@mZ(OrkBv%>C_)`Jj;YXsv@Hj;4_+D zx?9+@ML}ze`2ep;c@ddMlWZi%d&0oh{pikJSI?FLvNbXw2U+jT`bF@$2iBx0$s^mQ zi3?e6PO=2TWy#Z2+rYI9a~&cXYfjM+f)%vJs0_=kR&ncaP)D4%$cag%c0gvon9oyj ztD*UeKAU2TBikr9>u77FQLJ+CC?x}_)SXS1Sd+ogUWD7V7~@38kqhT_lZl6A1gtcn8r>1m4QZSAJ|(LKq{;+MPMh}6OA+dek#FY< zV&iS7*UZQ+tY|uGV%wTj8!fcV{tjikfM#oD{H{sXX9{W;@DT}W|MtGcZ|{p1{H#?i zWsu5?o<{ApIJmX`!P<==2Hd{bxO=o__5@1s_%ss-1-%nw7v`>M1kS8xvyf#HmC-9TDWu=dgDoqNs0 z6NS}~=FBnzg**CoK?8=|3ye3cz!yJt7z#vKCQsNmcdLg<>?r-DOC_*2v9vX%X-fZM zKKTvjb79sr{guq2P#$v~CpMh2t=^6n5lY^1=u#|~(bF72nm%{h2d>B4D^;|+M0o1c z3^->;dmwp^hWLn7C6I#StuOIN&d82+@Hb*vL0nvVk{CB`2gme{(Q={J-YV2S`ayVD zHM;sC1@KV7%a=V1CFCJ!x&0pf7(_<_`a<7iE0}uoX^&7nN5jciDk89edx9-hoc8HV9-V5#*5e7oZ;(MZX;@Q zTISwowaHxwrRi@)N;TpZy=?*aRr9UizC22W;!f}J4)E1>sh$kx0ebvb>b-#S<6%JYhyh?w+z^cn5Wp*H#hdsAM2 zLgQwa%xgDp1#@5ILn20Z2Gxa&?yBZgm=gS`tYjjSOXU(m-%UI#!ryuo7Jj8`#aPc6 zQl}AD1gx&-I^{gh{;^P~nmS84IsMK=hl{Y?fr)jLS}*$EVa=c?JI}o;SrI1Lt_n|3 zFTWzZa#mLZFKKz)Pm$HIcxW=FYWh`g+#qLQDtH8rt3K=^VP-*l-yP*NlIXc!tokcC z8VfOL`Qx2fRX&T16OX=gG<)41V@ZuEnT9t&6DW1BQx&I4fjJeEOlwjiF11YEP)O!= zEnH?yqit=SfbfBWn}%wTk7=q2H@(?zaeqJ4wx4)Otl?cL_XL^N=YEMhP0rU_D4-*^ zB+aQ?syRIk?J^QC2P6UN8TuR>T3K^7eu@rkSD1QGJ7H99n1Urt-LLG4UYldQgdT_^k*&pw$#oO2|#a(2(dvSK?bP_1s(IdSjw~gMawX83cyl85=ie{WV zY4l)hmgN-FOzftY(Wzq(sG82`v^=n-a-YW{B5``ka<|ULyhU6Et*)xI>jvWAe6BjD zn~qL6p%#b%?-lF!RwxrS10~HLT#fXOz$4n8%UZ%R>xnpxX=>UYW||7Ro_Ob`BQ={h zlVciVMZnBBZI3f(_Qt(cTkV12v%Y8n^?CsIH~R_wWC)8}lX`ni&e-~=e^;&AXMI7t--f69qgfS5ajh^+n-ht1E)l7b9Te9>6!`n!j z7?1i|H%LrlhxnMRNN2D&*X}D+B}1cSKKe$mz#9}R${er?Qpi(&Gq*bVYn=nA*TW)K zW})K@F{~PO_r8+}`Neg99q(e}7?YuEu=l*rQ_`T*C8|9CnujtIZ$5{>+r&^+9byd8 z4S#csv=kgjNBZ2r4*C~5u)Q4wd?6k7NQGi8u{abK{z&ywe}MQsgxgUiWV;-2oyo`a z%e^rN#PvQa?q5gC0^B@k;*JPQOsK~VTQLePaHvg=%XNR#J?nmEIv5zEB9z+_#&>&0 zWkGXHldeY@TiVsOx80D;6U&h;>W;W{-*{Rof@GK9vQ5`1dYc!fUYd;ve9F@$IXD3E 
zRI~`Fd_pphT?nMTe`cz<6ODi4Ju8;r8o99xCiY`3>7!9~YusFHFWd^|s-3nXsAZL?Ci+RsWLIFW zM16gRn85a{&i6tf6!ZWH41`2SB-y5qCb2JqHbQu~c1IoFjv|S_IW=ZimbHsDg=Rxm zpPbFHjqvTo3t`uctb6x^8Q6=KI+!k5FZmOwYM>ALN;}qkRD@9HjVz zd6ULt4u#2GzB#U|3{8^2Kxs|M5gHxBj41u*r-hPq&iv}GYJhnFaB~9{zf2OYyQlbq zy<6qa>|L}L#OiI+`6V3$7d|GD%xV)mFFFyFtD+uOje_b=na0tWF_!w1!quW8g)?GA zUuLr8B6}FW;(!~BqMJXIF@{NztzO!A4lU1WdO$Q94JVpD^<~MN8g$5xAW0b(z3HIY zCAIx|Gp1T|I)i*vAjljlCAZTmetmL6dc0Ucq{%2LjSzgj@r>4wmil{=Ybu}Ue(d_i zrqKMG*10DdDD`k0QE90vLEpJ;b;CisM&XAvfsZZcb|~#obWEUrx)2wn#3b zYw!xK)Xw6@31v(Z&dPYUMFbVlgW6+Tua1w zWmL~W7mbr02))Kz9k*pd)RDYfb;r52*k0?Gq}oZ(r|o?(dR<2zZv0&}-B85(ub8ky zlE>yM{)j07lprV|>qgrrHGv36yDs!LV1r-S+5Q$xUo8M-&{BV5KMmzN0;1 zMfeqc%upr#Yz7)9Xn*=mI6$~}oz=+2(?OdYRd_fE*gT-I%SDMkO}YK^<&#Z_DQIY_ z&`$>C@^6g0b5~Txg8XK{#-)18`nzD}wd(JtSf?VPgted_TTxZJ)Zb0Dml#pvaJZnW zary-iu4mEv@P*YjcX|8S5rd+Y{94ykQb_M@=afJXTt+wIncyBsizFZhTDNBf?8Yjc ztD(_1fD;C)7MGqUm*J_MM@jPPBCby6y$+XYJ-WIEHmlg1V;X^2-GhNgADI-ykC0MX z{IQb-V@`AXvQFu;-jdqJEmTJv#5Vr1MD645r!5tFZZuFQwLyG*Zpy!`FCmtowfd+% zCcT%8a)O_l?-Gx$OMV2UPZ5{~|KmnyV%5d#wmTEtl5=)sP8qVjaqc63y zu8cioD;v%8bS+)~Ums@mBv^67P!v6o9~eelE{cq8H&Ojw`$%I#93+T`Py|Aoc;O+O zFNn+H_b@JVtKE5&>GjOCV04b0#>FI9`{HQPt@Oz=KUq}RtQ|y2;G<&}KCwI#Lo8s` zfd)u)7@gXEwkYAh0sE~3P`4$$y!hNXQ7>kWVDXF$4JaNLoJ{`XHCZz&@{eZ`I(vRt z6rr`ZT4-VIA!2AK$sfV|jiG{aUJscsWD5?0NTm4dy#z&kSw630Mku*FEk%6`71oC2 zSM^u%K{oS4pjLmcYUFc0b*%U6G7lNLfr81H^9uODvjj(M(O<4IsQWqu(#O0RNfx_5 zGl2G$@@eD?&WyU91k16oYP+Uw5$Bp412Ji`smj@*5|2@*l6SWkkD1xE)D>zE|yhKt=4u zF|W?bBR%3{Z1@(Q#2%s#|SpNxwda`_*2_rIureJ{-`VH@1{0keE5 z*n;tWRg9FMq7@D7tuK--3U6saYkT^3N`LM1#`bV2 z8+Zdx23G1Ge0Te3LG~36#A@t+tYXak+Y%ytn|?bCQK$$ho-y8)&g|yP7l&-p6f_T5 z{}B=R!=lixpcY_=x6hFmk(&}hAjb%|J% z^)^N`21z4Ean(XliL)AU(3|oH^{-Nz3@hw1_I%%B=<@BB>Mli0IBgo4ZI%7!-sA1) zK6{DR#bHhG7=x5f@d?b^aLy8F@!G|E(aXepZ2sY?QZf*!r|aYcXyrbGg3OTGk(daO zTsS%s3=&H~PqH9h{haKoV)N2Z_Y3)CK?a6}W4s9KF36yz4zzC;Nm(cp1h{==bUIe8FodT&DjcQ}5IzG1)Ta*@5Hl~9X zX)rS;RAz8TTPfkD&*6{_N(I3roA#UB%PcXjb}dU3xqfH$T0a7Y)BmgA7FD!|G_JJn 
zT|!Nv`G=~hY5-IOH(G!A)2n_}R?a&C_Gu}n@=hC!Qboq442G!*W}=r;Vp;U25BUdx zq^+_e*d1586j35tRf*Cem9OeL1yxoVGX3qor7GXr|jR zp~OcArH74B{zLCS*cSYsXst#8_|v5PdQJ@VCfZipb{6>_1MtOAcRvIV9z zq=tB_gwi-UcutF)p&1)tVtRzFm{F}va5C)C>)e;u>^DEA5Fr1fruflK+YI|`a#dMuKV99}4va~V@{xUQxe-t|eGCK-ZP|LDDg z0AD-~Ex!TZSPi{L+BT|UAutR%(QN4!l>x&9tt;QPwXtrS>M=A`)6p(epgWnV7RE3i zq)H&U<7xGn1cjz%`vD6hcb(I$P(@*u60J&-oid!2gPx*WMySAcY-ruQ)3{@v|Er|<)IS(dJ)n+&E5Rq`!$z*Bw;ZNqC8 zD}*P^0@F09Z<#0!l*6%KvdH;f2%pc>aF&@$MjV=>!C+a*#q(f5HpnyO>qo4hJuxWI z;Yk})4qOE>-p2)}V&y*Uh|sdhq!0<%6}$s0*Mni5&|Fhmy9s?vBYUQOjS}Tp`J!;~ zAIDvtf~&{?J=$7*_l(7eqdCDpu%7kA^fj7?@bmfYa60RPssO{3*u@xLGP;Ur&wmEo zUT8&`uQ`ISq)h!l_4L$8`HGWG;;T^;hXga(SZc(AchG^~0tDa;)JLbu=j?NB$=3!C zkxhftyW86YZ)-y1YgL|mvA&J7TH@*eyE!^Oa_-U|Q=7MMy`AU7B9ckcjD!M*S6^Qn z!*kAv5`fTyHJOR>=VzbdSr+4?qu}}8W6fTq>&xuPK?F09;tv`4P4-901$z(bVJ3uo zS5MDMbEd8PuSmg>tpgcz&bz~hp4aQMy*Y!EK-I_Ky$50wc&W*%6~cfxzE|-c>xa&b zLcR=Hrd}d5&d7e)0G8Vy-+~i~yB9p!qFIrl+pK=%W)Fe()x9}-Z=0fEY~v9Ft<3u z@D7<2DZA03$~@HA+NmqDJ^RmE&L@Gir;bz(GA`*m;ibQln(J`n>u>?IUsD#%i~ZFo z8Z3GdESegFvCROB37ey?C84)Hk~I>i?di<7Z!IU9Lp-aIr>(QGRrQiwSBK%X8k17i zof59+)hI`|7=$@J-BLeVSR+dRNMJK#8qXNDKEf-_=plS zsjtz}*j7m`mOp90Y#hD|YOY%PIH-d8r?WFSDqE{iC^GQ%F6vir-?5*`rox9DO!TMB z-D=4MpZo-$y6Rh{TjIWff(lLoBer8|^R*C=A{<7+`seC+8rsK+{bb8*3caox?ex!m ze7b+=Zf3vcJk?d4{f{T;8MG>m|F~@Ttqx$dZUtf7yZ6%)-gU87_ZQ{3_r6EsK(~S- z{4vnzwM+$JL?NoFUPPQb6AtF%?hqeUJ$g&}HMC$gBjl!`rM<0}dDuY4Q-hPJ<|dj9 zT$!-69dWfgJ|x#}+QAjIqHQ5|GT{)jXvho->vT{ZYcH=bOF5g-()-=1{3L-C3o<8bl?ApuWL+Ls5~u1 z10Uw&hHUVraMU#t4zE4wrE4%W@%d_G$fP^& zAbYeQDtqxB&?x3n!7yEjnrR~QIL`57mbhomk%|yMzk>bCkiy0jP{p1uZyaDHM=)#k=eQq< z&=tgNJ#~LYXqCUuAZ}mxo)r&K<5yz6DkX1>I$VWesqgMPL-x{Df@EvR}H`4CHw*ylH2q^!rc}W!Vuuu_BiPzYkeL5^%`gg=B6`k z?_wvYB}VuNB*CWh%3l92$Ge})9Oka0RJmF3yMzplzsybC zdLoO)?u+R=b>cf=0v*UDFQP8;peQ1FSO44{a#MdIBw^zeuK69|L}0xuZGjLkSu1OU z^6uG>Aeb>)yFZzg-${bK%0%ho2*+Db$l)6NB}^~+gB#S#v8H|hNp+<^*8z(p4i-4l zM*HE#HVe~zRX|Mb05v=^Tr#$Tibn%U7N9oOAKtb+X>?nY4ixU7NRqN2wkg}MfJ{tk 
zXJv4)v-Iz9UBB9baF8KGWeAe9##GXEH_uIw9MP>)P93GjmN*a=Dx<|YLt85wkl-`n zI6K()Qnh;YFq$*7Dw_+R`f4(U)3LZ=y5iGHTj=o)20lapwC)O^j_3h z`dShBRy-Vn0M$m?LlYrdFR76fbqumJW+g$YC)X`~X(ZIZwE?~VC&8VA(Chf0K(!t# z_R@vgU=OMdHAjM#PkR$zKpALl;cRG2fN zUDk#yps#}l3kA!d1j~$N;0`hGj&3|X#~{L>17RFpqRR)kvHVdG!TrS+=j{AZlo#yL z4263eC&4Rcd`T^O%Zfw<1Sf<0wHv_Wix#>~gQT2`-5P}K* zuK5Aga<_%n)lpp8ww)4vW0zumJL+jn;-A0D*;g0|sb3dh*D&Z>zZ)nSoPbqD=l)=r zUwB%xDiC%hqV9kN?4f<8D_@$vhl496H%1f8F2Ns1QYkH&+pEFFfmU8*PBo{U0ikYn zsJeL^%`)`w=XkUbsl+^9v*}3if2SQx0R~>IsS*?t$KEO~c{*2&p+2&NBI_3^)8boL zE3)ef)hXqT6coqs>%q$^z-CGH3bRC2A{C=wejX$&cZER0T&|-0#{V%Xt_to)yA=%X zcRYbZS20%)5S*wK;n@SB-@TAn0mh?0X+Va^eX1bP(?ig^=HO{xYGM}0@8;`Zij)UH zra@LgXirvFL1BJ_zgG2ti2nnBh}w%}?gI98{(`Oo`g4Sx)V1bl@-EvyHQ0ZsZ`Sw? znSe$#%#AqV3@~K}tL<+Kq}b)x#9x5*xb!;c{S>Ni^DS6Y*6f7>14ch)D`E5}QXi7( zi+2qrc3>NwYmX?lV+BL7ed{)u!H{J2|nx=XH|10UXn6V#U1XY~hhtj(ko zEEu`X5PLJphd(K3Nq4mS9Uu5%l)ZUZ$)LqQP%7WT!|-}2M%0B_KMBZFwth|(a8}wr zX=BfXtPU{YC~#*u24*h74^?6eoQ6x}jZN3za>j{XRBP%v8blMFNH9<=L^2*K5Z`Fc z3@7!;dybrI?OHs#@{k3sco*9VE8`DMb39iH;rUR?6KSHN0pAIm+}X$*=l!oIH^8)pg2KEjdZ1d2kwh#I2i@z%JW5xlbY=yLIuKl(P;VGeZk3({x~i*qz9hg&no-1>Ey;N`Tv=WUY49&HSa% zY2qrE4;g%Kpf36`%tu(dBFSByl^qYvRcVTMRK_D|d%0zY+9RyZakwL?kBJIFn{Af1 z#9E?5pEuz(28IZ)wxA*Q>mKD2NfJQ$l}c9wR&^_qDOI|jt6mXDl&Msh(%#8O>|hc+ zwlnaC(m#K86ymkzTF;rtr`eqv4jYSVaa)UK@Tvu}RRRQ+92n_nhS#Gkm-8R-2DB81 zp&Q(BqTAvkKh?z|gEiJIZ^-&ic#!@AVuICZx+eF!fQ^dRWv>lwG-9Q zL`z94|M}hJ__yD6#5)64RRVPWpWj{1lezoUTG>u*_?M>4`IncbDDW@A$Qy4FE?(q{ zb|nXS^6Jy_a9nmw_9A!u)q-wCWDO(9fU{5g?>HyyJtAd7Hh4F)jv2Sv+a=5`2L3SL z33EfyVt#R{(!IT&COMH{BL__C_}31Qcf85!wx2H0Adw*Bik0Ngl*)&bRCen6zS!1v zpw3*e&hH~@M&$Jv2I7s%V(65V6gEu6G7*ycGB9`vxcEw+Rgo7MBQbaj2d9>_jt(HG zZQ_O4D=rUTP3>m(*tHje9238*4;xg?L8-?R{H|` z%jg*lFn@l*g1fQ#3FV(0lW&g<{;$>AhDxueuysHiv-;-r&N6j5akNriH2EyejsdtX z3FULIZL4@UGm`*itWI08p5&^VVW;Zip!-R9ec5i7N5BuqlsEjmmOOi4hBT4qiJ6-4 zrhceZELE7=-srE_kA8kw<38=J1if33u=fwXC$d2{hCDikn)FA@j`E<3SIw(jd1OmTis5r&Cx@$!2rR>TXI7Q zH-Mq)u~W$sSQ{Zyc}_e~6NTZA1hR$Mw(fWmZ+e1#9G_12O=cmXgNaEEPF8b~izhV- 
z#6zu(8)318OAGg#mOG_WB4-;#qo1Y!sFD3-Q3gHzQy8WOsf*=xX5wbfG{FGd6=HdB zPv&=v`qwGIiPCaV_U9h(&f!XEJ!Dt;glioNLj?P0Q}11cR>IrzCcyd zZ#|l2Mq=ytauqA!Lvyt}F6f33$3PMwn$pJFpa!Ko>kmsX)?<%GSq@w!P}R9RezjU3 z1k*m|X?d4f`BTM)zBab4w=W?B4o`jMJpLHWwTih6@t+AsBdU|%H+XRJBh|5?m(PGp zeS=L?o?=l?YxAY=bIO3DRfy@%{q&tHEPnY6`2o%%IHyAopE^V5AfH$Y>6;Fw@NZ)jX4Y&)7#gL2(;(sppIwC?u7o0LA#}^k*J@` zYibYbIXr#cg|Nh* z?S!rZC(UnH@Q0K66_n5=w`Ceyb;$-za=A$!kH>x%$`Fg4Dm?rAC@+Gw5&T-v6YSk#SW-AT=3$Q5CmY(T|_jt0k2^Zas9I>Y%-BLHBunfQ3EI^Hx!#|7Ikhq#5_fhb7|+M@6?~a}|0qJR_{D z3SSV+Ggd{vFv=Aul@T_g>*IJ8)-|a($qJJ0y@Gjl%DJCRq6FF?yVT|#tA(jlz>gAH z)h{q`E0p)(hf0Wqus=)-kK|sG#6V= zuJXN*PXyvz0;J2MEfdO%(v*W7HUrD?23JeLx!@8Adcth8djDlLN2P0dUo5MLr4zu4VgdhH8swopEhkJ734~gtm0JQ?Vq24quiPr@P}5`3?d*(_lXn+!~G@J?*jWd7)d=_huO72hU}Gr{n%B)}C^GP&(A-9bO9WQfyVq`j`sEkAC~5*{3fvcI05}M-3wC zb2Cm?mD@fA@a(zy_vN}x%=|6G!@AhVN?(yBPA%?FsI@AIEx{T>v`Jxbz;H@9z6R58 zLm`XspG6C&AkkTZkD3R$GHhRp=%dyCMoMa5&~Tk8{gjvi;YswheG>C?zNoNpcxd9*7Q6$jt^QP*3ke3(hRt@|CEr$*eMo4Hu{8q7e9m7 zLVdbMSY#zsCH*A{d7|JZkajD1Avi!Izx6Db*$kLD5ndZtqdYhyK>mM2Zw?Nnc=r9{ zB0s42xSKix+N>Fh$siOM`bd4YBnks}F1RWAwDVP@ml)ibdTn;1;)wn2Rnk zIz{zFx0WvbOF=MWIeAj+Gcfxr)WhbX2f63pLG1iH`uUA*_~ zc=FqJtj&~*oD%22_(+m1;Z?dOEZ4SyPS4@&pM#fj)(JC-?qGnt6dofQ-j*hDldbxs zCjlHjLzA>An)2xuKvb}i>Cr1B9koLDTDtR_B#9)k25oHSKB3YN1Mdt3 z3s@J;5qb2$4Q=jncWj*Ea!D51xEx1U)bYyx-kD~bzad5=orK!=>~+)sKSk(#mQBY$ z2gIhL8bup9l4V^TJ(2~sluIPM5*K1PYf*pG$=Bf$Uc11a3Y&ZGFv0q}g8aY#q`-a# z7~aoRrfv2rQ&Ky;RW4`%xK=%|)g!qcCe67xu-dE|-m?5}m@N74<%-H61IMj_2XIZE zJ;YT#yp;{-#_i#_c{SKho;U2)f7^)cMw17t zjcm_?qlRw(Z6lD2J-jjlywzm`u=`x-yMc>{zIbhyR$qKaN@pzO$1bI00SdT%rtQr@ zo_=}((&Rs0fbI)RRf=c6IVe!dI!-3&J9sozfkjS~+gX@v%R&P1ULx(aEpd<)6JkcN z>zgnKN#(-pU9-fxc(Z7$lD~AtH8$w;} z9vC^5b$IB=S8Tpl1}S+;o&`~o%jFtm6i(aIqVgqhVvfB$yk zzsDtqIN(xgWhj9)U9Cm5v~>O-XA7RFtP0-yHu1l&{6EeXyg>F!WzdRh*#~*YUf`ng zJ@}R<6pXeDyaKgahIf(!d-|xNvoGGh-oLMj`5^pV5I(pfdz))n*W;2~RUtvVrky+W zKMd;IEamVgVhs5iJv2eOEIo1Ge6|R5Xj5?C@h+DGc2o==m}?$;XU+OV(fg>(nF!{k z*|pn`%N6S@9i$s!sAH&f^RzUzkzknv86xUdfax~@4OZ@>0L9zkUR 
zow~ehbYM&NKfbmOuiyt$BC)e$+rl(t08{Nj;;b$m;HWGfs^d-&J)<56OQW&4Mtyf zZY3Zs0*u#KV|Rz1C#ZMIpEa4prCR=8aV5Od$Hd2Gb0p?k5gGe9M#2Ho__p%KqqZ)bA4KrpFif`U#;deQZ=W`@-u5r3BmXQHMkHh@=pv1{hjOykIZ>0j9&}=HKTC((IS9WP_m8 ze@4NR_LAlnp6_HUoWB41X=(^Zh1QF0Rnjt~tDtOW#V+wiGwhjNteBmpQ`^Ewu3TED zIq6eooC7&3^?y|pXRPTS5?xV+yZ1kYOYp$r;wnW6)!S89PegKU*e=jTM!j4tpvr`F!LGzLq`0e{U)8ig;Mpw;E`0?jeWIa zx=B&nu)c9jySV!ELRfRj5}bUWbd#qsTJSHUV+6Fx{WKOF-dJudI@HNwZwBH$`CXEF zT@CzNHdQ&RB=gWyaMe&SF9q`cJ&YgK`^k- zUgZhvbNkx~!pPDkkSVAvI6CyL1w$1A!K9Qv3bR8B-W5WE^0HjSn+FI$pl2}&*-y0Z zXm&y2M#iD!$5}AH46;G1p2YILwh&>ML^6 z+6D<95g+P!%;d!h!B&PZrr(nMSFT)WKu#z0c^A3|2fL!|VP}|Os(n^J00SQOd`AEo zHn_WGY1e(x$1WnY2Pt7CR?ua&)%VR|SI1o`);;_WuobBn^h;mt6J+8aU@7pV=rw5O zJ5PhF>{*6vcM4Fb9AOz$nG&#Z5rTzPBH$C*@0G|!r<2pAI&LVOEmTuMi0HMEuLR+f zP^Ca6Q{tk%VzxmFHHf3p$#(CF9&v~uTHF+I5Wf@k z464@w*wHaD2r7br=E{A9tlvH)Nsazjio())-DVKB=(oH~`mPVFia)sJY{4HSi}_hY zw$sswMvz(w!~>&)Skw&0bm?(DK)X8Sk;>cI6u@gDSwq0{_x_l^Y${>v9d>1M%j(}R ze$dj4L%ih7ZfGxGBAv5h=X5zAk3I@MSny3rAo+uz|AuKP?Vg3 z-Ge(@GDe4z1$wP)wSmEPrGdfbl0P9!jCad_aLy0{!(MXm$iHi7TF49xI|SpDL%f;c zfSNGUnHpLMKfjA;Qd@(={;!AzU%FE2yKnGay>ktm;E1SK`S$>-QX=$ys^lI7;Be`p zI)5yfJyPD5)aYgDxc3dTAY%VA?-ymmWM=yxwHQrpNAt++5JQ4MH2v`lJSSm{w%e+A z@J3M$M;)FL6##2zK-Y`x2@jMFYzrQS7Z$PD4{XGzU_4y);J0DDr9=)9H{g_)55+5j z44O_aqn>AHcYk3!YH(S#b!*2L@tVG+!!V5bdFgfS27lwy1$tS|vn^E1J+wfMJG70F zUnJ_9V%F0R2Y&tq{d7PNKkkms$&%t>=Ku*Hk$mUZSX`z`J(f^eX#xf)RdrS;t&BfF zRFx*Jye^Jk98$^2Rdp7BL+rnvi7PW(Nhzqn$C(+tbzYiQP-$tkRO`e@4D`Tv8HOJ{E`Fxgr&ITf-R z@*Z}`8Y&)k-w+lU{Vkb`djQpGZc>Un%`hiA)1zMR9!^I6%D3EzE*W}UbiVS)y^Nh) z-b}xtNJjp|imibpUel?FVDAU}rDqB*^cQ;?GUcC3B|73WuhRdIr+19bs}1&tlg75) z*mlDi6Ordn1lQaTPC0?H&JqUPksBRv!=x=VBrAwj>T( zkhKzvaFnrj4s35U@!kx5G>rIE9h+`+kflKJLbqk#iV z>o*)OodUD(lbBRR7~o&NSTwKT?yM__Pb^4WlEDcs7o|^?{*#rwWcZ$2zkz*A8%)Xk zpzNox2*e3d28Vn9O}$D)D{iOI9JnV{6`IW@di&z=kp$cP@(VqKa?u(_SDqn9QY_VA z#HQ3XRevPzz)VA`Q!hA{!U{{;oNuRfl}0`hK)@mRL-WQjJ3T&(K+f}e^tX=hloQv1 zOIbzqJJChh!aP#p2vQ6I!HFRkVvQnS++>^V7+{ILy7~hC_sZ|}JAN~h 
zGciB)p4TBN>R_#JNJG9lra~>>>FQE$@S;A9C>2VQ!kbb@+HBF55-Kasn)hPTdys$U zy#S%ydq`CpXov>p!J0d!64#OXc2Zu1c3Yjk(~Ijv5?;{FgqqtNkNZ(8|AvO5!<^}g z=_tzosz>-j!T%ZynCEfaYWNMwWHcT6L&Uhk(^psbex{zWBh)f&u)*vuuQ>lF5(grW zuXA6(_tU|KBBKDkV%Z7^KTxaM&q7+?v;we@N@);4&xL{iZ?ihVBAmL_f&_8!1p%7_ zmnEXsn&m&Jc>zk(VZ*I5E?muoo^E=WU5yX)jj*1!c)G+I!!NGlo2}*DpOYJHEX^_G zHhlop?z&3dgW{h(n{O`P8ehOa=WA{7ZG}d$PX&+8fa_bPTLuBWI?LyJx&7n$>p)BoiJ?JC~-18yO`fU=y|g2 z>PxDyZ3q8MPLUiEx3{1&iC&MIL7wmuE6_gWTE^8fX^Ud?{=D$T%F(?IaQKTHdL)+c z>bXAfbwpkS%SZ~vd{z_A@4Cx~$CyQ4a~l$}SO#~@LKA=z9bb@PmMgz$|&ev-{0OryYA!nSq`tL6r0O8e=9 zKiG8Djy`)o-dTs@=S;3(4`y!~(AAI`?tj~C007Sx?5}>!{g>J2Ld@KwEd|9Cpsh%I zvnj9BA%P)ynD12fKr7#6+d-bt-P4f)b>^Q#{Jjum62_GNV4vjICC5F_N8DhQ?w=6z(7s!2Dy?Ovc~-lza-X``zN?&HT^`)=e0WdUUtUxgcwpm(Q^xe7s0tDy z7kmgX#ZHyLB201-TEWOUiNbcXDYuc_z9uSamgJYtu?&oa#yjreHVG|tVH`1kGbOAO zS<0nQ!R*7M1!~gW@VMifb`)cRwkJN188g zeKO#JUO}B{0jmx_3xN9Yqr+BV{r1&C4QgS5Egf0a>>-b!Ga)ol-&6##MB~Y3!>9V1 zLMHhX;uq6nw8yBBlWF}2shb#74xIo|9=pd$Hd?M%Ibh4@9xwgGzAwObC&i_s@kXwE z+O92@SE*cllU+kQTYdqvbOGN65T4}CXjP=o(xPD}*QebbyiRaT2cv?9q!U=>9V~MYkuUIJVJu z|Bd2z-P(Plj9l{_0l?Vdr*`L?F!PQ_SGSI@5rB~WJB$TKnZFhS1)rkx#14O@2xgZ{ zDB1A`jjN+OYdb zACvm@=}M@zI0U>&f;?qyfNqdWA6q(oa_1`c{tq76#W$-rgMSR>sADDZzptIUGkroW z=1fL72E2kSpFYDLtxH&iOy~ zQa!A@PMc=@^BZizaW*i4#*+EBC;F5Dy>IX zv$RIW;ad)q@r3lQTy9_E=~2s5fFEuI&F2=+Be1?jt!r@;M=I5a`xv4C5INe^=3em1^oGfH+~g!B zy~~E|rr>=k$YUXy&WLm|b|Lf<3V(EPRQuBb$(sc^ey3YVq2{IuA=4bT$={006+?gX z7Q|YePviXJ92$-uTDBr+0}xh=4c9b~N-{v2ogXl=7NJhxXejC&f0qgvY|+LLm+7>= zi5Y317p6A#J-$Yhe612f^_4OGCM-&5{VSw>bx+@4+NdD1`L69jdsg|Es87MndxnQU zIn?#^&KbMOXnKx!o&)2d0F<{;i3>l(AJ;Di+8dz^TFqXUVqa@DRRB^L>1UQOxCtJD z+5(|0y3kr2J!o)_({bD zGdim;k*%ku@v;!_7cKR-XW^XgUAku#c{y}JGOOP~df~v?N_XJ^SJr9{j8@r%ymnPNeNt|J2=$bn z{P6uq4>n~)wj(T*WlIZj$l*zFIMuEI}K!=UPf}nj>6lW%V>c*&G{fLLRa^cp%Cjm$f@0Cz z{~gskCHaeME&5~H?1Arp#S+XM`9$>3PY#Op`h3><9OI1aZNbpTdsNVQ6&db-8D?Nom{nSf#`23h254FH z45yqr@fJl+@*+DV5zMwCn##XIVMn($uz!nuTt6r{IWpaWI)k4=>SKx}DMMaBXd?Ii 
zN6Q8*tH3-2D;a+hC8Mn3x8Qhpius^RXbzeL;10&#7z*ooGX#mwM9J2+^ARZK( z2p1{TLmy40N!5P6FT6rj_+ncvh3VmgcP6J%<|}fP;HN?6=zk>LC2lqqE*kscJo5#JArlnkz{9>udSD=n_qsTL`kPn3UvTWFl?9rZD}9v_N!2oQ z*tdK|DKpVw83X2-#7)%iHDr#9|Aad~%w6X-e&w*8lsK#bGTHyRGD zpJJ-k7SSY%`(NQ{8U&yf0p=1mCn?IFO3*uY!QM*kW8~QxfIk!Ze7)4wg&%T#zc(0C zZ_829<8Nv=DlujLjR?_vy`T}5GV7+;kePtXX9-E$$A-ZR+>`2JFjEQ3c`SuYjW#2W zG1C3AdlSBfu}wN)HbQW+GC&hQtT<}Q+@LANF^%c<*5G$~C>5ap$Y{Vd50#X5mO&V_ zlBHh|RqK93X<1~jN-=N~eSFP5d4lIjA;CTbD;zj#2Vf%xy=dta;bqoeh^FRV#UL&! z*tPAfe+HPr1An&Fzv~;d%&^mMr3}3>@|K_9g9EV=gI#D1MLKs|%~%_+4qDZMi&|)j%u6nlWC_IVWglq<-?;)ONA{;z z$y5U}e=3$1yt<&Tmb(5^OkW@8mereYaDavVtCmvgyyD?v5FZK&(aAU03rWg+`DV~S zyKp9WkScP*z)&5=r`C#pQk5^yzo|<(e_Mro!eMb04CGIQuUO*z;HZAl5aVD3S4$O2 zck@FX&vuWoWI~#T%pS6_*n`6=>7EbIe(x}eynJVsg3c`*VISf^G9xFmiL~O&00Bh! z*#=+ETN~9c(tF%&&o5zh8=*G)J$^3uKYOibkx`t_`FZTM=%)G?-b}%LTY1k3@l$jMwR+OC z*N7@BvA%DC#G|5QtDy*JRUY3(R%ao@z~mCD_y>lo@~{~qy=1NC(95J(f+8V_-7=oA zPz-i7+5u6IrbB<)@y8H`mDGx3|xm07aj?nPx-6FYg^gwc_T0iLzz=s(Fri z->bW72MfER(0bYfZ^FN>n%IcbVBI;?sg7Y%1?cD((`?WIxFoZ2nC5ZBDms zo)dX5wz6i&IBDX_0Xw1gG9Mgd!@IuAPC1+@oLSfY$D}m|G>qutX%_q^*ZEmiq%0^^ zKxF8;*T$Vp`^VK8EdymGQ}X?!xF4 zGdR-rC!sWj8BUKI3fL*}1nuw3_yglXLEKUZR_eVZe_~||3&wF?mTt!m$=2zXpK|zp zv{2{%na;nGtwMs$nRWc^4##5*KK#?ODThAvqAn|W(E0fdpA?8?b9et6BCY2otGDhqNkmc&}}FYxX{7EaTh^<9bf;gLFa9<-$j5Y8>$Y zxVj#HbZqqm-mdpZZYBTt+ zgK%h0onux7iW-Rc-@+C0iyLSGtR2d(iC21VLtO`GWuBlY`hfst!2)ty8mYlfH* z68BmQzSRWs!Qu#2+P?~&Wc2D8xH?2yEKK7`c172k#Z7?E_l~8uzz&U zTv3pbSn*hHLkgVEua(79*rg@#Y1h(@RRY!eE2i=lJL61Fp2bhqvgd)hvRhQT$Ky9W zPSLyt;W83JA)Z+&IcTvzvylOW{hl+*87^dzB9o;*B3aBKYCS^})do-j=#FZ65+NsL zHnso+=YKnFhcLGy7>Izgb+}M6^~&ybu$s%gzzz?|-^#VpV5XS^lEgJzSz%LqUsdOp zL!OguJkhFqlF{seH=P&35{2H#wv2kOL3Qr>#+GbHH1z!We+e9-7M*Hna2|*3a5gyH zoN{N9OUbWVYVJ!^a|LJ#Ub+CTTX7r#? 
zIWxr={Kl=HwO14~FJ;U-@usP-L94GAvC1-E&ex6`}o3X~x z--q?751;%m5dSpxvy*CEw)U30XQp!5!A0ej^YwhBZj+A1uX9CTzkVZ!`m~zu@SM#b z_xM~V9kPmq`mG9OXF!5||%pxM~=VXF4w1xjdXf`?G^Em z$#S$&D6ro$TiX_rN~2QN>BW31uuuBIdgbN zRuLFsM_V;=6^&|I5F|uylI!;g_M!;j!wAX~0`d06q5~N} zbq8mt7Ak2?>_5cnqBGu2*UtK^=n*r3Sc%-&3A=KZ(mR&KQ zzTBsDz6f@BxkZmlebJ z6(jbK?p-`h_*f3RftvU%kF=1%U4oM*TQ$}C91%&^2dv42NC-ny;DUxd zc^6|{QSxTCQpR)kbSA}4u>#@8kIO=jzudADKWS)MM@b9}w1{@m)6`7haRG!Y6e9E?x0EHs~!fB>_ z-XzFvztPrykmG_!&f`GiCMorE>}*Y2(e1(h>t?SozYh!={;fC@Ho2{aFVE#g$#?Fq zbC`vvHqEZt$Z>mMU46)rVRBIKjbq)F4wO-+cI2n#c@JaCZ{c3nW0=-afuid}Ef~;(KTl-zKfw%qszAUt`IR(Uz`#7C<_mhWV+d3f_o; z_tl@{(P%};kg{lAC>2v7y6Rh=Hl$TXgf-cn7I{U|g^q~oyjK-^(FsF?DScJ3V-MBR z4RIyq3!GVx_}&k-@~-zQku5H2V@cDtswuWSx7WPb=P)4!+%$dB@!0nOz*w~$Z&FdS zI><_qV;VH=YwVQ86*z@Yb`auI?L7ZhmlQI(j;*Fn^g;(hOJ(gKv_uCY63W`cM*ojU zC|mmvER7y6590jjtM*nG>-(>3{m#`Y_%3jKX0fs8L` zt$Z!9_I+vgcv$R$4#O;j(8_u7ku!aa(S-~5M?rA$8bT4pDN^khafxsnnpcnGd3jNs_ zFdp_7f2rp*?Kx;LuX9(JM`FYvknd1kLl<2WAAP_OmI%Lt^2>L@YPwcUXc1rlovX~+ zp|e}6i+iN!0aHn`AHw8KMi2`%^siTp_m%unYj+4|KWQqah#H=bEC9|QNk*1B=eann zmhx@zF5meh#0Ln(6HR6^kouYH`*+F+Fc1J_6q$BTqkN{q@_TjlV-ooxC!*NgpM8?S zjXnsO>{Kg5!@S0Mhv0@B;1eHF`$m*=!xxo4%nOo4+hOfyIWbk)pxZ#SaqUc{{F6Frbd5N^4n|yOk{-5 z>Im}zf{NoTD!Efw=MbmRS8EYJ?dRlcWAxa+nE6Gjn^B0(5~oOvHH(WT?Oainn6X3~ zqS&gqi1kwK@TN45aZ(lbUL}w)QgPHF0R=C!JYw&19jp>41-AcEQK4|{Fj^Q3L!e`k z5}D>;@cuqQAEu(hs;Dt`QC3z04-q{A*EP_;wV)|ZIXdN_n~j83nEQBzbUkeqd@8B5 zQudOwG>UnslsIFh%nR?HT<U z5y)S}+aw!zNKyY;tq4QbQI1(34wBowWB75x|1sr5Zm4z z6Iwj)SSYR07sI(`d6-#QfdF+(2i575pD@@d_f_dr3WP5S_Jf zDez?_g0FBpy7iIjZKySN9n;o&!|$*%*lYcfFFhkIkR>kgfy7_c%!F3|kIW-1Unkwy zUsEAwB}2ZP8k8~54|wO0Z2b^^k}RPG=M%zo2@5qCHag^NTS&;yD)Z>`_GhTMfv+b| zUxCQNn7Su>ehjDbGY5y(mmFO5Cww0yqi?{8oi-(5Pdj!+!f`Lfeko8*RY9%45-G3q zZJm^X2ww&gJ1Yt@re*(GRzY*HEpo(4%DzpKwfFwZJmxk7AYq4AaWA-XYdxx;QCvkSF6xL$^1l&?rCP*NOi`(SbP4;Gws3AXsNOEt-BVJg>GLRqWC^yo{xGVIUrMU#@uMD3&tVKPpEc#*GjY+&(g>Q&)k>& zd6SK>>)6=vi`J1adZcI?v|M$|6!mWwbX3%8IwFJSKf4(l&4S^T@$BKk)U}Y_P+^!2 
z@!%@}zX1=1fM^84gR=|)pO}m=SX3`og4|EloR{ANRuc82m!PAG*_|o#itYT;T7T(Y zD_@$z;^mS#!=m&uA3_tFeY*l~Qqz;bSeGzmh;2YQuNpZNEQ^{Wx|WQudnnf@+dWf} zuaDf8%Q&Z^n)+h1O`RI|ue42~E@Wy82ayecfbsd>gMe|8-*VL*R)$S2YbfY2#Z??! z|78s$xfZ8_x=sf7*)f4f)cl_TMG&xI!R3xtsOspb#I-02XZ1&lSvfv86o) zvU?p{Nu6lwzv2e=UvUEi6*n-T9lHDfsvFpU)eWXQ)ilEZ6{C4Y1q-7Ylu^haDzLZz z(OTA5D(z`-2i$-fR(%%d!$qR&G1_Wq0q4ExKcyc2eWD;0!+4b0my9ioX5Rwb z3K(rA+x};|*cZ{8cW~5-&3bGi`qxM~%*5Rz(bB(smVpQ$czOIiq$`1&ji1vRC6Y#l z2eY<^A|0dtRVZK`9;#SNQnhnR*$w7{<6_-#UVQ57OYtF!gug3MY4upzw>hnM#8V^v7N2Yja2>EQ`(uMS3|!^#E;}Me6|Kbs5=8!KivaLPmWl)jcOWI<)+fP z0eLScuEY`WmFZJ{dY-)K9C^ukEK^a&Dq2HBoeT1VH3=+MKv_5rF_=5eO4iyD7YV2& z+r}&4h2KjbT%cb!aurOfcZX8;*_K4fxElF8uieXWndG7!K^c#U73Qr()0_UegD7ZX z0V^4UTUZ*%B(d5aX;g8S`cSJb_GEeT+>&Z5$NmibwzvYb>ui}mdA2%&Rua6)34tD>|CpIgH#Qr@XyhYCnEFmp(%UlPGk3+GhjNA8)e){(sb$J*wy|y$tFV&UDlV#jNYh z{73ls_3pxW%|VOniAGHYE3T(QuckXBh9n-d!uJ!N%2v$>D|U%OgVclKuv64`3+eP? z;ufCD{s+0KhsR~GKlMCWy3L*jNtUVIR!Ejn=AHCXgCH<^s{wib*mu!5i9!@$7ol&s z>Wy8%L(+9K4Y2hiQ)(-xFsvq>ZnI=DyvrYPfY?3PD;PE0nwpNF^r#~i=Z00j245O8 zhxAh%JkvyYM@}C=G+xF;2aB2vtn+#3+V03uBQzq6{x0;_!csGQ=q^T*m`$Q^!OVAs z+vE%NI-K9y&1!D}{+|jCl#x%skXh7-+^amy;Jr8{-m%>U9kdIsong0mGc99?@%qV2 zn#_Decw6Z}*X`=VCHew4negRhAjE|~yiJngxxylUen{(TAuG<{X%psddANb;&FXA7 z6we8%O`*=mh;;J*7hrV|{zrh#kAbkq+H767r&=05H+KL6{8sz%OUG>(x|T^OJW?$y z4BwB_YS{7a)gPb5kLuV=t#AeN*i0fjGq}{i%sl5%Mu?~G>Y_^~9rna1vo&_LB+C*? z)|QnlH&FSaG*NRWOvVQ7M9oytIJZ!5;cCG5-qp&y@kL#PS?3l4aS)oDgjK{bj#iV# zlMa20?-hZ_k>6QkF$$Pb+WP8+Io5xa@6nn&Y^UCZ?58^52N@mLx?C1pivz5Z&5D~D zIFp@qo3a$S-ubMqJ7hX;9%5vej$NU@ZbSz4`exxOrD0_54!`oY1APuxjNY>zT#$dH!h zzSq5~YQ7eC*kMU;WciOZuZJOmyD_A2q_CPfR#hko2&y$BUVD1aX?H#&y{E1}nRna6eJiF_UR);U)0pV=rUmU~Db`T(C6s>V@T%o1 z%=BX3RrlQf&880Sfh1e*_vKoK^dGpj19NpEA_h=_;}S8l;>;8-u3U!X%~e@rh?@xF$eO$VLv8^&V0`pM)KNT06F;*hnz&G0D*y(#MP)4M#npR+{ z_G`V{PLP59g~n*PsqrVq-yX}GupX}?lrVAk_)M)OYCwZg&8ZCwVJYxJxtUe|i zQq^05`v^;vc1$F<`xw$zkMCSzlTp}NTRZ+7#Ln^%aN$%kMRJ<@q3zWQhnK&R@rTwI z-+u*75qxq<4=NVM!DSBq1&(D=TRYlXsAHjsA`3S~Ct6Ei!Bqq~wBF;}x5qLpG_t1! 
zKfrnMp6VJ7S=oMjY0l4jvc+sKav*l)iorA4 z9y$bpz&+Z{^EtdBlicVA1gS92vXpig-!MWxvC(R0?w$Lo zZU$vdBu5TihwF)#>0Oi{MMx#06!B%x_f|wbgh|IZ2HD=moJjqhu_8FZ~ZoNuhQ9P{g&X5UH7ww z%-`$k=xIODg`M`NL93j06(8|`eCCrGCXXc;GVhmQE59rEsEZm-od4ow}4Fu;t z8c4ORIP>TLZ7Yx!;$sBlgi!CSnjSSPNapREe?@gqCKYJ8-aTbGqTc=F7wAJdwum$A zVhV*vRdRs8gT_U~*$#99yTz?!+;>i+KoLXiz>&qn+m-akmE#=VK$JNqlAC^VXt z#DMHL7R`88qnEFyY#zP)Fd{#|W6K?tiXh?l_YZ)ikM`14dhQRqVMomZ&&V)Oz521Lxe zFs-LzRq3xVq_D4oqBLU1L8$QVWBE_cU)mU$B5W=g;9R0;>?dktNIb7pTEavvZ1vwU za6<$Z= zOpiYiC@1ylUbi`=8t#lZujb}gDu_@o9%u-z@oS+bZX>g(*3Ap8ceMTD*T7N5058k(>O^a>*qaI5TXZQB> zd>;%83XNVLHtB~3f~{U3#V!PNRyiI(ZQaR1lc)$i>m*K!dgh^8>&iES%tKJ)5Bxua z%xybwFb>N__ z&1!^}jZ@Pr49qH+*~Y66*XX79m9=ov)h{IKAM&321uPf9u3N$T8vzCB4;7RClTwO@ z7JFPLzfzlXk=;HCm>8679TlmmB|97k%zZC@{W*n~_ z)$*UX)X@V0OtBS%X6i4{4UZ;>F30S(L!1*H=jrKsT{g!EzKJ@7TbY|Kk?^2@F!Hz z2v#qxnF!e8zQf&-5HqR@QCOdS1mHuD8 zls_|I#W_;J)RX!8$lVYm?0rgQEU^cWc!ohguNdn~EJGLr%tzqi{{r$yH3g;8A~Z1t0Ft&#W}fk*YT+17~GIg!kGetHar_hCjjI5R=NpePz^ZxuLjiHF7k}AIi)zc$}DJd_!5;W2J;{a%7PYlvHnXu zjBT_fz=*GAUNHWTFT+|e-lhE}p2LipYfs`#L$&P!CW4*@69*9i`$YLZwg)ZrEi>_l zezZ+%+EqecXqSafjlie6J zeAO5&R!`8^j1INRKNLP5gEQE#9zRXejT(FO58km6ADp$k6MMCSP}H=h8@D^DmTNQZ znwyS*nsPCZ*J;Mq)d{`wBC$ok6N`C94iKm`o@QjIZaS)PZ4?82_J8#gTh9fW*?hYC zX}T>>Z?VEht*r)hP|ko*6$2mHP=SdgsTy7m)%k)HlpIm^`bVDe*#UN zRC*w2xwXoD+?u^%M)-0jkM*(ypfh;bMQz>Y-QT@sUgHxL9(K}%-cr@QI0*$$;E9_y zf1RX=jSC93mSR%PSe#>&V_;by)#qxlYnS?fe3m)vS*@eT7~my9kSMNZb&{?zP9qM% zFuU=C$sUf?bVOmNI+RpMhje~+LVUxeQr~snT^vLKQdv`qwYv%8 znPcC|9s8h=tfh;~zlF4v@;X^9eY{pAzjK%{2~athI-J`@QK2RQaxI{&9d6w&d(hSPEJj_m_q9ST9Xhlg8O&ZrdimHmPML-B-?pJ)9DL#ZyQhOSvznb{!b23@!~@sSlr_*LJyg3vjTeo^?$?+;p6p%h{-@;EL2X ztX7{Ok!w}!3ae)YD53hU>^aV`Gg`;1yJ8Ox;}x&{p-HtVdRl1)hI;j4f}BRx#ENKZ zMi|J7!B^B+Z3j=3*7{PRD23=lG<1A(2&Zgn?C8I+5-S^b|s zD}l@6N;Lk?c<>Sm+`5ud4cr=3*FyhOy#u_Pq03Ss6&EMg;i)HUSg)5}3TE9^q`JQx zaa_RlxNbRvJ!~EShmB-w^x6g126UbYTGK=5Xs$&s)_)kVS!${7?b=b+Oj}diH)1pc z7U%sj2bVe-fKwdR&GL{Pccie?WUo^aB>SuYc$Xsvaaw{6y`QneTgWv{-}Ml|<~rKf 
zu^|GQeJZ@Xr>6R^oP2-qU5l!QmD7f9dpNCAUCa=7|7YgMH=WpmDHPd{ z(LyK?RFA1F5KIZEK*;&mDqc3JAM?V1a6j^|cV{k3|Hq;eX4n2UGn4rA;nnh{{2F@+ zNalMR`VTDPyoFnVDS~#qdW^En$>6fID&d$tVqt<&2y{2yKt=1HlO1W!emm%9a-0%#plvS_|Rl?EqBPRdkZ)f%3u(b?CC6Yy>wzd8A=6=)P zCzTRp2YT)EhE1bqfBjL8c8?Ux5kwDCJ;RvvYUg^?pO12$Hj)cFMUD;A^ujgp&bq1S zmi8oL$$r{}8)UYS0IKQ8Z{U_XBB5b*vEc^`f|HD#}K{9Yng+DG_(@eLD5egAav48<^H zr|v0(7eNT#V$nMVDHFm-rn8FV=XBD(iP34*+@Hlkq8_~lZjD9qjL3w)} z_x0e?W<1x+TC?NAN3J7`6|INe;Icl2Gk^KA7t_Gp;|PwFwF3}^u%O&e@EQX|yV@Jh zx)&qKKN$m702B#WD149XEDwN?+hK2*Ha-sejO|0^m`w;=_-p}<<}D+CEr-^ z1obECj)K&aH(J%06x=FEb0N-p6lh&KbqoC6pJdXnvzz{HLK)Ge`4thR(&$=s*EkK* zGZ*1sJT++3(_ezaxCSC$P?kJl9;ugT{sfhzNCxm>VMWm7W z#KnYx`}u}=+m2b=rQJ5vO4!9SrZx!G3PK8B-)w}tQQdRUdB4saCN`O-h(u1`R7JKL zT-)3hE{8ec!#rNrC~|wCNLRxWZp*>CYv@np-y0P-UFJV_(j5d8zxi(P?d|HCm(7IR z@g)m^zTQ>TX6U6r(8#kc|8nW~;gvlu4*IL1o%S1byiLnGn}0tkRYnQI#DY(cMZdW? zABf8?h@VPLI|xlRN^hY3K)r5pCNHN5WhQC;Qte(nwv+`8&(8gb`8}5%4@oq(8tbnk zms%=QShK_y?X4E!&QXC^W|$RXwrHd~gr8|NFlIAM23<@raNxh#;&c{cq4;Zu0MoeBRO@P{%;~4}*BIBHZf-(};6vB-tPf!) zU}%v{p0(O$<7X|*uwW=HmckE~Ll@*46xw$wbQrYH5TO#qDICaYe*OiQ6I|J6Q{z*; zk)O47+;@x{)3?hag(2jd^PXVtQv!VQw@m{NM`x|G^R_61okUIHe6Z>TK0FBT-qmR? zlGSq@uiL?C421hw2#Q)4QsZVL-}mnv0Hu>!aj&vt>BUC^?sywm8AYO!WcXvE6!x2A7+ z^Xdop4Zv#cv~Dg@KYEvF7QN*6C{9qfeB_3&v{(C2YNB^FvTDTAF0QPeYQ$Rk-xjo9 zG?U#EPyI-l1UN*{&aL*=XcW}>Qo-Z{V&Xu%F|AK;6RIW;f1i`YZAJIC!E{Qf&^)vd zWTQm$4lOJm+5XpkMoll{L7^_6Syoc$QR~!afTt4BsiVqxPd(GJ)rN95wk#U5~?1P&(wA zxjkD&8zs#URIpf5F~Lj~*h|`BJd&B#hkXdN!NHKXN-kw8?h9@8xa#m^?=fO=V~|@t z^>-EnOoVc6iVCQ?1Is}x)DR2*Y~L4uAIY{gVBZxw;ckTMSa`55JRgf$x%%7S!l3DT z-*5Ls+4ERWw5!E~wLNzgqz%cgjp#>^fpCa zT&Iz|`D9dF1f^7tJ~M_@>sq4rAXuC?YKVUhJI&y?EWXmD?lFYAc=gKXSnmRPUiho%rynpq6`c0?L zc{`0PV~6oCiuqjUm_3zT;-3+PdQj50mEm zvp!GO1(Qz;8&DzXEjX6CZdN!-=4-?+_x)E~r^{!FIbJX2W?!!CE5XMbR?ZvaqE8+# z8aI49GWAY?;WxSy5q7;(7tdNx0A8+DRkK??&x7yAVdQHwVM^)Q+lxun^76^HcBcg- z>wGJX2hj~hpjixgE3O;n=I#9*k`U5M~o^#&sYCrp8@2mB!wdNdS{3fp! 
zuBt!mfuZtKLT>X4pMsaI)+%m2N2EGlc7%#0?UAO_TRLkWZ-t{{#4Q>Lg8dbs@T(H* z=u$pD*8>9KIg8yFSM|=S3oQqVIXeaKx*ur@T-{@-(fTWxAVJDBw5IeydVuadJ0X)% zAR0sd;eOi_@{Tu&;mzw0a=MUpzrr2U1i>qwzZ_XYowXcT>pAS!>h75)nj?U(-{|?%A9Yq)QvFSo+cvI+KSWe&TUnPVM5Sl2_@V} zP6_Y#d;7+G1zsHTIibL)Z1al+^z!HnqM+j{l7TG8 zE<|obb6n)({E9Cj<}X~~8OfO{6?qjzDwRa3Kr~@3)s6S6wvf7Y+^_Sb6K~(_@&iws zv7PB>*qwlsEO!gTuDl8gVvi~shN#ro5*5pCn?L=)CixAub3gc`L=9tm?`CY#Vb1fY z4OcJhsB($e7d3XZg$i(>-bd`)kKQpSN)WJzHdk~=hbMS>G&ICPuiqw~#@T^`V6!aA zQ0(Uf4%YQ}dQ$wU9ulj;_9xhjdeJ$s${@Y1{vUG2H{zaOK-GQ4#ox6NE@&NvaJxfi zM-&M_*2|v9dZ4Nw-`}^(s$=}9m+>mR-Sl9@0FJ6F7dKr~6AAvnjY3r8L?6V`J)@p8 zIj7gGlOV{9vAbgwnf)O+I5$WfRZYcNR*uWH!K3rXaJ9=CIN=LH$VvAL$A{v(1#cbK zy+iUw6*GmpWeA90gvs+J#G1*;_L)aJ=12vY%dcWrPwK};Kie#iJeC?!{Wt&UsNy4~ zue!Z|Pyj*2l!d1*z1{ydFj0ml@);DV;i93hgjP^%#pNpff%bnT8y5>`dHqNz!tuZq z)2x727uN(WuO-oc-o&InTzzfK)?QJQT20k_$36Y7hq)ed+#Xbs5MbHsUfCEqnr3(r z%lh|!TpZRr#GlK4F+;3)e&&3xtxCrb<)$+YJ}&;NII~YQ$GE1}Hark2ams2gA$%!` z36IIsMx?Je#D%mf&P#}>VIW38#aBp()3Hn~O;*21T$8|j<_NBCO03O@E3ee_{s}P! 
za#Jj??0ZVv@8}6vKo5$_2kpb*23!z-&#`8KfP8}?)smS}_j*3QjH&2j)n0XNXKQXr z*IEC2mu24aE=yIsl}yOYj1=yi7gqKlHa{a`hBm+MLk(P0>J5T}?PdPyfYgLuSLSY+ zF}w4+ptY8KiC(G}@2VAMHapgH)Rz1%Vjn8acc&O?$I_T}V7g%x`K_V{z9sG_vsm^$ z2iu#4(fsiBRGSl$Ob^r}&Qxwg{C@CE(tX+!=X(`CsZ)4bx-v#-lzu*vp>WP`dtN%`wef$jlvR)&;xdHc&= zlzLMw2E0x9AuI2aCI<&(tJUDGty!HZ+k3rw|Qs=UE zj%^3K3|TUiStv32@RLrbD(d(be{o$;*28mv9D;?3wM;N0-$uGNG$%WcpFhoD3)aS) zr%3Vo-BoBepX;Cv(E~h9I+qTb^YRLB&^4pyKo2uZ>q`g%&V_xh!Uo(p`E7TC-^a}h ztN?d9#gUte0P7N}#&%`FDy1hoxXw_?U-|fuRf4duII~a)o3PF>k?glHd(+70PiC;d z3Nk~)9%lT_{4L4My1BQBJU3q|#|fcST?(XB-Ih($1CmyPZF}wNa(9J-=Nq|CTno!Y z2$DmdkOy=hbx0NIT-KSJKO%IU5J0)RIYcc~$LfyzV2fR==wLu_Ge*HW`mdz^RbUuA ztqpRmpOVGEPgF4_lnM@WH{1#91_3V9DNwbeNRVy2zU`5Vr6PR-Mb>1;eMQJ=h`HxK|_5IARc} zGFlWS?jpqh%#>P>y1nbya+Q3@Ilm_w)!D+t*@D+C3oXDz` zqBSxmZNU-x5ajP^{QXf8 ztMQkj@eu=eS{;2Yfw@NIhy+K0>}`~W1CF-hRAv?wX|8z2q(_YWDQlx91lYP^JO9u+ zWKZ9WPYum`8vg*EE-A3m&b>N~^sV+6(T>>cYC$EG!a;lfxyCM!2H`o=Nm#8|%?j>W zb&vl&b)^>Na+lOxMYL&;`^t4$eZT)B@hZ579Ub@QN$3N;h-8LFgmN%4=r-9PkI=2E zg6Zd8!%Za}++Hm~YcO0Vq7);AV+4JhH#UOA}BpBZ*%B#QNfAnV6+IqHdWBw2U#PehG1}Id~c0Y z+~a2O57in*cs7~e`oXg*dQ4Gk%^hR*-&SPYeyzd&lDb0Y{Xv45$czI+Q}9V4vy8+D zwTc+PhEo^Cz5|cqjpf5M5vZmL!9GL}$IoOCUBo9z*1e!m=vEG*cV8!m zJJ0JX*ere*>4A?2XvxM-xT8D}HJykUZ}EJ*aVmp|2tZ!;7xYGD^}})}=g?da)W~N7#aD=KR-x*bpJPa(+3)!^uKCQ!pY;5*JXqdBA{NgnmkH&{uLyv*EKzAPx z$+uRYmYMFYV5xTzbaG+=JtP!2l1|K~Gox)jLitQhrF>Qnuzp3KY!+=_G0S>$eMdk! zh$XbA1Wv&LdzG$pSuZ^PI`NYtgKoA9n6uCi>;yCqTbR|K1wz&1jP{Nqii^D3p{8nh zgu(1E*g6mtE6@R%-}%job}$A}93CBzb~#A^#0zwn{y?}xr?&^GO8&g6S&v_+;#D@a z%inw3-7?hF&-HWmUTZdPD{7Tf9Ue&mGOXQXm z(NKa(A8iXo*j%g??0upeqhUcbvP6Jda@4nshj24@QY-5({uh&9@&|D`l$uyRO}j5Y zi*NbjoiIiHu%UXsr>1u5LElD4@`gaY!FB0Tyvd*K(dn+-aR;N-b>zZM$7BMMIu_Z` zHnlO9w_aTRHIu6S_1j6vRM1Ewu&Qv4U(*zhkMq!AUwOBl9E1*`zBj;? 
z#F<8HusWsD*)h2;m{s;hrD`aGqNTt)tLxxA3f2s@8Q6gt23iT z6dP)7x=0pL7(scfqs4J_0w|p=A!3D-1!!?Rld3|}r15xZ#tY$4AU#b)jF!HVk`&Zr zM=hl!UHP9MMGPQ!0qt~Qx1WYxg(u_G@5(aCKuSZBB1mbNoN=Gv)}cN6g|t~FpKfQ; z`}?j4cjX^*K!km^JuRsD+W;KjIf%CzoH1EKE+%DPEOZ(FLjR^ZV$*sE1H zcc`73QKUCPnPb=v*B&$6V?p9qLSCB>5oH#8*8?YAw@ye`%6eSarA>bx9qZu$L@U!X`y=J!@^}=qdshr?y1rb39y;Fa>6Vv7cn`&+&k?oOm~NHK zY=K~5knIP{{jtY-9{i}S;DzA%5_V}}{SPG?TFHk2!*(~&7d)T6n zD}Gg6wIz{&%7+wKQ5)Z@cFYX*@{6xhifk?w65}K|aA`>!5#RMeC)NRiiP7gt#(tNZ zGP%zoBHy4U$_EU>mFnJrn|K(+4;a~Np{$3ww##s*?Y~->5t<&*5QqU6sFGMy1HS$| z`9^F=rf9<|A$yA7TJW%o{HWoq!nhMSc2_l|uXs$>$W;>QQVoqt4P%LUY_)CIbm!r{ z_ehsTrThzzkuZrRsZw2tQIPT!-qorbi)S68__qnog2bNceYPxWVMdxw2JMw|pww6H zqDkK1k?M}#t06-c`7!$E<6}@R0l>Gu61>q z<7yckPIGQVG6!^@sorNB#u!s+z6)}Cdn-5AMAlzQ8^dFYpTqc;w; zu3g%BDt?qhMEXfu9ki`WNmuKn)0L3bWmiRTOK|c#FHX*~CoyWuEM8$J12nl`?>(s% z$F&32zwb+HK4^=_xccW>3iaH7^&w(yLgI5ZDDV+#Z~0_GtPpj^VP}?s(W1}F9oF*9?kr|b zA~3(wp{Xo5)SN{ZvxGk60_0gAg5Y2B(pVKrvZ6XYCn3ldMiBm)-0&+b)F0s+B{=Xd z2IR$44>ps(MB0ALj!}MwL8ULZ6gF{~s*fBw7S!NfJb{h@^KC}@;tvIumD}r~ic(v% zH3TIA0%ud!k}lh@X^<=IOl-Q=V=(Vg5%NEA=}bD@q*tU&sU+Nu13BpxnhAH-DoKx} z(&}Rr>UM%WrPgaLIw|DpEi7CbS>*q`e1&D8Y_dv{jAlX^=?yJXqFh7#x_@CQs& z9qqrRqxJuAWB>9R#yWrJ<;u-iDw_#*_T;e(I`;m!&0pkX>+1_8UG??;oOyg)Z_(r( zL^lOa$2$JgR*Lm;gQ1;z)jNxASC0;Wq8R4AHtFdLZXxa!9>^3%hl%H(w<05sm$4y2 zUP|nbcM7DZ8}-L~QYve0{j9>lVxXEB9BnL0be~6^W`32kZ7AN~lAZ5F-FaAd?vlAa zQ2QQ@S->pmk0OLoPb^Wi%#0PmHc-x30sL%fTfC(=1WL}z1V&) zMq;adE@HwJNH5J5_DkJYbIRFut*%YEhC!&P9gOoGWLw6bd=cM*M#8n>OXN#}u9c6x zt)Jc`Yb#qO4xP95VM{k8Atn~XOy`Ea5>{OF)y&{HI=%-syOs#q3W)2DVa7Q_V#D@gD2L^RFE7h=@5u@u!t$|7)p z!)lrVELj&{k40bPb#~PQ7+u~K)Y2CI@qeGB-Tm#j=vsNZ@)^`;G=xzZ3}!-RBCjQ3 zPQ_*}l*S;Ztx$OIb0stk4`77=n76{=D8<}vR8z1~v>3^?3f>fE-)L=P zT334$4%^W3A8SsbCanGz-ZMf=IFtL{$Gg3AQ3$w#^q4k(=LZ7!mwgl{B`9%Z8AK8FORXEbCFz>)aR{ewdw z1+2~mU3JEkATPrlqfo>sRN#qJ|2QX|Mu3O;1LVkY*TA1jKa`?L|E@*T{Oq?z2EZ?REB zfC8_DercNjU&y*(x6YVWJr`*wpsZSM~1E18MLd}2C`(sYb6?r13 z^1GAgHfDZ(sX64PpRF5+jSlh-BP-Yi%#8X6FTUIgFB-9O!_D;F}0q!dpj 
zqpVDGp`TNz$v2?Ock%NfFvo`@YUu(&*WT<}Zkw_sOS=AYO=VD=IM`z+s+ZKEgVf2l zN{~AFUOc;S+m!xp{=X*H%oa$U{Pw)YI{gY&>Y$-prn2=Ng5}{JV?}y?;p+^!Z@oaCR$NLv&kexrO9>!)=pE0{U?qU$ zi;CIb&)Y+BEeST~Q0JZSfo&y<1XiwGN8rhfro;~5O0-+D?jsupjPh0+cw&I{#pqS)%ce!f~d_XS5$rVC& z5yXW*c5qtv8W1E51+&aXmNb* z(SCF04uZ$3qG()){t;pz4VtHE&~`FZm{<#$oEQi4Lvn{9+Eg&q!@HKNy}(qq^3=+k zl=5%C`b2`Q#29wq6E1I=UaT2K!_l56ZvEr3Kfa#~k^Svhw^TWKrL;Lxy%voxilknQ2)HzflgOi4pFOf~#aeQ0>6 zOj|t99Z8mYNFX=TaD&XbSazS$gLU#pa&0iW%d=v(>%oNL-U&scP@XH4)xPhiG*Kpg z`+fd-$M=LZ%*nmY$Pfwt$w6|3Kl;CUhttV@XM*aB;jbMSK-V1>Br7d*t;Gzd?yZ%goSpRPc%OL24P|L zLp=x3)wcFfk1;B*pJPm?x0<&u|Gd+YKjhRWth-=x{N#yS<-& zJmB{orMYzXDNMzHXKEID6sDYdPE|GSp|Tg58_&xjXqKIkKa(?G*E)}FZ~3fkF%G^V zYYm2sV?)ZYkszf75T+ut&r zudYBu?If7K$Yu&n$pC|TWgm)_x^kV1joDcpf`J7BtF0+j{N#B_@DuGA(m$_)B$q)1 zLtI>4(f85wf*VcutdiUKR}9Ylp0d3eP#xK82ogUItADw&14W0`|7)1Jy<&iTncaq^ zF}4iDn!o=TBvt>jwBCX&t^JxSPxt1QBGY97GAlL&y9A+gpno^SXtd@BGaK~7gw?nosnbvSbX7qCurC5; z%u7W5U*b3e6UXiu540`|VHI^;a9tX8lzC>hta z&-j00kAo15Q}APht;AOC0Iw^PW{lY|@DOH#X^)5<7LBk3@(o7xk%$23jrOHMLoA`r zXpY}`Cd=y6LUlALkZBU05;wICA~r#{>Gxw>Om!W=*;Yf9QFyw$lM^N$y1cOt{Xf80 z^ZdZhx6d))N{@@d$Qi^s^(Z#$|Dk)W*grbIb{!fo{3&Wm!2`OkF`N>Zm?cy2ZtG`i zq&a;};eT-=RVu^byE0VG4}I;^vDop%My<`@`6^X7FwFT}W3$W7F?rU$XW9JpfR%#B z)Gim5EP`i~U$^h9%Je3$PJnm`Qr^!>ek&RX?~8^gd}Z_we@}lu>(1%wP3W>J57ZE{ zUo^NnKvj8>paY0kFrcqRh6qqIEp?7+oSeD{F5WD2-@=7u?v|)H{SkO>2={wO69AT( z_gC!aKDE~4>Fk74%)b|$AFY;Gf!8e1EVxZEFc4RV%XbnPVj4Mqp;ZpV>W%T==9(Ip zr-%ePp9pDanmHwwSpKTe|G6QPcxT=4jM)V< z7YkLhW~kc#tzlzs5i9;_P4VQ^+_9P^@Yi(-*@0c*S2LRUG+Zx2mG`0vWtAsf4Suy* zT6S#~uZS`U1(zyOQuzZ~=;-iA&4N!^{#GBW&-fAiU+UOth-eeo7*K=6>OnIvCRwz( zi_^WHZEt}JqMMp%PMqI2T{3>T` zq#X+D3#}-S*`d?%|8j6Q=3xaD%TPeKN_uY|0NIgvQb(Hc)G9aJO@L)3J)teUNng@` z^+b6D^;c=_kEN&$Ocb&&1jasWudt_lC5~CkW3q(kZJ0~MkicAcmCIcdnCNt|Z~aAo z&DjJ`nl7#6hD+v41e4eB)L{-I&8aa;{HeWPn`7b$&PrubMrN({*i#t?vEQuPdQ4_C zz;^#D&2GZZNay1Z5?k~=2zreV*_f_9TUp4Kb4zU z&|qF0($GZtUWb62quNh~^v&%^^eNgJG=t!U@L6ZQvP1I7{xA1KQT#dsXY){*3k%5T z8`P$*r8BXia$!jP|jevd{6&6%uL`PTHVU1%MEax&V&0y(ZtW94= 
zW|^>Ba*N|%p>V;aqz7r2d6|@^ed4P1=)rPSu>;2uNVp$bL>a>zfi)M3FleYisRMlA zqGPsZBqy6y?9^d}bznt|sp(3 zFT5hUb;gD}hUVX*@ud$eF(u4HmUc(P`^D0Pz*sNU3$>-}^yoK>-*0T23otyFfQm37Of}KyPF5+fk_u%5xYU|jQatTk41YH~+&56bpTu3jR{kF>3GsZVE=457EJ$MQN%(xHkMvJ!D-nnZs=L+%yd1Z~D~v zbi|+n4gj_rv|>MeSZic^I==}RU0f0Agv8RhFxcB0*uAnk&^J8i2Fw5ahl}ty{%8cP1KK=w~;hE=2N(L#K zurMGEIe6B&IrsFk6%*hCAL0J0%eHoi1A^gW1s(R|TFb69Ee#XPF_F!mHXNO?LRi+s zWWG1_e0aPwPg^!*j&S`Rj;XS;XAOc;g|aBYvT<73U-f2YlJ!sDSG_qOVfZ!innrv| z&$nXNsCtat#`N{}!4qX8#CUTuwmfjR1_B5|!wW4cwKia^OhMZRFmgoos{3`$RwUu4 z41V*I9vhZcstODbC6BFY5t=jhddp`%?Fqkhuo)qKt#d%NWQ^^j{;GD>awGj|ezMg; z$j+fa*pr}B+UNaS@`1P8k4R>&xVCWzJa|b;d2z0GM;1NQvgg9M`jq#YkK@}=zay(s^0yv41dD~8aZrLLPY^v>V~$9z zHT_*_j_B-vK@5lA41$pd9Al7WhjxdBg{Zz{crz=s;0ul;)Ys^_9-;lXM`QK$iX|d)#?(N!>+R5P0sIG%n3o#0 zU3Y&nScwd4eIG+Cj!yg3ns8N8m($?H2-!;jNcr?pFd}!a5~6|gFReMT^6_V6k%(^H zt-3tc<^Dmkb#*^5^DNY!W`P}9%5qo|*O^*aa6b}y+aT_~s6H0WJxF!^2UuCR(D5du zP@~iO^dlo<1;O^bJ~UcGmjCf$GTJA%7B0K3s}w7|?Ab#J&;NwYN7eOiF0CO@+shDW z{X8zgYKRNysU>EW)ofeoMgmy74n zi5y_E9+D;EG{GLMW$xq=2D`pubf>YpNC1sAd@&)GSWHOhdd}6IFT+>^ox}+e;f)vD{ z3_4Acl}@Z1#U_$#{&Sj4{aOA3LNdYY=96yM6YKX{i>S8-fzna%|FDz#yJqq!T3_^c zRr%yg-nUDvQWf@-dO-ZiC{L?#uEx%B*#C&usi@WGY^jg9?D%`%*F$IvC;0t&#aXER zU~|;=VukpkbbAt9ES|E*PmyOKuLtR+ZkdFJPI#kAM1RxQWBWOo=cztQ7BbPf;zY8Z z+kY`=Vcg`~cY~j1VdYN*e)bU}tZ!$Rl)xLIe|nV*QWSJP{Rx=FEbxd<-|tf5BP@@! zsS@%g`%M{`vN*kR!NYW9IDJ7bb`q*XkZ7%2`0>#Z1b6iFBI7GqhW~WtwAn!MV$I># zVA71eOK+abp^0<%CTV%=h|~0wu z*+?(r!yS1j2pj<$ZuXBg$~o|G%o05`HVUzY?WhpVxgLwsUxmySY06(X+AeE*=32-v z?{G2mnU}ioL(oa6ueTe*GB3Y>hjWL8p_@4igG;$u#C$;yWWAO>;mlKlRC91Xgksa^ z4<=(eVh^B8+$oWMneq z@-)^__;3JU9_ka=M@v8`DQ>S7N3c0-ZU3c%f=Q;W@@mfe{o31%DIem=XYzcyYQjy3 z51dJ-8lsan}tkFgGPYldB;o~ysYycg%?MMrj-?-Woi8{ z;TZ>V+gmQqW5?gW`X9M3*N#};gb^55m%kj;EWz!bG@bK;|8Cg7Y;QYOKe58LPHeoz zY@PLntlBy}AonRW0n-~BN6rh$y|Ul=S*c20nwRdI9t=2|nvjK5n&+&ZLp%I$a$RbC znmvH#wxtWZHVO>235N$HckisXVgTj*tH;BA-iW}wYa8CJ2eP}tIlgN}S;tfFiv5|W zoDETHUK)Dx^aWu%f;-aMgu6ra+`8REz~NYp%k&w{M&}kk*Ye6=*Uz$CfXh`JK~7e! 
zrhuG+ftWQ0s%t>*7LrFs&wG!%3+H8@xd(t8a>cwHXbu_5>(d5fj+(nZ*IY9jy0ICv zwZU)e{s8)|eaT-=!}FdWWUz+rNG~MR;?ryt2J79v{DImWaRdd&QR9sHbsH=GD_edm z2tJ`kE*@=LA#*Z5B{OA%TU#qBNuA%&Po!-GcyXX>K1#U5*LZuz-u*c(-9g!< zwwAS1JI=TJF@u}jwXL&hFBg9)#VD z#trU~Jdp0)4MRj!d^y_ELjS(|mu&pyY+8GnPRQ+=F3HMmahZO2co8o7%qBZdBZ!TR zV_}Mk;A+9?*+LM)kJ9-0&(>N9E+G)ajED5_7U;h1@qjEs7$bu?rf34V?%7&4($Z{E z*8J2Le#(%j59*3@L5r-Xx;b5geIH+yp(i=N!v`KC&J3m+p8G_q;O9HM_8)@Q;f5lZ z^8VIlYt+2zE4#5R+DmrU=|G0#SI+a<6X5-3+wUQHKoJkK#3>_5h9J9@HU$Lc*iwgx zProJdTA2G0ryDsDs8gN9vD6>21(>F`@RBwa@2tXNEC?YQbwaP)q_GblRpI6pRGcQJ zi)gD--v}C3qyEv-EycL+OPZmYnl4UKV6Hb3hS$RK8DYSM9M!N#Nq8t*vo3+$ObT+g0jDUR9x2_Hm*={RovUZd&zBA%Z_Mw-r0~aX>po zxtqF|EGRPQKr1tW zDhP@kdO7CA!9Lgmcvm>^pcSDo*x@K@6%p2;Ned57<%^J^Fvb{|)0?)aI zOW)1_p>y{)<}#hVO;p{{41z|^Kh_@u=EM`}PTGR7jXHY1!s6(E!u{rnA^`rY=Pk%s zLQ8Y-WD&7+KLsvP>RtG95|xqm9s3V9iny5^Ry8oIV&DwB7$1pm<9x`9@TO~t2R>o! zs~Cf0c$LXo&YC-@{G5irlqp9g-8B`n?EV7N*x-f_N?9m8f~L6%+Ru=qkiIgl4z#F< zEu=brt*pa?g~kxrR*r`RBI1pe(X1{)IeB-3)yUsA40I)6uL7Iqnqhu&P%ZPF{l0)w zJODhzyc!#SrQ|02%6|WmjS@|hWJ^tisa*)KZ0jL#Hh>0om&!sbgOU0fRRzWFhd1d7 z%sW4n!7xwpjAcW;hm&*DiY1qEjHTwXYksu8Dw0h$egPJ)l2~>|D$%g`icQm+58XwbhX6sTDM_;;dz$3vAHoJSpzuc#ni21T510-ogUvA4pQeYU82fW10nU~ z8L`s6a6U>0Gk;Q$qwRHhmHt4Qc20_Sv3908Vz#S43;dy$PIj1kVTy63CQVA$comQ= zySk&)ZC0_5$}skU&oL1HjH`D04%xO7#$!@Pf~8+1Q(uKuj{2vvNa~UtzXzZ0`z%nm zv$Ai)GvJ#Werz^Z1)3h+&<_8tgdisVYx`)tLs`1dAo{%)TH+t5(PPO3ENBe*gE?4p zVb)-p1!f3otA7c*s-aq1P{K|gl(5s61|{tJt@?rkmV^44UMFGb=|@YwBO?UsjZTQFvtdNvMR?Q!&Q*YxE=at2dXN;}%X~CSl2-+1tNw zD9@n1>6C+yo&NUljL8ZE`=a;77-)Gklsm~h z*kxQKjgrC*E2;dG-6817=+-02T@@+~%MCUWMsScs>Zc zI9fLN8!i=^Zsn-Fxt;vX1E3@MV2;-`@O|Q;a?&kL*wM)%@oNf94#BNDxH@gxE-giK z{WHlrW#Sb_PN*df1KUeKSdd&lJg=3yU?ntAlo zOc|g6A(KeNm8^i1FII)>pk+E4m z+0oBkPOX%0x{1#=aZlFJh7;R#;SSZDfftuEIKH8is*0e&9C)2(3pm{WTJ+m=^p)n9 zAgfnkwfW`$S-lVh{yDvRnqXDBh!v+mjG63gP;mhKgUlc+I&|sZ+$Imt-2@UNP>$e0 zDR&`3)G`Qq_-E&tkekXsdBuQwO>R3!PE*uUVPw<<4E4u2W)T_S?Id?Y2Sg*h>#Fd3 zE+k@GlfE4Fj5Ct#r;0GkdThVK&M3R$h9Kw8N5kREW<=1z{CwWQX6ong 
zqX!CTz(brz(H6tn#V(08FPFG}q;ZR66XO`FuJ7aLz6|Uyg+e1&TB8`JtGn)rq*Lauy0H0JgWrrIqgiy>Hk{%l^GF#XI z+&Ur?CSXMkWx=|c1RqdHKVtoGRx;(EZU8ynH`AA13I(TYhRzKQec z`{;CL77eG)#W4R<`O9b2AIbPSS;XV9Y0h`wy`Gp|wTcNts+Kudfo1b5x~>RO#vR2C zILj2b$-9rH2ZnLG_0e9tGs%~o#I<~xrazXPl-hztG zh^+4m%G#9;^Xa6i!syZ^8(l29^1K<=oz0z<(A6xnyqNjHPu|uB#XQ;joIdm{R;7PZ zrQ;1zX8R(p#wIKH2JYX_3ssSJ3*;K-s(<`48lkvsvsQZ1Ip@v&yH@kJEY?+_yH&pr z&lT!1t0Vo7Ma|Kyw-o7w6pv8!vOz@hDAS3$Ps)<>noXHXO?4G3MxXhwN^ratQ@zPT zZU0lRgU>-lq_fqz$yqFKDjM^aS}V^n^r;HM2~j(0Pc#o0zJBro7Idt|WdKCd4V;I` zz6#On5&VVgd6P8G1LMKE2TtD|e24azX47wyolyYxi)Ys}#hHe;_M*ACJW|!Z9 z72r9!`DC=Vn&1gX>*6G606vuf?_duxUGbQ1?>;(N#Vkh`1P4ObevkTN=`wzcE&IG) zON3RJagl!+A_5V8Zx5V$n#VsR?u9SiI9x;-~qoH#bw?#MZ&7h(k@HD9L`7Q>D!mi@X*2AzTN&PRYww2l8j6-e zM`=Cj8(k6qNTkk?GkK;~(jXBK~G{SkH!bMVof{CAK3VgAedz_?Be9p9m5O&6N|9-Hv4!uJiM?Y@j`Qw@6&nCN)|N^6pm?S{zrnPDk{b z@NvgixupoO-QS$0b0IHi&n^<$;5I%A4FpHnu4&Aeux5>zC*vWmKjd7{PQ&C0qzM949j=N%hPd^aGL+|JXQ zuaMDMW6+81CKINdqr_C1ATDEfurE5!+Cj`1e+!8*U|oLq4y*6dxjwnq6k27rh*;F* z7eA$2oD8ok6(DG{`dZIVT5csxdTY;rntvpaJP*`VmkWxoS<$VX^bFdS9KOI7{+;(N zm*}-4S&UdT=51)iv?~EEeBS8Bx&JME3*O4}ZTCjiGkF_XRjbOmyy96Ms60MJOh2*W z**;5J{lL<%tI~HJE?O%d`&X;dr=n&UdR)e3g;>2_*V!c@M--5Ze(gy_|y#EfAp`U$P#vU9aL88Kxl@jE{J=T8<> zSz#V10teS|h#E(lUqS#Z@3Qw*65wnAaRMpQ2gAhS=VEQa(fx`YyX(4n@|uc`4Qq)A z1WDe=`ek64{P}9g>bPe_T{_Q1(M_zUh4~!qM5%dgM&x&kJ$!cuKRO8;mafuCZ+XWk zLq{LfP_!w{T^y|UZMcovj|@AR!K9TzbVU^<8JH^3U@AS^PoKBj?l63z<$#H?l-D_J za8+^+rz_LpDpNMzRP*|jEXbpkiI54=y<9TyKwVTD!~?)?wVXna_svzWwizT=gxa=4{-wUN?$2S-<%zP=!N(PZnLFJP3;qFd{9PY1xDpS zyDi8wkrL@U(~dtecIRwBx-eET)vmYE6Fo7Ohjq%pFy7!Fs*`Gi5md{seQTthYBW++ zdnUTj3d&lxu`&X(RKQ`MQYl;wRmixj^yI+0AT3=jIrY^Fo~7>L0R%TyK=k~=s*`tC zMX{`V_<5#5U^0~lahFb6Sb99RQ(6NZ|KS6c#jb!Dvlj=Q%Fc#yU3OF`hR(uJtJ$>d zX9XuPi*RioH}?E}OGZ{0&IdI9_o&%|BdRKM)-;;t=eROAPe7?E;Sac`_0;z&#ap6A zkNaCeFf?b`z32hV5B84L6uq#8{5Z2LMMNsL=JZW)j^9&F!;h{4BM$@CIBF|BW_}1d zc+ZlmR)1fNE~tc5;v8_1^yj|uARo^;&L3GRC7x#lkS(F(r^)F0^jOEwU1cPOBD4k} z8JZT8t)_Q)ECJ=F9pYR(qnO}nKV?%!Jrqh`%NdiR69f{*dwOhjpW%A`VBI)e!M 
zv_E~Vr>}<0)pz26{>j=fZO-J$RY2q%q35XN80)_W^(k6tH4wdfL~AHq#JeW z!He^AZbj)D((5&$uxCoEq{PCpwN-AsgwBV3HIeWvt)PmQB8l{>Re=whe?Uy+PFB^3 z!C1m~4ycz7XnD+>t7~p=>{YXE*;m>c<4H`qNlc=QoNqkqmXP-h7EX!Q){Zc``oqC4 z$O}OQ-RM7?(mQ{{(%hiX|IT((-tB`v2NuMJ`!_^<`162Igng>LmYSwSLq;-0^Y#W? ze&?5miHOl#qSlH!^SOHnU}wM>lO0!lVo>iS2H5?RncgQW9UrjqjYme&4$4khr@bg@ znNPI>+oi!>0c^rGDVpI`WbCU`lP!!m=of;eOK!0LVy zZy^>?T&K*T0QkQ=o4IpNePXiHWzKgv+1%WG%IUJBaofvx?W(`?KdOG4C6Kf9bGYlR z;F)Mg(*QAE_CkhhMdE&ZX?MNUsFmZ#0Di0e1fBV|2v4zGz?-C-gr-gejFtW= z^vlsR47m6>u)AjI*#Cd6y;F2#Q5P;6+a050JL%YVI_g**Cl%Wj+crA3laAT3ZQC|( z{r@@Vjx)v`cii)EA9j6fuf5i+msK_Q{H9iG&G{l_rzh&xOZIMx!btw=nnfT^qxj{k zams&XnWmoW{nYKW_+D57UWr3+f9;sXlsGbfBB7-~Gg(MYpE{ce=*FZ?@=6{x;!e*| zim1aSHCAWl z3-0=gwEpt`3_-FiMsMj}zKbA%ir>+m%3GHf*}RPVDWf>}4O^He1g>j{Vjl0nL(< zx~L*qpl=Tc$K>r_t~cjoqC}4V=iP1zm$R%b1!Dwbk9MWR-gMphb(roUKHuh>C-4(F z;oUwd7>FtAiGU&Pxf*3Zn<%Dq0x$5(9lV%2(TX07QJGvM3W6Pi{Y$KB%k1Un6r2h# z`h7f-Kq#F6mfG`;;T0axa?Shs7}ST-PBtPajc9xviD`D_nJwMnNk?{1ZELyGcSd|A z{8Wk~xPo{qLKSxbxe$;Sm$v?V3+>@17fj=41guP1A?hbL6c-g95Pr7UVP(9c8=;*- z_}AT~?S1za_4T&3VkN?zBdArl{cx@9&t%-Kotuq6r66VQsWGDYfEZS}(1o*}PlLgdE4UXfqw z=lg&Y^bDaD@I?S2B?MOI-K!=(zZmqx9q0qA7B{Xb9m+wnm<0o|loLK3m{1eE(9*P`zD)i@Sli|}J`V<+Gy2$7ukYuB$ z0*3@9UGWZ+rzh`?tOSDtP%zb`YJ^|Pij0X@|Cot++jFHN9Mu!3D4#Se7q2HO0lW$8 zRPL*h9d>E{Q;zQE${=zR$oL@9GXZagIE*=dpmXiPP;zw(1Ko>hijdZ5=AGNvB_k38 z6F-vqPlzD!9yJ^6hV zfbtI-J!ekgE*iN{r!Dr#dozC0`2|yjqDR&(Ndh8D!jrZq(d*gugb+nEvhUX^QL#Cs zC+BT+t#kWQ`uJw*{mxmTIr;P9zX~+35mGhC7CR`+$T?@b0f^c6tr^I%K_I4!%#gME zSGw{2M(qXfu5WZkxmEg96%lZ*QShKH+#>5)Pe#E~DUt2Del-c7{HF~(>35bhco`QG zCmyHMk+r{eQ*DCnd_=W)utHPd>gpSAH+$f3-x_el9!YIcd7pC4m;XXK4(}{Guqfgn zj+V3VBUat(z@%%#DuF3N>`uHt+g*wmhQgN?kpyRLjBSyCOGtCOba$z;!_x zsW=<~n;)or0|}HCwL6fcInW&aJ{uy?4)YxsbKKHGn~*zmkGGW9l>4zXHH{wsQ4#XB z^28}qb2UVyF+>p;XGP~D(7+aUR>_j)pLliwvweVF$eQl1D+5K+)jz7zWvuLI9Zd3v zkR9n#?Kg!cN<*5nzGlprg7+dYTw&klD- zn-9U{UUWxuY)7c&?!J)+a^3&X)7pM&(ysURC?+wAULZV&|7)J;^se*hM~=l3By=@= zBz4dk(^;T>sO?Gc|@fi_+s%vyg!d 
zymUn~RR#u``CW;;2rfc;ZU!I-C{mAfeA4E3KGtUKE4 zKRg@ANrma71{b>W>FyXWZ}-nlWw)NjA%pM{&wBzIut-3?h6xj+ACp4}%wUz6rF2hT zhjh9Xq5F5K6km{W)xEnkucP}5l1;Z1<*S=u%F$+6)SPr7goA zYK1>ciE02sw2y(TFwELU7Bric6LX3l53C}ucM)&Cz<3{1Z71Gi?i$Uo|pT+n1lyJZyuARNx!vRs3;erz9wVbv(-lYBuFk-mtXu{a*6HlO*d4l`7{kv$&@AMjCw3s zAqz6N*o=hzBBD1!X>c}>}la5dG)@vXC;D&Nm;hiGB*=@5$B#g=M z9_0rNHYg1pi$QcRexuliD=D9x5DueQz*g)VKeTnhTL|zR|Ff>lIY{3vtQxLUzh=m* zggAeR-jr8sAMDK8T&`1a`C*zg9DNk&94kud}AZVj-gl;`!UK{9H6R2c8q z8DWT=py;%(9nyxM-X+2j0JBYi3JDww3JntsZTo$TWqRab#Ue{L=h`r___^rzA!O#Q z8-KTC`B38I6d3p~KeZZ8^vtUQ$85oJu)elj+${}FBn1lzPxg9NA**2GH^AWXIBVOm@3V*ViCq^gepFxBCMH$xX;enpaah`l6zDi zim;0KgGLE=yD!JaJ?5D8KXmMzK{2M)p{94jvfq+x^MDNA7Os>m?Gav*%=ojjA?v3g zgNnLbvSZ@B~zH=8&Oq{+LKJslRx$WtddFuPxjz5Igb41D zTlzn9NH`dhH^?8e@l(s83Oq(k7J5uXqw3JloPj>BEv+)bL}_l_`qXsrJL~=(UY${8 zkpBSuJ4!q%;B)si0=FAhB40tmk+GItS?l)1wqO>fCJ_rw-a(|QXhPP*=v*V;ly%Vs zcy=;0_%;xi>Llf%R3H3KsmA0)Hk|`?sZz;3zyB?S?LmK%9AJFSaBDfKqDk4|5n>%9G6fI7IRVOb_-c5 z_6Skmr0ZcJz%JoXY0FJL2IoWgEtGdI_yynl%)GhxOXV^=#oFl3I)5{&FN#+QeW)~u#*|-)NQ!2E z_=Yp7@iEjNA#@#?!5in2__Ex;xp-esZK{KB%)|gA3Ns!MLou=i~`f@yl*#8=kN04YopuIA$Zq! 
z0r{mJ&rZA}smzHd_jGtZc|x{cF7gIqPmHju9s7&w7&Mzq9)t{=pTHzSpH(2s9@vFM z;?;+WmTbWO()}s65;EcKz~ji~`nGnD8#do*@=8^x4a-C5o)HAkT`a=%yk-TdO7`#6 zv>7=#n5!g1^q);P@B5xRq$b>=)@{5c6dy%N_kAL(3(8T80kfJgJ=Z zrzD)w#xpkKU<%ozm;mhY=TV@qio|&d7?oM^;A?ELI(j>7s~eeiZR?~jq(ie9B9l!+ zG$TN>(LW#Z@gFjRrW%KkA7u<&?;s|6z?*CncaUKyA#~sf74`x)+q{v;4Qpcgpf7W= zXfvqHt=vTMtLi~0UG{v~ALNd;4P$>#L2bVI2Kby{ETSC;q$(F@xCfxM4Y{ZQ&I{SR zQ+HmDhc^f00fm^6_(H|*KRn_1#P`6EdG8CjJ3~nXtaW8c7j*$n4~R?XLe?eu@nhbd&fMypee|HTr)Vg_xzV6-S>M?d9coUs|9t|B0$&xT;Wlm z!0nYa<#mB7D=A6M$Qh6ope%A3-RU>rBNF5)!g6KR&Dvzb6~G42;({LKmlKM2>VoF3 zFIa~|PxJVk_D`=E4PhXF7(X9SO~%S$7M)20=phOlS0^JYb(+wM{7U#UZ);Uh9m^Rr zs4IC8X)*ri2%6m{Xs}Y({NU4l+;7~)aEJqfEfZ}+q7LSH5C8<{j7b}3=mx1h`vDWs zFuLZ9jLPZ1L-fQIL(EpE@&tr@S|hf|TRm_NPv)&o&5qK~1a+D$^u*T4BG8W5kPuOZ zyZ@!o+Jiw;PtC*2o6S1gVI%9-mRInJJcaJ!#i5eA%BFMr3apC%%=~; zAe=36^6`y5!(}R{2gN@04DFf=i4L{ZS1Ck^A8V#?hz>~}FT)X4d{|uSvma|l{U$7W z%5%;M`>vy?(AkCQmNLdgIHR|t7K*Mz@0Xhn-|$&b_G>^=)V3gu3{c&$_3Vo-f&J?t z&|nvIFOM$KT%$&yY(hL^1eCb0+L+Jx>I zSsaBqHmpw~VUSU?5^I`SlOhOB6ri0D4@$%mV1A~>S4@dv)4*Haqlca%7*#mqmo86}7tkAMaqI zR+92Euwrn1N%vdI;QnBHg}NuA5F?nj7*xow=(`j1664?Qo3DlD&l>*`wD(0wpdyEc zN-8ket;&hPAuj<5x-V#F3G4+7UlXs7L|;Bg^!_nf_#`aNo*s!BRIpE3wQ{saB!3L( z*yd16wjT>asQNi-g|kUws%6I}Z+FqqYU*6MeXcUolIA~jE+96XHYR##{`$ig6;3{e zzyiwMmxFZz8=L16H5a=yN6d8>&wLpT5vDe8$^~bxa?2{sxXtLYA7XzseF6>BU|2 z9i*y2G7X(19A10I;9!w+hs&$SkR?V|dmtRJloN)`m5$?X=$KXqPT1pfvYJWuxc8(Z ztRpq7cRd50f+DUU3uwmdZ6dGUB8PvO-zeIL_MbO^JP6~SEgcHfh`)(~TwiMcH%is| zKYW$qmsk^ujAA7g3sNq#;q;x!=-WLG0CF-JegHlZD-bOyHCfYwK**ourE`?9@5yu( z=__@F6jlv;ym9*=fNmCIa&Qh{5DSF;&eqS6vWrz&4LsbqgLhE)W8*m&a@`_Zq2eYK z<{JL>eJly4$tIjxj-TtXIfz7Gi1oUVH?Flh_7RFcHHqX$xB9mb#4Pya z-y{43CjaO?|5DAJn_&d76%7gIst>9kQ|)0n8I(`q)W@sTI*AFu)bYI!Y!OoyDa^A` zFh@!#N)a6F@9liXZkL?U@9hB}tEVnSpsvqF*s(7-MSk7-N}2bM4Q2DMv#%rniNHSE z(`rWIBj>_l^EaYWnvQGA!5b0C!LLyt6XlL>_>pVFSZ4j27VwkFU{HUAYTVmsS%XB# 
zZg{4SzZ2AkB-J=V{x3Yj(RJYhIOfb72SQM2z-dZVO3%?a?9x^6y7*Q`>x??Y70GJ2F4Uk@ZX|LwNqoeS)ml1#LN{y+VFu+Cahk>tnbzPbXQrj#B)hQD6It@`;0@*y*ALmu5%1L3l<%PjVEpt zgeGQ}ZHQHY{qx8$3Kw>pb>{TB9ajl^QfC#0*GQpW=xF89#|bO8&CM0cDc6zS1{f60 z;#_2*jAH1WfhgzSk|cTylgByf3$a%$=FxG|{5z~R$}$}bLMA~N261x#;p-&gC*FdJeR({zl(WSX2UAyJ)M1Jy?sC{sIs0}e{YZzfpKIhUBfB z)5@Y}V*{S3GJge@ZY^2Ci?pcH+w*p1j#D|Ojj$EWr7~Sojjuq2fb4fMu)|;t@4~%( zyzMIlk@L(nIFBR$4syaf#X;(cMvV}%&5iz{_6i^!n!@#^XkA&x-qwOAfgezVo*?h{ zh)TdTMSR)Df+Rh$4dK_Nhb0x+XZEp2uddGCmWN3utyJyFE{SFUT}x(QSsOJb+)V3{&bkZujnfU!HFSGdjgqZzOADfwXtLT9)kA-ZUoFufk#(iezf7T= zCF-CXRAjzH=1IkQk2CKAcw|;P0c2$-BXU-nAMCq;g~Xp&*AqSiOXbvs^O4Wm=mtRg zU4Yiy>InZX;3mjER-9K#(z^;Q3;vf^cYK8R7R3@w$raDy3CfT*ddgd(Ua8D3R_%4l1`Rqn3E)S~pTXKm0c zH&9{^;3G$UC?@ir_pisGk^U#V*4fzTB$*yLz@ua(kFpY4^$fH45tRS#9ol0irA4)T zPQ7R7M?XcW(Hftj$Nsl9mlI~mMX9>MAcde#n@YZ9>=n0>^FFqC_O;3Iikf6MS)zkY zuv&jFd1Hvzt#o5%Qvqe9 zQIkHtl>`;3fNje(!4F{c3y~&-E>T1<%3Z~Yl?T@edHizzIS}>PC0Xq4xUWe8FY_d9@*`cIVR3hH|`j$X8xR`+k1=<_rkTJK`wA!z02TXG2BAHP>{K_LZW z2}Ar51~I?z{6hB8cbIU6eX5}h*mQR={ih@Ciu@k%Sitm=HNpS}C258@ZE4C8 zh^QuDo}ptTmk7>$t$QfFBgZL#V-~QJvZ~ng${#en9^JcJU6~BGl;Df^$pO(d4VJ~O z04gwECH;4!CgJ1>55ZrTxhq(|75{7|e5LDk0t2JUOYN7FpEfrU{+fOo%z`VZ-!cAm zP_+pix1%+_U38?Z&lS7WUAQ%N5?k~OzK(l)0;MaNO z*vog1A&M~TFsk$v21i2Xtm-3?Nd*oAgYc}cIq>1zq{R%1;qYHJoO<(X2!j$ZUSH zw8xY%9#;cOP@Nin(AH1)c|9cEZso7()~^zdcGw%WR1Nhdo0`h_fFdQ35Qsd&K8g`A zdo#HralAv~Ui5GKvv1DxSYmf&_!JGC(tL_EcK?h-J#Pxy<0aE$sE6LHT{(XR?+mt7 ze|PEktj42TLM)o|aX2o)Fyl1?!n%w6Twk8q{w|6upx?`jHsk8hVq2oeEzs~U@LK~- zN%a~y;U4|%YsM1-gM$57BfUODLLjdBDSXk3(X9hpaH+%J`K|zwJGROYLN`kPZOUi* zFc=Ng%nrxnfVvQU#vk1(%M==e-$z+sL1h~Hh^q@Fw^x z`Txe2(3z&*cehD98I%Okp4EB8N30q%{1J<~akq8R3weWd+$;6xO(5R)J3`DMuf_9( zzO(H5pXRIh;B3nE;`9mp!I0%v>}=t{`!#&)djee+y-NdA;IA@~8J`%{gYgq#C6fCJ zjYV5IPB3ULD5Ld)qmyQ)5eNz@cjR@bTw|STPLvlS@cn`O4Lv?2N=l6XniP9dZ0I$k z&xA9=6e(ij#}CG8u8e+;Qr@=@+yI!eIltJ2Ns9mYg<0$VZ@=*6vr#0g&Er38jam*{ z<*0cA7}R{L3$BIDsYu2H;&NwI@;J`YgjkrHkFh55uB9Cyq6ElsBeMW<+=N|$95=gO 
z@yujhPlz|!TFCNYSLcGh($BxZv^f1eaA03_|K|KGvzHy}*tKz>qtrdT^6NJ0{N`nd zOQQoJE@dIG6nP#)!H%^hg3I@83}4gjsPtsQPX&*@NO1yT5EO{Za?%usb|5qIN{`-5 zy+rXMy+jNYyg;|@U|A{{XAE}ub7)T-@@^Z}L~FQ;v!dn!3f?ZhzU&mf-eSh!6&q)~ zXA~ef&sHpH|CigX!Ww_O`r8RY9jvtpoi?2QUjvW zjzLtKX+q!pq?HpKt_`8~ryWSKPv3$RyRn4Wn8xNWuzC$U`lR768R7A-s``HECA7Qa z6HW_EfPco5E`I&XDH`hLt)PBuy5jXVIU(%>LM0w=+cS$-oE1Q#}2Lryw&0 z@)Gfo=TQxM%hbZiD{zVnE4X1}fO8<1m4)^~LeE2?jq5@OS46Tuq}v<|VsZYADh?C*`CO5mxQo3I zCQ&BQ^E^$XML@!Z;ZT6Y95VV19y@y$c=Z^yF9&j=023_Py=AFjyH&JU<}glCs~b9$ zV(sl}vU4~3McUBnD^aZ3Ve;v@gyB#qM>o(C77ox7%%e29+*0s%PEp`RHUKdKmqAnL zS-Jc_Cpor9+PnGjRv8+WdcP;A(%;k?Zy9Z>{xyk8sx-Zx{R|HN>vmlf#nz$(TqmS)yR|XLGdvH>Z1` zjd?hw*ME17a29it=4CqFm84f=9%*vZO2azRP3NYiPdGQJ9@)^G2LDAzd2Z=u&oTWy z1Xi_s$JCurHV@_AO&d=mpA)eI*!8MQieGE|u(JRl=DM!as+=UOWZrW=;5_ygRG8zs zXX)fdik|vsVUtT(UBm6l19ub?ONIGCc}RpFkE2CBcGjJom*KQLAknx5dP|wL7uXQ*m zGmoX138CrlrSN@MRTe@k2FbA;_d>bywjs|2QAGVliHLMa2)Mk;G>CKOQJ>U6X zB1ibJDaRmkF>%QK4_?Qxx*VF{puD@isyvzGA{$@JdKG|Gv z)-=U?;y+69%|11pclRv?2=B6J%PwSV$e$E|i3=SH-G5g)9Zi0crNM6T-acWpwPKz9 z9iLN42O#Q7qAG55iNk6fLk}rKa1?p&8NlO+T;1@G#>XRb+*YM*uUqCzQ(xZJtmb!L zO60H8Z~c?JzS#_Rz>bhLtB|Gb3b}$y{|l&D&E>tce=jHPsY2FKKt1O{DkQI!5wh=S zS#i2vxvMI9EA|9I%G|VrL2349r~fM`MZT&vSW~WLi`En^y+m%FZEBD z?{KqJ!<&k!RWh677+0z5OJI$`zhilm{Uf=^CoVD<&0?m<4;!n)`V~Z_C zp1a994bZOznh<%Wfa9lbE+Avwo{c{q%jSmdKgRkxl7YAQe~tACVZWy~af z(**JGAL#~y{65>??5LA2LfJ{0JxEH*TM~Y7)@UGdcY}rw!V7m#lA1EVqjAPz6&waz zeB$pFN_>A){A8G09)n^x!l>T7LtMIQn49n3Jl>LDtVj#kN)=sPyCV9^=HQi<^J$Sg zzt&1=0v5_Dsset8{(3b^n_WGR1fvvNOb=i1G@oiDYF}N%z&yrLb@SN_UqJg<1jQk* zj)(#sw`A-BX+KOQL+@rvL5+fzgQ^l_w6|nuGO_vdR=d35KsHqK|FWS7ZDJ6nYmsAN zK&8(CL$(!r5Mdy`SUMcU7uT&-+K8VwlNk)yp5eF>s17NhX^rD3o*prZtfz%$ILlP< z8s81KU-ia_DNY$&q2Fp7)_@2A;4A(ABmh>vF`LAX53UgT1AhFmU2vt4#cj;59m8&% zt#2oE8k>9HS1HKUwMi1u1X$fFf_K`8@})5}1jAUu5cTAx6YXxV_0co+7UEq`Bj9Q0 zk3TJhI~e8(0NrsdTx1L&_}R-ut;9~eFRU`g1^3PVje^@9LUUDo2m0I#H3>N{;>C~m zB?nPSn?;cvGfR2;z0Gfj|CZF) z3jk(t<~pcx_+CapNXS3x^)}GtSz3m-V+ucDl~fn{8;?pk(^6IK#a1_lMOt@#SDd|5 
zhB4&Ral;oAK4;XlyJ^nve&ofk=74Duk-Km46Sf|bk}XzY)m;kO4icSziEPBcYDKw3 z8>v1f1x{=f*5q1=e(yYqGFn9so*!B?r0`HHW=o}d5MOcw21>GY@5%b9_K$Nb>t8Of z1lTTeg=C*7{+!zW!KGZ%DmP|1sc(!2kEMF+-}eT+RtGS|p&02G6=~PFgFi|vT2o#ol?_m^3IeVTZeCkwc z#_cmImp`PS{#R(Du&U(eHXPr@SX&}z^RbLr9_7s2re8NtgSA{%lU@HyrZ0fV^k#TU zcgyy@3YQqhJm$mmMd1XEzBp>mV3rLY+V3s2;>V^$F(S>!D5b!R%+XL*mEM@*hQGPE z(Nz+TXlQIC!+k%H`*i3VFT?WG#lQ5L|H>!MR3!pO{}ZfGzr$nmp9qBlnR!VgJXVKs z24f=o@Pgj-#W;~3g+W|HME3QBzj~QU>XL2=S!(Kxs=qd`Fv9A{$@-ge@-Y>qdJ;|8 z$Xk^%M@pQ*Yo+tlVn3v3w{V29oHtS3G$B_Vst~6wmS94Hb~PA`;iinB7bjatc-(Q` z&VdAiIiYpu$mj{{8^UZqQktTK5!CjKEjw@nszmDRIi+)ygKD{@6<1U?2)fF8?+U%B zo+Ezm2-0pAAT+E;Y>RLemUMvXfEZ5WweMEL*<(p>*f9F(dt_zGL{%0bW8%xp@b+o{ z=4gT&zn}21w9EQ(-VsMPS`o_^XqcdVOt%S{+}Zpy<_&DrbU;Sm7J4iidku(w ziaL~z!}Ac6+3?nh_o6r+##7)BGto3S^s?s$~(_ENW4StWphcHu~|YV$bf{R zVVSt5O#YPclPN^W_(MvyB5WgYoe$0;cedP}M#F$5Emo3h0tQA~3>IMv(R$%B;|)1# z*Xa)0^Y)lnLL4ap9>4rhaOsG=OEPm#>E-Z)xf6cut%l+NDEXS zF)w>)WQ^}QD=@p@<>p*D3u~ii*2?R3o+QKxc)#atdmT$%q8w!(AC(2`g64scH2vKT zSgkq-a%|d#_Uv*5GKWs92Lv(W!d@f1Bb6}sb3sxiv;0XV%Bw{Z2!6rq5OY1+v>UM0 z#wfp)gN^fqsN}%vw>R(-E2bET!G1<*P7Q1`(qKedkJ_f5z5lKe)wrsdqkNaYwZ&0> z&yKUBCCbonA#ARcln;lr#}oo``#Ps#gpAdO(cZwZP?lSXvdf3pDqS7gV>E5T^vKME z{CLVBKi&@+6RWAlna=#zhpVqC3iIz|gk{x+BYxE?%flZu0nmP- ztBY>b!Su6=Ylcs3^1Rp%kXMQaC9_QQ#{<5T{bzVgcgWo*Tf5&0M6PfyAXfWk6m#}J z|DLR&W{fP!D+l&KZOG_ntVQ0y=+RX)ppqy+>CfgOC*$4p(u!W_n!V^5#c1 zULns5;()H>27-QC7~quFWqc8_ei%iS=t>YR{-XUJ(*Hv$nMH;eeZqhD*Ul6C&+{DZ zhY{CjT62-OCrAPz8-@u^89_X;5$T8Vi2_w?Pxxl*#5{8^$noE=ltQb&aLWB32ahKI ze>->tyS@K8cffLxv?~6U#&Y6eUiwtqGou#Fl!aVgdj~PtCINh5csMI<_CGNmGQ+VqHv-AMo^a9Ad+12~`~8E%GuQ5${WNnH;bd#XriD z&r9tM3^1FRN8g~9cU|`CfMrA!YTmcC#k}oU)}Z zF}qfG(^Hd4!*B55T4mi<7lD{{i&w{6n@}}&9i4&POrtjHfhE=|X#v1Eq!oyUIz1Hf z?;;jqkVX#z8L>v#IBDsq>ggVcSU2#=@Pe=ljI26r=nK3?hq7)wfQq{u>ts$Kh`ZF3n*vv*z?n>o%#=u-j;_b=A( z=7?_^62h>Q(_{*0%@=Tej?V>#nU@qFk z*FM$!y|i!)4l3f!WGMBXz|IBIZ*4!&BvqKSj%1wW&p6%MyW4Z~^XoPoncREM-|=hJ z43)E7O`gpFacy>9HP2kb&Wx+CU^IGyKrRhx18*btINxV>g_IgIG26)-^QHq8%%Y-@ES1HuS@{BdPuupJq_L^ 
zx)iUvJlqg_$lXTFL1k`gKv|HcH$uJ|vOjN0SK7y(4)k)@XJ10K9xVs=oj>2U2_A89 z)?Sw0Mz~0nQq;EDwGeNEPO%+T+{#kG*YSe{lbv+e*Jl>N8~qWkyk(jowC%6Xd{zZ& zPd)_;#K62$Jf8+vXlj5oCgXY*#Oq*!#r<`do^MMPE8O7WS@L(QOFJbxyvZyHuSRt@ zXgv1CLAX$EqlEd6w>&z%aTZ^5-j?pf^$WPzv^04y*GvT%RFK3{%Vq`6U4#J+W-?s; z$Vj`GpMJhq)fGJXNTSA~FS-Dyw#W>^{nkgFx51(eNCn0hfdSyB&7);HGP1$3z0mAI z_PQVT-?V+=PlETeySVfyi>1xk?%|5qM#80povSH%<~5wB*?n*DO?*(i!7yS7MdM?G zj3avi-M)!H!Dot~#~O{;IlA-W>TSu`Q1X=5a1+;im3xxL6`Fi5RBd*MD1xg5!y0;@#~#Ivd$Q9>F2E(Z(Jr>C7Ctb#;N> zr=c?{oT}t}-#Q)j`id#PNMgcLKJV^=^yvJmIj5RqkOD>lI|bVdlQJ$2i0yody)&Xx zTN*c*e;xwg1xZ?HX&_Ip?BrFk3&~e6(+MTUQ#o_S@b4)Vo)6?@0=WzZpP7DNr!p4} zGNdw+rc#TfQgy9mUXLZs+W&naDJ{dqptDa3z@{6Wp z(yop@XaFYOX)2`K=1ZyNV2vu0Iy3SNV6k8b8Opi@FbvrYIj-l{ zWi=8-f;Sv?4c>NKXy!bbGZ-`zjir9zjcu*Q902V;@Z=sSJ(S^n8Gu()nhbGF;DNM5 zVRz1U1(wXOUKDSr+K69)-(|i67k9t%q;9|Rnjq|_$&t77nh-!p1VRiDGJ+5vgaRNW z1EB&4=|HHrUE9QDzx@A-!2hoW|Ig>8Ac6BBf&afC5G3d?NZ|Vak5~wjHw%*Ye}cgO zlZ74ty={+JXaA!r7yl!HS?HXWMbI@1eLgMr=&$R`Hz7$3wv7TI5_%4OlMiMNkFUUy z^pyikraaV+J9db3;2pm)k=k#YT9|CM=!vVxBu!scIU~IZAstHrtiGd|5;Bc+aFd&p zWj(VO)?-qkf2f>E8zm$;xVa&UDonOow4gX#II$J4nr{dpr-Ljj$9dyj6RS#Uv>lp1 z;IzUyow@kiMlNhT9Qs)jB3TscYA>L*Kjws@=tPy{wY!}{-5+@534}p-Fjs=FU+n9R z%-uSZkZL^4wEi9O^X$9%wPX&s2_R1?n?8{(4maIIT2VtzJ4dA1+Th*!)wSdY>}%e^ z7k0rFLhjrb3n?J$=P-#5Bc+AVNBZa87r2rfI0PmbCKwnP9GHM%s-FY67|IU=ON}3G YjwkZM;9yGusWT4X95Bu3fnbO#JpR^kgN>ZebiAU}bsRl+Ke!!!IeQ3k~wA3GEI{Ar*e#)2FJ z7)djW*cNsSXona85J^9~!b*7C|?bWc={&`^8!t#B$ zxA^Xpr(N^-^4r(?=G(nGHh7n?6aapir>_;xab5o+V$b&_s&&16-8^ODUG4eQuwLvL zP3`pT{ET_|wcUf$bB=h1X$p5wFQ%((@pyG_&ocv|ZV3-rEqB!Mwy+dvU$p{GkB-Z= z7@yxJb8U?3ne(HoPe^R5FCEtnJRZIS4ezhi%p!}Y^~cM{dLUuZx2G(ZcdqZ;RwNnR z@N|pMDX-e6qaMxc5z7tBD^?ya5vO}^XS*2X5h9O;>vJ*Hw#H`r^~cQu(ll+WC(8HD zm|CSPubvLrdVxB%>m_F=mi0i@a)fdFd!$U4W&6`^N;ls`^L@&5iq}=y!8p=u{wjF; zVDsyhYwZ(3*<5|IM@^=QLoI-(-2PIx=((_}iZ@9&s{OOQRr~qA_|_6_%kkBWTYt%t zyKZy6MKjIO*=FQ9;w*wETzht!RA>MGGN^=GlgAMK`m?r{2VS{4Co@nCzcza&I&#^( zSSm|O&8*1y!1xqCxEEoSW%btNdK;9Spxl3|tnGfOp!)n}kZ35t+4+ 
zuNCuraee*W-u>&+`IQq^eWfz?xh+zu)wb02?b+7bo26p#vN<>645P=Q@$CbbPE{)0W1ka-AVSc3-?&R@xl&%1!OGf1L7j z*7*JDn*6L^fs&?t38B30;ZR|rGP>H5gtQ2TwC+H$$9f6YDZ zzQMD7y_L;@vAI~e*ptO!De}2cxmb(xJga@Z?7lrC**Q{aTJqc+PRxR%{d#}9pm=_0 z`}CFJ{nxUM;U#cJ{S-hobv_0$)7s?9KzMefWMYNN+2rZ~G`~H2oKU=xoPfI1I zLmUGLq5QG^^uV~-?a+IF&vHp~W|hP-mC?n$@aD{@-)eF>{>uCQN5WPb8H-T}^w_Tf z8a4@$i(Y=h*yb1Ypq9jIK%d(?nPO{e(6UGMI?@98J>|fqoAygKsv#Ek$sOG@FPb*z zgw2`6V~N(hB~9Oh{paPKsalZf8JvqEurd^2;qX}xQ%8+I5f>>>$ZuH|i+ET$6q#HG zY>V1jzcGG5?J&B7T+jjn3HSJqH>5x~g2;nv(>ViVx1u7xyO<0oT^GI-mmfKz&QJbC z93;}euORZ-XQoHB$qF>Xh-45Z!~@A4+t4@vDwycO-4(grjbz9`0IMM9O`C$J6A9$u zc7X=c(h!VnLe^*U)5d4@4g5kvV&TIt4HF`eLn|;69;6MVeRuaG=>JVLV#JS`mj$B3 z&GWG;20oQIB+P?G1Dw=X2%j_*4`k#_6|B%KI^RNQzv1DBhSAxVe< zg$2ASBN4Qs(_nTws{9R5&V0`-EC2+Or9hk$J2_e;2BXXpQNqCC3&wSjun$SDyE8Qv z&%f~D{{{Iw9K{j&Gv>j}WT<4_#$+Z_O@@xu{z_~9P{@xHgST)R7!~fv4qG#MY43%Am^UEl#YB~V%g7E8p1e|!f*pH)h3@u~T&^VonT@?Nw^PK=YNcwzJ}I*g33;4UEb@X@?r19poJv{+2|G#%w% zf|@{gvUEhG!!=zzS9;~MVtNP&Welj;^mBd@D8KME>7^F6umeTOdw+9 zzFdK5a6}eJ>*ob#4kddoCth7qPo z7AN5(gat`B-?mO9*~Qhru_pZ+>k8*bti04qE`rKlD}AmOei&o;sV#!vo)bf;$-dQ+ zs!1dpV}4L%ee*9Y_g@&m$@LE|*|kUU11C@7iw{necRfoUQPxOm0L!+AD&^vtvoLU4 z59Q7!3WA0|ZgA46KjYQ%$q0e?2qe;Ea?y;)3*V_SHaRD-`n&NSV!n&vd2%~sWi-l& z6s$g?KD&1{gxDu|`n2Ii-@$@UNz@&S|K_t=L=0>Iu%IGM6f6;-X2QF2U;C~v)$<*L zh$WrDVR2)>+um;C?WZg~UNJhO$2BC7sMA>rF4I9ZNO^#~9v7qx#)O;|2(3M<~( zT~RGUW_|ZBL)HH>l=?40>~67tiB%Iv>z~Zt5lbI;6Oc_`kk~1_jD|7)g4^~g{67M3 zc243j;2bJ__BUC3y=>bW59HfuXG3KLe@rg`D&5ige+78*uK*Q{H*8;Pu>IXFo~{{!0W$6qvrQ3UUYk_u(g zU9jY~Vu{Xbg!|llTbP56IaA1Nft@r;6jrxLPzv7ke-iZB=nRxT2t?z-$z)8m zvgb~FNZedh&Q&5o(6CUy3ICXxPiPG}1$GSvkwOSm>c6ts{XeoOnkN##d(QvhIvF~W z!$?MyD)0ib_-?Sv@U%u8UI-&eN|Ay@g!(Se`tB3(w_a1KA)-I(6*-kFumFbF@B_HH zJ(Fb~XkR&KZJ|odByMnB1{ZC_O8|-*8W;eYoyFjbU;WR*){%=EW4MySU<2lVx2`|T7FADU+-Fx|=M*vgFSb7KBpcoR?`6$u z@9B3;5F;q|U=+%tw&$|{Sm27eQwwpu_(7(0EdFbXe>eTt6oEV5ELSf28AP3rsFhmG zszYu&p#^G1YM8A2kO%zquWz(OPdSz1BU)%2|KCmjpFKC}o66bWsrXmV_g?iBGH?=z 
zh~aV>x3SkI(&t2zXzf6?G7|j{;_6fg$*S%L;Ky(e%7pGm(vjpzrDa9scL|8e%+U-7 z7%WIgM)GK1P?`RJd;Zw6G`{jm?RR#!lC7jx>Yp&-t$V0Y`&SwR^5K%(h3aYfcdXDl zy%$}s%>Pk|n)Lr7aZ)v@n1D%4Nz`CPh@Q9*Q4YPRc`c;q8YbtRvR=?J+<$D<_U>O> zt%g8$80^*hn_8=_6WugMwdXyo#Tm{~-9}?{)=GB=3LHHZV8v>n?{N(b3Ey~nZYG$@wJ54N9sQbX})CzQZ!XlJwKM{$Qi|+jYqzbql*mxfJs6FMD zu<8)F5#yB>3PwbseDgGl_(Xlzq~cvkmZ<87 zMHdJ`5Eb5szn4AFCsERKVP^1;oIkS;=u-bRco6-{f7<6KTNnTb^&`(@qF@7>C5|re z84NpFHUyP%1G@cDXg<#x_JjwUh5m{E7h(UKFY3=984CKa=eC7oT^9xA_^AiNx z$t-i^X(;iX{=BGoF4K|!1$9+`Ip|IQs9ql&H$Yz%yfLhokrYQ!aB!c%Z~qcRHN9LR zw_^}m$Opc=J(rsFKl-6o1XU*fhpgo;N77ke#&ECY8N6xdPR9jRc4+kmzV0E%@lkTU z6vX`3>eP)3l(;yO{8)vr*jfF+tHHnp%6r#IB=H81shKv6(RTb0shp856wsB}87TwD7&f^uT<=<7W|}sNIF#- z`2-SV?bQQoNJjBlq#mdRS)tLfv0wjAX#fBDL%F{h{i4vHirww%!@nN6Z83&@H@($; zeXMXn@JBn4bnVJX-ia8;<5*fk6{P>p5?;Pk`+u#If;S$<`rjUN!(H{iUf>eG(n~=t zU>%)F3F4 zF_?}r4v6KZ<@tqr|96$l8S%YckM;q)R_mU(Jk1S4b(x=bd&!MhJy2pi{aerpd z6BBHxQ=1z?z3b+W6O(Tg`?MgDWXtWGb1sf267d?jKe-?;*+KalJCB=H`wDB> z4$NCS(lfkqMi5XrOEeh$qEv=^U$cC6wC&bZ)UtbIr(3sUElX%{jVfd+TBvc9+$3X7 z#H_3L-c-qQcDDWu^2~V+;)bWga4Ccc+J2)mOie#lSSN}f^$8gYA4uXg6^tK@V<7FN zLtNCma*kR`EZhkn(z`Agv7;$wrihRT8-lRGEoP;N7zV!rBneD?vm(%^^h}Uymx&@ij zlJM1MRY+qM*AP~hBp6($C@bm8NX;u=LX8t7BtA2@YB#LS^77!AS}_-v{ZWr*m`l(9 z4T}Vakr|j0$ZiSg1AjJ-wV4uCQba9Ow)Zv_4pF`iZWmK#h>K5byE?iY(pgQso{Nt( z*Kh@XIfTC={SZc&DCbX@<<6p|P(ecI5kTq&HuehkjFd4h!V-C4S`+6XB=9l(!^@+cq{1A|4E_ zW3X}Oa6RrHznn3h) z_0#BQ@}&mp%cDNMq!FJrC;J+3Cdine@BOkRBM_pIiem0Uk18c|wt9$@bOn!}p^^~Y zst-J%BjT!;(L9l>lDfbAHg?_*{XunU$(|-i7!R*w)~`r&VH&xySJXT zs+I3Hl4FR`Gz7D!C$z8xM1Z`@P$0-6TCoUS(fd<4E;P*r_Gkutbd{IygIH}?0ZGnn z#6Xd}c23_l*=Hqc`!+Bz!83HPusbZ~(>BM5uCJ>42Y(nfV0BtX0s zibhE1+i&Mi3qfSna%;^!4&1iZ+Pn^ZjbJozh5_^MWMA322h0#_2iw6J=xe-c^!&Li z!8>7tQzZweKs+V{9lf9^lzYDVd>7J3c0NOFDuZ&dEZt01VUU%|6hMnPmHaUug3mGc zNm$3{zM(bgFHRnl_a&k?>8a;lcm12&K~ ztdGAA;5jhIBB`WYTZw8;Ehcb>=|U(R?av$E`d5KYK=V0g{umd}0pab^a|ysju-Xvn zfs#)n6akZsuxto##d=yBrLD@!TsAg>+_f;4I(th&ov4x6GUIC1$Dw67=cX#|0gkP50!rGnQ%$&3PK3BG&8mltTsbLH7BKlK*d6_ 
zRGn@LTh}*mbXt5d0vvjHT|~hASh>&@OrN=IN~2dJz*s3+WsP5HjG)Q}&9G^*tzuEw zGxN!CdZFP+Ys&{>Uh&Ti+fDU@>Q=eDQK zbumWl2p!<|w}59gp~hY7cA9|nui;CV{Zr!O)&pmay6T2DEl+Yk%9i_zU{&KsBE)d{I~If@C-~f;CoFTD#nRAI z)gqJg^KUhI!k%7{bN13PMzz0gg{lf{uoyHA{UxZ&e&P0( zcvbz!dhgS!KnvP(Rdf|C%U{Kcv;=!h!jDSFeYJe55_*oe5@o(DWqW9_(Jmg^jyA2{ zw=@RzBgJk>vrl=m%~>uC)lajIpHt?bLsa-+NHV+7^}a0Y5$KtG^l&0msA;qAc#=42 zx6FF0rD;>B@?4;jq1GB9*76h@KAe6ySfkDP?9^^H7utira@#2@XrB~E3Z+c>1+{uL z2co1)KQjW=TIzMkSPFMlf&NfAk4>DE8=b8O>5zNi_-Al*Qsjk@gnbm0ox zH~AduI&*-f3qOD*x32&{1y*lBUq&WvYf3YoSBZqI%61c_inM>rH2(%#;Zay-bMX@P zF((uWG^9z-=r=BByF>TYcDr?&tjj@x%jmI>&n@qv1Mlr451mos{&SW~+sjM(cPc$@ zn&kfCk@dK})1&L!)ZYvaTfvG77vZY71zGDzG<|GsFMr*M*-@r-s)%h5adHm=IL% z>@}q5Ef3Qwj8{#FRx$3sO@RC7Yws_ES=QgR44PilKLfQ@IEs6%f7LelLHuGxXs5)p zs<0FWhCf@zZ9~qDI)eF`S3Y<_6!4;n7R&k?Ni;oOv-7cz7yi)Ht}GtX3^k9uRG0i;k zSj;~vUUI}d-dHUEYK!6RPtAdF)S}d;MKT`>U>~L`wZ$vNC;D?e8jmT*9jTiLsTu6K z`^go(&BV8MA!{JcC0iC<>6Ex^7U#}&As|u5Y$eC4&2fJ<3n>%Ai`o>5kBk^N1CeMK z*{OS3I-N|UY6Nj(d>f+4!j0;sH_PnTEniaGt8CEtg>@BJLS5zR4C&}#$%J>>Lh`#4 zurcqmu^YWE2=(no9{bW=i=!CQizVY+HeR4PiB+4&z`W~vYSr=>^s>!{qeAI-TsdAO z7182{PY{yVD!=ADcoVekf`LOD?R9Y$bXGDED4w_yuf;o$6)m12XD8@KS`qTFhpE9m zA@`dt>W@NTE^8FkLGtvy)EL{rAU{YZK$t~}h~p}Y8Owq6Mn3?3>mc_{Be}=1Kw0YK z>vRrOey3lno)$flhlv!a90ya}!Sc)nLqDF;!pfhrBWTK}`Jz`nJ9Sn3%!iEI(-AbT0Zn(AArfVSP(ePwHw(^&f`ud3eV zwDlgo2_sxZ(*gsjd3n@mc6N3*0PoReOQ<}C+Ar9HED{c(2U^>&9pzJ?>eGiiUf#|# z=Dh9^b*XbsOWFVC*_ZIzs@0c(@mtlUNu-qu-W8%>^#-2fS+%jLb<76+xb@YNR7^E_ zbD8hH*K>{~ce*Tdo@yNCY}{~?5%U`UUHsbm(vID&we#|zz@efYSXufF%vs?exTVca zewM8ip1a&Uu>O46-5N#V(h56>J>F92Ce-`g^U;a{b0>C$Iah}xokKVq(_=p8{h6i4 zc5=PaqX6&jxvip4bCUeV6!$Z*v*UO3>`|vdkiY*>FDf-}%53~oHU>St2;kRn5_HV_ z+@7%Q<6(1>v2UT6e1q2rpzvzW}eCNFFKG|h3u$tpUz&Dk8JFIYUI#1SuKa0S? 
zvKn(@3g240#cuXt^H^0>61xb5<%+^FUaH|3K2YlFAWS-P0ed5Q;kMjqZdBVnw=KrI z1_ea4Yi7AlR&Jv&tLnOv{o5mUc_Rr|e)?3bg~l+NsWfZys|ttc?QO|@&@qkfwiF%5)DGK3v&phY*sb&g>AZ4x+MU>?T^|5~ZA}%}d$HTNaNt37G&xm@*{Y1wowkhub zzMP9C3ctwb3fNmwk}V{Z#C^r9)8?q-!1je-X!|19^WH^j_T1!MDaG!RsiB|m%a0r8 zxRpVs@5Z48V!zFUEj8FiE+R5^6A;|cMnlobo$a!_KDh97P(%2YSa9t(yc9)ppQAAP z&?MC1FD_(JFf8vTeC?cIue^$`L**JLavJY7W!d;KLBPWWTdnL}$>KqHM9$Hzw#3b> ztWMkqPpT!ZZgz0g9dkvWj5<18w^pjkUr4G~;^|ogLgKI}L%%r#Q~fncUCT(Y7&1=v zMW>)-s$`j#8jU>cV)lMHF?lzJ-#F2>m#if>%09_3>`&|S2%%6m{qxXIu#^LZjnO`H z(xHrbMgUvs5o+u)RIasLqrZ9`^In|Fn>b4R=BO*hmJ&k3b*xD)C0UtcobOD=l2HJg zTuQiFMl%BFZjXk6U1~Bq@?+`AyVX{o-qdWGqS}k9RZ)HmpC^vwX@WVU38*o)l3 z{Kp)F-f=ZYdYHD{ds+vNlhrCYQ(NzPfz`|aj@p}|=i0Nl84g=VxP|}qO40OWdXXzl zw!>_ZjNxXFU1;3<(E6)nKXyy5aC~`?0U{cQ%I8y_9cbfPnE3q$Ky})du9EX1T2Wpb zsE-QYw5XzOi|$IVBaN|}TikO%3!|o|DkJ_AHo7P|+6Shvi#$y{0Vh{~o|89}$1TS^ z9iyM@6j#_2O?=qt9g2BHe*I@k-uyjD)N(1n)B+R5xQbMa#f2PQ5{!hHrXN1%(lCzOIuHxm*NXw(`Y zXde255rv&cD((G3@0~4o2OHi(SdNzML2p~0k0dqPVICymv4fh@T+ozbUN3{ZH9H`W z`=O~|J-2ggTVf)Wsx^ddQlS-}R!nuo;cj6I9kTE^gCp!=vJyJ~#7ai-21W7{cnbM( zF@5Yr_1J|6=0bT-V?RQh*@0oZvDt3FNUa4#yt~Jl)o6cjz3-&S_#KWh?^eso`T|M|4vu$Jo!GWim{ z`=~MeHu8G|^zgLmgH?4$7;dZ;km-wlCSG&mbM^{{1nnHugkjfYZbX&yKIT6L_uJ_@ zXQJs2Yd60f@;gV6v`fY>o3HHQ^ufO_)VL46ldxg$n!7RQXdwW0r{u+_aw2u7xySt{ zxy+KSvlfXDSYj2S=>l|Tkrv>xucF<%*VSZJ9b2Tkyq5)}N5mG?s20qc0E2*rq#_#X&5;}G(&=`9#WXfbVvIOFS*Hv#Tp$gnm><3 z3&0dtw|UnLx_Tg$CNNr+0v*n=pyw>EX603CrbKC*iIGdpMs8$~_r5b_Rn9UkiD;tB zn%s?RbjhI<_CEs#O_JIu=}*y|3`nkptA^2;@M$T)0>YFM8FKvWm>15gI1^9MUF+Pl zg<7^YxS(`d(&AJt6*Ud?7fDqb%_^l!9CfM*Q3S!ZedtWGfP`u+!0RdTT~gf{%p&FjvtW#CSthnGWW9i=7NPr4 zSD{*?j$e%;?u|(G;1|c$!&P%$-xqz^@v}qytwsTgmLEuv^G_*|e#u28)ALTL; z8VR;cz9MsNvk*>}#4H?-rdRLpyJ<5vAy_scJQF{_O=}NQfdD-YZd?`5E)ZbJ3ZkL! 
z!Fn`0ZII#UdfN7~6;tn`=73s&y$ngZ=~S!v`b*~UZxjLF-u%#a{O*kPO@brYObO#V z_ruKKLkN{}1eMPNc-W~ns@ls%_Q^Lxf~{LbX6}lut`hp(!x5N2`8|7OzfV=f@t3;X z6||X2N8AORERu?>DAfq7;S$rcHR~LnNF_uAUKGnq!Klq-Lfh%@6N;7R z|Cln)VBjgFU6Kz6@tMTwi&Jb-jY*bcGbADErYGT!Q?WzC+}HMyNP_tV_pX*qJ7p6Q$e z1~^!BsjJ(ACL55o2kJA_;jPg8fTfU=ZwIsmklVyLK)g+rF%^1J9){%UJOOUqB}2LN zNxJ7!6uTpsHNxbJ3K9fwoZ;>-i;@A9eDQ1B24=0DOa<(Y5KaZNFU~=;x8SrW8L&T- zld_fQd}XydqjcSTeK)P!=S^BGepRjVcxfJX9JLy&LOl1cj!kxMPF}u&On=k|av_5y zP~KQ4pj5WCeW5T$56*+Nal)w;mD_@-h!CYe)xsbeO|D=Rb&yd#PE7Z$S13eZQ+Brm zc}YKX;rUZ8*sj&%7sxCO(RHk*5`?%n!D0&x#1)DfYNU7>iO0B)K&qr zC?ekpU-;)sdVArs{r+g%y)Okp-)}Fvfy(>1CjKme+^eFQhmNH<9DKE<7Njf^DY&Sa z`y)NUreqf#9EbzK2k<)ZOuT=_DdX?Gy1A2Sks( zot>K@lWo)NbtkWLZ<`l?99I0>*~6!CZUSh8-QsIIM5R*|s>#OvX%Yx7cCuD`y8t*?E*SHKZvF2xS1Fa~XKIwTWBa5CNPi7F=sw!il@hIaeV0jO*&1z#L% zB3x&7(Hul%40X<7qtvl{$p+v0LeY>s2hGHzVyip)?hKgBhm{9oOH8W_0)FnCd~cMo z{>;a86si^2Gh;&7$(L_;;X~2{8XTxTO6bYT$Ll+itoC%~NygLq^HT{5Jf*>>@Ni0N zdq}LNIOqch_UAbIPa+Vr^nm?+alG|RadM_Sl%@ue(x_~qDqXi$9PEU6YjzP<(Vaj! 
zZ|oF~av?lTQ<`P2VJ~bPJ3PaUCaa2YVP z6ME@E_}P|CbNaBa4@nFo2=Gjm_;tF;@!i|JG35(Ue~y|huksxe3jp%_7!FxRx%R~3 zmpXkqKuv=)U;0?2RsNei2`1A*XT03F5cM2FojfYZu7MyY$ zDTrWOogkikj3KDPV3a(cw>IF9{|&uJP~K6MOMeixJ>$e49+}!gp3ds&xum92sWjKSJP>1%FkON!HJa%cw z#2Mwc|JqE)frQibKJGKvvbMEraq0Yd=`O4k{3gMitKyY|!$?oP{|BC}!1wX2J|w*0 z>FL^^<_L@P^_v{~=;{K+pEuX*+3fO@a;Ifnqks$gdd`P*ikzM{7QLqu zmbP5z0+u!s21V03*KKuXf!uI){cXw`(CLaoi#3efFjjOmHz&ezDSA)wlIb|HAj*mB zBC_`m`HaGX9ygX&k=`frC0P2a;Do_~I=PsEFz2KaEQ|HX<_PPx*bUV3syZ{h@>+{5 z(dLUi3ox?XKmZz2s|uk{?46cLV zkjOVKn8xhkX#X6VH3gnBP*T&X3QW@K1mr}?!Ca}P$Oq)=7j%dI$heQoPAqn@y~q~+ z^(+;+D}y@>1UXGRSo)%D;A&;6G5Zv~WXw?ySA5A1%|Px7+;rqVTV;fCGB3jzmO3J^ zuook;rYfBndRJi&zqKjQW~Bp=HI1d_r8UIulY^=K4>2OV#Qe@@f6{loV+eb)R4StO~J| zY2J0*+XqkZ(&Kc7U!f%ra)EjK3EMCXzbTr%OdwfiHauiV5!WiseC`(}JdSyl1MZLa z1Bk(4t8?E$t1+@8o)L?!1?wj)m){~)&op*2i9jX2xTSvExR-xcd?`O^7$gD zM*@qL(Qn0$D0y_7LN4ODkMtKS1RQ!AV(CdGlbrd#11h@)f}%xUBWW}8$2;<{sh9RW z%z-7(&Y)y)y_b5!02&L?d2(6~*EUTJ^kLSTu8HJz=Wu|db$ODwjn86LMP!ky2E0(; z`496x_ch0r;Y)!MKi%}KsLNbB_PUYurqs?ah^fErP zudGzb)T7Z9HcRik$;Q)k&%Wjq4vR4>%I)-@NlCT4X8J{)d)gHCyc0*yJC5X6c*j0Q zJ1zMX(%Mp&p0O^%Ig5%kdg#q>GO(ALm7Ts&s7x&vTcKmV!Nc3YOU8Tu`~CZy6>wAj zey3e$vY4!=EAZpfqv22DIWGG!fvL@LygHy0NhE-F$Jmwa)AsZxR9W7k$Q`zj+~Zfi zC|S<}(njR-So@(&QSqVchaY)L@!7N^hot6R7&(jzd$vqOcBm}&6qIJnyA(VVG)P<_ z@p;P1ja{5u>s8&RDLebL4MwY}q5#XUax4~e6@lXb`(EKf^pYcEJZXP9X_?U4Oeyg= zuc&WKaKJ*JC0V`hfVfy-x0a}e8$}rk(su!C1tEqFw;!Iu^~3R%4vAmxdEtl&W+BxsY-XCCQl5owy0n z?pQ=(3tn&PSad%@4Y>ct41F?a-E^kB$S;<4N;^$eM~V^iKCh2jqF97?>Ik=w5{m`V zwoMhZ^Y}C3>8Mep>DD1SB7meYY&&$PJ% z3)fpu=*r?&@%?Lg=I%66Mt8?_LU5AcQaFN|`N4we8E_!5-xMXH1+CH~J41|4K~geu ztekHnb3vIGctu|<*P|f#-ii`_$aUQ=BHe^PJ#Qf4*ZW9j#wvr+$0OUi6DpTbRv;MO zk`KL8yjA@R*4D7JtYw-9F@%GQ>>bK+`$!ZS?A?XiS|G*vP&9fxx3QzxR6(eFnf75v z7NuQQ0}vw7sj7FrVZzY_SC?Wl3c0}nWnL9I(^xp+q$_h1dg=FzHHgN!zgmG8J}VJVusz*j$C!!Z!Vfa0s|4Q9+$NsxRKc#in6&jCsY9IZXo z2H9|uw|?NYy`rk&flG5W7&{}isxr_yGqRVT+ePx4=j|DI1w>mB$DM-@=3y>f3A8GJ z5$a|yOH(S7hROlSmV6vo{5YN1brR 
zbnPURBUIb1;%5MB(8a`!AXeA@ocne!jUgJN%D9geV+WsuBYvDyjRjmGmu-b&p)fji zFh7u+@g=n8zeew1?vRv-__`@l_ZBa$tHeB+4rEaxw4G2f=pZr4QVBY;~U>*h4MD)LJIHk+Biuu2vr6OINvhpw|58(apzQxqb{)BSq2yosO@ zyI>!uP;~d~kaIvdy9ab=eb+#iKEpvYL|+-%udKQ4SyI9*x#A8FWiLBLlg}eljjyB+ zgmV&urPOPGW6X#vr*&@A@3TkrAeV;gydi;+gqTejNrW$>Nufj2*JjqESZH(a^A~3X zT~8QqkafcJxg0iN1l|33Fy=Ypd&*@v>U`Rz|LSu$Y@{Lj34rB$Ny56+W=d?2-3J%Q zK4g|wvO6?LhW3syOvmUrO6=aSPm2z0_Z+-K2}3YNbd(0WU@-D{PWBn1VDjKAIn>j; zs7GI0l@f9b0UsDz-4y%!C{=mn%Pmr|M@&9|$E?YIfPf8S6b=4%8*bjCv0G2^<)oH* zc)4)!js|kFLn>#`HlttM55S!=$2KLYKajs z{C*F=!5#<+Dp0M3*2|liN_Rlk-97{lJ6|Z{z)%}o@5$eXu_jtND+UlG_{;ZiGugG= zZd(b90B0jIQglCA$4j5oG|`iH1)$-NS{JiVM?s(40b=|I;sR=nk6U)-iVdrg3{d^U zE1|6o1Lqp-4!8B}_B#IW6L6_l#myNnvq1^J?2mI_df=2^V$Nb>%Nw4>NV#Q!E@`3N z&4L6`w;cUkb+DxPviBIgdt`ezk->~XdAEM?!U~meo+%RRt9{QaG6OkgOU_Y&dMxy` zs#!Ejz&;B*?iPdUtB-YXBWUT&k|Y%p&jue)C@bI53~FJl|NasF?dfq$&P>nmrwI^a zZo_6YgFFnsM}@K`SmnGa`TbnT8+=T;YL2)UrbI>ui~;2!->{e;g~SqW;zQ^^<#SU> z+9Q~D+4r9fLi2+`b4YWdaa{MdE(>|hQ90u}W0&Z#()4(a zU|IE(84;v85hQAN68oX()Q9@3toY@sfmV)IH!r4B;c`Z}5Hp8L)w5Jy3b->_T(ku$ zAgD59jzx5yMO2xZj9#5DfjsvCvzH|By(IuUN5QU3yl^^5FBf&RpM#o@mW`$~);=K4 z11mZp$wudCx9(K+w*W4tW=Q&~;p=iGU5aC061H9?jr4iI@vBwen^PRP{^XA)tfcmG zOHNYo<4Sw8f?s@P6>nuNOW{%jQ5w$b0Ck!V z1Z*wIYG4PO30w+b22;|g;aTNA9Srv^5o$=*)j=jy&CH>1emtoAu?!Px=!)P1DS_k$ zi4|)cdMce#IGnO@^1>AyP9FVclidu`hd(b@;B=&*s;yg+a&}(@7+dW6&_|tE(xkHz znw#s-ZY-I-;s%`WYZFHu<7ltvz%s_v0N+D%L{Pl!Rc{Pf$A0wCUh9OY96KCO^J?CO za@zT4_0ji7fN+V(98#TT@Mk@+N=K>_bK)On!tGwgkHI%zuCrum~Lkn zk(fZuSVHEW>2a%A_#h-beMu-X%e>%j*?Fm5ROY$anK#T#Ak0Z8NM}?2`{-#rlg;~A z7V+}w<63sjmvv&l-dsDY0Uuj_bqGNO7F?9dKsj|NX3}MwjJopFO)5XYoBDCZ@@i!{ z%Se4$YKyP_tOK_*?aWvzf}HvUm!vuDwvfDf7P|QxZ_5U=^R6p=nS>10NRK&j-GIF>`O;+mGTsc^-HtL0dZDfdI3W3j5IgV% zgngM1W540hKmO7id5jIP@u8#^y;(qWVJtZK?7yQMf(}(iogj(lIN1OGw z^vs+0*IH};Z)qGT3#T01)Ev?abA_*tUdyWp^HhsiW`=)~GU6lrLMlJ*o@Q;s9X8mq z9oF72r{O`a3Z`OyeG@;V7wuy@;(&MqBX9D9A3^F3JZiuTY)IG!ebn3Lq&_xNN3)L! 
z)+N(Pu1y8LnPM%4VHr%jSPAYiL=nb-3lHl!(iH^9)&>cc)zJ_CQd=s4L`5(A#XV+9 zDzupUOh+Uz_hN%`>9f!hHC8u{`GyM8yDDxPp$a@TC}V4trUaLsep3teI&c>NA77T@CkX|6-R>N{O_QE6LNfV{e`dVVl2H*8Pa*e`d@xwd=;J$t=|A5g z%HdY?+NUu79~!}fg^=y+qmY>Ts zQr0E53%issK5`-#o`xqiRei#pXGB^W{r;%!SGTgkS$lHC-mQ!lg)6c*!xvU#)wvbZ z`b!<%i`_AFJx;GAq;(i}ax7dEuI6g$j z3n;Y7vhzN>n&=hp>XCm*kJw^xDgQb>7MZ*#ewmlp6o9pgEz_)t<2icMBEflMU9ID! zzLiLh)%#^5a&gHiUN1p%8$8{Tv;vAOrPQsVIrA6OYX1TeF(;6&8yf&;r(3Yy7 zqgcx&{2Q1W=a~j#?v;WB=oYn=8%yKEJ8+T(3w3juqpJAlupE=Qp;5J7kW$ib$rk|Ohn45C^u3DQ=rB} zXLqpGGD7<=wMfpw{X7Y=J`ShUX7F?hGPerOHJ=@0Wkk5DxI|>E0umCm)uSr73aXXP z@Zmgo$RDf_#E&(?#UrU3KZ9QCM>y4agxmb&T7)`mX$H`c(vXC`~gi8Js$)`xPFXBe$>jsB70tL`>vkF_hgw?C%OFX@Q8rR-8 zU(<4)Up&^8>N3=rMN4orO-K)N#72%zx!sB4iy3^}FSH-gN{oqCqn*ET1_8RLH^F5r zPW?Xc(H#Y7n~~L=s&mkpgeHd+)H2lLn;=q@H1?HptOI(i3~;^9+ca*>-+ELQX;T7{ zCmG3O7?i1rhqTM&X^dEkqvw}i95V*orZPK930ip{?S_yed%Qh(G#{FcpmVmWR}QPQsdjZOn@ z?)9@Dz9ncDhBv2Nc+)oVYJEK~K@JKo)*-_?0)@enj%#oRVQJc8!fac<3i~kvimgS8 zRcXj<+FqKTc_ln>HtpPS zuEZQP|LV<1kiIx?MC)ZTgX0$)@26<;?30|_`@YO=NHd;06r6WTeA`opuvXEnHp~

Wx#`y&I%-~*UvYz3Hm0$&fA2MH2?Vqq6p zaOv^-fq@FEM?Z?VnFFCYOi$PxT2~WHoOTG}vll-`=_6oGF=SMzM^&A1f+iL$vb#B2 zX=*RSGVp8~m`Cs-5a81zc!qfQAT6g$-+Q;Xy_8Z30;8AStQE`8sMK4cB(T(#lCkq- zlURgt@mZJ;H3zezdqQPrKd6T(LjQ2mx~2wn!3ruLsT$DCCIJ&#q1~nvte2%P+Ykfp zb`lpqcmxfg?=5RZoJ%NI*ju(nN;)Rsjl}^qZ+nNI2$lh2MXIfEk`3%X2XAT@TZa6* ztVb7X9cw4SM!%`$lNj_?XT%MwcZqRgshIVD9eJ8$YI161pCl-&QhJW0@=j1!16Cbu zrQ6*cYYKqn>HU?vM)8tmecN@nY4~+IZT`qFEGgZe#pbbtX!xs96ZS|w;}dePWK|o8e~_X`Ul4c0 z?I@&|O7*FP%A@!*I3e*Dx1uUgO9`L#)`dPVuTu%SEubG8Qc;ZS!S^6~28@ymBBqq@ zRo1ws5Ly(7iF%Aa-`wV@Xk|*Q279`>SzM*HFa%Qom@iT=K7bLj5v{hPiS-218>W?&VeF~rO<ecg4k6c%DOt% zWXr0xRH`n&6f8@W@YaWlw;~d4^q9b>ALP0QT(& zYJ~$Zp>G$SnBk<W5(Dd%_HH>d;QTCWNKcPH;3c&n;<@W*)^(qi+)Uteg8K|Ko`W4+O{cF7}^sZXm| z1fDKb3g;lnJ>t~gy}v484YZn|Xk)U96txHlIEF`qXAOLLG(Z{qVVo!Sam)9(I;OyZ zublq=5)m^L+}F=eZ15&PtsZJ_e! zHkw&G$)Xbm8mWeSxTJ6*KHfEgh-9a6AK*-9FAKK$aJNB^$=?pi97WuE0HXy7RqwIo zW@8v){shYLeF^j6DIl)9u(UPeCh&9IMVqL|I#SEs{!{{Ptd2`efvI?`e59qduhoR8gsCZKgdP7qg%7!N8ZI82~$Tn!^jnz)& zkEBS_JGF4Q(vW$51#O`&A3k&yVy-NCj6=?GgDJ-2qv*jikdzG<47GD#nZ_lN zt3`Ke!=j9pEQ$sAYDkrw33&Z!5By72QX0Y5{8}i{WHg6m9%kPzX#!6K#4vvgEu2Yc zAc@I6Fo2az5a|PmEHl&(B&0RBRK?(qw~1%vdh(ZIPaf^caQu> zkIDoJoT>(vd_9>N$<>ewjFzQ8Osx6%Rd+A=xl@k^w15;Fd= zI#LQ%+jo-aT+OmpC=S+20bhELQE2hSnruf8BhioC9-#+lE`;%DuA?Ym|J#bQmK5hfP@otWjfoIugPm|asqQaDZ=|;-V^0;# zWmhkGeZ7e(iFL!;vp*-01CqgPOfl{IK?CPU8Jw<^xqJ>OeWhy!`4h~&mcg;S!FuHx ziA)elz{nx96jP`G%6PYPcSNghB6X48EU&SizB)A;R@%uXgl`2q62G%LhrDth*11{$ zS`20NjqB(~xZ19ViXn1v+z#U3(F4lr?<6?2OJt9e+L#z=2Aqb5ed1g+x94)Yl*1T( z_Gb}65$SB~rURh0e*S6Mu=?_7Qkm_s*b2sSfRRld{<_Ngm9A8Gz;i0`U%=RagL?&p zTRXS=A_tW0lp)Z1h`LYvHG1#2-O{tOWN6Wkn4;>vFKSyk;q5*u5FP*H_}jy4N`%z%G|cHgj{AURFew z*=Is}W$B8cM5{t^QZp7y-96=r%K4rE4H+-qIcpo17%miO(iPxTmYtN~^JM1y&Ydx0 zmNJmaZe2NzkJ)mfzL+2g7o_jGjH>ze4+c>W^@;<%N((7ru<#g~I5g$0e@U$aU}bLl zxHoWU!k1PQg%L1{A247mGR^4~g|%uLnN;h`$&EmpiK-Y9gVjq|EQHlQfkp}Ni8LhP z5Mk#7gK+2_Gy*XV9%09ixVZ2^<9>q8dHV9^=E_slN8oq4P`+7Pye-+|^3IPWnDe!- zo(V`^?Gvd?U9Oag<-xfL72S!T+cw`tl~;#{)sKV?BH%Uu-8;l`To>QF8-$UVJ&v6h 
z#+draJJ$F&RO7Ps2&)61yuA((rf@ooczD+&ZVHF&)#Aw2x9()f5nn)YM9bj{Mtpb; zj&&s|ikE`%Nx*NrZl0*qXY%jNu57ST0uNfR$6z{(^?3~P{w_O!1}Dio>e1mb^K1H^ zFFhAJS(pGW-Hv(+uHeEMM@?v`j{?mma|y-}qsCI6U%?h?x7$|aO-TR{8n7T58}FQe zxST*2r(yglNFK~0kJ9j*k+d`gSAJg+;M(o#7pRTulEoW?XCG{fH;>$)Y9$fJ!NK8} zyf<1c^Fl&~0;LhWL=QDWG@(#?D&#A~K_AB}4HG1vafD;91m>R7*=mx%kr&^gUahGk zQ)$L5hjrSeoJv(8jVuS~7@PC?JH9b;Eh|{aP@(L)Z{+~l+CgU!UvS-hel@@~gK8Bm z<&M5Z#FC>TQ6v*@6x~IOpCy~pnG)MvP`v-@%Zh0KTj#EE_eU^S4KywoKbLR?YmL6v z5r{fOQXHlqwF-~d&OD%lN$J;ldXy0D{z?E5VH|1&`Yl%2ExiPwScq0tH&Fi-Sh~Gl z=}GfD>`yB3AFE5AAKybY&pxw-gcBx+2|4C6l_SPj22Zu3#(Mb`0o)OVY6S5R{pyTO zGh4MGH|=^{qzuyzE4u8kK@}B}ZERRc(biyx=Ihcx9qzWsjjDwz{kUx6nLT9g3~o7f zZTb8BPf_vrg(pG4meU!RbJlx@X}AHU<*iCZqpLRH^4hM9v~Z0JaWrySqw}qeF7v?x zTy|(-+H?0#Q3mDFM0R8^kk1?fvb5_rIF$1u3LWwCvuB}T%WA~b{Da>5N|aI6Xw<{B z)1%vXFB(G;0Q)nH^_13KBZu3bWEcLP+^Hw+ueN)|Q~f|jXLHt6%D6@4OOrASJ?wn|gM?v&ui zWf}mApAual>D_&tjn{6XI3H2vjIpc6ZjIn|pbym02^5`VbIZUNH(&VIpV};Tr zRH@OvT+R=yL^vpPMV9++NPG6CrPFBQv@fHNK^g#l3~{ua&9CChIaigQR}5;g*_WXe zkI(@Gc0ZogFRE5CCDcm$>}Y<;eC(+5^j5r>tHi#meu)^JAgr(W8Cp7l>w&?SA+wAB z-m7snt~!=s-;KLuJeu(x)_Rq3G2OIwc9k3_zKGgYlR?J=o3m{8E-D(eucGNVY0_6t zUJ)0-x6p4GF!JqlJcYDanlpAOHC#TcvubNK-Pv@3xE~bo&}?f3KN{B9t(j2_DB0Pp z6izasx3eWLFqCg~vyNI?v9oQ_(c$@C5MSxJdbp~tUPX7c+Ny2g3~Jt1jU$7qEk4E7 zrS^%hqGP!rR+C}epzPpI5WgtDjlFyp%J&j+6ponHEkeb57`r!o0`4D%Fcg;S~oLii# z4|1scE&@a5_lEKPqHntmE>JlTNuujchLYib()~>xeUJ1ytmbwyykd6e)2@Zd176;l zGHt)2zry#-90o?yI{M0|hD72_l0ZKcbK*DFgxbHig@mZx@f3bt_=Ar$SWtEyx4nfu z!VxjDy9@b3CK4hyw^3$UJW66WY<%PimKIpi^9=f;H7KC~$a$s7>{_MW2!lV*Z>uo3~DGm-H-exZx0u&0KT>dN-$)})L8Q-UzoGdBW`P~4jjgqJV-8n zYjg?S+lv(gJEsj^!})2^QE@3-25xGQq49yY!_@)RRX^MvTPPoKd%5wqC$#F3oJp)j0AehFg+(W8oA*GJ;1Dh6*=wI?q2q+ z@Nwtz9$9Z9C_gR|DX>-nXWb{9A=jDK&}CGFunrTlDnv%@Tc0kBUv*tU>70|)x`dGd z`FtIQgPT=@cNPLKJ9*qF_Eh|Y`Y6*lj`yr`ezp>UquiY}*0f@A?eIXBR;$b9Glz@a z`7sf~c>I9#*=kqy2;c|Pm2NOyc01jO{ynD`q((ggsdIhU@RTn4!QqyZ{a9PQw zk#7#!QiiBQh|#|)$!>F93(?Afhk=)~5YmniWp}P_`+#uJhM;q)Ji$uvAN#iPP3A^B 
zTLJ!o7n>Tqhgv-w0kfcxyu3k{g)PuFesB@-5!PCc&c-~7i{#|g25p3F}h(Z=~4-;Jy{>-=5kfE{rLOsVZ zH(KOQ2CESan+VpkzrpYKTjlHs!#hhgK&|6WT^&f`%%tl-y_HQ}R1B+BHn@uD;66Sk zg3Gw5%f2eizI@E-akv4mklOC{<_0(F@G#=xVB@Kg%*Bp*6hc8efiu|{6BArE2_~Q+ zCn3bKR_ojb8kS?pu-ETO=IJVM-D9dqQB%y#^^E&%cpyHf%e%VZx$)v+~#%OS780*!Qewv7>?e4pf?g&<~$iQpXT7CIaD}@tc zkadnw-Zax~R|%@72CImw5^hLf?eCn4Bn%0EWA4YzL)K8mMX}Ud|6QQ>VeB|xItrXq zP;`L`NIZ0oH#8dMTX3jb^`2CGX(4=)P?m0V`geE&dGc^lithSAeU$9IuT<_8sUZ9%Pe-5`OjW3-qepjdpp$?fLGX2B@XhnuUTAtou zrSiHh!q*q5Lc7F=E2Nfrxr!ayk~zgTMowUw+2=fTSil*Yg|_qMY?OX2;Xvf!xw)ko zx3ORO=BP~{>#gcV)?2zbvhDgDu^_9~S;QL89DR(eaX6Fcv72NGL>Sof`3m8FQ3@gi ze+;lR^)iW}Zsb*Nmu<`d5D~uj;;ARVuF0E2{<^q<+WBn+1o04gEcGA|a1yO+eNVTS z_L@Z-J3`BJths$5>G#q8DFB6TN7m4xrwxs3?_|#4v^Ac&Sfr-+3b&%!qwMz-mkr}HQXemtc2;3&J;ab!{(QA zFG$cz_q>-$xWU%~JT*xL>-EeY;fm206xq~K^A|jgF&}kNQe=Nr=ZW-{vZ>L z87+9j=^NxDqHlzk`**TFlaor5rP3t0S%qK)^k;cpct8F zBzHnf8ho&Y&-weK-iJ7X>xjoUD0Vk!N$;Gapx^2*w25gm?a%)~O2tk4D3u$AzgGrW>UfP&GuL$a-53 zgdQ^9F;Rv7U7u3e=*Ni|Y_{t0d>80_+|eCr`}qhLy6mqHtDxxct(~`CLk6k-t1Tsb z5OSSDnegj4T3?F}w{1HHk1&iiGkfA!AYeoxM?fskLt<^ujA9*AOj}~9Z zRh@*7(XY}-G$A%w7=&r@d~ArI!dESvx)uFJ!~geWF1YTY$ip7k5S^^mvVu1Ofb>*l z9Nl8B7H)=bESq-%QXdoCE90+EyMJXlf~BztZ5>}FUeA?a&Of6j>J$evaW0Vz_dYTt z;xsyRLM!AH3QLDDq1IFz-y-BhUZaz3gD^32ZY5P4dc61s8=^YXgeg^9t*(WYsFM?6 z4Qj(s<@U*bCs@{X|FPfNz)e79>_;qIea8__ma|6KOb+GG)b8bhDzmLt?MJd=cd?CMm(z1VPwM*k=ks@c&4Tj3MU{wun}G8EeB1(m1-IJ9m|#g4-}b-qdF zQR?%S<8Y$JsljY6{WjJ4tH7^&X{GS@J+vJq5R}4fwlO((Ale}Xactzta6h}QX9eYJ zgk1uIW43Y+A>;jofnn3x668c141+mj(+v1*)nm7atuV9~rbd4uH~b#@v2YR*7ol*W zH5!f8I!^g}nJ$E+wHa7ZYriAzKi7})NC~og2HX7)ewG4WDK&x*eEdlym@%rV6f{kb zC$*u0CUm7XaZ|6ArV=B%K!WUvsN04~Ajt+MXY&zuUpIIQpeFimg(Z79m6U>GqHASG z)0)tUfbP6sa=Z1r=Gu&>uHCkyAgu7hM3Yai0n^;#P9}4nN^~NtRK>QWU_XVnPhxZf z_26)Ox+OPT?@=elQ$8lFhIV1KHme;*J0>f1vocM;_^LQ2ZI}7jtCIUcu-)R){IX7jJfT<4dsAZBewdRtP`c@4mE2<|X=&fn5|f+@i8g5&;h`Lfet} z9@;L5Y~HKu2B8UseU%N{rVY9~i*AO5f^@0gHracVfN{rX3dfwNvkoM*7<7=!DoS1m^@WyB)J2`KTC~VTBJ$~8>Ee92E#&C___kTeMcTNaO-** 
zxweZ1<^^@R>V%olzMEj^9vt4IaBr9Q4`2SiStQ2v{2cDy@ws%vn0y_x#yKX$7 zdqRWH2qVA}&T7Q0P?RBAM8`b7n5hhIM>czJ>Zoa>=s3mIYxZ?#8xm$y;yw|_jSzv* zk?%4&mYWTmbTP=2kpTr$e2Rego~1ozO57_s{F|_z#NlD1oIEjo<^vM}vw=7%2b}cI zxYAmb=X;v_ zQC8Jv4(LJdtLTdwI1lQW6$~rV;V)I^cqd-0{SovaSXORH*Qn#J@_4aY zHt{<1CtKg42k;Jy;^{LBAwNyZ7`rjHL|P9^tjqf5JP9>4UahDy3Cr{#v|3;GLzk91 ziR-F_|205ft&-R1;JmHr5Vz>|%M-K+rA6!1u{B~YR5c1!A$ur))-KRHt(~pj;M~w` zv-=?e<|<+R9N_8$WsgQ$MmvWq=_>bCyuTl8h@zAB+J{0J;*I8A>)0pf77dHCY95}T z@=fxhhDNFTthftt)w>~GaAvs=-Fb&%2oV&=W?Y&PNckiE(Rd5ZRV5Lz_xG)0&h}AX zgpB3AzEJm&CYvD*>P)%+H86a5l#r!6yttqTa8=J;ZB+V9aNH`BS#TSk^+IlmzjHRPpwozkKM9nw{UD-v*3ngb6mEV6 zp;!kg>tmOw#U^NCgu%Ozyv{U;G~4M$!ez$||DF*HB5|TVT*Uaw*_TzKztAOhlolKg z(B}HWo_4Z@wyX*4PXKq<=~CHkAYx~)x?eU$F{Gj>UdT7zCN ztfSeay5wHHXB|mBUEE-;V@>6GC$;-m_8i-B3R=~J-OnVBF;WWm=3Rno@teEcsk*a{ zQ)+(s=b0q2oh2Yhb4atfQZ%Z}jPJYyWDea!c76`b+K*OP!SRRY$j;q)tpOf5Cr_hp z^U4@vh!#S*K9VPW6|kb8f(la;X+#3=3O+yTiUc_REn2kOl>yXFXxdK-nmRK7z2%KE zX|k!(k7m?Tq(bdUPDYS{iPS_w1q<+~RW%bK79x4X_+h{VAOGl;0cZO#-_8e+b;1GY zi5r~qO~$P;E(ng=6W5g<-Y=a%mubc-il8qbjRo&0lu%oe{B(b0<>y$8>;>qheKZpAexje>Cv9cxX3XgfLbHgMq z^v`_Bea#BqL52f=GehwOhf0?Y)1{}6<$fe1Z@Z!78^)~}d}+Rg&Bv~jaH44;JCYDl z18pMPtM)}cyod&X@zCDo@o~PUE(<$Z1%?kXn?u^wOnXs3I4Y>E7zy4;^4z`9$wEXV zo}Jx*59ho-{tK7qmqWpqcO5oWC0#lh!P`LPf`X6V*tJp+R41`+F1_;ds;F{~mX;Yd zi7|KhQT(+>wetSdez%*f3X@qJ?tkk7Jx=J3D<%DvN$^K z52n>a2m&=N^pd!vUg?_jns*vq$``8v(^yHpo)!5^#N<%#=^2(s46rhrU})6R4ncT5g5&SY7)+#^ zrc#MXr1tyPbb?KRO0=^-~5+p4D4$8K2$-V1S-;cz_;O>#SRlWTXkZ84L~iZ{990Y=MEgb01|xR zb99p$B=U-C*op9RBnNXN0dh;VULsnp@G_SkLg6Zr)&C@N@WRwpx^IEy7<7G6Amv)X zN_c^M4Mz#c^5kcQ{`Og+k@9aaK+C<^{V!@EgmOFy=gtBO7ued-(|k64pdGOHX5M1J zt2%`uh1=X~l>AcrFZ5e0*Kqw4eM9?cdVqBNo^JurU!oV!1W#s{!=b)4CUX$vfoI{C z$uWE=Fb(VS<%G2#H5eaV`|je+#XbVy*>m}EK7>y7*|s7I{D+)i58wQ-bEWNZe=KB> z2~;NH!z0f?H9|eU65^PhzvgW-<-fF~cJ!vj*6aP)-%WhEx`{RGwIxRQ&(3IHBSh5? 
zbn3B>qw(ukG}1+Q_DBt$HQ51U$+o&-GpH(*@A=NyPoY9)FW@N{U4JO6 zyFwM=gZBih3-)AN3xyz+hGD~%?`3sFz(fPX7~@W0=QULCx9|PUyxLw-l$$Mh{qSOy znM2H=Y+G0qFL#PLs=(w^dt)5zjq?Z@7 zYxPrFr$|7>@ARn17;)Qq0A(Liu}MP4QY$^IZl3RCQR?0plkoxwS|Q5CKM0Y#Z79J} z6y(PR=L%bSMeRXXba}&zd@)nn*Bo_2+V*b1vVB>eKkA^i_;6!(@#(U~WDr2xNuWZYR z%z6?$TccDpN%Tyo_BLDIWCVJ3&Op{6Ai-Z;W2b>)2=S}nr$Rr`Y#NVy3H3B`Fw3_? zJsrBRmum!hoqrCd1S)@MA(d-rH_;(p(Aym9Kd%D>7 z!R&0+E%3XOpY7ryneoB-WO)V{83RW`xeVS$KG)x^lk>>q+wy95{{slb@#Z7u?t@oD z5->P-;{B2S%Od-}lvYHcsruHf?|nLjItjT5|@qU}Gpf<{e;<65^-9mZkDpNg5_@reU z;_e+)AQtd|>c(6ElQ{iteJI#I|45#)9^36|d)PbO;|K8B*>0-P5tI@j*Tp8WOSLyf zQA=2y;QGLWGOG8( zJs3-p1fC;6H#bKg)p3YQUgJE$1KZi=&%i;Ka-{Urb2vPc#lA_C8qlYfbg3NhCrNmgqxXUwh_Z$yANHoT zcbrK|Lw=$D>=BJ8abSh?|rZk|^RAJjnOI}35iRfZ`|?vWg37oFen_sX&91tSLKFkF#!3{%QCS}a#| zI4j@3NY7d-=Y>0If8)Xm`MVKs1fW*cJ7e5-}sJ%|J z2n`vaeXkq`nbMPiIPOn09!I|Fq-l_X6}ia&84a>wB8rOy>9J3>S>~I0cVXlWz`=LX zDD!Gq%pGxS&|$4x(>>lHnJw{(hH`xDW%?`z}bCbT%ElTQ?7G0Tr&Vk+zrG$NI&<=%`ZJqIuGC^%%y-2vq zoLVsAUyV2Yhr%fx6^}pTT^eYwx=m7)pK7!n6Tk;8VvD_?yCpr%>H}3z6J=gSto?_) z%@2umUM>-YCIr6beZldcW{@u7tel)ux&uLk%Yo)XcMO^Ti+se~VVeej;t|M}K0Ig` z;*9%?pJ;mqYvgvU-<)}Qcu+}_AAcGBY{vmtTVRw(n~Tg*f0$WX6WAx^_sQIgktc3P^7v=FHZDxYkBcmHi-#B0G_a0uq_ZKFVYF68d!kywM<&O4Lznn?IVbul=koiiF!1LMKVTSyYqob({34E0MPY@kN z{=+YKyb{0=)42E&D)d5D5%qv4QmdDqM>vor4oaILebj=glV>$jneYOYs5W%l;gEgc z^X9qP8@|k*0u-ohi-8T2J^(a?nSHxn*~&TV>fK8SuE?|!K{4VUTea@O=YgW&ipDun)Mb*(io%*HZ?d+~e099Izzqyj9ah0mT z<6eTQVO)C0u3Cv?XO0-w7}Niem+uEDqw2kqp`!3kqLS?{|s}H)of#5Wz>Y z_QQ8yBNa=HOh!H8Tq^k{Zj1^6?BSe;;?tmZ90fBOriSh>O<+$(@>M-%G5~eTKnIEb zp=B5{ung&Sn`t1pOPN;MC~>AcMW{)L?hz-$O8V!-JZ8hp2f1pK zgCe^e?W9?2A=`?wjEn^R$qRhnfSB{e5>8MxoOWGtn86nsH6#I=^Yk@Zx9KXzopqnR zZb|-Eiv?cJ>`hBqZ>uuqe?G%X-k1|v9BV6}e>38WIcMBO3TdDk+Kq&lX_gHmd;H%n zkEkZumRvm&Q^#~V3AUzeHCj|+>xkAf_C8q&B!tlFNoSE9}LZP6B~gX@P*W%LlH<+ z#+motMmhZkb=4A?tKCTc%?~T$_Z8Z8GxD@8e6Pe%R4zj!iLgA)OH)88gDgI|VLW@X z^b=lVAc6LOSCJLg&_K!h2IS1WnxaD)XU^6?O;nj~wdX6yU2)GO@8??KkWSFVN_>ib 
z{Pc8S&+LK?1KF>ul-(1<;(~0B4=}99D3%jLt+!fL{tOvP`5-zA*m8HN9!S@ZeLkfG zt^|gsta9fy59IgcnL+Q5;)UGx@22MS@=-T|-gywDN|Zlno~F#x0XReMVSOWZg>bI+ zV^QFebNY)XUT*a5A(0_awXx^L=$EJuTy`2hH^>ZbU!g+{chG0AlnQj68>j2xhFX^W z)HJB2vcT?B{5XkpBtpYc%cjbZfUcazGeReUE^Blwt@QWB=*}gWVdCsh|3c@+Eu~9r zYQli)W7^|ui2E7@2osAXBANwYeJ#vMR8#keoOM6zOGxx;`8&NXpRk=G?k=-X5&6>u zgp<8jbZO-kQ47CU<;e%kIntRE=g`vgq49Qp@${?93nFWut3F=JNl|FUV_9g0til^q z6`~3@CYH5TJ5H{btcOe+#y-PazyWp9Y&Dod#zj3JpV~q!AhZgukkWGEFv!k_QC4+O zfs-rqf5(W|e#K{geetj|q+KQHS5*%&f|0J$pf;#vSxK=_6aF~?t|BSkzpR8H+kpfv zo5TC~v1X5#xfr4h-(6%KbKewP8rz8RFOh5zYr+=)fXO)Tp5tn=?}a0kMA^UH>0PC%Z3%LG@G;CAk?ACiyxY=#A--%f27^ zz1a9=6}WVWV5m1z{Ooj634Uuo7JqKe=L8|w86ro5Od~Us6^NEL!W+XQ{wvCnX&Lal zX3sL=uaqA`&<5FseS;9{FX@QX5G2}AMOds8nlVi?j9^pum%*|&#Yuo>5mw}9MT>Em zTAY8%KEaUpFP&)jW-y_o`KnA(k)ntNc$9>xc@#`QKcPJ$;N!B|o><=m6bvp11mV#G z)7@f-(*955&!0DmeTHH8ZbjyYA{j~TbktldS7AFOF=HX_TFI;H4IkmZBV3&_8kF-z zA5q<^ON`snsH-(v>p_9&(Kt;_v!}>NXF0W^v2a!%JK-3ad4)9!>F*U{(!;U%{^byS z7$UBF6q)R22&l0BNLZv@8Kkvz(|DUM%lppztXTb9#SLEWN{A0D)V-JLD4oif_{=pfyf0UJn;A=qa z82j0o0N2?#$1VG2I%S0s8^M3HVACU;U+?S_y{uXs6&1$VfY`H4mpf}7MX3?@;d}?G z??%eP85m@zU+;#%r=i)*Q^=6h&J++S%6_pRq%}RB zy;7gu8XfTHI54J2$L_aJ2WYkce!tT4a5z_~AOjq?OoS)$G;>|E>*w1!seyN$rp^z= zCq!|REeB<`x_2B~Ue_k@m?qI8jl&){t{gx=Q~IlJ9LN5wX$-^_j}jb}{R=)p_GhWQ zdxXy?k6NQVuY3(-$!gHo*ho?Q&pZ?j)&BfAm-TGVnk$E*tAYHft(}g8?9W(bRSjb} z-m?E!Gqmf+?lVt7>&GCc2K`c&|SVlZs^ zO!ys)wRmwUb%$a;6+FA@17P(3OL%s4HChCyc65e-E`<4XrFArnl^R0`tNJGi4Wa!c zq1g=@!K}|#*$aA*voJb}R>}KWL9{Qc?!V8HwS~Xy{Ly6}0FL|%8Ip{)pZ>vSRK+V( zg)d&mD;3k?*N~m5FGEB&2;jJep+WMe`{B)4PGgtR z)8TGHSj#{HA+jwtS1cjtl7T#3p62uV(~gDAOioGs)KcP%eX$y3+9O_zhWz+0k}u(& zR_br7A4mr?v*;DX#*7)RU3Vovm)!5tBy5tyIv~6<5A`T1i~GcN;sa!?0v|L%u%8}H8DDMo|q!;$itbCB>xR70!n?~9o)ldB1T*;5`T0i?eND~Qad_nYZ{tYUQHIG6$H#fJb zZJrWvQ8aEy|1B~h@Sv2s{eSmvCfKsM9Xn>y9XyLmbPz2kq|{02>2_3vwT&#RAzHBD ze7m*Lqm%zL59n$5JZ2DF9|n_vWz)RM5I z7id&r^D1Or$uCsrz3*SA^-%%wrB5yM+&kz}EsCa^WFC_&odL5}Gz6vrAKmV72 zksDL1*Z(CTa%96seL687OF#pt_@+rXID~N!nFuRv5Ho<_$!vpSRHfeavxqoHn=#@m 
z1R*Kr&dFS1#)+r16SS|?$A-s#Fd5btJgHRLs30Z(ktJpF3(`%0lopHm^mIHzxVDX; zRsI-INKAH7sM&e28;c+%hJpy!c4{J~=hNxn+2-hw@1ep{Ijj~O7P{pX7P%a>_aKqo zw}M)^xNU%L5|>465KHzPT66G424ae=&|;pa{`M8U6ZM~F@cmJwQXyyvaPF9VcD&6) z75LF2M^ve%Efvc{Ydja4KDm#BND*H=GGk6B65~VV@Rbgd>co@gda$(<4$%~)>NAP} zV^^-i{hey`U71h~rQ?f8X`%urxC`WkvK_s9xJiJt;C{TY{f1c=!30GNVT`c(OT%pv zYuSQFK@d)o3`v?CUTDKIwX$*lX8s30#8&?0yN+CJ*Y#6d`0G279|H9$413p&BqQM4t9NKLmm?+k~ z*;;`Kdul)AK1<(iXP|Lq6ld~7$Y+E)!43v>&7vChCpx*J$6c^!&IAr^g=#cwM)}6I z3o=@Yn*zIKwEdzg^KON3^*w*Fv`G2JJ`F%=36gn)R}nV@K50W|!9oqJToEhLRNXIa z(LSfjH3dHTn4}GK$vH1oof+%H`?sXDmXj9XT(vuBj9Q_1XRm_9$~p{>9&xW>Sd`VRu2C!SmEmPzjn5-G{12x(D?2 zC_`Tz6&KlJ940+JyBTz;M=JRjuJvwlByVq`$i_TVDy53e?+mFfi^*D%o+S7%< zWe*&7JR;1xphJgVqMaQexwb!*?}OXOP`O3|uI_5b47A#V+fU^?Y|X*r|0~~NX{&T_ zLkCqX_Y7bO<|_m9l55N1z z8z*ASr4eQ5>Yo;gH!YE)_YE(7dk~rD4xuA9vFQWwfh@Fje-c?l(ZK&l)Hg;~7A@U& z$F^ex=lwr%IcX2-T|J007$ZR4fyz2A8M&RYA=8GEl)HEY(aDru7$ZRA7T^kC86 z?_wWz`j((lh!`KE8cGUMk8dS>;9gGM1x2vt&>~LdCBbA5&iDM2gC03XE=qb1-l)_v zqBQ7$gexRQH}Fi^<|So$py0jQd_vCtD#NcHJL@&fKFO&aS`ccJb>(`Ub6Y~Hj8U7r z^JG^)xqi-EFD*=w=i<+xK}<55Vj9J1sUW0Gubi{<^1Xm`yzrG*Nr;y{%iC|NX70s2pU*gP)pq&1hNj z(Bm=OYSAk7HBI>r9-9^xgNdI<5j zzYZ|uW*Nyql>e~yCd&7l7PprN`HeGA5Cmw)iuK<(ytg>K>Ab7X1r=Gl0#?HT?4<RxU2g`rBYY5;gmNC((QRvJtr<)ylXElU8P35h$Z=&e$zy)s>~M}( ze<#ddEAL1xx4II@uX<#IuBsWJnZ@l=OuK17OMPd9;$5nLY*~df^2YxQWKO&S%E_n& z1;%G%7Z>TfY#cW;Co`60xX;;KM5=>D<};hCy(}3G}e|;(;Lm%!8mi(S~r( z+BF#J_O9VV)XC|tIklL!#TIh%?Yzm#^ zN+)@!yPm)d_s3LVnI%X@ktY?zbG}Zr>t&?g$I1KcNM3qEozj@z05~|SXrx>eV#Lu; z?iw!9j0}avc@xyUR_Q$>j)Tfx7+Ry@%Uo9vCO zpR4scJgFA(B$K?J#&71iWSP!3Mh0{Cj1kv#}$U5|MIejlEpxx&jmMBP57x z<7gIHx*Eju?=717y5Tu#@~Z7vUOsI-n0&sN3J8hN&gCNjlptm_vL2uAy$1?^;f;ArTyNk?s(P!_)F8U_>J% z5s9g!w8H_v5^uA9F&Y5S7!A6~L_x*~L^~X3QctI5WKevN8CsCH^K{kO2Fj>HXE3h@J4tX zB%{l0H_LqFZ2By9d3I&?zybU+Yj$;AsOE-_?EfRW15Sm{1}^aRGm5x@vZrqjR4nU> zjDrw_0lQ=&ruE~yLE3h1@jOG&Oi(Pq&I+@MZy7*zOuue~Q}4HhFNTcLpUU2p>Ws-2 zn`NjF<-arexzYPTD$emm^hVa7V0X0vPFyU4&t13W1J=)k$@r|x1-6PX+x0_EV&&)E 
zdWbNFA|nrxtupAMRjM?28I$)kEdEwsD@)xkuz1UN)-&f7w?9Rr_kQBZ?t|QbgKUmE zb3klc9*|r@790b_&xgs-sSaT_TyAmF_n=!m>{pWXO6pI>QfHM)plRjO-z&092`AD| zx|vtuUSDeS0)=CxCZg3=eO8!_HVJn@cBz_6%x{TZw;hz?=5?D1&;rworR+d9vyxvHMb4bM{MicCt;;Gvm3lDX9Ql_ZQqTB z7TSAX_3Fs#KSbG|#l6q^8eF$0G1fh5KNXR&^g$a&w{c-65k^8c}k|DE-BTrPe?a+-qvpE3DhRCbNdcdK?g)F zOFi}K^&Dqmlasby^R+pn{dKDj7kLWR3daC;d!g2+gZ}Vblp>F5=`Wh8V60EEqRF)0 zrAY^V<4FVj%*Tr$gOsHd{`flJE0GvkCkgX#QirB@d`Oitox`xhk*imm$88TqwP@bz zYbatdMCSQ*oU5uyLD>>ehz0|j8LKFCe7UR_nY%k=lHi-L*FTVI%)f&Xd*ytzr_XCL zsRVvCPdHvWawB4Pzv9g-@%yFBFn3`T6AZeKSDOz&f_Xcdv#2@XCRc)`U2rWUXp~tS zb0xd-*?WnIGP;7)Ua4InJsSOXLxA#id!H2?b?vp*>EP zJfKqO{dx8>SzZi>JSZZvURCyAd9iyP@I+FUh-oym5J=Dh=I!oMFqFa+oj{F=ytN=4 zS*5J{Gy9$tYbo<@2u^~d&@nLrtLPto+lfT=z(~9D5hVMS6nD3dK*-7+gl|ii3LtiJ-MPgI0qn z6l7aTQ~NU}pP*caS@9Nt${qR&?j^f|yfFXs;|SaTveA>G8*C{m8%wMCBjKusv*+QR zswpqpv#d9eiptwYU01<16D}{TSofycMdwq0LP3pJtd~b@5P4qgkOF5}sR2q1(7PD? zmlFzgDrLoj1Il>n<@?s==gcnP1f}K2{_ocAP$V?b+&QA)-RXJZ`3NbXQ;_-3AQwKv zCKl5Dg_Clh%G$Eyh}g1IyTkT3zQ*?PzdEmdUX_%!lLgxu8A;FHHDi+GB>)LArOLMX zfX~g=yF$jh?!$yHav8-0xVini&V&8>H);AVKf<)p2Z3c!$&R2nn|C5ot{3hIyX^b7 z*}MMS%o*&W@)L&Y&w+?G^)1VEkqN< zwdEteAotPF{6^rs;$y$yTX9W1HKQ$og6V4f%iHmJv^FQFW-xE6cW%^+c`JmDtF#Wv z?qreAk@)VW5(Lvn72Ie42VWLpyH7Ho90EfMpKM4id}y;UFyTja8+r4LcSH(QJr2~9|j#}-02X)zG9 z;+qU>nVxCpv5)8pdy^H(zZ3qGRWur&H>8Gc=d`~wyub!fyImjJ!SeuI0BT92@@G~nkPBD$#i!Sn3Ax}NWMetF*Qe2lEnpC`vZ*?#qTH@+WS ze7)VH_in0Tssf2k`7dVamwUl)5w)R$_fK?px2?MsA}9$N_(;>*bs3P+jO$DbD;LsF z!&sRQB{l(KB@9$av9qn)gWC1v;qE`vJu4#8q#6?^XqPn1BW8;ZHAc;83fIcmRgeWP zLkq&@$Pbi48>ds01~iMuN@2Qel0kH#XBW1q4OySV`IviEtGaIu>Kh5Mk6LKu28TUp z#D9`iqHpXhmRdEA<}_af^!wlPI&*O^M)>n=?Fax?Jf5d;9u_J-!gH$0VQW>+E3t^# zeY#$LOh(0>d7h&>Yk8x7X!dm+?qK3!|6&@q)b=jx>1bl3fxA=TQ8O&}b05RAf$C)) zFP~jtu!X%lyqi$^{cFlXZ*w-u*e1pGB&7Y0zg1*HDW`m9^|!o@aj8^oBTqp)>Mc=C^WVDa;|oTk8> z*%zw6nFQ?DRd~0GZUtR;>Pt_`4Kow$pFQ2ZR|+7U`e@ePkzhVT(EO5a$6{L#7?V6r zr4zqIb?2SfQMVcylmm2&GM$jQ5b@w4>UM$vk8ZIlg0`T?5qkTTd>D{1TOT2%jV|r+ 
zfri~+I_aYJw4gIZiN+p=Ml209>SI*ZP)L@3C~~>owg}3s^c!8S3mb;8q}#3y4-wj2 zEdDk5$n2QY=02u4}!1ZKKw6#>0-#r}7S*gsicjIdVs>k?lWqLR>wUvW5&Hp5yz1mCCT) z{WJA)TSJ#KV6?Q4P+<08qvNHVoSqX0@PSQ68DlIO+RD(H>LKP#!#o6rQraP#B_Nxh zN{chG3f>5!<2!)HT$QtK-QC~|N$tyaYFUU?Wl;4n0hPZ?StliT-sIheA5J+a5;(NH zUW{OjFXYw=w4X}ZbvMeQ@rYX;DN{dublRLY&f=UqYwJj#Mip@XrK$|kRj_pr@HgW6 z@wNHnANC+!5xiZ`M~~vawDV9$B-MK)7GiwxGKB+H?WetWgbCE1dSEJ|ts>O6g*3}5 zw|Fgm5=Xc}e8!~wbGETj-(I|Vw-j3wwm|c7UlF2;P&=_I*vV3yJ=?bE&#Ai#@JZ4) z@)Byh!vmWNSVwCV)vplEmn3Wk{IlT&lI~NutsCZ3{5GzutPa>T;H^RKfv&(KwDi*D zXYkx_p5%tlJ@2=a;b6Mo?ZgLd9Lp#iOju$`s)=2sDx23{wZLPS8~bb=c?Vw_IewogpQx7M5q8e_#VJ)Pv{ZZeE55 z0*%rg!qZxCq>VY=;xWIuG&KhEJXSf{P84( z5|5zKiPWypgu3fV{0V#VRTne$_KoDB&;of5xlbXKNX-RActW^j-ovp4Z>Tp*_9--U|l54xkXk&nHK+1tVpxJnj z%(b<2hM`wqef*5<`r5d2()MAL5cPT)8AoF5RYQUa@RL$?rJV!xXz-(={m{{qrEiIV zXvdWU(GpRDBF=QJ6?W^Q)-BLC**VE_3s$^HlWVlZW5L^CGA-)GKcRUh&IAD%9rfS` zDQ?HO7R*ovuW%ujnghM(-haeYoPL)yQ4cezHZnW!+nH-9e41)#ewsFoQiU~czBd-$ zrkPp&{8C)lcuxnQD?4HHV6VQ29c~Jzr`j(d7!JD!^yK@Vakzl%)~$AWWJ)T;q5cu* zFE}SsbAXd~@VONJl(i!(x?6W63FR!*gQ`au@mic+hXTG|iYUNtOJ6R)c%*RaYNd>- zkS4~7;4Xcb;KsFme|;KrTElFAqV1~M6-HRYWr}FXxcdUI(O)BQ+=FY@KnL|T(`hYR zynHooh^kqfWnOuPx!g-Yd!OkRz1Tkd;g+}Tg0Xgp_l9vq%4WlYZEF1M^KyN1@l@09 z2Dm-B$Da)mB0z&%&A!(vDTaXb=SG!h83wTgaZ*;q@;aRd*Vw?%Nl(S!1hp3q%)eqv zqnJkx@R$N@N10LH%_H9Y(bcsv$G_1+ZsoIe5U)m0Y0F24AL-3-Hc9wbzGM7(0tqVsv~++#JLPV4rnor%3^1e?hV$Jw zH(v)3ZS&>$j%;n9hCxg@2Z5FB5Vc&CXlAsgbnMv|oYk^lC1_01S}l)B!wpRmOXgm5 zJh#i8sIyUKKnb(kq`nPFhwr>$zTFp?G}WYYfABp`d+%wG&rkN z&t)2@v(g2h&;FK`DHGa3de6!f+_4HWm=CkDKYJAU;>K;dto0Sk{tqmN>gAjOdg_sS z{JN7gzmbWTl0)mE+UX94pu;2nXy%}u)+<+$Twi#3TBG~mZ}!H<)I>YPI-{yo(vv@c zMXz!q>B~tI=|#E-i>`f?t^z1A&IQXEs{YYsZJ`>j{m9o+_2kTQ<+7iekot`*8$u9OkmXd` zGHR8OaqJA8h#lFKrrg4=d{Th|zHWX~?gI}ItmZoR{ zjf%`_0SgRjQ&&Ro4?%Y-GN1|Z6^{S#@}@=c^8P;#&~o#1)~)=?e;M$$&CCd^xLXp{ z7*2!w)w_jcK6a-lvoky~?N+4F9g|B})yhs3#KDIc? 
zIvZeZ$c+r^srYMEDiOv?X-`IJzp?BOMlDb8o8o+ZWfF~?sjUN()iCHqN5at@I&C$3 za?iyF&1Nuho1VH_sqP~eeW2<$b3d_oo3`=9wBnuE>YcpfwcmBb1gRplo9+mAzyb}R znksZAxK1p(q!nE)r}U&x0@SH;b5=-rvYN|%@Mt3;e`qGOkzI^ri{bQ`imuj=Bi|{= z{L)PEFd^~}4f@6OP+_QjK_x%+k81ExL8LV*&&^5{vHA{LJie)h`T8`E|4|K{iSkq5 ztgBc~mb&k}`>~0L%f7OE*);u%umLn_&rSFjPETxRdfnHKc~`&r zh6vDSn3zyyWoWJa!(Rod*68W3|G{6=?WVI=jp=|vF zy^d=;W;Ffdg~v=DaQAjQL=MT^V2H=kV1QmBDkM;gs8--`R@bo+9S(6PGG2#xkhIg< zk|}`sZzW(vB$bS`erCbZFg)gH{Noz}e{w=z{x1n0?=z%GwQO%baG5eb$Y1D3Dcs^s zNV#qk;u;+VVGkCg@{Irmt1=V5@O1CxpRYQONV0#zxXlcNTTBqh#KWY3Aq`Z0uS176 z(<6CQbKYj3c8{8?bU4Q5_;CoKXtQb6RF2f&u@ZVG#iJbgUdfi}kkxndv9(pMn@?tmL9h9CIty^6 zPq-L1uX!+qr?G1w4`cya+}Bre`Y;=Nukpv#i%AzTZg*E1l1~jjmhPPVbrrg}=qP{} zn>rAQ@0-?W=bSH_<_H9-{#9QISl1J`xhxM{H);G1 zLdCi*Zvfk0LxCu4upJXHTVK#;>tk=OJ==}yK~2upRJJe(`K*3f*-bBh#v?rmtaza_ zYVMS{WHqFT8q);3VAj(V;m7;1{%pXp_dRnJ#$JqYD2n#MAp24)oc;1viQE7up_1|_ z60A=YI6J;JeF}-`zyO5*XVD{q^X(rTbOO(ky&4xG$=K)QKT(X!Hb@~K%%?t3gTO%P zc_YW2eCK_FcG!`6AQXcISNaSJh!GJ1My6r0#5IURB^p)mC@7&pf7rZks*wSJjuGk^ z^X4_K=E;)qEJ9T&X4|4g57~T9lP;|*!3*|!_=o*E_Io5H_|!f~kbQ5LaH|b722%Vf zHW_4xHV>Mpz)_-&=l$79`NNEvWMgQwxX@xTYq9V7kb~SB!9BlyAULgM-dBeY=UbG} zz0&E)on>WeC&ShOoaa$7ZY_XEeigxAoX}T#e?ZxdMsiva=?dVOp_oR^2YD|b?puOE zIcdr=N((qMG>m1m88q^b##!gbJzZ?9OQu!MxC>=H009QeR#Y}%yrV(L1z7RB-4Rqd zDnvp9F^62zXW(jrb)TsPErv!1etSg6i^9>+gqv8LMNU(ooGNd%lGA|N#_2zm!>N6s z>9NUAYP2)16wqu$#AT8ncko9*H=H}dM9;=SNk5O)z?~}u-`)Fuydzn-?0UQ-=Sxnw z1@~E?N(bbH9ab~b=fGvROeXxeyGNU%#ZN`5vECR|$^ltkt>GZe*&U(NgeA>6KWRhI zQUp?JOGA=Z1iF1Op(+JrnX)GM{tMM4dn$yU-Q~aXG^o8cOS~xOyX)o)Q)DTxR`Nf& z>*c>Pu^!-)0$+6_*LM(Hc0bH~P3v`@b_@jZD?cE4S|Iz-WkDF66(*ZAsfBJekbb&^ zN42f|ByoWa`_XbbEYY`5(|aH`fh>wlO2~qx(?X+AU3W}6kp%dmy|fPE>LcEqv#owC z@-%7uEczTGPy(csIaDtY+1-CN?CjL5M3(J6TMe`0@>0jk{J z)7HAyb$tsO=)oVpr`MZeP0r38{Uh+1-sgdF%DX0Dg9qH{g7xvhL`du5eEVV5N`R5V z_8iibeTCW@{{?WuqyeAwEL?~o7y@<`S`sHy9!{4efM8l12wS$gR(<_2gKc^Yi2^A# zP;2-;K!hkC*&-3+aa}*{?B{JcEKWx0Kg2|q^$CQAFC<7-dQ%lwO5^_HROn!x@#zql 
zIgm=b>kkt7t6gsYn#X5SPEsH{I(!bSP!MfrbiOAE1PZ|T{Pu|ocoviCxm}?W4G1Bv zK2b4R5tZzUP$jYG^LPtnCB3Nio+D^41fEfjiaVYMKhB?Jg#IV?2=|t{a@?MfQPzOi z9Q$J-8FVuAY|L*iUlqiTeMbj&e@G6A@Aj;G^t|u>6s4V3C~ziUvcmd%unSJI@kP!c zoNTRwq%D9P-pUH&4vaTqIuQ!Wg(so|@@+~~%%${njB0`W#J<{o%>)12fSvClul~|7 zmp`QzXvZLS^sYxzVs(@NSj9QrrR;}pbQYslkbWTw266q&;bz;*45xzLvB#0Nc0Q1P z49bZwwCdW8qA+-&x@^9GXNlEKceGhr?tZ0tP-X$%cKY-^S2bBjW=X0KI;j2@LYCQ^ z&(^Dj$f<^ynUTt3onDCyd6;@xQ%BwW%AtM(CqYifqp$Hb z-UyhnJSgiJD*+7fz>Vi_i5i(#|4g zwtl0ir473MWl7n8HkA9zwvbd;HwY<=-JJbZ=QAyw6duMnqbkyh6T6Va?*`?_>kH!Vc4z#>>e*4Ohzw zRyC-_@Z!#VKY%}7SarzBM$XwXzNqUZLF-`s@|o_tXV$K9e^rsjXlb)2;2)Y=c5Yri z{!c~~)Mdd2L1(AsX%Bd0yZ3yjE zUO71mA>Cf!tJbS68z9pkyprElmY4P}E$veQ#=3mseKxK z)8lz954VwMe5W(E#NXq#l2tU|@}m4hx8s;cUV#Fx10Mrk&Tr`YBL$z()#gBP6Vm9r zJeQ^8_*ymSJ>_zrJ#l3kDXXn*N~c4!l>2M}DJ!ExVhQu&7O;IZUFezmen?O~zb0UZ z%#WYbFb3Pn;(j9s|H`lP)DMm_SRcW-y@3}GLz?~~*g}d*Us{*FRd+*k{bO@iFSB@Q z>I@b#e*N#2abT`mm!cI;RT3K$C|osTDhPWKM|(6_*2GFXdL z=bs*~(G=sbPJnG~hHG2?bo&~{AO6=qfo(ZEbbYzB^9M#Ovtq_+@jem05c<3wxtTG9 zJ;um%B_G z2sshN^SN?eu;s=DlkYhV;3#W~JuB9zlVh|!wvO1OOG1iv{6G~j z$))vpZKs(E1EzrnP!g+Q7vdR|Ky_X$g&IMG5*rnbP)5~CPr$_0$~p*Vxy3vzQ%LsA zo|AI^C|SZ7DWC=p^ zx>^_N2LK4$688$Drtfia>FIIzL06c)?o zL+f}U;Y=KfEs{axvT<)@GFP%;#bWblf^tzv4Qz`QRkCyyi6XO)WW#D;I$lb^UeUo` zC+1XnT)m8P0818*)IUD{QJ43sJgLUzKVQeP0MXFBtkc!A3;Y1s`=kGHm%g9h4$&tE zAc4`tvkXu;Ly@#)sY7|xRX_bLU6Jr~Ui;OlzWk*V^#MNC^9i`Q;tMP-^+qP7kQ+j# z$2nj}m6xsS{O1Mp-aY@KZJqx>YFDA)8+uYmM?~2{e@6HjGtZ-sCzBB9?A-^LJ9$SU z_UVu0PaX^H%trVFf43B~@?l-@q9`}(WOdBjgXD^=ckkwAK@YZ*K=H`Y@bfjMSicH9 zf)q+}HumqjyrMJsCCT}Q!Gh>C(QDxmoS2OrGFjzVtlZtava?|B#LaGYL?aFn`48{$ zJ4=hu-0e~)qW<`P2b>&qr%O%%9zAxrg~7AqCaTkd*N+PFFI%Wq^Co}2k963Q4qlYBcl-6Cp8YW{dIXj6|D=$OjRk@6n8n{hxkBTgvjEs~6P z&f;d83RPOFYBZuJ-RD4NM`@0d5RXd>WY&yj@#Cm;B&auV#dh8Ae=Y^ zuwqh4H>qNI2r+hZTpSfs7afm9bq5#-NIgie3Vh9LWm3Z~m<{r>{|;7k0T!EWn;dzH zj#sET00wVl-oxS?E~s|_oWkt$V}-KkumqR|rcc!keIDoq_IK9ZW^qRnT+BHJA|=V! 
zyL+9ORDLw`b5#)GDGVL9yqD5aQJ>c4y=8B;)jxY^+G|)u+=sWFP0*tk>a&#Zd^b<{ z%hVgT9W#_SbRM!D?ZhyXro25&d4^^Qo8LbE}{>bX2d9Khjd~xi>B|bsJS?(s}gb)Kg~H zp&2vbFK}G1kr44f#=LZPYGo_ZUyf1#M%2tDIQiv<&*) z{X>4=z>mYu95BYj4yW}I>54bdT!IUg&YGqObyG>>{5^eT)bla)>XT-`wOiCHfRwO{ zJbxzSxsQWTb+S)~HJzNs+^QbA+4+>T>46+YZx^VM_r_(|`QYg8RW+19*YA0CFI4MtG}w z>OtW59lEEL&e9gkUo>`GWH)pX+hFt_xLe!G!>TJ|F&?osq372pc9#g(Jt#_wwd)W< z*==C!2-st{k)GHK1@;M6gfQa@wWn|_;&RLWCCr{D3Fm!a*q55wukHEAYoUJnG@hl! zVUQib`hErcie;>U{)y7=_ES=;{7TWv8e{nXr=aCTTr}I&LQZpse)+t1J2!7c*2Jw% zZ2ov_3S*T`V^{O}Zw6XC_<@{JTaNj(^3pVVdai5=X)8OQiBUvMHjS!>ljro!>2k)Y zHnM2URt=0avuaO8y5vvM`UybRY7s#rLJc8g%HVkLLf+Yh#G)tnUa{flexq86$F7hg zKjS=A0J=zX6ThOU;qh9aOroiG;e)*YNKM9A)D#M}jt*}@mPOs~2gK&5+kOA9`grIv zy%(VBPi|L8Z75$=brlaw6-COigB3>OxoU9qt^5V*>~4WE(o7kFPfdWIYDx?;Ka`_^ zBaM6aGra9f)VPT4C6&bEC2dzDv{a;vwAG1$+Hlp#5%;FpRGnne#_B{f8A;hD?WOPtW*$FxBYa+3*+kO>6V^`T3Lnf+SL+ zOl6$q-v6aUJbv7XmO^&J);4QBwsO=Qv8%xKm1bll4^e^G#+cGOlv4^KxL+_i)nq?| z3axgVtH~TRLQS6B{P<4&K`EicoV~}is4u)!c>Uz9So5A7J{Us-nR?&_cPX?5Co7Nb z63Fd+bXsz4ZyZ3Sel+6_t~q~(Q#iMJ{oXdE)j7PD57~B&oD-8v(bjE|IFO-hsN%3$ zdaKW>nodU;DZMYcvGxM!b=r{fT?^AmMJ89k&;wXkY~KLD^Jw-)M7^|-Ld&z!(d%6u zOu|Csz7i;ide-!-@H*e6|Ch9@|K2wrt3$9fkPv&go2CrMDhY)b<(8VE{HI+>{HI;X z+|@(N+|4Oc1d+;B^m=#lzCGLkJpu=WlaD-m?~~GJ2zo|dG)vBJ)#ZW@%>+9U5s4oSSx4Dkki?U1(NPX*=*Y zsA|gK*}$T=is>BuCf1Q%oP$N3D10|ieR%El{l>H+z{Rw8;p5nU`adL6$xLymjG$J- zAcVr!7B50_AlqrLEpNAoz|$`>FSFTKLW#eLta8;=#BkR?Tgjh4nvWQ`!~sqV?g$;c6AeHzI(}qRTOdCLX?Z}sN&8Urd;@zK zc9I3`_*k*ZUH6V7Vr-P-vIJ1jbph(8qx#i>nrOn?52cs>K87YYcyT?YivXxQ#ssf|Fn zWciCYDfjhF<+!`qs3pQ0#GC0;_Lw4XH6VWUP!W)FrtmjvV6>cFS%h!Pd8G0mt_v#(I$dj*4w#YE2Gsi~$w zaa4ZGT=yDKV-}Y!>{jcB(gp3J=E|H{Wi|I2{_lQdG&LBf;umK=q z{qGR1=(epKP&{3qw~i#oX+-Sdx_ic%`%h4U;y#f$B!tA|1?1N|KO5qWHdo$$0mwc` zARHb*L#uPLwYqgZnJ*-EkL)*hA2AH4W~?HR!~jw~09}pf)t*E+6O;P%0}At=4RBDr zUz*LcrHDXmvXdN18HV%YJ0A&widuN*MX^j5vdae*+0;T%)jCHqPLtQdsTzgvW@lh- zlgrFj4Y(cpN_wq-k?itV&;u}Fh+v#;sx1O!Hz@o4I@kH#(O|CT7YtDiWq+yEN}5J6 
zM{X`x0-JKK#h~3}`tY*aE*id$R;e3qNyExU=6Zb589cz{dGe_wyTInYEFRL`K-CI7 z1FRIInLAY!%;^VhczD5BS6PINyJ0&GH6bqIopcIk>N!DfW?c1U3a%SZ+&HJNpz;9Q z52=t$p+71}?Llds%_(-$H)P9uL7I3Nc5v8%^ z!NPL=P^{qp6GitR6w;0fG5`iTz=`h&5JhNzr})j({1zAf7DzCbe+wkUh@wph5ye=M z5NUwJAogw^+6iO_$s6Z3pk67C)@S~m5B<>m|2rSwf5N_*yXY&=b%ViRUUi0~wtd?< zp5%1q#p=Sk`LXE@!!^e&F&2t-O2j93KWA0L=G%!0u4(|{s34Zc+ZD&|N6JTQHWPnW zm*+5UjlWqtZ#5rWaw%VXac6I>y>xC)9^Ex1%xRv^t1k^%ecB|Sow@k%H3!+)#5l7z zpR%bIwK+A0@GO{U-gIa!8VG%{JFAbOwP&b&SZH`NTATbb)#0R0rgCMpKKRtNoT`>v zzq5o5ti}c)=)C^l$4l|DQ=6D|EDX&Rh6 z>YqEiZe-2*bo%)~`ubNc!oAMU9k&qVI2a{>5ry-E?;XI!{NeebC}lb zv_S%Z4;~`u_af;(3$(MAw83lG?`Hu9JVf4FSp7C@Z90j?jB0B&3{knKgiM-{QMva5 zT?krp7~eGRp!^)he`wq+Q&N`T+azN`tbU}J?jr(96gH+r{ia43iQKmNLN$$V7B?P+ zt6m%`GpzuDCZfR3=kfERr#oK-;B|jNT*xAfG|_C zx+0Gioo~+QJWC8Hp!9W;AG`)4q>Us5#S5j&;ia2vJ1zPMC7}cZZcc7Ps#n7$p$z8M zs8R@Xnjiq(tonO2$M-MhtjAeLQ5x_?=ir~rf~tete_cyaa+Lqskc#2so_SL(vOUP zhQqGRjjl%pm?QC5I-Nk4qo=2T-E$}9PieSAo3$?H zAHWil;woL!waI@JED5(Qh%x#n;hcia5}f-eHz)pj2-2xTKYc*P6W)!zBJh_d>`Cak z*e-O5ni`c^WA$J-KT=b^ma)n!K<#rBRb$FSMb`GH4(Zs!BZ9%yjGO@BUJL~}R)RC^ zZfW$b6iQ@P8s14+yE-=0iTzgg@24VwDweoM>1~_$qWQN7vcz{8e;OY)foRI5>sw#( z%Q^)S`GVtB;VKnldYNVBBvCS-Xd08?g`U9iHymF`^Q29(nu~2AWfdn_`T1nB#S55r z-d3Hxc*{Fz;HSkHFNaQR?J}zGMCNME^N91`YWSwK__I1)UqL%>hsxOn@}&pBi1Ys} z$l-olgR%Pge%tQS1JBWt2(1G7glK?drmkvI8;T>k z(5p~?i>1#_UcLt4AT*thF*S%Z|*yP+`AX4>=@Z6OGRdyZ->7RaW z=EHcWj=U7I8NR73goXixxD}Fm=Koa*pCH9AHG^avt;~i@$%qu)XP$8qJ>0!(;J>hL zy8OkUAo4jQZE6XStwOk{WWM+uM`1j)yg!6=NTK$N9D`l3MGsD|t!NgncaflTt|d_n zFdZ4SV3ZABr?4v+9V6pXy;fl?OC0gHFqe@H=8JDovZSbn4UHESJ0Zcunagt6axwLO zM36}VUjtV=>lK|{m8Is})Kbb}JR6!pfNcg&^2FGXNOl8!{P@5k&Wk$X^k12kvG5x; z`5|{9i@|*9pZU!Y%aA^;l115E+F+1;knl8edhv3C7ILG(j`QtNGOx_?ItNy9s5{%u z%X7cvI)z(R*?>Rixo}Ag&Ro-ihuqDrsVs;pKszjszUE6zEmZ4UOH1@JbYMq$LCb6$ z7Oy8Anj!#nZ+xJxHAx6vZ=zy?IxR7xEXx zLO@BoDM&P#dF9}y*{s*XeOJk&ELCx2jr+6L&9KJ$n=z!vGT87Jrr-Le+ua4jO#@pzX7b!6{?)vibc*-9r?1L9c*X06D#0eN9gMR5bSa1_YHvX&^=G^#v|w| z(S~ATPg8{ot^P*`{X?+)@0T&|->?`=1ll5 
zv!ehOz}Cz=v?oj46rc6l43ebB<&eO>jLZ|rJ7%=|wpvx?{Yv)@@?gZno?LTPC$Vsn z+;{&JYZm?+YfBLe6f;%|dG)x$n#|;Yt@$dXF`Rcz5uOc!#PXha?8))8J0x(2Xv?C; z@&R-|k5qD`XWGxwWNXDkTSsB#1MoSU-0s={|I<| z3IEidb<`hwjD@}SH<*G|UozEZ_fut%DQNDjufeaKvenJ5VT2PsW9ry0BpdH9f&;#< zjx`bT^(FO@zQpM_gV^i8v<>(cRg-gv=FyMi)@xEQh1(zgR#}$q1^GLsGeS&g{I?6I zQqu?Ec%s@#ae-{f#G=4~)hEtqQ&@3Z)?@0{%Z%B6dt^QJ+Qi=ZoWz1w%35V|pT6 zm8M>gHIE;$gJ6DT&u+b$c$ofZGxwDMSk?e816<5SOmH??KdQf{>rigEPiN*@;WAZY ztOB8v_ffYEzEbIeyZ2ii``lF916i4nU?>wp7$a=F-4uDGG@bJy!f;_l>=6VmQp`u+ zaOSr)ZS~4|6v;ht8`RHJ+0W>QsuPt$xn?a0m|1wX~abjv2Q~kc!FrrLyQH z?_^6RznJ_)g6!PvSl^C;2--9&N$BpeA;mHM{he9bk;}C(GN?gH`4}JP#jq%i1mRcJtqK@R_dT=}PVKeLK4C=VgP1jjt{;GNJV*8h#m3D69XbWkhs8ELl zb?A4lm1*xxX#L>DjA8<0`C*WUje{X}$?#8L3F#HeZFQeaEGv8RRm!cM6!Tgq^TlxZI%YI2sgeVh zo*Opa@%rff#CWZ@n(35LW!J2&)!rLAcbkzkC(J!pu9OK|c&$}WPUjw98-D%I9y_k; ztk%)&HFVBX_V5&+i&V-V?T8vmX4d@!Yl{ECn&M-Cdht2<1Ept8q~c>t%`Z;OUa$yP zcrR&k`EzJKE%rva$(jIaz;~JsuL}SF@pO*id3Dj&ZqlHQt;R-U+iGLmww>&-v2EM7 zZQHhuCSUrVbG|?Oy7qehK5OnZ#~k-qD5;MBIoz--)N>tn&cV21^G*4UPt0mGtcp~$ zK55-3;-NhB!i!z?w$39`7@`JO#Eoy=pb8Ncn}fMpcX&{-HdkMQuPVM1n`!=0zX(ild)=-+zdo4Gkkn4Y>umy8 zjT4uGWw*1TIc9%>clrl@ll=Sb?$A&+vxPQA1cWwy2)EG8qL+1PxKkF&$m{pw-K1PNJ+ zVX#JmEk@u-*%&Ph-b~O6Nztic{}5S7dQ*PIx61bJzFuHd!r^qjX%#B|X&ALPVjmVG z!|%%6=IinTB2E{l07`?RLu9YUC2y>dBYK^N;)LP%JaA$Em#Qpy`;2~vYNBmNg7Fs= zzZL<*xD?biMvj8g>STVCskzaDSG-@OC%uC3R<%KDMSRU;8la3EB0nkhA%?nXE|ror z#OX4w=A=S`PShDtW5Tb!xtPq62DR*vXrVJU#m+#|S$46?> zuoLdu!au*Yupd3%UwJ9EbsObID-9nn$)|1$D2EPcVh}(>f1Mv`qmUY?yhr1AaMJES zkyE>{OZEc7wEHD0i?$V5E0j%f4pb<`Mlb@t&M5-y?9AMmdO{{pI$7s514}}h3JnCo zI_Z6iNIat+G#Lp$=ggbkW>;`un^0zh^Qt(}Jom%jWQQl0a7;Oxq6rSS*anB;Y&ox| zFZn@>Px2)LYCu9K@L~1xpORjsn;8^f&W(g znQ8+Vwbu;W&%512lgoq{b=0thYBe-703~8>><3hvhPfjI4Z7@-9?_9J!5;-im^}iU zy_piPKi=DX$$-&2Tob9TN%)N?{c3(XT-5ul$8d@>eLE^v*hu{6NPO4<~?_eoXG zZh78N;91xGT=O%Pcp{Ahgbkg2cM9Cnu9n8@m`p6ulzwD{$eBJzWCO4b zF(b_2iDy67w0c0v)P%-|oo?}Z;zb$`mSM%!V4AJP->yl49fuXm6(0|MOPVHl%ej)F zHbVhWnRL`h3Q+^f_(b{Sgh@k=q;bO+Bl_e-LF1KbrMv=0>gWl7)9ePj-^BT?ry 
z5Zl8b;&LJtKa1fl#iyJ4Woi58%aX1n9&`dfUhCER_Lslkv^?0HW5EE*Bh4_q$L#>* zA&I}S_GeckQEdreHNATJR{u`(RG^qRo=`^eF?K_GcK(-?(r*coU)U2dBuEbiZBfXm zAC4CQ{2r8@Db39LHE}`$EB0LsN%rn^I~C_13dJ~uKPd+{O9-N=F6`d|5n4~+h-5am z2y9Ln>J&opuR#Q+)PNx~ek#lsee5p>04#%U88YOCG}5%4)=|0pp?%9FG4@oyF$v6e zFdbAXJA3|;tSK+C8ZX@=1b1ts@qJyrcL@rm?7I1^;rmbY?d^qxe#BS$9>TzMCu8kS z+X@nV*1qq{G7>}b6mz?S2Ki5A5FEnA843e69wrYCA{tc5DE&Iq>zax;R}PDTrYOygs0JisdUAm1nj{h9YAX7` zA3PQZT1NJ|i9nOk%*ejD_V>fNEUXk(Jvc8zM-t(vW6hO-h%@rp*;^*`VG*1%xa4~p z0lR=7y8{MWfvmgg^NO%(Ryfr6mFHCFwCR=6J2tcFpjqCoI8Z}vik?s?{JPEFtHM#s zFZi~!z13Z__NVSp>k!CB%o(1X=}xMyUa*yzyv%JzuK>lSuKgFGdgD!Ih@i1b_qPg9 z1Mj1$7B|H&LI1QU{F0~rNu{p{@!X!DCkt<}Pc1433;+LXQ9_?u)Y_Nn8L8+4{^*dD z!Yka|_B|Npzqda66Vw zlQfJ&zBu~#&x@Lot$zLwYe&uN>n5HvvR#WGjDOl@IW76l6o)LP6l5j!ffDvXe_SJ3 zAEfDFQb!|bgaQWSWv679zIKlj4@^(fNZpu>-{{$5Uq>Z6G!2T#B5f6;fT|$&!jWBx zLAV{{To;{B;B0|V`zZKS0+d?@R$Kav)XJ~N8sQ&}u0D7}*}O|9a5)!fW8xTz)XlNK z=FqnR%f{mKtIOq7YEywN+8PRVE(lE~@uM#;Ofgv?mp!!zxtye4jOE6sAP--tjs8~9 zJ)q~D_KQg}J1W^K(o?WsWHL#V$kT+`^I+Lx@vtMOL~Szf!uBFk0N$k$6jfCbGSke< z@PF&Np|WEl>HPB_SOVB)=mPz1uB_602Cjr=r;>b48dRgGln?Q4H8pH9$<#+hBlt8J zwrm{J^sSDWMXYNSw|D<(K^3Uobf_K1$ zlLTo_ZWbm09>x;igY|FjEBrb4X_ob9z3&^QpBvX#!Oc)JFmPy-6yY*#Yzm~e=qEWGu~Tv%Zax0iu#1wALeKYT3--SHZjCd~ z(gT#zOmXn^TIcpHUepm!N72k(iA4R-FU#f(@?3P^N>n%Cts|evk(L5tU2~|V?g`Uu z`j|{-+B1x3Z?0DQv|8JpyHXqys7u3PB~JYpgJ;l-U)LRuu9OfR3Rz(Ujwm^D;@T%F znRU^QCdJlvFys)dfJ?lp*p;}aYP)VauA2@l(4r5Q$ z%y_iQ$$Qjm$Vc`e!fkMkhSx6G(B3~13P65<`bQO4OfO(L=>q{l z(Qf(A{bSm?Gsp+Da~_bfu8iupWs7S2kaDUd&G1_pc6@`<0k+~=A3nxt-tZb0Cyb^CoB$;&`ni(@r2FFOL zd{~4f_xD{`^9DmrM!GsDv=G1-%2Iy$Gjzc)sS(0A%jWum=zz2Y#G)NCbtm&!zO9-h zW;`Vq*77T9=nJ9~aXGh|nvU`Wm6 z$l5bY#u?9N>{_Lz`~VaRl=%;|0vQGFS0k!ynYaNw|E;_NnY?2&C}GL${~cn+%aD(J zCOc7}jB>nX`pL^KwJ7{q9%4ufIr*&rdY|=wviN9hN5R2NO1O$ks{ho5;bBvFs)^Lo zA;S;E36eJLmo9LUm1g`OG9X96(J%6!S&~K}gtg}{8L#&NvX7&!7yi-uEx4gik1&-- z=9lZc4N|Lb*SXP)p;bx<1LDvX6In9;0bjmOTQ#Qk;`ilTWSi%_qPh1H-PZVvUP^Wt zr#n$j>aMzv`EBeYAQw_|L1|~Bh}|j+?=-;&C1X@2X)Ys7l{jXMh>h2Wp_f 
zI3W0vqrD=pY*oDz@1eVCe=j;j-9*V|6m4Ub5aS}^>*M;FrW zFYC=LB_4eRuZ$3;P)1Pf1~QPYgiFPos*LjRaEc+#<$5H8aRBz6Dh*YrP)XpYCKF9vZUMK~6T)qt z9Hx{e)NtS%axns368f3~q5L@xtJ{fH>rUE{C&jF1kfGKEzk+^|jZV$@_E5W%u{$mB z*HM}4zwoBH%GSgmuy2|{d$dCQpd&)|-bYB+Gf&@1AsUGBMUE1LGH-;?S&!KV3~UjD zXHp!yg%J}j+%pH++I3ATo2#4ANG!3oA?0iLRbZpQZ~Bs&oAlIGVA-JVM$UF1$Y}E0 zW1Yl)QS8XZFm{<(Wf7MOMA20h+5x660rX%*@2S}gNpldei>UT}KHm>){yK}5<78LN z9F`;QSDV*Jo~17hxwX}2wKP{#9YLM=Eb^$3YE#hWLA^B7p!@r`)!-R3%_a+HCQqah ztYH)-oGo7A&2e~7}@jKJ!fmt@z^RI#57fY5_9PIrum#kr|9tiYdn8~~5 zC5WHKXqP{|@)b)1VLiDjY=3`Ew(_Bnp+zo!X;oP%UM^@gBR7_H&C7pu{ zdpj9$QK;WCsl+-8YLfMMD6GUR^Ex8?X{M|3rM0?b-$WJq) z_byrp$dGSw;M5eJK+h$Qr~vuZY1L-~JA#^Xoh##&g}ts(5~}9zE!B>5sJ_#zun>3W zTPZIW>|O2Dsvp6mOVqVvf7VMO&;;7xPE+fit@pm^7OxAT8PQuwwnxA= zNfeGb{He^JUysDd5H-nV!Z67MW76fCqQ%=LJJ0n7EbUej2l~B2;u!bp3kb&MFVY51 z-JN`jvLp{P8fIf-&a&>|D>Z8Uu8f~iQc&yklFzcqn8FZy7W*er6kyRSZ7f zDw+*2q9~Q>kfKQPb^>i=3BO2n!QB**D_A-*q46~3d*XwA3Eppq{7WMo&1HOS3_nju z{-q(`KFN&jlApgQz!v?f;wwls=KV`OI+A~t9IAel$4eJU~ z8cRNBvMTbQGgWW*0-IdEYvJ|u zRsc8XfQZN(nyt07+8SCqq%TH4en^MdgW^cd$jg*;J8qu0qCnxG@!=S%=nch32peCF zo8v$(ZD6eKVkBdSaZB~3z{gF|2$ba0B$($M-!AqavVtHFcm>y zcM$d6_o@Ao*;EGE3;%U|k_LA(K!)O%);^#3ihu1$WzQ_5s{?07SCS2}w!U!0vX2K# zJZ++Mmguh~WD4KC!pSKxe-^-!HFE91TDcSNeOUt7q`r1Hew~~Pl+q>)z$GY&S-z(N zI3AX5F?O0>pQPQbFH5e!=KRT0y}-YcOShAI1I##*bcu&jq!VrTjSbF6sF=se9(-ROn>+DD~_rb+r+?gmYPcgnRC_e4nIwtDUvF zyaHCA}14n6qOhGfHsC6Q%EuW+Wk{#u#E?Z1^fj1_y-w}FxyNiRAps77Tb}NdX(i?S{l!1HJTmFf#iPph@7OVIDOEs4zvqe?D#`x zQli7#%>#81H-@Q7lzUV~otu2c>4 z6M7nx&ov`kk)}m0Y%j15lVCvs8MvvRQ}UC`R;QPD1J}wNczH6c79RBal!s;BOuVG6 zFb<|&us9VUu~T}#>ZhO5Iu7N)noUY9-x5LC%?=TymfRadF7o8M4p>&9{-BR{Zq zMdd<2ij^5wAN0#~qikYRSd(FY8>`A;-Y~9PQgz!58~z|NA35eodQYDPc&`&HG@l7; zSBzOWU(wzHZb|2BPc7iMeqwn~LDq#;FfhM;R>cA>Hgg+Z57q)lq;Uj?il!G<~JVIrfmTb5ryyQQM1%zAEBbJq22@eEcjc z&NyfR*Vrx@-pBZhrB*Cbt*V(^&a-?hlDV9oBrY;9v#Z7P9zF7PtNvX&2* z(Pu&3s}51YSBG^4%6{Tffi3RQe^%7U`Mv7@tEjGJ|0*h1!%q}jToKhz1m|(o#DGFX 
z^`ASg`qLd}9CtpZ7k54vR-;1^#^Cks=6C`Ay6WIXa_TZOU0a(k{8{x_u-j9BI#gF7(N12zn#;VFg`{og2AQ5=kuSO~*Zhmz&8$yDXi zSwMM%x#stD2XbT>LZc)_mM=lke<>7+W0mFklG9GFf51m3|XtMdkv7 zwtfQpizM=xT?XX#lXE4Wy2^l4KPgcxOa|=yxh@HnUl?0=bxSDkRCH1tkj5s~253G9 zs+m#)vYpb{xWt2LE`5nVh&q3^F93nYUxnbp?oUq?%Sdgj9uSOj=p1a0p?|LWCs4UfLPGEnazZQGRxJ13CF znlm1kjRSLuiDzTW;rfOrAgNL43(VDiF|aJ)J=463A3^AS#`-QK#4R|2d-N68Z;;Ny z`E`Y$K`cz#^$$w-;pQb4u}$+e_uS*+L;TacuCO>qZLGzlRE_<7m6C(AldyV8PPs3k zT3ZfmF8Y2X+^>)vK!h6EyMkY%+MCtXGhQDOXDyCUe#0LWT$1lIoNraq8}On;H|Dq~ zo4wHJxneE|E}m)*KfWSX``Su`Hfr!TaTnrSAyYPdALY8K`ziX1`71{IDly0Bdla)` z2UirZa7p_ti20Dj9pwIb+jk3yghH-L%tuo-9eLX~>iO8iIxblIa$jaT>{6y`886EG z)(Xa7@4wJ;22&+Fc_$@O0|Z>xZ7-41lQQA0YOd}T+FL;#26mZ5vwP$Z3_-98jE}2H z?{*+Wntx85s{?`_nYKr)cbmZ%Kvsl;%aKoCrp&WizZLoQ_`L86A;aPOaf^F2NOD2x zk+N}hoO?#uRHY6ow8KMu-TAXykzfTw9R2ks@JUfnf>&>N7Y=gN3@|)5plM0Lbyi%# zVn*~DfcLu=-3fpOciv4s#l9cc1&Bz{wIH%u^L|brS6)B8=bnPc`or5J+_BaNdZ^#Q zKe6z~F4?MZ8b8Nb?47OgJ-+=9hd*`qFLuuDk_Z#O8CC>tpbQN4sy%Z03nvm}@MLhU z&=6u(rM?37A^!n&%D3wsIVHy0UtlF|zoM*W7snZ=SMwW9mh^7oxLEH2daMmO2H+ z#QRBA6+SEa>o1#`co`Dd5;PS&7dtSIR~9_)|1Ujg;`L7yW$HAXf;h;2LampGz7B&( z$a(rtjsF}?x`%9D{0!N&lDvja5CpD&i=+`d*xf+r=RD!^4*liwP0#)48TKr|8YymY z|3~NAZCX{2|4-Csb7WeS?GUP_A#vZN*i3K_DHC%OUd5CM-v|6SQ3%%TZ9V7c4oEiZ z(P7vVJ{L{cL(3)H)a8o*1&Uu!FM9NkhqpOSH6~0KuD94d+#Dhdhe+VhU~q|33M+;K z8G23ZFdG)Qi)wNi2V7jqzJHT9&F_KfF8FrsmIsN&?o0WeJ6Jbc zwAych9x_w-?>Bg?*bTlWqmoE?OiWIfjeMH9x)^J|j<1#HEF5@zoo-iDLp~o5ewA<1 z94!ODW*6WRzlDCx1O|9X`oA}dXl=gOMz0#=k`m-2MWmH*U?GEmyG(Hbw)xo#qfRGnAEa+a$+D!ke-YevFq1~1kGjM{4fat8 zJn-C*Lmj$uut&+np)!o+)BD>j@1YG0VcD=MnVQS=Rp(1sKmfC=K9_1MMb{!}|B@o@ zgT@X#FkF1s`9X7h9y?JI=EWXDfl9K^0M%a&b1fMpg?cj)mh)Va#&u!g$>r7gBjBn^ za_&44##*6~=Y=jYS4D{l1$nfiOoWLpB=fw;9mM@y4@m{BKa9$SQpQk*lqKsEor8x7 zeMu-j{Vbi;Kr#>V$r6GFemmX>G~!4KvYuj&>O8&Ol9`gM36H20`JhWys5URYK+*3# znm9SDfP|U=1-BRJ1dW3+sof)z2EJ?ua8m;hj$}bv?ji$jINOZGWVD8hiPAqJHxnlV z&V$Rg6M3VKHy_o?Lz?cw=0%n$_#ox1l|k|kxExVzfOelJ^7iN(8);|VlOxQl3lvjI z7iq9IeixZuw0RCRyI#+xpX5A#YrQ&zAXZSnFfBU;`C!Gs}q{jGDaPz@Iz 
zjJs7VfS4AwMRb^_$g*79+SKaFMs|pP$qIWZC!O@OF3yB)`!V({ox(zOkcrG0&Y59{ zw%E$XeMIJbqqMm&Wc3mUvKQi}FNXUG-OrB=nY0NX@N~O(vT}4yas6Glj@E> zOxauP96$Bbv^4^wDJTRwg(56~Va1Dm$9Zf5;5E$9Q`nOwej)}isrRJ8{SMXHh<9OA zdW4!=&Q-m_)R{Zf^kX>}*>W|Bomsc@BO}=!cpqj{PHxEle5uyCLSl{X{IJ@b=sJD# zn&RQ92{uy}j)#X2(@~Nvc27O|T{kyvF(;X?Cfn5z?(nyux%tQ}{WNkPEN*gPt@(P3 z^49UcTo36&!kQkX-dT!JtMA>+(xUmLt{lwLWdCcC_+0;V#BUud1Wp}n@1xWc$Lq2b zq0kn7_M}PwdeU3F2cv5{;K58ws!Bs^0&>Z6Gbghg{x6T)pDjpJ+O#D7lk7Be_kXY! z@xdAD57&PN2{lCfA!ty~Yhw*-esp4i_V3M+R2M$KZxM$N zfAtwB8Z>6PQ>VCI<-ZWThEU>%c13#b&xR5Q8}#U+4{Uhn(<=gGzx>ERv3dEHtUU0T zU*CE;f2cu?@a&K0e1+o1$}gXI+K0^?!aZ#!YW&d!iRJY{)(8r%Pw(--HYVMr1WD7+ zy!DgdBoSGYLkTOA`K^)&;l!QViRZY-+|CH`zc9M^9f~Jak%WGBH2+Y|Zx5JpVd_Pewhr8glp@Ar z%N31KaYwIGS5M+If6)&v}D0IHgdVFR}HmLvaP4i1KPD018^ z`L{lpC=}D*DdPF;G|>uvn{L4OMQ)S+A`-&raoF)ygo%U|TBAA^$rV%DVjhb1WqEJ; za-&!u3>&U1+3i;(X^LckwS7DxZW*xf?HK%Wu~WNX)qknodfhuX#bKH)bU&Ds9`pD6 z<^gz03owOe(Om%owb^2$YuXpf*{9IB@!XMUVyv)+{V~dQj{XUv%{IEofw*n6W-Q0iV};QP2rw zuX<&FpNE|TgB_Z4xXF~cRyM6aJg0ZuPmp0cP#dKnzFr^nJ&2?VHS@f}X=3u1%*E); zHUbSxw0J!2e{qXhn^+)N3CiVu9^F!lI5F<%T@gl&O21E+B1;i;5OseU+CV5UkL||# z>Gep;bE{L|nJu#X7H@EoajoEFtRu_ zFGx}@7mFI(S7f#ac0534r&6FdmE;ZRKmj)Aiw}yYp|lHPV+(m6MG^~jLjFjyNI$Tk zhYj$O%?^%gr-vPNHXJpaig0o@BRVkHmg`ri$*A8E2S4MIGn-U)=ZKIUA`W7U_YQzdOL3al7i8VpKD)*s3%@v9vU(FwKx2n%i*IdMqOvN$(l%E6W!Z-|h9G!vMcY zn?*t#Me-KEkEo&hc17~k?cEM$R^Ju`<(4gh1Kt#pI`Y0+hj*&c6CRqR23rwDb$JJ6 z_?LOeI}F^TuKZMU4J#{A=ib*o)>*#T8N654Ma;QO=-M+TLAbV3*GZln+0F&;EIQv- z;vyH)5ym#^(p{zYi`=Ccw6956Kl69qW=ZljVFVb~%W2UQ7;uQ(Cmdp9+tb*!=RxzN zQ$j|g>um?HnCr`vNhD6S*Fj3AwQgs_{MMU|5*(1t#>v|K)uiFjw$3glNYCG~RpH)L z#+R7A%m%E+m+s9k)!&RU9fV7RKI7C*Ch}^a=R;n~9!Tz~+096!f)G}S?18z5vQS0v zh?GxzwEY~VZb^$1=p1xSf(^b zEKJ3yrW8`9^y#EK`)8yZHhZldGJ9oKrB7&-eqLqPy*4hj=Vc zD$|ARab!x??fTY8bhRl$ntLYA5Axgm`}np`b6p*~PHH3PNRw(cyA?gbjYuzOo^i;p z=vVL%nWIj6wPMoSZ4Os`8bY#!rHd!TXF@{^z_akf%JJvJEx`)(NJ<}op)CGPV1G%;4HfBnwdq96B3>{CaI*A zrl2p1k#rR$;f1s1F-NHwL~)v}gj&mSR>@}W*?_bd(ylLg-8vhk(q)bkmJUP1w2-=@ 
z5%mDpP*zZpykbAfMn?_*Fl_DAu71yUbrM=3js@GSqg{88ya<5@1;Thy)p81KKW}ht zUb~e9y+uo0m?dMvF5!gWBHre!*APqeOO*Q72WKm$NuAn)K^k9tB$PP~gTK2xcwr%W z1JGn)H;y|t5|d84JlE#V08yX3j+~bsz}Y(P1o}7n5*l`&2NTS>BdJk-?_`U&tSeJz zaA4cHBqdh-)BudV{}o}CN;fq9Eum*v-6D{NP@^q>-*Dp?&NS_L=DO zmXb4V6BuQGTwc>YPl~@}3%-d0(JGsAitC>(^+5Jo=F^sXAd80aX&y=Ww585+nWg-HTk655Efx6bcOZ+Hk`lNp zJBQmpK$oHzvir}M8uo8DvExG4vf)B94-%;`4EjX~ZwP;F6F+MAa{0LM-z?k3dF-LU zEf5$HcmD56gpfi0|Lv1d`vo5vC2(!#NyXe+T;i+#^UL#;NoJ+(2|zL?c?DB|lDbhH z#KOpa-ha(9NRBtgneenr@5Qa}dtJ_1fc#j(V`U>yTN~9r`%7^9rK};OY~<9tpIubtTW^O7x(#KervTBs54p)ME2e7=_q>}I%!i>7!3)}M{*!ASk#ob3) z7V2Ok!4uEsGBztAw3gcg7GtO*?p>cE`;8=eqk<&2h+I=v_BjRtJ<&u!_Qv3BfZbF; z>?hwH#O#2?mlxT$=QniAG-wb2IyXxfIT1YN7MG5Td$E-bD>CN#=$9I>peui>fYhD)MArSc^s zHT4+A;-W4vTgXPF;f!K|M04)KdA^?s_Z+AGi!q73R- zfQEtskGwJJV}P+XdWHTQ7n%2LMjxDl8Zi2EIcTk>T?hK+rlgMe!-i&vIW$V`N8Rx}vw>h|#1OwCNlxPAMoN~e;)0k`Fl z1Ds~8dv1J$v9PfGYjFI687}qgBQ>pDKc)WI+YcRK&w3u2H*j9&_`EmKi^?~_SK!1A za%U)z*kL|^&1;z)rqIzI`Ss0#P?+_q3ASM?tyvQ-Q{4-J*7ao8Q>XKz0$6%`KAeli z7r8E)nT+NA__&~`2#i1y9*+md0FO^RhIIhhAwMp5@*)l~;vQ@=`muIP0z4FN8cYDV zDg8^0l;HbSq@l9X5d(_h+NMaGoo1W($mw3TptT$MN5o%TnAI(x!a^wBJE%A8Khhdd zqCP3!^Bkgp&CAXL9?a75q%l_m<7-CyFMalA-7R>xMq3m((ri&=B$1Zdd7lrQo;8Qv zK+^H~f>Y)}hv&Lt<}!BitRbVbO$i9AwKFT{)VaKZCa+Wr)lSGT&+b)=KzYvR#nyLS z>tnrg*QdX@KLcUp&-VN`!oKAh62d5m4_>QDja#RFPT3?L5|EGc_>eUphQs|xxW$iO39IE^4p z=l|Qs{HCiivN#ugxyx#RL*%cdR!u>Rs_TABWMfEU%p2KILVwkk-*zY3d2AlmT)PE( z-o^Lh8rc~BnIVH*w>Ek+RbT2quEEp`4$Q_2YIP73D zP(6K&dsY|u;FOyFx3~Sk>QSfBb?)3G|!=%s^CZU$^Mg_z0J} zx(bOuym`#Do~zaAI>o-ky~4S&e)`w|oX0?w95lE?a<)%+&2nEkr?k4iP8pz^wXEO2 zv_f(QazdtS%x`$@m+?Fh5U&PW1q=j`+_gdmZcNCwE?=BGrnH`CEOOm(LXLMVp0}?1 z`K7N*HCFjYTGR4W$KEnNtON`Xhl<$=yWmWoHvU~NXauU(*X}hsm)HGtxo#eSEX%RWR~L;-6)AvW<wmc`n^#R+$9uV#Y+T-T4~s7S$5 zch5U4wzhE%_xh??xqRJveqdDzG_E_W2DX1fZJmwni>tgx4_q|SVAYGp!sDCAXJvLROb5*` zuN-0u+Vj?Mb|T%5TDu6AsG)osmsZ?`Pk_JOb6HreC`Ox&%UKe`Te z=jN*3P+D`<%?0I4^E~FeIGkYjt+8Zz-bE(N?Dm9`wY5b){Rwh0$a;;3PrcMN>lxV`PwI?t^+#D!;j5gv)=h{QE@a<^GddVLZr*l>-1non(n(RFQvnU_)(iWeGg 
z6I22qbbGhQd^d}}xqC>4p1T#A*=Ey_P#kR6fTM{SvlvtEsL+Ox^xtKB<^2 zcpi1c4J)_nQOkU$e@3YM5Du~WO!zOx7&IDFJ$-q(dF?;47&;_9ssHky+uT!-C!Q=u zta?Hvk3B2Ym2DP-)JQ$25pK&_lU#Ump*6q4nD>f)xo^RfEsITq{?Z~W4E5{?1CYdY zqPGeDc^C}Oj=+_*)oT$;jJt6Yx=ODLEF1p5Lw9$XW%;cr^qQMnca2TWP|47(pZ_KR z8!`Rg%x*Gb+36Lsq26)luW?M+^LniU@5R+ouV{*&3HqTwB8lOcZ0|$`S(4t9x9B4h z7yYjg;c$`)5NoGC=wh*#*7k-lz+%_!l2jKS*D|8obxD5{nrGrN$jH)CmX@FT`2^%E zH))F!p{h2`l7600|2rR?`?U~1w^3M#9JrCdDvHqe?2Mq7j8{Go!I=nCCN=7FO^kJG z7OVsn_LX>{beXtHia={=>8Vl#a>7YT81%ihv-;I@ZpfF)+F2jKX-oPYh?)rJ2cW`P^U29wfNh}XXJNm5sC z(>sJGO^+2@-q?aAZ(6Yg5OQi)374_94*`>YLmaCH9pU5PN?j|EFGETRlHxeWl5x}; zHHTkV-X{O`cFOczP|~a~p&Q7|U#yiK_Q^IH%3LV$go_;tBPYqhGJZ)(`0`$G!11%( zmzsCJ?}1P=ey){YXpNf*r7wjT*U(|o1fMtn2`#maK+d06F&R%4NKFW+%fdT78V(#6m`(r5+8mC$=D0bRh^Lm35z0_8>#U_piReAV&w! zEa|HnD8=?g0$XrTKugX~|Ds&RITrXdpzy^RS> zznQw;>RBj*^z4G+U?qxH2IT}<{XhFjn1e-%qM06`UPuC5)Exz{1|6Tb6n`ER`*22q zl+3=hKCf;KIv8AG4y2q_HdV!8sK#W}jGT=6l;d%@i;zNVTPwxP&(x5}jx2}6VrtGJ z4Nx&k)vt*F5>Ialf|g_2uD%zJ-ve6htN)jttTz|UoXN>5m4}Q|i4}m|OsG7MqR$VDTK@v2%HJq-1(&E|GSRzb^NfK_b9-8s zSeer>{rV$dx1_T^+Y#EiZdgoVx^x>KO7Zy)=zP(KhO1usRee!5^s)nakudUZKH{k@ z71}LN??Oo^xgEJFUu{7NL3EtJjoLXAB7mC_(n8PlsBp(b6g%!hsVDiIv$Iv4bO@ah z(k)-DHX)v8mi)P%!~WY+x}TH=#PJPLl4yh*^7mK4XCk-76)5%idu|7yZ?_Qc^8plg z&x=8ldgHO0?w^hg!g94^0LT~o$3Pe z9wjlH)`MBve9d%1GN!)LsXIFp2r>KV=H%5=s`CPC-@&V21Wk8|D)*z&$!^14QSa2+T(w}Mos&V7e!R^FxHKh$ z#HIVPlgO)Ql&zYQJ|ffD?Qk2WrSX&6>1m@w1+~lV5!vCquFPNO=IZO7CK3k@Vm z6&$h-J^I#}pNrwWe4EjE9;Nfc+#~HSTK%`{e1Gga9w>Z&20D&rf4)NGiN_nT<(H=9RWCm#Rml^^k2A93+X>mv z_J5b(8#7*M#KW7c=Z~(cFV1VuexqFbl^VA~^>=k14nmb)a|3js1VcBup}9hx@y)kT z?IKd&PK9w^##VI{kFiuqPo+>mxyIQ6J2KylY8eGLVLF=d$rz~efbZwc#l=^;A5=@Y zyjRTov~%wb?~*sHq`wXfx)=PRNX{XT4pEmNJh3EYFaZ@Z#%R*Ad@;&s&zJ>{=j8ydO#zyiYwEr+r?H;7I8C02lw^8zM)6O&=Y<`S7*x(0|PA3 z$5b8eE5rM_;#;+e^UIhg#E1|%>&lj9@qy?uBOTrC%MDnS8D8k5H>f7@8aO^5Z-%6G zfkVZY693iyVM5;ECU!QG=q2&7hptUtGUM;%!I)7=^Z?-}x2*)pDt0z&c`vSqzYpt! 
zN;qPcL54T12(u9UW931^GOf4x%n#h(hp39DDpA;^`JU@N_GSzf@Uh}B#?g5;>EiCUF%;dXu!CpwyYWN=9q`IMr%P{)!5s($KxP}8_@hq|Vmhy`GRuy)% zk%rNc@w*aClv=ezz%hhCN@TI*fEIigQiGV`ro2f8q1`-STz^Y%Tt!xL5JWcR6`pQ1 z`wri`BaT`^Rl%;m+WYG9_Gf&pVueysn_K~{2EZi1$)HS~hjr^Y!gz{##w(6|LvKWDHKR*65d(TX7V{$|a|Tp`aaUjp0b3>xZ(V3~80P0} z9C|R{HEOm7$pNXxMv>Ka@}_^w2_^x$68cIEa{UnAOlyc0&9=0flq%kVM=vE0)!VlT z5TFMY^nJ!5Z_7s45e0-&-?J&L|2B30JfbC~)qAN{S!Ju;<6G;p8iJ!1b_Yp7wn7nJ zjaY6@CRtF|*Vui2o1ia5U~FCM4ioG;*V(_+_J{R!?OkLJtJQcw6tKP9i#R;5O6+Oj z-ybtNNcqEkQTe}JQH%M5KBbna7ExcZ#ZjWCfM9Q6bw*5vRQFO%eLJ_N1JW7^ zw?(3-R|hGh!4e7XK?fRqM3cosx#U@P#V^pPLo4I+L$zBE$qC!3Lw7K+8ECpZ54D*u zh!L^A!!N-()nIzR<(<~Qc!mjp(P5V7?1$*?86Ryw_tMNh>$M|UKPhZF=vGSH)v{`s zxZZySbhbdXW^`!5G-c7CtM6tFKxdiRh+~gpiE;q!euT$o5NX*EM!(nTzq7jNki zkR=d+fk5!PT4T4qR~$U~XEvD9Tk~g+KHNK|SM$WGL_HLD#tY`ezn*~FXhq7ZVWyHy z`l)IWbh+h_1q|$ye~SHAbi#!;OLbdrBKipq3ub6qkDbNj^9s7c5K}t>(4~6&rH*)d zyz=g`B*z6)GlMtZ)qXY@uNJgP`0GHoqlCZO7V-=gV=M(OzXIeqY;fH2d@CSSzHFA$ zZZYa~Yh~O>8zV|YFZBV>@~rML<7av)vRcH*X~v>8DeHEvzc$)5lig_#f4AQ3qi}$q zxF*iTbGs~?cI-L2E zMRZ>)FT_;!y>^fqw~X7T!_XhCwH*INQY5bl+|x#$ghINPscXJIL>97X&}D&#o_y@6E}4RceW-O<&w;;I0>F8F_*XgI0_Nt|v22xk)o0V)b#8W+x~R zm?soX2%(Be#(~E@QN-iN{X^X+)?O$UcSe#^n4PBXi|lDL z!X)h8+SdqlU5uGCp{uS7eNk0}Vy^71#i~hmgHbW+@{tiip9H7y#=#~G7>_7b8^

  • VElv-7b2t+r=QqSMgUpp`AH%3{IlnL%&`JSd;pg zGZ*f)HARWHtmAm z4YX1VR10E-n=eibb*4(^ylIssFP1lKn}_$!SQXIvZLHU!yi*rgzu1?MxECg0 z_Dw2*evvP6AluKexXJgGjLpTVwAvy{Hqqjr$P)VW*d)wdhYFy5N|YeFm+^jH1iEN9d_ug_>Lr+ z-k*uBw7mS_ueW1<;QAe04C-mAd_=F$#QV+247VuTNt@F(EqjNJ=uvjfe6#~Y-QL;8 znTs6Jm}Bb&SN;#aKJtk1LEwIs{39aukry;|QIoax-!!WcQZ4(G5Q6w{rPxfyJ1ZZg zH>_@%n)1DShNm!{W6QVVDLo{6+(7P@_VVMwh8nvpnn(${x4(Ie;ROZyU27+1m{Tta zG{dL4lqmi~e7w9tYYXPTy7be_Rf^nds?j{@lgFXMQ`L88hH3dQ%YbwyKhz_636F~u zFvkaqlQstm7m?IzMMvWOm`9Z*C)Kbskc*p);TCOrz3>}W(&7uPaI0-zTuyKd$Sj+scaX1);MIvbd^(_Drq_9eKR>&-MEi&(c;!{AbXpO8&C z5uUG~OjB4v)4R83*#g=`H+vVDJw(BvcmmairSoMg**(9){LuLN5l^kPPMK@QZ}_#3Osv!|>WS zOMchTuuDMU0vBO>=^S42F6-hvd*kDJC{cd>_m|_;oc6W1m%O~7>&nYUoiz30G>_LZ z%njppbZrfIHf3O7>cggNNNKSYLvq2f3IkV&Z`VpIYs%@<$UPm`>b?Y5U&vgTy6jIR zr`1>*0&7Mkog;B+3)S^;3tTDL%eEWu5pBQxr*So5FX0L7>Dl$6VT) z;kcJXP4KW&rN!{N{!aS_6-hyod=bO6E96f-8XC*}J`VC(Sw+OMWWU}$hE%howywW+ zSyE#hov%j&%+<$9>(V;dx}Zj_aDsf(m4o=c@gE+*x{ryTU0uqjoi9jU@TDWCBC2!W zQE51}QRz5;79#>dr7|?Dh#-}DY4n2bD3PfT<X_O0l6rSp{AkfBZAy z1LpQqW)gc=h4LawrLdKrarsN~93`d#UXPPP4#k7$^HDta;A~R=q{Obj*Lv%{C3d9x zPy^w>k!WVaIPT^Np><@Bj|ceH>0<<=Z?+?ssq`be%w z4eoLjNn!O=nEHJ93PL*=&hw<1BH`YBHzQV0`yW^i!Hp z?YQlO=dABn5rm#>RL5cuWDbD$mEn=*$!?bzP_wYDnJ=XN>*IjR73aspn_GGnKGVyR zI3m-6Yf!W@E8lFu%`V<4RhixBt@*)wx*mpibw-QaKg|V}%|fDuHBeeEvmWvS=`PXD zIe9_Auo(SEcESMTLExlLmH30}aJEI`YnGmZC2L&_e@gm7oTf-uE7I5TK!%L%o z>U~V)FQAqrM2m6+-i$pV2w@k1;#=9;>rl5zgx(sm1EX*TbpdKjBFJnxg{&?hgJ<$` zbWTU|DNZaCn=n>R=udUd3W#3Yt=K$3$?X8f?@7{y!^A(OuG2a`^{G?s^J%Niz;{b% zkpAsSdF~Z+4P1d_^KyNH^(7uVS)0!zP0N=jPSl9KOdQO>-nT+e&(dD6pNafPTBhdV zJC+zv#&)M9Eeo12Sc6&OQR?`+bvmr%s7N4dKIt{CcG>pi9g+x3%B%D>Crd6GIKFR( zD#~_)?BjKgUsztX8SA*2bt-{M!)n&?*SS&W_tMbmvDwUKcN5!^tT>s59b5DOmE^Pc z21CJsJ@53&ioS;aq4Q{vG!swSmfVT^aaAAZM;tcS-@Zuhw4D3njbYB-!0*+K>@Om- zq2-A&(c2k##Uf{vaE1u$?HI}oK*jhD3?%7Wpb|5KF4jC1QN8w?WkkHkThnRU3nyKE znXyprS!-s|y*Y7a*kJft^0!p)WHnerjdWG}{Zd-87`SooucLf%%UQe&`*!P%miD>l z*$>N69fo)iz|51jzxSZG@RdlR7xZSh%9kltyLFhABNw|C{Gl^3yww*^&XKyi3NHc;iGC@J(O 
zn%^`{L8ch<*^oiiIIqVzQ)~7 zVeiS40;GFWF3Lm<0CEImo^dEP1~0RSeUoDx8XEzr>ym`6LX+xSiN?mWa0Rp&jP@3@ zh1Q}XKv9NPOqfA1yYI3@>;letr|_n8xWgaxtlCqr(?&V&)0CLq!cKH#l8b&j)GIac z5{F8MS_Q1?8%CEuYUM)WT>*Xw$igRU#2+$aAQ0)Bc^@9orX!?cTOLx1Y(w8VX=`TshcL6QhY&u zbTT_@;*2vC;Nu9|SePQs?X|bUCE^QB{ffc+(dFH8*puT*J-2M7)L;&!;r@mX}bipnd_;v2{(^Nv7|Wq7DCva6dk^0@OhTnI(}D$O98s+-$K zZ6J&1?cK@JS?-6v_M4U!Mgx5jP^e(GK_s&*1xU0797v?Kl!@U>VU3iAuvuIzSGKxZJ>SrKYPBZu%OAu0L1ggQ0gda?E>vZM##V{j*6 zSrT0XJSq&hst4s(Ln=E0{0$~+Bn{xOX|51Ru@Ta8N?%bXQ5)u0GDdS}a+4Rdd^qQknPbkk8`UTrwFXV<5 zt?nGOF7U`)9wq{*$QVGML}z zCsLOZaq3q##9Dv%iQcxd^y`FESwHt<@dkq&Dk)=)azPG6)0O9(d-;g-*wdA)EAdA) z860G#xFIK4F|x!w1ZpBpDc1aOi5U!`Ng2~>KZM)o=NU9`I1$I;A?w_Eci@3_{^&pD z!(f7gwZ)|YD>|v*WL7_+d?}G8)Zs4%1j468ZHY9$SH;yXESbVuZRO+yPc9Kj5Vp}fH}+*p=*TM6u`=aDw=$-j zh%Ovq@{Et6jTyD2D|~`zK$57-0*+B-$gGMwiu|2#&T%N{%er7k~CmZ$8g=0WcMM@{ew3oy6y9e zUX-w|)@ce;7hsma>qEkYtjou7g8#DVvQ1HOgl&hqWRj?PoRbOp%U!dSOGHN)Tl#cokgU=@PNw1*KX$>YqCi60)|3!1%QuBbTG<9~ z{gw}HX8#o#SP^N?$Ts=6pvl~@QJAhSElrJmTkSvSRekx&6kG&q-C)Hc&S8B^%HT z#AR7jhhIuDuArYQ!$3V-UO3phR`|S8$lRD=1&qua7fMaZs%!Qf5y#h{G1h8uLZQd2 zG|>NZ_jJdV&o*vHp^xX@JnMBoWwP@EiDap63hG7TQ@ym{LdKj7?^eA>Wb@R_lp6&2 z2pGlIUluSa^}*H-C0~Z>=Rh{i==TXXpnNE6@`+UI##BLc7*r0G&Y?}87P3_`)P=gY z0viiAKcBT;#z}+p93{nszV9v`7h{C~z5BiL)e*zR?-r@Dg~iP?zP7`@sXKH{cNc18(_+$UEXbFX{t1uc?4ot1u`&@}uK4ZzPu7;#T(nuSn{8TsKK)$neS>!SR zw3v!U*&9l3#Ctijt)aU-lOE>r2h_pC)@otcXPObU&U9`OG6bHf#{Nt%tPceCCDUW%V&AqPlA{PwxLF0C zBR!yW)xfTG!8(eAo~_m@am{C%V|YsWYA9eSWpY==X&s(r=!T#uP*zL(`%tZ8^6xrX zmV{J!Nd$T7etg?n#WhQx%r)rw056X*_k2u}$@7sm?y)o-^mb}B)MN@67K!&&nyu>8 zJ0%NT7&Y1!j12{8@d(2*(i5*TvW?LM zb*KH3GtbGww5{ZZTN~(*LMQ( z&Sn!A7iSlyPJ@0DlaSop0_9JiBu_SazhO@}l}x%EDSoVCPfgG2!r)u5R-9}0DGX-XTu(Oi$XRCVnMoTNoMq%V{Jo^qt zJ8gNu-}G>+z&{DDDnz#qjF)L10y~j3bGSx7qb*X|uGV=Stq>jAq7MJMt9CjmKV&r?U5oD-s^;CDGkt?Mk+OLbizka_7+S7B zh22=`KIoBW`hV~nPH9JX@C^Uy;2`4*Ya=n((v4_i@QCqe`)0<&2J? 
zt62Dg2WT#@DfZ}x%HcIqc_I^c{e5K5=o+$`^XStiV|<}g+$*u+24q>l zfdH!?8~0Kh?p5|vjQ3BEQ)5Dgm%jWok;&HrNREZYvhZ(~%T(TXn1Ma~R9gLN<^o;I z2A)@+VtBahv&R&l<-BH*;H-6}SXGf^O-`a=T!Ec>OC~ECUdVlA9m^as65Om%^X_zG zTJ=VQnunQmCc<7Utb&{x!1>0AWx?SNtm(je_wR&Z^`CT{j5F=+wcqklIEYx7t2Db! zG;X1^c0uSB3IMX-<=-O3;G41vj969%^E1AN5HNfZvS2H(U5iX7)5XWD`)Q{3UV0~% zt_Y+PpMl;yzo-=vjO9YTuL!aj= z<$l!DnLv5}i(fSQbRC}e^9^+ki5L|HCryI5<@m_cmx+RZSd045aH z-VlaUsByaiwPc(eX1|#9xD`^W&ja4{BVVs8{UA;HlZW*GLI2k{p+9HfnGo&uMyjl#uAMDA!y_? zOF9&F{oofDOB^cp;3Cin!)Pzl59w=&8LOCLqbP^PlC#^%>f?P?; z|8x*p(l71*b20-YwrtLB0FH6S?oRj-z;Wcz9cPT>hLN0=?AN4 zzjEN;fluFREwOMVd-4}#du+$>c}B#)(}LzA_5*Ndn0P9cK3A1yK-}q!M}>EduxVlp zF|;AXaxLQ9GJx70!o-HncCfW^$CI{sr8Is4rqkNw3>YM+H5&oI{d-nWdsE*EWOq5c zJ*XKPq$yYCIgyNI64kg|bY9;v0dciTt!5*-jksNvxfl8+CM@SOFuXi{{Ku&lBWz$P zAE@ncyUJ4`6lod9Pz}OeqVNLLx|^zjb{xS>(yhl>%FiGSYJp|ZJeLX$erM^{gTYOK z4ZcPQCC_4=7+?nOLW?=%fZobd#2mt?`{0+W0WX|JUAXKf)uh?I{t_E9<0Ul?*7c2T zQIRz(W-x!X;CvbUAE4YS7}o}4;vtB}>R^wTA&3a`Op{6OH_G9NB3Yvf_KB0mv8GKU zORJVN2eS`u?uXnowFZp)7jL#Ly?ZO(OKfp!q1^|$R*p1ffj zHIevpx&>J56{&_afCTQJ3%-c6ok0~d_b^1TD~Hx<0e0oEwZX2O1lJUvvRPXcxosfi z8giW7ArDrK8B~g0cLL)=AwL878)l6eqe(P_E}opm(1&^U(WX;f@}^h!h{mY*uu)wS zDTB;6;7W)Md2?(tDvi&#v~UO-da(PZ#*xK9WZ3>^Y%e@Z%378m?52-8{=Pn_2c-(q z*)z>@wKG^0aY7DAPAjqZ_H`#&+<4lT%!*fQ(sQYilyTt2LH?rt5c+e&VTZ2DZX~ON zABb1tGHC^Lr^)2SW z-p4vjtnXnE9GK@O^>S&O8TyWiOG{3C9uY`k92p|8qBLijo)^N77b z-;FeYNu=eAxHSdh=;Y8!kDm&9&40?jq``j|A9WbV%hVhW{nf)SSg2zd=)0kRLIau4 zCjiK5hDg~cEx9PZyBPL|^jMJDSql!3;~T>4P7<|?fb?5RUu>&&*w>=$Bl@&gplRYqhE>e!W;m5PKLe@hLw7i|Euzk{&8q?@oCp?KEhM`=yVEh(k?Ys} zAD8fPw%{aHQg&9cw;s9U%O`iUMMC?|>cMjBxOa1Fbg`Tk&)-Be9C zJK;_*SH%ypLR1;W3LF;XTxR3xNUOn@J8oO3i)4&`ghb9D^rTT)hKA@&5n$Y_(AZhu zqxmZ8N9u?Rs+l&+T%a&s9XZOj-RF+)_rH%w*~d-H+XENwryBf($mS_Wi7DM8bd3#Y>yD?MAezj7bmXw< zZHtE?(;t#i(;LipT zWo*SBjf`H#=zYXp3s?xC5!B7_Q?v}}?k#vHlPD%qDjq3m+}S;&2PrWb4k~6Vq&@Z5 zFe~{RBo>%@dF$dS(Ex|A)19#Pr*>otkiO(U5(=ObBbMpb831zU4D~)ddsUW|5@n*y zh5L$?HdfXjLnpHJCora88!s1yk_R?-R@1sjG|PWvQ%+l!c=)o=v!xG0 
z-pY87t^boLStkb-8Wc>T^%K>Ne1zLQ_x>ovZrXl^qRa1U1b#0ek(O;zm8?f8AhUj{ zLiklgO;c)YKAocnx;1wZlo*>$@*HICXWZylCHBGjXlYH`95?J0uS&7S9#3z~*(xqy z%dHkgiwIFr8!oj>AjqB#l*4wK@avqIQrgUVKhFR0vUc3a{re+f_v*{v_x2~~0$`l{qeS1G% zHB_ry;#De$H+@ECX&_EndTPDrKaz#o%ouq4GtqaZ>jg<~8o%&ty`nfVdqeQXEfzUv z(W!g(t>Q_An-QMI;ujJ-`XBSAfDs|z6&phmzwS$+DfLe-E%O()$C zL%(Q*54cpTb#!*pWURZU{gwHx=(K7qyA1i)w5OIh2DkQ?dqV5dtQo^YjCRy=Mv0|v zw_yv*cmmbj>MyZX16P-!B631Q_fUCcxjP&Mfin*!5YY|SR_He|TrqLQkxZ6gSL(|r zuq#Er|7i^#-pi{K6t~0}EI=J%yFI~Uk&`qg12k+uG8N$#B|VloN~$BFiH-ORr~vHm zzfzH|Bbc>u9AbR(+RTn^p1WogK>HkT&XG&$0o`CpsaA9@TfuEb(dVT*D;pWZJ}wGY z@538W*^^aTRjv%EZe7st!AhXe@%I(PEcuI~TUsKE2HE4gfw4AP*Cvp$(asq<$m<;k z82c?t0KDs@KYANAwa6wf=_UM7d*Zc>>p}8QkjLZI^~ETpI8i&lp4i>6ldNekMu4-9Kiwa{QYiq!4%pp&b1Z@IjF%3 z6U8`%T;;#OtCD?t?o-yrEz8r7p)J$ByowwX?kcge4j09!dpLnW3ou1`ToHmt%K_WH z^V;y(8;Y)781;)^--~A5wl&7IzIM-JFjA!}5%{VuS7_#J@TK!?83j z#Y2E$Bu%gn~ zR=uxZVuqEtp;t>Pa#&}O>z^HFQd>b~GscrJ^zKH;-x@8u5LHxluuhe;+{r$0PK-d_ zLIo#Aq(2INzLm0}f>(`n=7ReS+OpFbzv}IRIO8XVbcdF_HNYdKnhNaZXmWHex&rxF zFI{)xXkp*;^`Elh8gr7r<60AHkMT|r&>B;u>Cmt=(pX9mL1t!;v-MaAXLv&C@h0gF zNYZ^*xIFYx2>ccY>!Pn$9$N)ulKs$&t@wE zSN=SP}zi#HB)QXyN7!Ld=NDdtrdGd`ns{ci(K-h|&xDyg$Vzh*{%(vGya z9{ppFtczq-5AR_U=w71n&?i_hvHDQ)rEq`{UaP)n{04r_O1f=g3%J6yPR?>z9CY~} zakOWK`SJXGVC~W@eR%gs6fSNZ$$ooNyMR@JB|{Nf+b~;PPn>f4?MHumCv?y?)pEoP z*;I*z)?|C>PyS}535MoR--3HwWz6E=4+L7Gy6d9Kml|d!_}i6n>(>^7SD$RYc1N~< zbICH^dm%dkNRBSJA^;WO*2WZ9J%C8T<=KW)hVlLwS7K)+?5OFI+>1<5gg;YZzGuj` z$D_@Cd93_09Qv|vX-u#=6R7d^N~pjZ&+LHdua?uTi$G67$nsM}hBAY?g29=(!kTfT zOE-^VV zvp1bXx2=4~sNC>Dck>!j-!<@)w%ZMF9k-NHPa+^}pZS16(baX<)Zgi;A^4OHUQIg0 zlNG!=E7pY*>3g%pv#CDVTfCt@)#vvbYyRoT#&H^ZRhk7TXxx5Y|6ST3hTELP%4^$# zxiUrOk+E>&>cW{lFwA$MWuYNv0C@Yu1iu4&DVr8C^D2lwhDSWy!3^ki#zBbsMN-V& zJRFF)@0bk~R54X!C_Z^%j_Y7Ig)yy;g@-*o%-z5shg4;`sP{uBmhzpFbx(sL@mtnK z^Bw|mfnc)6I4R`)yH>UR>rI>tG(Go9tJ?b#Q|H0gS>GJ>LeMWxn4J*yASZ8S?XX-@ z)uCpo;{f>s(21r`3{!(@Wp8+t60aI&9uWCRlN zNID&dXPQ{rL!nl+`w^r9B$)TqlNOqg{i~ukq#DQrzw3C|IO0)Nf~`3F=)=~io|am> 
z(SXPzf4db36j-+OPQUR;a|1N&v39v4gwI>WSHg$)nk___m~pKMTtHPGf~ zr>t?N-X|a0KD}YRb$DP)0%m}{7?}oyt7F}m=@(# zQh;r;UvPy^`ALiNpGd$Wj%b9~?;k^>67JO93X_DMTo6jofA#>T#3dI#WtTlZw12<; zmip$4FhuvrMO}cYy~*4`TB!1Qzz9gGOy|Y!l7OMLD?{drQH~0r!0{Rp|D$4%#qJ3N7kQNrkVJ1MZ8-P~pgvzI}giT$q!BC)SS5##EbF&0( zDQ;oqdrZ)Z97yXxx+g32tz7%h*Byw4Um{|zrOO8Sbi{qZfwbsbx4wYu4&AWJ zahp6bU(4seLOW#;b!AYuOiVYWPJ+2JeY81O5gz@ONmuMZyjPs^>}9wX!L>ocnpe;CaPGiZYAj3)V}%5!D=(ff*hB*agb@K+Z6H==0mU_os#A|!>mqa4C4x1&;-^kWLrDX5@=>jFBa3INjL8Bh zW0`hRYC#pba6yYG_~2qfaB`Mbh4w(f%tND(b08s3VH<1Ixob?hWbgJcJ9E}$Sy;MM zvzpy|@m-r8u=ucyMXf|?A4c<}V2SOw4*WQ{eC?2j7dx7=iU8u@g>|j+PBfP2FvwCt z4*rlFSp~ULU=o;nvVPl?t~pL}Xtty@9A$gCqDgP+D>kdUDrZ2l(D8liQBOHK#ke?Y zys!7;k;eO)vJhxLNa}U~d)4z(yoK;9TkGeqE>Re#hm&j+dK+Y9B|d$%LzP#&fwzfA zBdxFkypO3AVu?WW?|jQ*b+S~b-_LZ$eGpTT;}epR6<4=ZfBlMHwy9C$zxS$f;r_|L zGOfYmf#QYLRa)ax6oH8lxSb=0xo$eU;`UCK?zb%>{;f_sem_H;Pgydi(lf!LC8g!b zRq0m1H^hC&Z2XPf%5Z%Cbc9XEe^gF>t~ydbCBk%d#l;!8h|9iXI1ns&j#>pf+IMC2 zXQ>@IRt(`=z`LUC-spfuz>;P*y*QLbg;2Za`7SIIS7dT}$ANiP#X5BM6qR*r$OR4F z%g^f-{7Uc&^B!l2$>)9jdL}qO*JKj|!zTj?sc%ml7JVxeU4K_8zX0EVtgbxUggI0 zPrfpgJ6!&w!W1n@GK45SjIs@2w-BH7y$mo*97!hh2apul-Qrfl5EGI$7ORTWz~pQc zjw#N&i}ZEV$K{JDr4|g;-YPCMvKmaEDj?cs1TlV*#1q!=Y{2gIc#ZD1>u< zF)fa97&{=XO=3LlR90zr@QJM@$D~THKeYW3fdb%HC|%Mz7b{wQ z5%nn@*CdwFhF744RkA+R#)2FTqA;Tjmb{}4F?bKic@tQdT8L>%~H!TfX9VZTt}z3n((f9iZSYa@f2fB_ras zPSMZDz%OD=6cH*c{~Hs;YSsT)Vc>vtv#0)D?K#$>qzJTn=EF$5FYpH$#Q9GGXa`FG zqW>iU)cm&ukO%xV!nahb^G^aW)m_sGg!~T)fWP*0{?hv_`(otvbn?eN4#I1V z@_}-2WDFq$=EA?Ogs48PE-++tDcuJq!)%TtIB0Y}mjLO2B^B(X=}$-q?s4Nb z#>fj&9OZ5+P%{r*)c9ftQpUCck%jaM0O1H3Gpdcu9E<(2Qn{`qr0g$ zWv1U_7OSxq4GB|_<7efwhver$=`EHz9zaEH=kd`a@)~Bh*iOJTV$(+RmY*0Ed#go; zQ_}=QX)O&G3#kpvS_*e>I)J)sS=@*lXs=Ej*J!j~ zIw@s7wsp2Fzh-O>Bx&=4-2Df?r|r<#EHf0O)vVIr`Z67*yZjL}8{?xLr5?ie1F%WRnZUR~c?E04m=%nzQ%ql|!a-D6L!%`4z7ON|8hidAj z;Hl60ck(cCvlGYO574gZf;L$!fi%*oF34elcy5rWEI&O*9-!oEc$aKwQfa8RPpO;o z$&OjjBki<1I~mFJS1^%+CGeVbmO%H` zjEvMwBrd?(2Gy}}x`-l>0OReyW2fmna;OI#))%&O>!}4D$vnzmQT6ruskVz@ 
zTePqT!mY$@-prCO2S{4jMYfT5tCKc1H$r$HI6F|Y)}?R(;~ZJ2tPyN~EXE7^Ke#6ty6K)Pe+ zDXH7VK~>f*@Dcom5<=q_@uS5_-RQ7Kktu^Ynn)p#%O~f=RNbDu854f;mp+#x3B?Wx z*Y8~!@s|Tp$LuyoT86fsS!l#Zd${dQ^FJRu*J9H1QHGVG1sWC* zKxV~eRO9@)Z+NyPSW>NuCCOB^Z3e5bM?qRz-&eN&{K;5nT-7qE5YAM+htfV8uU-4S zjDj|Hqr}M5`crI`7-h9jlTga11XeLT-_)11xHblNhB(R|x*=4+P{ik$U^R%*D(>oP zoEjZX87MgCnbMfNG{Ux2%STF*&ucvA(Ct#<7Ud%Q@SwuS89Wd5rLQZ2vqiU(o)^nF+Vc=Qn@gIG!*5F*3)eG{7E{dD1*`NOE zH2z~{14;Oxg1_5WGsd!3NyY%RT?`}Hq=8`XG)(`WoA*1EbRGAg#FC`@xB~FQWvhhY zI>9;d2VzGeMU$%r794=mS8#-3y#0=hwAhg)fL4W^UZY2Ym5Qxee?kSvh>DG~e|0Xy#9|?pBP$q|v-OqK(9K~tI1VT{hkUc|u!GNHG%o8X3zuj>F<=(V*te@}+_iXduiV6#!+(<^bP5FKLJ*co60@xz)d$;Xf?a%%{7)8^n4F|Kx%IyGp`7 z3b_o=Ac!wyst`%Tz9?U>h{aEO}9IOFRT!{1H+frapA?u(XUgN&>Qaer_omiBLnZc*2(wE5{TJ zBEqa+FV%ZMs~djv$m@56i986&Vc0PqbihMi0$De)fbVk9s7w=J9ZH|a#qT)CCRVTp zt?Y*%s;{>Ebmp%{yHgGf?4dO&;V-ZQuy;^1w^?dj;=;#~MAJt!!-W1t{>13;3!u|V z5z^ygJ&*79kRhZ6;>g&dRIZ6E?}|g!xqpMNUxsRcq09D2E#3nTZI@Rflr>$)IW2M5 z!YzVzbrZt{$XI1Ay;IW_pLFwI#A(X`@@se+3~6GFhtpA(>!~tH)oq)5-&&;vY6mDd zX|ybjBw`cR`bQPDm@Eas8#;*W)d6W62vd8d#v3PLb8*M!DLkOZ!d7q?OgYC3K7->m zN1Qc)6#Y>9wf|H&v*Z#O<%Q4fVjRe*8_`@UKgT&;UT#)Tp*<% z54H|JH5l(`OLCbC8OB{`Za6`fJD_lg z5YxE_tS(5Ob5t;Mn6%1Ec=EP*j0rY#2k(P`-gRJ_ZJwz2anLAZ#Gd4y@Kg8Iq-q~! 
zfKgZ~_Ioe#AO1)!s!zUFq8l}kuj%uHDu;N1+f@GQz;=(J`q9!OQoVbTGj)e;X*je{ zgW}TIP_Tn~cDSSZjvbPqG;iwi)%N$nsIdB@k$v1RzGVen2#uRSnO=Io2~J_}X-YI; zcV+Z8J+F3_h5sn-mZ~N_mK(FQ>tw)*bXO(gJlm^TpK)nIcM}9{bC^z8)4mXKYFE#p z{<~ZEc*WUrUuch(OePa>P%?1LFo*f~tNYqPY|=vAI!de@(L~34aH@fh9VPf2V6T1- zqzVJ7ZFi4shD&J`5Y3DNNA_h9|F#=YkvUlHszxqdjO;i%^_nwT*unbgk+sq*qsaCe zl!$3P(J+qT=t2`1W(_}}Sg#UmJw&@^BDz{PrzuBwIVk5H(DK}0P_D_sIc=fyTlWLj z@7X_nJsV+3cr#`@B=;8-nR!q58@yXrSN;lzV&uQb@OEbJ5V%@JYOI6%FJ3@WEIK`= z1YSXBcpnqQ(&Nby+4se(Bo@ z5u^!PD#$phzxQS!IXw3gY-KJ$(IcVXcyRWsz<$8+HLFEw6_RD{Xpa@jiEZq_ix%=H ziRjn38>yFZC+5&4r)|4h(yahiTg=^Y8RVo#jLaFw@|Y9ffBSF-uUK;&aku;vt5QZ@ z4|TWW41uns@8nzk9$TF)Fx&BM$5<^9BitA*g_hUCn-*V{?u1smIqA%vBZCl=MpZUDb>KZHy-kJeLEdMQbF8R=JSkhE$kQ7w())t(@g7BB8 zmy2*HQk^7`T9NzALPtJ(=K|lAzi|(EoUO&7_2AE zc23-xsCYbN8R>J&xnm1OiQ$tpOuR%5(fmS6b*k1kJJ;big&#}6F!)NvI{D;Ep}aYY zcanxIC+w2k(5EA;(N$s5+v=sHykvnPS!%B&+zkBvH`eR;uXlXerQowQcxgOpZVSrI zI%cC16sA8o>x;f7e*)&ySC<>Gkqs7lde~zIos+WU-qm3pM1{E$>${Dkfp=#2;HK1% zNw(IOBzbf!Dqp(?;=~n{gvAThuU-Ky>A<%HU6Wetc-Zdt0a4ZxoG=x4xCyVx>*>J? zRpGpu@SD?Z)1xz=_Qve@Tq4GI-!+P6R(PnDt*t*r<8qQ5C+Q3lcd~?`b+DDct~DpI zDLp&b1`C6G=nWC0KP52=jbbquhRgZvRm;;Nhh{RHjIx#k@!Ab~#Z|c)I}$YyBnbN? zQWf>kcIX%pV3w^0B_i)@eJxyaN~mr#!{1S@(HD^1rM)`JtX#|64xIKk9|%UIR7ws> z&8{!*4Dl>L7hQvt0he6@Dr!6`ey|wffyyyHA#+~qUEhF{qo@L~#nqZ`>P)&cu!0<@ z-pf|gVsClC&}{s>VV+}^0@2vJAYylu>Ciz@5-#vrwEolovf`bmrJ`Z|ev#a%(7^iH zeZF%p5G6T<^IH!W6=p|$)-Dhgo7s|MU)XcBisqt3A6eDQ654!F+ReyfqGH) zCp#nbY1oapX;=#k`)PSeLj2$cQSM(20ow9}9Eo$Vu%hxtV}Pg@7^(w? 
zHj1))*&CrRgQ3f?7V%)H1sK`{hBgIg+kv5Lu&_N~=!m^l%6iBIkh1xws0-nDF&DxN zs%B$$aB|#w$OibrE!6qQ%Hphc0{i`;es#yh0!YpoG5===FjGYHp`-!qy1zc_X0Ocz9S9(7od74Z zkDO1Fwh)0kk)K1(Ar#yIu^@0M6matH^y0t5Ee+u2{4bec%fSC*)5BmixQQ{y32Xm) zg96M8+&TPg(hgE!UNPg~WH7H`Ft2}Av&lI~fq7AYd4W6R{C|Lf|Am(0`TDOkb{u$Q z{LkF~6VuCJUff__;Qn$3^D+hVS_kvul6DyS#|zwF&fuDs!MwQR*2jTyDTl0vLb+6X zj}TeN5EO4#xXhYocavVLaOR$SH1D2PEWnULVyd`^q_OnUfRjxlO~Wl<{MF#AFB?m#fA z1b#ZV1A1eX__>VV)W#J^h?ARsc+xqzKny^2y9szM4sKa5_B3@lpKq#jt57$;1EYZH>7xy`xjJTmM5`dHWKx|d#H(Fx zErAco4WVXX;GJT-YC1%Md-oyu$j;DmK?27t@_UpV%cr2qf`
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index cf724282d99..863624ded83 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -52,8 +52,10 @@
 "_solutionVersion": "3.0.7",
 "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
 "_solutionId": "[variables('solutionId')]",
- "_uiConfigId1": "AzureActiveDirectory",
- "_dataConnectorContentId1": "AzureActiveDirectory",
+ "uiConfigId1": "AzureActiveDirectory",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "AzureActiveDirectory",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
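Review bot: The added `uiConfigId1` and `dataConnectorContentId1` variables each hard-code the literal `AzureActiveDirectory` independently, so the connector's UI config id and its content id can silently diverge if a later rebranding pass edits one but not the other; `dataConnectorId1` and `dataConnectorTemplateSpecName1` in the same hunk are both derived from `variables('_dataConnectorContentId1')`, so such a drift would rename the deployed connector resource while the UI id stays put. If the packaging tool tolerates hand edits here, deriving one from the other, `"dataConnectorContentId1": "[variables('uiConfigId1')]"`, keeps them in lockstep. Keeping the legacy `AzureActiveDirectory` value rather than an Entra-branded id looks deliberate (presumably so existing deployments upgrade in place instead of creating a second connector), but that intent is recorded nowhere in the template; since ARM JSON has no comment syntax, a sentence in the solution's release notes or package README is the place to state it. Both hunks in this file sit inside the same `variables` object, whose start and end are outside the hunk.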
@@ -72,440 +74,378 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", - "_analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", - "_analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", - "_analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", - "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.1", - "_analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", - "_analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.3')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "2.0.0", - "_analyticRulecontentId6": 
"7cb8f77d-c52f-4e46-b82f-3cf2e106224a", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.0')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.8", - "_analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.8')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.2", - "_analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50574fac-f8d1-4395-81c7-78a463ff0c52')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.2')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.4", 
- "_analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.4')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "2.0.1", - "_analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" - }, - "analyticRuleObject11": { - "analyticRuleVersion11": "2.0.0", - "_analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.0')))]" - }, - 
"analyticRuleObject12": { - "analyticRuleVersion12": "2.0.0", - "_analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" - }, - "analyticRuleObject13": { - "analyticRuleVersion13": "1.0.4", - "_analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" - }, - "analyticRuleObject14": { - "analyticRuleVersion14": "1.0.4", - "_analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.4')))]" - }, - "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.2", - "_analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" - }, - "analyticRuleObject16": { - "analyticRuleVersion16": "1.0.1", - "_analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '757e6a79-6d23-4ae6-9845-4dac170656b5')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.1')))]" - }, - "analyticRuleObject17": { - "analyticRuleVersion17": "1.0.1", - "_analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", - "_analyticRulecontentProductId17": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.1')))]" - }, - "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.1", - "_analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', '1.0.1')))]" - }, - "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.1", - "_analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '276d5190-38de-4eb2-9933-b3b72f4a5737')]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', '1.0.1')))]" - }, - "analyticRuleObject20": { - "analyticRuleVersion20": "1.0.1", - "_analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", - "analyticRuleTemplateSpecName20": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" - }, - "analyticRuleObject21": { - "analyticRuleVersion21": "1.0.1", - "_analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" - }, - "analyticRuleObject22": { - "analyticRuleVersion22": "1.0.2", - "_analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" - }, - "analyticRuleObject23": { - "analyticRuleVersion23": "1.0.2", - "_analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.2')))]" - }, - "analyticRuleObject24": { - "analyticRuleVersion24": "1.0.2", - "_analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.2')))]" - }, - "analyticRuleObject25": { - "analyticRuleVersion25": "1.0.0", - "_analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" - }, - "analyticRuleObject26": { - "analyticRuleVersion26": "1.0.4", - "_analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", - "analyticRuleId26": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.4')))]" - }, - "analyticRuleObject27": { - "analyticRuleVersion27": "1.1.4", - "_analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" - }, - "analyticRuleObject28": { - "analyticRuleVersion28": "1.0.3", - "_analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.3')))]" - }, - "analyticRuleObject29": { - "analyticRuleVersion29": "1.0.3", - "_analyticRulecontentId29": 
"2560515c-07d1-434e-87fb-ebe3af267760", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" - }, - "analyticRuleObject30": { - "analyticRuleVersion30": "1.1.1", - "_analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" - }, - "analyticRuleObject31": { - "analyticRuleVersion31": "1.0.1", - "_analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39198934-62a0-4781-8416-a81265c03fd6')]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]" - }, - "analyticRuleObject32": { - 
"analyticRuleVersion32": "2.0.0", - "_analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.0')))]" - }, - "analyticRuleObject33": { - "analyticRuleVersion33": "1.0.2", - "_analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b','-', '1.0.2')))]" - }, - "analyticRuleObject34": { - "analyticRuleVersion34": "1.0.1", - "_analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', 
'1.0.1')))]" - }, - "analyticRuleObject35": { - "analyticRuleVersion35": "1.0.0", - "_analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', '1.0.0')))]" - }, - "analyticRuleObject36": { - "analyticRuleVersion36": "1.1.1", - "_analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", - "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]" - }, - "analyticRuleObject37": { - "analyticRuleVersion37": "1.0.1", - "_analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]", - "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]" - }, - "analyticRuleObject38": { - "analyticRuleVersion38": "1.0.2", - "_analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', '1.0.2')))]" - }, - "analyticRuleObject39": { - "analyticRuleVersion39": "1.0.4", - "_analyticRulecontentId39": "b6988c32-4f3b-4a45-8313-b46b33061a74", - "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]", - "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]", - "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]" - }, - "analyticRuleObject40": { - "analyticRuleVersion40": "1.0.2", - "_analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", - "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]", - "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]", - "_analyticRulecontentProductId40": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]" - }, - "analyticRuleObject41": { - "analyticRuleVersion41": "1.0.1", - "_analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", - "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]", - "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]", - "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.1')))]" - }, - "analyticRuleObject42": { - "analyticRuleVersion42": "1.0.1", - "_analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", - "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]", - "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]", - "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', '1.0.1')))]" - }, - "analyticRuleObject43": { - "analyticRuleVersion43": "1.0.3", - "_analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", - "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]", - "analyticRuleTemplateSpecName43": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]", - "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.3')))]" - }, - "analyticRuleObject44": { - "analyticRuleVersion44": "1.0.7", - "_analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", - "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]", - "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]", - "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]" - }, - "analyticRuleObject45": { - "analyticRuleVersion45": "1.0.3", - "_analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", - "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]", - "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]", - "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.3')))]" - }, - "analyticRuleObject46": { - "analyticRuleVersion46": "1.0.4", - "_analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", - "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'269435e3-1db8-4423-9dfc-9bf59997da1c')]", - "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]", - "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]" - }, - "analyticRuleObject47": { - "analyticRuleVersion47": "1.1.4", - "_analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", - "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]", - "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]", - "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]" - }, - "analyticRuleObject48": { - "analyticRuleVersion48": "1.0.2", - "_analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", - "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]", - "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.2')))]" - }, - "analyticRuleObject49": { - "analyticRuleVersion49": "1.0.1", - "_analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", - "analyticRuleId49": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]", - "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.1')))]" - }, - "analyticRuleObject50": { - "analyticRuleVersion50": "2.1.3", - "_analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", - "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500c103a-0319-4d56-8e99-3cec8d860757')]", - "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]", - "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]" - }, - "analyticRuleObject51": { - "analyticRuleVersion51": "2.1.3", - "_analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", - "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]", - "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]", - "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]" - }, - "analyticRuleObject52": { - "analyticRuleVersion52": "1.0.4", - "_analyticRulecontentId52": 
"48607a29-a26a-4abf-8078-a06dbdd174a4", - "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]", - "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]", - "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.4')))]" - }, - "analyticRuleObject53": { - "analyticRuleVersion53": "2.1.6", - "_analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", - "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]", - "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]", - "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.6')))]" - }, - "analyticRuleObject54": { - "analyticRuleVersion54": "1.0.1", - "_analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", - "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a3c6835-0086-40ca-b033-a93bf26d878f')]", - "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]", - "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.1')))]" - }, - "analyticRuleObject55": { - 
"analyticRuleVersion55": "1.0.1", - "_analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587", - "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]", - "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]", - "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]" - }, - "analyticRuleObject56": { - "analyticRuleVersion56": "1.0.2", - "_analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", - "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]", - "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]", - "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]" - }, - "analyticRuleObject57": { - "analyticRuleVersion57": "1.0.0", - "_analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", - "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]", - "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]", - "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', 
'1.0.0')))]" - }, - "analyticRuleObject58": { - "analyticRuleVersion58": "1.0.7", - "_analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", - "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]", - "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]", - "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.7')))]" - }, - "analyticRuleObject59": { - "analyticRuleVersion59": "2.0.2", - "_analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", - "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]", - "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]", - "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.2')))]" - }, - "analyticRuleObject60": { - "analyticRuleVersion60": "1.0.4", - "_analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", - "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]", - "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]", - "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.4')))]" - }, - "analyticRuleObject61": { - "analyticRuleVersion61": "1.0.0", - "_analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", - "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '746ddb63-f51b-4563-b449-a8b13cf302ec')]", - "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('746ddb63-f51b-4563-b449-a8b13cf302ec')))]", - "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','746ddb63-f51b-4563-b449-a8b13cf302ec','-', '1.0.0')))]" - }, - "analyticRuleObject62": { - "analyticRuleVersion62": "1.0.8", - "_analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", - "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]", - "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]", - "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.8')))]" - }, + "analyticRuleVersion1": "1.0.3", + "analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + 
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.2", + "analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.1", + "analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.1", + "analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.4", + "analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "2.0.1", + "analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.8", + 
"analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", + "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.3", + "analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", + "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "analyticRuleVersion9": "1.0.5", + "analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", + "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", + "analyticRuleVersion10": "2.0.1", + "analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", + "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", + "analyticRuleVersion11": "2.0.1", + "analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", + "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", + "analyticRuleVersion12": "2.0.0", + "analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", + "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", + 
"analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", + "analyticRuleVersion13": "1.0.4", + "analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", + "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", + "analyticRuleVersion14": "1.0.5", + "analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", + "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", + "analyticRuleVersion15": "1.0.2", + "analyticRulecontentId15": 
"707494a5-8e44-486b-90f8-155d1797a8eb", + "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", + "analyticRuleVersion16": "1.0.2", + "analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", + "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", + "analyticRuleVersion17": "1.0.2", + "analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", + "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", + "_analyticRulecontentProductId17": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", + "analyticRuleVersion18": "1.0.1", + "analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", + "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", + "analyticRuleVersion19": "1.0.1", + "analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", + "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", + "analyticRuleVersion20": "1.0.1", + "analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", + "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", 
+ "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", + "analyticRuleVersion21": "1.0.1", + "analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", + "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", + "analyticRuleVersion22": "1.0.2", + "analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", + "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", + "analyticRuleVersion23": "1.0.3", + "analyticRulecontentId23": 
"bfb1c90f-8006-4325-98be-c7fffbc254d6", + "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", + "analyticRuleVersion24": "1.0.2", + "analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", + "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", + "analyticRuleVersion25": "1.0.0", + "analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", + "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", + "_analyticRulecontentProductId25": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", + "analyticRuleVersion26": "1.0.5", + "analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", + "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]", + "analyticRuleVersion27": "1.1.4", + "analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", + "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", + "analyticRuleVersion28": "1.0.4", + "analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", + "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", 
+ "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", + "analyticRuleVersion29": "1.0.3", + "analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760", + "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", + "analyticRuleVersion30": "1.1.1", + "analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", + "analyticRuleVersion31": "1.0.1", + "analyticRulecontentId31": 
"39198934-62a0-4781-8416-a81265c03fd6", + "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", + "analyticRuleVersion32": "2.0.0", + "analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", + "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", + "analyticRuleVersion33": "1.0.2", + "analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", + "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", + "_analyticRulecontentProductId33": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", + "analyticRuleVersion34": "1.0.1", + "analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", + "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", + "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", + "analyticRuleVersion35": "1.0.0", + "analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", + "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", + "analyticRuleVersion36": "1.1.1", + "analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", + "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]", 
+ "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]", + "analyticRuleVersion37": "1.0.1", + "analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", + "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]", + "analyticRuleVersion38": "1.0.2", + "analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", + "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]", + "analyticRuleVersion39": "1.0.4", + "analyticRulecontentId39": 
"b6988c32-4f3b-4a45-8313-b46b33061a74", + "_analyticRulecontentId39": "[variables('analyticRulecontentId39')]", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId39'))]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId39'))))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId39'),'-', variables('analyticRuleVersion39'))))]", + "analyticRuleVersion40": "1.0.2", + "analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", + "_analyticRulecontentId40": "[variables('analyticRulecontentId40')]", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId40'))]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId40'))))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId40'),'-', variables('analyticRuleVersion40'))))]", + "analyticRuleVersion41": "1.0.1", + "analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", + "_analyticRulecontentId41": "[variables('analyticRulecontentId41')]", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]", + "_analyticRulecontentProductId41": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]", + "analyticRuleVersion42": "1.0.1", + "analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", + "_analyticRulecontentId42": "[variables('analyticRulecontentId42')]", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId42'))))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId42'),'-', variables('analyticRuleVersion42'))))]", + "analyticRuleVersion43": "1.0.4", + "analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", + "_analyticRulecontentId43": "[variables('analyticRulecontentId43')]", + "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId43'))]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId43'))))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId43'),'-', variables('analyticRuleVersion43'))))]", + "analyticRuleVersion44": "1.0.7", + "analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", + "_analyticRulecontentId44": "[variables('analyticRulecontentId44')]", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId44'))]", 
+ "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId44'))))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId44'),'-', variables('analyticRuleVersion44'))))]", + "analyticRuleVersion45": "1.0.3", + "analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", + "_analyticRulecontentId45": "[variables('analyticRulecontentId45')]", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId45'))]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId45'))))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId45'),'-', variables('analyticRuleVersion45'))))]", + "analyticRuleVersion46": "1.0.4", + "analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", + "_analyticRulecontentId46": "[variables('analyticRulecontentId46')]", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId46'))]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId46'))))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId46'),'-', variables('analyticRuleVersion46'))))]", + "analyticRuleVersion47": "1.1.4", + "analyticRulecontentId47": 
"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", + "_analyticRulecontentId47": "[variables('analyticRulecontentId47')]", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]", + "analyticRuleVersion48": "1.0.3", + "analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", + "_analyticRulecontentId48": "[variables('analyticRulecontentId48')]", + "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]", + "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId48'))))]", + "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId48'),'-', variables('analyticRuleVersion48'))))]", + "analyticRuleVersion49": "1.0.2", + "analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", + "_analyticRulecontentId49": "[variables('analyticRulecontentId49')]", + "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId49'))]", + "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId49'))))]", + "_analyticRulecontentProductId49": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId49'),'-', variables('analyticRuleVersion49'))))]", + "analyticRuleVersion50": "2.1.3", + "analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", + "_analyticRulecontentId50": "[variables('analyticRulecontentId50')]", + "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]", + "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]", + "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]", + "analyticRuleVersion51": "2.1.3", + "analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", + "_analyticRulecontentId51": "[variables('analyticRulecontentId51')]", + "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]", + "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId51'))))]", + "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId51'),'-', variables('analyticRuleVersion51'))))]", + "analyticRuleVersion52": "1.0.5", + "analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4", + "_analyticRulecontentId52": "[variables('analyticRulecontentId52')]", + "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId52'))]", 
+ "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId52'))))]", + "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId52'),'-', variables('analyticRuleVersion52'))))]", + "analyticRuleVersion53": "2.1.6", + "analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", + "_analyticRulecontentId53": "[variables('analyticRulecontentId53')]", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]", + "analyticRuleVersion54": "1.0.3", + "analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", + "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]", + "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]", + "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId54'))))]", + "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId54'),'-', variables('analyticRuleVersion54'))))]", + "analyticRuleVersion55": "1.0.1", + "analyticRulecontentId55": 
"3533f74c-9207-4047-96e2-0eb9383be587", + "_analyticRulecontentId55": "[variables('analyticRulecontentId55')]", + "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId55'))]", + "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId55'))))]", + "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId55'),'-', variables('analyticRuleVersion55'))))]", + "analyticRuleVersion56": "1.0.2", + "analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", + "_analyticRulecontentId56": "[variables('analyticRulecontentId56')]", + "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId56'))]", + "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId56'))))]", + "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId56'),'-', variables('analyticRuleVersion56'))))]", + "analyticRuleVersion57": "1.0.0", + "analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", + "_analyticRulecontentId57": "[variables('analyticRulecontentId57')]", + "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]", + "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]", + "_analyticRulecontentProductId57": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]", + "analyticRuleVersion58": "1.0.7", + "analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", + "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]", + "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]", + "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId58'))))]", + "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId58'),'-', variables('analyticRuleVersion58'))))]", + "analyticRuleVersion59": "2.0.2", + "analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", + "_analyticRulecontentId59": "[variables('analyticRulecontentId59')]", + "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]", + "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]", + "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]", + "analyticRuleVersion60": "1.0.5", + "analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", + "_analyticRulecontentId60": "[variables('analyticRulecontentId60')]", + "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId60'))]", 
+ "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId60'))))]", + "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId60'),'-', variables('analyticRuleVersion60'))))]", + "analyticRuleVersion61": "1.0.0", + "analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", + "_analyticRulecontentId61": "[variables('analyticRulecontentId61')]", + "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId61'))]", + "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId61'))))]", + "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId61'),'-', variables('analyticRuleVersion61'))))]", + "analyticRuleVersion62": "1.0.8", + "analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", + "_analyticRulecontentId62": "[variables('analyticRulecontentId62')]", + "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId62'))]", + "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId62'))))]", + "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId62'),'-', variables('analyticRuleVersion62'))))]", "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger", 
"_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]", "playbookVersion1": "1.1", @@ -622,7 +562,7 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "id": "AzureActiveDirectory", + "id": "[variables('_uiConfigId1')]", "title": "Microsoft Entra ID", "publisher": "Microsoft", "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", @@ -1156,7 +1096,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1165,13 +1105,13 @@ "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "contentVersion": "[variables('analyticRuleVersion1')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1231,13 +1171,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "version": "[variables('analyticRuleVersion1')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1262,18 +1202,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Account Created and Deleted in Short Timeframe",
- "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1282,13 +1222,13 @@
 "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "name": "[variables('analyticRulecontentId2')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1348,13 +1288,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 2",
- "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
- "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "version": "[variables('analyticRuleVersion2')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1379,18 +1319,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Account created or deleted by non-approved user",
- "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
- "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1399,13 +1339,13 @@
 "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "name": "[variables('analyticRulecontentId3')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1462,13 +1402,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 3",
- "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
- "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "version": "[variables('analyticRuleVersion3')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1493,18 +1433,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Modified domain federation trust settings",
- "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
- "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
- "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1513,13 +1453,13 @@
 "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "name": "[variables('analyticRulecontentId4')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1566,13 +1506,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 4",
- "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "version": "[variables('analyticRuleVersion4')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1597,18 +1537,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Password spray attack against ADFSSignInLogs",
- "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1617,13 +1557,13 @@
 "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "name": "[variables('analyticRulecontentId5')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1685,13 +1625,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 5",
- "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "version": "[variables('analyticRuleVersion5')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1716,18 +1656,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Admin promotion after Role Management Application Permission Grant",
- "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1736,13 +1676,13 @@
 "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "name": "[variables('analyticRulecontentId6')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1813,13 +1753,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 6",
- "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "version": "[variables('analyticRuleVersion6')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1844,18 +1784,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Anomalous sign-in location by user account and authenticating application",
- "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1864,13 +1804,13 @@
 "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "name": "[variables('analyticRulecontentId7')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1943,13 +1883,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 7",
- "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "version": "[variables('analyticRuleVersion7')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1974,18 +1914,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Authentication Methods Changed for Privileged Account",
- "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1994,13 +1934,13 @@
 "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "name": "[variables('analyticRulecontentId8')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2070,13 +2010,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 8",
- "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "version": "[variables('analyticRuleVersion8')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2101,18 +2041,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources",
- "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2121,13 +2061,13 @@
 "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "name": "[variables('analyticRulecontentId9')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2189,13 +2129,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 9",
- "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "version": "[variables('analyticRuleVersion9')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2220,18 +2160,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Microsoft Entra ID Role Management Permission Grant",
- "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2240,13 +2180,13 @@
 "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "name": "[variables('analyticRulecontentId10')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2314,13 +2254,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 10",
- "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "version": "[variables('analyticRuleVersion10')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2345,18 +2285,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Azure Portal sign in from another Azure Tenant",
- "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
+ "name": "[variables('analyticRuleTemplateSpecName11')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2365,13 +2305,13 @@
 "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "contentVersion": "[variables('analyticRuleVersion11')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "name": "[variables('analyticRulecontentId11')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2428,13 +2368,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 11",
- "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "parentId": "[variables('analyticRuleId11')]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "version": "[variables('analyticRuleVersion11')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2459,18 +2399,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Brute Force Attack against GitHub Account",
- "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
+ "contentProductId": "[variables('_analyticRulecontentProductId11')]",
+ "id": "[variables('_analyticRulecontentProductId11')]",
+ "version": "[variables('analyticRuleVersion11')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
+ "name": "[variables('analyticRuleTemplateSpecName12')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2479,13 +2419,13 @@
 "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "contentVersion": "[variables('analyticRuleVersion12')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "name": "[variables('analyticRulecontentId12')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2545,13 +2485,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 12",
- "parentId": "[variables('analyticRuleObject12').analyticRuleId12]",
- "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "parentId": "[variables('analyticRuleId12')]",
+ "contentId": "[variables('_analyticRulecontentId12')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "version": "[variables('analyticRuleVersion12')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2576,18 +2516,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "contentId": "[variables('_analyticRulecontentId12')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Brute force attack against a Cloud PC",
- "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
- "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
- "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
+ "contentProductId": "[variables('_analyticRulecontentProductId12')]",
+ "id": "[variables('_analyticRulecontentProductId12')]",
+ "version": "[variables('analyticRuleVersion12')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
+ "name": "[variables('analyticRuleTemplateSpecName13')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2596,13 +2536,13 @@
 "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "contentVersion": "[variables('analyticRuleVersion13')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "name": "[variables('analyticRulecontentId13')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2670,13 +2610,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 13",
- "parentId": "[variables('analyticRuleObject13').analyticRuleId13]",
- "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "parentId": "[variables('analyticRuleId13')]",
+ "contentId": "[variables('_analyticRulecontentId13')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "version": "[variables('analyticRuleVersion13')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2701,18 +2641,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "contentId": "[variables('_analyticRulecontentId13')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Bulk Changes to Privileged Account Permissions",
- "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
- "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
- "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
+ "contentProductId": "[variables('_analyticRulecontentProductId13')]",
+ "id": "[variables('_analyticRulecontentProductId13')]",
+ "version": "[variables('analyticRuleVersion13')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]",
+ "name": "[variables('analyticRuleTemplateSpecName14')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2721,13 +2661,13 @@
 "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "contentVersion": "[variables('analyticRuleVersion14')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "name": "[variables('analyticRulecontentId14')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2795,13 +2735,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 14",
- "parentId": "[variables('analyticRuleObject14').analyticRuleId14]",
- "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "parentId": "[variables('analyticRuleId14')]",
+ "contentId": "[variables('_analyticRulecontentId14')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "version": "[variables('analyticRuleVersion14')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2826,18 +2766,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "contentId": "[variables('_analyticRulecontentId14')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID",
- "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
- "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
- "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
+ "contentProductId": "[variables('_analyticRulecontentProductId14')]",
+ "id": "[variables('_analyticRulecontentProductId14')]",
+ "version": "[variables('analyticRuleVersion14')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]",
+ "name": "[variables('analyticRuleTemplateSpecName15')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2846,13 +2786,13 @@
 "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "contentVersion": "[variables('analyticRuleVersion15')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "name": "[variables('analyticRulecontentId15')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2909,13 +2849,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 15",
- "parentId": "[variables('analyticRuleObject15').analyticRuleId15]",
- "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "parentId": "[variables('analyticRuleId15')]",
+ "contentId": "[variables('_analyticRulecontentId15')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "version": "[variables('analyticRuleVersion15')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2940,18 +2880,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "contentId": "[variables('_analyticRulecontentId15')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Credential added after admin consented to Application",
- "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
- "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
- "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
+ "contentProductId": "[variables('_analyticRulecontentProductId15')]",
+ "id": "[variables('_analyticRulecontentProductId15')]",
+ "version": "[variables('analyticRuleVersion15')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]",
+ "name": "[variables('analyticRuleTemplateSpecName16')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2960,13 +2900,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "contentVersion": "[variables('analyticRuleVersion16')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "name": "[variables('analyticRulecontentId16')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3030,13 +2970,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 16",
- "parentId": "[variables('analyticRuleObject16').analyticRuleId16]",
- "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "parentId": "[variables('analyticRuleId16')]",
+ "contentId": "[variables('_analyticRulecontentId16')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "version": "[variables('analyticRuleVersion16')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3061,18 +3001,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "contentId": "[variables('_analyticRulecontentId16')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Added",
- "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
- "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
- "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
+ "contentProductId": "[variables('_analyticRulecontentProductId16')]",
+ "id": "[variables('_analyticRulecontentProductId16')]",
+ "version": "[variables('analyticRuleVersion16')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]",
+ "name": "[variables('analyticRuleTemplateSpecName17')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3081,13 +3021,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "contentVersion": "[variables('analyticRuleVersion17')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "name": "[variables('analyticRulecontentId17')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3151,13 +3091,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 17",
- "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
- "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "parentId": "[variables('analyticRuleId17')]",
+ "contentId": "[variables('_analyticRulecontentId17')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "version": "[variables('analyticRuleVersion17')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3182,18 +3122,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "contentId": "[variables('_analyticRulecontentId17')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Deleted",
- "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
- "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
- "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
+ "contentProductId": "[variables('_analyticRulecontentProductId17')]",
+ "id": "[variables('_analyticRulecontentProductId17')]",
+ "version": "[variables('analyticRuleVersion17')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]",
+ "name": "[variables('analyticRuleTemplateSpecName18')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3202,13 +3142,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "contentVersion": "[variables('analyticRuleVersion18')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "name": "[variables('analyticRulecontentId18')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3272,13 +3212,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 18",
- "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
- "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "parentId": "[variables('analyticRuleId18')]",
+ "contentId": "[variables('_analyticRulecontentId18')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "version": "[variables('analyticRuleVersion18')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3303,18 +3243,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "contentId": "[variables('_analyticRulecontentId18')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
- "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
- "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
- "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
+ "contentProductId": "[variables('_analyticRulecontentProductId18')]",
+ "id": "[variables('_analyticRulecontentProductId18')]",
+ "version": "[variables('analyticRuleVersion18')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]",
+ "name": "[variables('analyticRuleTemplateSpecName19')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3323,13 +3263,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "contentVersion": "[variables('analyticRuleVersion19')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "name": "[variables('analyticRulecontentId19')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3393,13 +3333,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 19",
- "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "parentId": "[variables('analyticRuleId19')]",
+ "contentId": "[variables('_analyticRulecontentId19')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "version": "[variables('analyticRuleVersion19')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3424,18 +3364,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "contentId": "[variables('_analyticRulecontentId19')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
- "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
- "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
+ "contentProductId": "[variables('_analyticRulecontentProductId19')]",
+ "id": "[variables('_analyticRulecontentProductId19')]",
+ "version": "[variables('analyticRuleVersion19')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]",
+ "name": "[variables('analyticRuleTemplateSpecName20')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3444,13 +3384,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "contentVersion": "[variables('analyticRuleVersion20')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "name": "[variables('analyticRulecontentId20')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3514,13 +3454,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 20",
- "parentId": "[variables('analyticRuleObject20').analyticRuleId20]",
- "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "parentId": "[variables('analyticRuleId20')]",
+ "contentId": "[variables('_analyticRulecontentId20')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "version": "[variables('analyticRuleVersion20')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3545,18 +3485,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "contentId": "[variables('_analyticRulecontentId20')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
- "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
- "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
- "version": "[variables('analyticRuleObject20').analyticRuleVersion20]"
+ "contentProductId": "[variables('_analyticRulecontentProductId20')]",
+ "id": "[variables('_analyticRulecontentProductId20')]",
+ "version": "[variables('analyticRuleVersion20')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]",
+ "name": "[variables('analyticRuleTemplateSpecName21')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3565,13 +3505,13 @@
 "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "contentVersion": "[variables('analyticRuleVersion21')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "name": "[variables('analyticRulecontentId21')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3635,13 +3575,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 21",
- "parentId": "[variables('analyticRuleObject21').analyticRuleId21]",
- "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "parentId": "[variables('analyticRuleId21')]",
+ "contentId": "[variables('_analyticRulecontentId21')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "version": "[variables('analyticRuleVersion21')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3666,18 +3606,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "contentId": "[variables('_analyticRulecontentId21')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
- "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
- "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
- "version": "[variables('analyticRuleObject21').analyticRuleVersion21]"
+ "contentProductId": "[variables('_analyticRulecontentProductId21')]",
+ "id": "[variables('_analyticRulecontentProductId21')]",
+ "version": "[variables('analyticRuleVersion21')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]",
+ "name": "[variables('analyticRuleTemplateSpecName22')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3686,13 +3626,13 @@
 "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "contentVersion": "[variables('analyticRuleVersion22')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "name": "[variables('analyticRulecontentId22')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3758,13 +3698,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 22",
- "parentId": "[variables('analyticRuleObject22').analyticRuleId22]",
- "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "parentId": "[variables('analyticRuleId22')]",
+ "contentId": "[variables('_analyticRulecontentId22')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "version": "[variables('analyticRuleVersion22')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3789,18 +3729,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "contentId": "[variables('_analyticRulecontentId22')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Attempts to sign in to disabled accounts",
- "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
- "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
- "version": "[variables('analyticRuleObject22').analyticRuleVersion22]"
+ "contentProductId": "[variables('_analyticRulecontentProductId22')]",
+ "id": "[variables('_analyticRulecontentProductId22')]",
+ "version": "[variables('analyticRuleVersion22')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]",
+ "name": "[variables('analyticRuleTemplateSpecName23')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3809,13 +3749,13 @@
 "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]",
+ "contentVersion": "[variables('analyticRuleVersion23')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "name": "[variables('analyticRulecontentId23')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3881,13 +3821,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 23",
- "parentId": "[variables('analyticRuleObject23').analyticRuleId23]",
- "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "parentId": "[variables('analyticRuleId23')]",
+ "contentId": "[variables('_analyticRulecontentId23')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject23').analyticRuleVersion23]",
+ "version": "[variables('analyticRuleVersion23')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -3912,18 +3852,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "contentId": "[variables('_analyticRulecontentId23')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Distributed Password cracking attempts in Microsoft Entra ID",
- "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
- "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
- "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
+ "contentProductId": "[variables('_analyticRulecontentProductId23')]",
+ "id": "[variables('_analyticRulecontentProductId23')]",
+ "version": "[variables('analyticRuleVersion23')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]",
+ "name": "[variables('analyticRuleTemplateSpecName24')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -3932,13 +3872,13 @@
 "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
+ "contentVersion": "[variables('analyticRuleVersion24')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "name": "[variables('analyticRulecontentId24')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4013,13 +3953,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 24",
- "parentId": "[variables('analyticRuleObject24').analyticRuleId24]",
- "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "parentId": "[variables('analyticRuleId24')]",
+ "contentId": "[variables('_analyticRulecontentId24')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject24').analyticRuleVersion24]",
+ "version": "[variables('analyticRuleVersion24')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4044,18 +3984,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "contentId": "[variables('_analyticRulecontentId24')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Explicit MFA Deny",
- "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
- "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
- "version": "[variables('analyticRuleObject24').analyticRuleVersion24]"
+ "contentProductId": "[variables('_analyticRulecontentProductId24')]",
+ "id": "[variables('_analyticRulecontentProductId24')]",
+ "version": "[variables('analyticRuleVersion24')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]",
+ "name": "[variables('analyticRuleTemplateSpecName25')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4064,13 +4004,13 @@
 "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]",
+ "contentVersion": "[variables('analyticRuleVersion25')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "name": "[variables('analyticRulecontentId25')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4139,13 +4079,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 25",
- "parentId": "[variables('analyticRuleObject25').analyticRuleId25]",
- "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "parentId": "[variables('analyticRuleId25')]",
+ "contentId": "[variables('_analyticRulecontentId25')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject25').analyticRuleVersion25]",
+ "version": "[variables('analyticRuleVersion25')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4170,18 +4110,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "contentId": "[variables('_analyticRulecontentId25')]",
 "contentKind": "AnalyticsRule",
 "displayName": "full_access_as_app Granted To Application",
- "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
- "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
- "version": "[variables('analyticRuleObject25').analyticRuleVersion25]"
+ "contentProductId": "[variables('_analyticRulecontentProductId25')]",
+ "id": "[variables('_analyticRulecontentProductId25')]",
+ "version": "[variables('analyticRuleVersion25')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]",
+ "name": "[variables('analyticRuleTemplateSpecName26')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4190,13 +4130,13 @@
 "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]",
+ "contentVersion": "[variables('analyticRuleVersion26')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "name": "[variables('analyticRulecontentId26')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4262,13 +4202,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 26",
- "parentId": "[variables('analyticRuleObject26').analyticRuleId26]",
- "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "parentId": "[variables('analyticRuleId26')]",
+ "contentId": "[variables('_analyticRulecontentId26')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject26').analyticRuleVersion26]",
+ "version": "[variables('analyticRuleVersion26')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4293,18 +4233,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "contentId": "[variables('_analyticRulecontentId26')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Failed login attempts to Azure Portal",
- "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
- "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
- "version": "[variables('analyticRuleObject26').analyticRuleVersion26]"
+ "contentProductId": "[variables('_analyticRulecontentProductId26')]",
+ "id": "[variables('_analyticRulecontentProductId26')]",
+ "version": "[variables('analyticRuleVersion26')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]",
+ "name": "[variables('analyticRuleTemplateSpecName27')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4313,13 +4253,13 @@
 "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
+ "contentVersion": "[variables('analyticRuleVersion27')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "name": "[variables('analyticRulecontentId27')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4388,13 +4328,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 27",
- "parentId": "[variables('analyticRuleObject27').analyticRuleId27]",
- "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "parentId": "[variables('analyticRuleId27')]",
+ "contentId": "[variables('_analyticRulecontentId27')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject27').analyticRuleVersion27]",
+ "version": "[variables('analyticRuleVersion27')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4419,18 +4359,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "contentId": "[variables('_analyticRulecontentId27')]",
 "contentKind": "AnalyticsRule",
 "displayName": "First access credential added to Application or Service Principal where no credential was present",
- "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
- "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
- "version": "[variables('analyticRuleObject27').analyticRuleVersion27]"
+ "contentProductId": "[variables('_analyticRulecontentProductId27')]",
+ "id": "[variables('_analyticRulecontentProductId27')]",
+ "version": "[variables('analyticRuleVersion27')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]",
+ "name": "[variables('analyticRuleTemplateSpecName28')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4439,13 +4379,13 @@
 "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
+ "contentVersion": "[variables('analyticRuleVersion28')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "name": "[variables('analyticRulecontentId28')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4518,13 +4458,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 28",
- "parentId": "[variables('analyticRuleObject28').analyticRuleId28]",
- "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "parentId": "[variables('analyticRuleId28')]",
+ "contentId": "[variables('_analyticRulecontentId28')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject28').analyticRuleVersion28]",
+ "version": "[variables('analyticRuleVersion28')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4549,18 +4489,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "contentId": "[variables('_analyticRulecontentId28')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Guest accounts added in Entra ID Groups other than the ones specified",
- "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
- "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
- "version": "[variables('analyticRuleObject28').analyticRuleVersion28]"
+ "contentProductId": "[variables('_analyticRulecontentProductId28')]",
+ "id": "[variables('_analyticRulecontentProductId28')]",
+ "version": "[variables('analyticRuleVersion28')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]",
+ "name": "[variables('analyticRuleTemplateSpecName29')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4569,13 +4509,13 @@
 "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
+ "contentVersion": "[variables('analyticRuleVersion29')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "name": "[variables('analyticRulecontentId29')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4635,13 +4575,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 29",
- "parentId": "[variables('analyticRuleObject29').analyticRuleId29]",
- "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "parentId": "[variables('analyticRuleId29')]",
+ "contentId": "[variables('_analyticRulecontentId29')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject29').analyticRuleVersion29]",
+ "version": "[variables('analyticRuleVersion29')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4666,18 +4606,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "contentId": "[variables('_analyticRulecontentId29')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Mail.Read Permissions Granted to Application",
- "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
- "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
- "version": "[variables('analyticRuleObject29').analyticRuleVersion29]"
+ "contentProductId": "[variables('_analyticRulecontentProductId29')]",
+ "id": "[variables('_analyticRulecontentProductId29')]",
+ "version": "[variables('analyticRuleVersion29')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]",
+ "name": "[variables('analyticRuleTemplateSpecName30')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4686,13 +4626,13 @@
 "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
+ "contentVersion": "[variables('analyticRuleVersion30')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "name": "[variables('analyticRulecontentId30')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4763,13 +4703,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 30",
- "parentId": "[variables('analyticRuleObject30').analyticRuleId30]",
- "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "parentId": "[variables('analyticRuleId30')]",
+ "contentId": "[variables('_analyticRulecontentId30')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject30').analyticRuleVersion30]",
+ "version": "[variables('analyticRuleVersion30')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4794,18 +4734,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "contentId": "[variables('_analyticRulecontentId30')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
- "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
- "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
- "version": "[variables('analyticRuleObject30').analyticRuleVersion30]"
+ "contentProductId": "[variables('_analyticRulecontentProductId30')]",
+ "id": "[variables('_analyticRulecontentProductId30')]",
+ "version": "[variables('analyticRuleVersion30')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]",
+ "name": "[variables('analyticRuleTemplateSpecName31')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4814,13 +4754,13 @@
 "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
+ "contentVersion": "[variables('analyticRuleVersion31')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "name": "[variables('analyticRulecontentId31')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4882,13 +4822,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 31",
- "parentId": "[variables('analyticRuleObject31').analyticRuleId31]",
- "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "parentId": "[variables('analyticRuleId31')]",
+ "contentId": "[variables('_analyticRulecontentId31')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject31').analyticRuleVersion31]",
+ "version": "[variables('analyticRuleVersion31')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -4913,18 +4853,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "contentId": "[variables('_analyticRulecontentId31')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Suspicious application consent similar to PwnAuth",
- "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
- "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
- "version": "[variables('analyticRuleObject31').analyticRuleVersion31]"
+ "contentProductId": "[variables('_analyticRulecontentProductId31')]",
+ "id": "[variables('_analyticRulecontentProductId31')]",
+ "version": "[variables('analyticRuleVersion31')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]",
+ "name": "[variables('analyticRuleTemplateSpecName32')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -4933,13 +4873,13 @@
 "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
+ "contentVersion": "[variables('analyticRuleVersion32')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "name": "[variables('analyticRulecontentId32')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5015,13 +4955,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 32",
- "parentId": "[variables('analyticRuleObject32').analyticRuleId32]",
- "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "parentId": "[variables('analyticRuleId32')]",
+ "contentId": "[variables('_analyticRulecontentId32')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject32').analyticRuleVersion32]",
+ "version": "[variables('analyticRuleVersion32')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5046,18 +4986,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "contentId": "[variables('_analyticRulecontentId32')]",
 "contentKind": "AnalyticsRule",
 "displayName": "MFA Rejected by User",
- "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
- "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
- "version": "[variables('analyticRuleObject32').analyticRuleVersion32]"
+ "contentProductId": "[variables('_analyticRulecontentProductId32')]",
+ "id": "[variables('_analyticRulecontentProductId32')]",
+ "version": "[variables('analyticRuleVersion32')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]",
+ "name": "[variables('analyticRuleTemplateSpecName33')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5066,13 +5006,13 @@
 "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
+ "contentVersion": "[variables('analyticRuleVersion33')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "name": "[variables('analyticRulecontentId33')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5132,13 +5072,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 33",
- "parentId": "[variables('analyticRuleObject33').analyticRuleId33]",
- "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "parentId": "[variables('analyticRuleId33')]",
+ "contentId": "[variables('_analyticRulecontentId33')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject33').analyticRuleVersion33]",
+ "version": "[variables('analyticRuleVersion33')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5163,18 +5103,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "contentId": "[variables('_analyticRulecontentId33')]",
 "contentKind": "AnalyticsRule",
 "displayName": "MFA Spamming followed by Successful login",
- "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
- "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
- "version": "[variables('analyticRuleObject33').analyticRuleVersion33]"
+ "contentProductId": "[variables('_analyticRulecontentProductId33')]",
+ "id": "[variables('_analyticRulecontentProductId33')]",
+ "version": "[variables('analyticRuleVersion33')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]",
+ "name": "[variables('analyticRuleTemplateSpecName34')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5183,13 +5123,13 @@
 "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
+ "contentVersion": "[variables('analyticRuleVersion34')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "name": "[variables('analyticRulecontentId34')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5240,13 +5180,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 34",
- "parentId": "[variables('analyticRuleObject34').analyticRuleId34]",
- "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "parentId": "[variables('analyticRuleId34')]",
+ "contentId": "[variables('_analyticRulecontentId34')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject34').analyticRuleVersion34]",
+ "version": "[variables('analyticRuleVersion34')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5271,18 +5211,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "contentId": "[variables('_analyticRulecontentId34')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Multiple admin membership removals from newly created admin.",
- "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
- "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
- "version": "[variables('analyticRuleObject34').analyticRuleVersion34]"
+ "contentProductId": "[variables('_analyticRulecontentProductId34')]",
+ "id": "[variables('_analyticRulecontentProductId34')]",
+ "version": "[variables('analyticRuleVersion34')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]",
+ "name": "[variables('analyticRuleTemplateSpecName35')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5291,13 +5231,13 @@
 "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
+ "contentVersion": "[variables('analyticRuleVersion35')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "name": "[variables('analyticRulecontentId35')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5377,13 +5317,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 35",
- "parentId": "[variables('analyticRuleObject35').analyticRuleId35]",
- "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "parentId": "[variables('analyticRuleId35')]",
+ "contentId": "[variables('_analyticRulecontentId35')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject35').analyticRuleVersion35]",
+ "version": "[variables('analyticRuleVersion35')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5408,18 +5348,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "contentId": "[variables('_analyticRulecontentId35')]",
 "contentKind": "AnalyticsRule",
 "displayName": "New onmicrosoft domain added to tenant",
- "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
- "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
- "version": "[variables('analyticRuleObject35').analyticRuleVersion35]"
+ "contentProductId": "[variables('_analyticRulecontentProductId35')]",
+ "id": "[variables('_analyticRulecontentProductId35')]",
+ "version": "[variables('analyticRuleVersion35')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]",
+ "name": "[variables('analyticRuleTemplateSpecName36')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5428,13 +5368,13 @@
 "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
+ "contentVersion": "[variables('analyticRuleVersion36')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "name": "[variables('analyticRulecontentId36')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5494,13 +5434,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 36",
- "parentId": "[variables('analyticRuleObject36').analyticRuleId36]",
- "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "parentId": "[variables('analyticRuleId36')]",
+ "contentId": "[variables('_analyticRulecontentId36')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject36').analyticRuleVersion36]",
+ "version": "[variables('analyticRuleVersion36')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5525,18 +5465,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "contentId": "[variables('_analyticRulecontentId36')]",
 "contentKind": "AnalyticsRule",
 "displayName": "New access credential added to Application or Service Principal",
- "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
- "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
- "version": "[variables('analyticRuleObject36').analyticRuleVersion36]"
+ "contentProductId": "[variables('_analyticRulecontentProductId36')]",
+ "id": "[variables('_analyticRulecontentProductId36')]",
+ "version": "[variables('analyticRuleVersion36')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]",
+ "name": "[variables('analyticRuleTemplateSpecName37')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5545,13 +5485,13 @@
 "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
+ "contentVersion": "[variables('analyticRuleVersion37')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "name": "[variables('analyticRulecontentId37')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5604,13 +5544,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 37",
- "parentId": "[variables('analyticRuleObject37').analyticRuleId37]",
- "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "parentId": "[variables('analyticRuleId37')]",
+ "contentId": "[variables('_analyticRulecontentId37')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject37').analyticRuleVersion37]",
+ "version": "[variables('analyticRuleVersion37')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5635,18 +5575,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "contentId": "[variables('_analyticRulecontentId37')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT Modified domain federation trust settings",
- "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
- "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
- "version": "[variables('analyticRuleObject37').analyticRuleVersion37]"
+ "contentProductId": "[variables('_analyticRulecontentProductId37')]",
+ "id": "[variables('_analyticRulecontentProductId37')]",
+ "version": "[variables('analyticRuleVersion37')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]",
+ "name": "[variables('analyticRuleTemplateSpecName38')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5655,13 +5595,13 @@
 "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "contentVersion": "[variables('analyticRuleVersion38')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "name": "[variables('analyticRulecontentId38')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5717,13 +5657,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 38",
- "parentId": "[variables('analyticRuleObject38').analyticRuleId38]",
- "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "parentId": "[variables('analyticRuleId38')]",
+ "contentId": "[variables('_analyticRulecontentId38')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "version": "[variables('analyticRuleVersion38')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5748,18 +5688,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "contentId": "[variables('_analyticRulecontentId38')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT Authentication Methods Changed for VIP Users",
- "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
+ "contentProductId": "[variables('_analyticRulecontentProductId38')]",
+ "id": "[variables('_analyticRulecontentProductId38')]",
+ "version": "[variables('analyticRuleVersion38')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]",
+ "name": "[variables('analyticRuleTemplateSpecName39')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5768,13 +5708,13 @@
 "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "contentVersion": "[variables('analyticRuleVersion39')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "name": "[variables('analyticRulecontentId39')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5830,13 +5770,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 39",
- "parentId": "[variables('analyticRuleObject39').analyticRuleId39]",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "parentId": "[variables('analyticRuleId39')]",
+ "contentId": "[variables('_analyticRulecontentId39')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "version": "[variables('analyticRuleVersion39')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5861,18 +5801,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "contentId": "[variables('_analyticRulecontentId39')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
- "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
- "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
- "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
+ "contentProductId": "[variables('_analyticRulecontentProductId39')]",
+ "id": "[variables('_analyticRulecontentProductId39')]",
+ "version": "[variables('analyticRuleVersion39')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]",
+ "name": "[variables('analyticRuleTemplateSpecName40')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5881,13 +5821,13 @@
 "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "contentVersion": "[variables('analyticRuleVersion40')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "name": "[variables('analyticRulecontentId40')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5943,13 +5883,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 40",
- "parentId": "[variables('analyticRuleObject40').analyticRuleId40]",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "parentId": "[variables('analyticRuleId40')]",
+ "contentId": "[variables('_analyticRulecontentId40')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "version": "[variables('analyticRuleVersion40')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5974,18 +5914,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "contentId": "[variables('_analyticRulecontentId40')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT New access credential added to Application or Service Principal",
- "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
+ "contentProductId": "[variables('_analyticRulecontentProductId40')]",
+ "id": "[variables('_analyticRulecontentProductId40')]",
+ "version": "[variables('analyticRuleVersion40')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]",
+ "name": "[variables('analyticRuleTemplateSpecName41')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5994,13 +5934,13 @@
 "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "contentVersion": "[variables('analyticRuleVersion41')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "name": "[variables('analyticRulecontentId41')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6069,13 +6009,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 41",
- "parentId": "[variables('analyticRuleObject41').analyticRuleId41]",
- "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "parentId": "[variables('analyticRuleId41')]",
+ "contentId": "[variables('_analyticRulecontentId41')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "version": "[variables('analyticRuleVersion41')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6100,18 +6040,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "contentId": "[variables('_analyticRulecontentId41')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT PIM Elevation Request Rejected",
- "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
+ "contentProductId": "[variables('_analyticRulecontentProductId41')]",
+ "id": "[variables('_analyticRulecontentProductId41')]",
+ "version": "[variables('analyticRuleVersion41')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]",
+ "name": "[variables('analyticRuleTemplateSpecName42')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6120,13 +6060,13 @@
 "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "contentVersion": "[variables('analyticRuleVersion42')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "name": "[variables('analyticRulecontentId42')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6182,13 +6122,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 42",
- "parentId": "[variables('analyticRuleObject42').analyticRuleId42]",
- "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "parentId": "[variables('analyticRuleId42')]",
+ "contentId": "[variables('_analyticRulecontentId42')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "version": "[variables('analyticRuleVersion42')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6213,18 +6153,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "contentId": "[variables('_analyticRulecontentId42')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT Privileged Role Assigned Outside PIM",
- "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
- "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
- "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
+ "contentProductId": "[variables('_analyticRulecontentProductId42')]",
+ "id": "[variables('_analyticRulecontentProductId42')]",
+ "version": "[variables('analyticRuleVersion42')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]",
+ "name": "[variables('analyticRuleTemplateSpecName43')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6233,13 +6173,13 @@
 "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "contentVersion": "[variables('analyticRuleVersion43')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "name": "[variables('analyticRulecontentId43')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6301,13 +6241,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 43",
- "parentId": "[variables('analyticRuleObject43').analyticRuleId43]",
- "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "parentId": "[variables('analyticRuleId43')]",
+ "contentId": "[variables('_analyticRulecontentId43')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "version": "[variables('analyticRuleVersion43')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6332,18 +6272,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "contentId": "[variables('_analyticRulecontentId43')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT User added to Microsoft Entra ID Privileged Groups",
- "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
- "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
- "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
+ "contentProductId": "[variables('_analyticRulecontentProductId43')]",
+ "id": "[variables('_analyticRulecontentProductId43')]",
+ "version": "[variables('analyticRuleVersion43')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]",
+ "name": "[variables('analyticRuleTemplateSpecName44')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6352,13 +6292,13 @@
 "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "contentVersion": "[variables('analyticRuleVersion44')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "name": "[variables('analyticRulecontentId44')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -6431,13 +6371,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 44",
- "parentId": "[variables('analyticRuleObject44').analyticRuleId44]",
- "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "parentId": "[variables('analyticRuleId44')]",
+ "contentId": "[variables('_analyticRulecontentId44')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "version": "[variables('analyticRuleVersion44')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6462,18 +6402,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "contentId": "[variables('_analyticRulecontentId44')]", "contentKind": "AnalyticsRule", "displayName": "PIM Elevation Request Rejected", - "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + "contentProductId": "[variables('_analyticRulecontentProductId44')]", + "id": "[variables('_analyticRulecontentProductId44')]", + "version": "[variables('analyticRuleVersion44')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", + "name": "[variables('analyticRuleTemplateSpecName45')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6482,13 +6422,13 @@ "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "contentVersion": "[variables('analyticRuleVersion45')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "name": "[variables('analyticRulecontentId45')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6554,13 +6494,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 45", - "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "parentId": "[variables('analyticRuleId45')]", + "contentId": "[variables('_analyticRulecontentId45')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "version": "[variables('analyticRuleVersion45')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6585,18 +6525,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "contentId": "[variables('_analyticRulecontentId45')]", "contentKind": "AnalyticsRule", "displayName": "Privileged Accounts - Sign in Failure Spikes", - "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + "contentProductId": "[variables('_analyticRulecontentProductId45')]", + "id": "[variables('_analyticRulecontentProductId45')]", + "version": "[variables('analyticRuleVersion45')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", + "name": "[variables('analyticRuleTemplateSpecName46')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6605,13 +6545,13 @@ "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "contentVersion": "[variables('analyticRuleVersion46')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "name": "[variables('analyticRulecontentId46')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6671,13 +6611,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 46", - "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "parentId": "[variables('analyticRuleId46')]", + "contentId": "[variables('_analyticRulecontentId46')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "version": "[variables('analyticRuleVersion46')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6702,18 +6642,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "contentId": "[variables('_analyticRulecontentId46')]", "contentKind": "AnalyticsRule", "displayName": "Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + "contentProductId": "[variables('_analyticRulecontentProductId46')]", + "id": "[variables('_analyticRulecontentProductId46')]", + "version": "[variables('analyticRuleVersion46')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", + "name": "[variables('analyticRuleTemplateSpecName47')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6722,13 +6662,13 @@ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "contentVersion": "[variables('analyticRuleVersion47')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "name": "[variables('analyticRulecontentId47')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6799,13 +6739,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 47", - "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "parentId": "[variables('analyticRuleId47')]", + "contentId": "[variables('_analyticRulecontentId47')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "version": "[variables('analyticRuleVersion47')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6830,18 +6770,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "contentId": "[variables('_analyticRulecontentId47')]", "contentKind": "AnalyticsRule", "displayName": "Rare application consent", - "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + "contentProductId": "[variables('_analyticRulecontentProductId47')]", + "id": "[variables('_analyticRulecontentProductId47')]", + "version": "[variables('analyticRuleVersion47')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", + "name": "[variables('analyticRuleTemplateSpecName48')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6850,13 +6790,13 @@ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "contentVersion": "[variables('analyticRuleVersion48')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "name": "[variables('analyticRulecontentId48')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6916,13 +6856,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 48", - "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "parentId": "[variables('analyticRuleId48')]", + "contentId": "[variables('_analyticRulecontentId48')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "version": "[variables('analyticRuleVersion48')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6947,18 +6887,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "contentId": "[variables('_analyticRulecontentId48')]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", - "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + "contentProductId": "[variables('_analyticRulecontentProductId48')]", + "id": "[variables('_analyticRulecontentProductId48')]", + "version": "[variables('analyticRuleVersion48')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", + "name": "[variables('analyticRuleTemplateSpecName49')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6967,13 +6907,13 @@ "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "contentVersion": "[variables('analyticRuleVersion49')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "name": "[variables('analyticRulecontentId49')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7030,13 +6970,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 49", - "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "parentId": "[variables('analyticRuleId49')]", + "contentId": "[variables('_analyticRulecontentId49')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "version": "[variables('analyticRuleVersion49')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7061,18 +7001,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "contentId": "[variables('_analyticRulecontentId49')]", "contentKind": "AnalyticsRule", "displayName": "GitHub Signin Burst from Multiple Locations", - "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + "contentProductId": "[variables('_analyticRulecontentProductId49')]", + "id": "[variables('_analyticRulecontentProductId49')]", + "version": "[variables('analyticRuleVersion49')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", + "name": "[variables('analyticRuleTemplateSpecName50')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7081,13 +7021,13 @@ "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "contentVersion": "[variables('analyticRuleVersion50')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "name": "[variables('analyticRulecontentId50')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7148,13 +7088,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 50", - "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "parentId": "[variables('analyticRuleId50')]", + "contentId": "[variables('_analyticRulecontentId50')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "version": "[variables('analyticRuleVersion50')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7179,18 +7119,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "contentId": "[variables('_analyticRulecontentId50')]", "contentKind": "AnalyticsRule", "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + "contentProductId": "[variables('_analyticRulecontentProductId50')]", + "id": "[variables('_analyticRulecontentProductId50')]", + "version": "[variables('analyticRuleVersion50')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", + "name": "[variables('analyticRuleTemplateSpecName51')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7199,13 +7139,13 @@ "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "contentVersion": "[variables('analyticRuleVersion51')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "name": "[variables('analyticRulecontentId51')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7275,13 +7215,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 51", - "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "parentId": "[variables('analyticRuleId51')]", + "contentId": "[variables('_analyticRulecontentId51')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "version": "[variables('analyticRuleVersion51')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7306,18 +7246,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "contentId": "[variables('_analyticRulecontentId51')]", "contentKind": "AnalyticsRule", "displayName": "Brute force attack against Azure Portal", - "contentProductId": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" + "contentProductId": "[variables('_analyticRulecontentProductId51')]", + "id": "[variables('_analyticRulecontentProductId51')]", + "version": "[variables('analyticRuleVersion51')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", + "name": "[variables('analyticRuleTemplateSpecName52')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7326,13 +7266,13 @@ "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "contentVersion": "[variables('analyticRuleVersion52')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "name": "[variables('analyticRulecontentId52')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7385,13 +7325,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 52", - "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "parentId": "[variables('analyticRuleId52')]", + "contentId": "[variables('_analyticRulecontentId52')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "version": "[variables('analyticRuleVersion52')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7416,18 +7356,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "contentId": "[variables('_analyticRulecontentId52')]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID application", - "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + "contentProductId": "[variables('_analyticRulecontentProductId52')]", + "id": "[variables('_analyticRulecontentProductId52')]", + "version": "[variables('analyticRuleVersion52')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", + "name": "[variables('analyticRuleTemplateSpecName53')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7436,13 +7376,13 @@ "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "contentVersion": "[variables('analyticRuleVersion53')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "name": "[variables('analyticRulecontentId53')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7531,13 +7471,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 53", - "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "parentId": "[variables('analyticRuleId53')]", + "contentId": "[variables('_analyticRulecontentId53')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "version": "[variables('analyticRuleVersion53')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7562,18 +7502,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "contentId": "[variables('_analyticRulecontentId53')]", "contentKind": "AnalyticsRule", "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + "contentProductId": "[variables('_analyticRulecontentProductId53')]", + "id": "[variables('_analyticRulecontentProductId53')]", + "version": "[variables('analyticRuleVersion53')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", + "name": "[variables('analyticRuleTemplateSpecName54')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7582,13 +7522,13 @@ "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "contentVersion": "[variables('analyticRuleVersion54')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "name": "[variables('analyticRulecontentId54')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7666,13 +7606,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 54", - "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "parentId": "[variables('analyticRuleId54')]", + "contentId": "[variables('_analyticRulecontentId54')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "version": "[variables('analyticRuleVersion54')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7697,18 +7637,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "contentId": "[variables('_analyticRulecontentId54')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Entra ID Joined Device Update", - "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", - "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" + "contentProductId": "[variables('_analyticRulecontentProductId54')]", + "id": "[variables('_analyticRulecontentProductId54')]", + "version": "[variables('analyticRuleVersion54')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]", + "name": "[variables('analyticRuleTemplateSpecName55')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7717,13 +7657,13 @@ "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "contentVersion": "[variables('analyticRuleVersion55')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "name": "[variables('analyticRulecontentId55')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7783,13 +7723,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 55", - "parentId": "[variables('analyticRuleObject55').analyticRuleId55]", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "parentId": "[variables('analyticRuleId55')]", + "contentId": "[variables('_analyticRulecontentId55')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "version": "[variables('analyticRuleVersion55')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7814,18 +7754,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "contentId": "[variables('_analyticRulecontentId55')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", - "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", - "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" + "contentProductId": "[variables('_analyticRulecontentProductId55')]", + "id": "[variables('_analyticRulecontentProductId55')]", + "version": "[variables('analyticRuleVersion55')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]", + "name": "[variables('analyticRuleTemplateSpecName56')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7834,13 +7774,13 @@ "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "contentVersion": "[variables('analyticRuleVersion56')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "name": "[variables('analyticRulecontentId56')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7918,13 +7858,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 56", - "parentId": "[variables('analyticRuleObject56').analyticRuleId56]", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "parentId": "[variables('analyticRuleId56')]", + "contentId": "[variables('_analyticRulecontentId56')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "version": "[variables('analyticRuleVersion56')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7949,18 +7889,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "contentId": "[variables('_analyticRulecontentId56')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", - "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" + "contentProductId": "[variables('_analyticRulecontentProductId56')]", + "id": "[variables('_analyticRulecontentProductId56')]", + "version": "[variables('analyticRuleVersion56')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]", + "name": "[variables('analyticRuleTemplateSpecName57')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7969,13 +7909,13 @@ "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "contentVersion": "[variables('analyticRuleVersion57')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "name": "[variables('analyticRulecontentId57')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8080,13 +8020,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 57", - "parentId": "[variables('analyticRuleObject57').analyticRuleId57]", - "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "parentId": "[variables('analyticRuleId57')]", + "contentId": "[variables('_analyticRulecontentId57')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "version": "[variables('analyticRuleVersion57')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8111,18 +8051,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "contentId": "[variables('_analyticRulecontentId57')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", - "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" + "contentProductId": "[variables('_analyticRulecontentProductId57')]", + "id": "[variables('_analyticRulecontentProductId57')]", + "version": "[variables('analyticRuleVersion57')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]", + "name": "[variables('analyticRuleTemplateSpecName58')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8131,13 +8071,13 @@ "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "contentVersion": "[variables('analyticRuleVersion58')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "name": "[variables('analyticRulecontentId58')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8220,13 +8160,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 58", - "parentId": "[variables('analyticRuleObject58').analyticRuleId58]", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "parentId": "[variables('analyticRuleId58')]", + "contentId": "[variables('_analyticRulecontentId58')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "version": "[variables('analyticRuleVersion58')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8251,18 +8191,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "contentId": "[variables('_analyticRulecontentId58')]", "contentKind": "AnalyticsRule", "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", - "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + "contentProductId": "[variables('_analyticRulecontentProductId58')]", + "id": "[variables('_analyticRulecontentProductId58')]", + "version": "[variables('analyticRuleVersion58')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", + "name": "[variables('analyticRuleTemplateSpecName59')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8271,13 +8211,13 @@ "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "contentVersion": "[variables('analyticRuleVersion59')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "name": "[variables('analyticRulecontentId59')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8355,13 +8295,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 59", - "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "parentId": "[variables('analyticRuleId59')]", + "contentId": "[variables('_analyticRulecontentId59')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "version": "[variables('analyticRuleVersion59')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8386,18 +8326,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "contentId": "[variables('_analyticRulecontentId59')]", "contentKind": "AnalyticsRule", "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" + "contentProductId": "[variables('_analyticRulecontentProductId59')]", + "id": "[variables('_analyticRulecontentProductId59')]", + "version": "[variables('analyticRuleVersion59')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", + "name": "[variables('analyticRuleTemplateSpecName60')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8406,13 +8346,13 @@ "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "contentVersion": "[variables('analyticRuleVersion60')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "name": "[variables('analyticRulecontentId60')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8478,13 +8418,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 60", - "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "parentId": "[variables('analyticRuleId60')]", + "contentId": "[variables('_analyticRulecontentId60')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "version": "[variables('analyticRuleVersion60')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8509,18 +8449,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "contentId": "[variables('_analyticRulecontentId60')]", "contentKind": "AnalyticsRule", "displayName": "User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + "contentProductId": "[variables('_analyticRulecontentProductId60')]", + "id": "[variables('_analyticRulecontentProductId60')]", + "version": "[variables('analyticRuleVersion60')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", + "name": "[variables('analyticRuleTemplateSpecName61')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8529,13 +8469,13 @@ "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "contentVersion": "[variables('analyticRuleVersion61')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "name": "[variables('analyticRulecontentId61')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8599,13 +8539,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId61'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 61", - "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "parentId": "[variables('analyticRuleId61')]", + "contentId": "[variables('_analyticRulecontentId61')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "version": "[variables('analyticRuleVersion61')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8630,18 +8570,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "contentId": "[variables('_analyticRulecontentId61')]", "contentKind": "AnalyticsRule", "displayName": "User Assigned New Privileged Role", - "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" + "contentProductId": "[variables('_analyticRulecontentProductId61')]", + "id": "[variables('_analyticRulecontentProductId61')]", + "version": "[variables('analyticRuleVersion61')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", + "name": "[variables('analyticRuleTemplateSpecName62')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8650,13 +8590,13 @@ "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "contentVersion": "[variables('analyticRuleVersion62')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "name": "[variables('analyticRulecontentId62')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8720,13 +8660,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId62'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 62", - "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "parentId": "[variables('analyticRuleId62')]", + "contentId": "[variables('_analyticRulecontentId62')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "version": "[variables('analyticRuleVersion62')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8751,12 +8691,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "contentId": "[variables('_analyticRulecontentId62')]", "contentKind": "AnalyticsRule", "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + "contentProductId": "[variables('_analyticRulecontentProductId62')]", + "id": "[variables('_analyticRulecontentProductId62')]", + "version": "[variables('analyticRuleVersion62')]" } }, { 
@@ -13051,313 +12991,313 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + "contentId": "[variables('analyticRulecontentId3')]", + "version": "[variables('analyticRuleVersion3')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + "contentId": "[variables('analyticRulecontentId4')]", + "version": "[variables('analyticRuleVersion4')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + "contentId": "[variables('analyticRulecontentId5')]", + "version": "[variables('analyticRuleVersion5')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + "contentId": "[variables('analyticRulecontentId6')]", + "version": "[variables('analyticRuleVersion6')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + "contentId": "[variables('analyticRulecontentId7')]", + "version": 
"[variables('analyticRuleVersion7')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + "contentId": "[variables('analyticRulecontentId8')]", + "version": "[variables('analyticRuleVersion8')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + "contentId": "[variables('analyticRulecontentId9')]", + "version": "[variables('analyticRuleVersion9')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + "contentId": "[variables('analyticRulecontentId10')]", + "version": "[variables('analyticRuleVersion10')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + "contentId": "[variables('analyticRulecontentId11')]", + "version": "[variables('analyticRuleVersion11')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + "contentId": "[variables('analyticRulecontentId12')]", + "version": "[variables('analyticRuleVersion12')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + "contentId": "[variables('analyticRulecontentId13')]", + "version": "[variables('analyticRuleVersion13')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + "contentId": 
"[variables('analyticRulecontentId14')]", + "version": "[variables('analyticRuleVersion14')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + "contentId": "[variables('analyticRulecontentId15')]", + "version": "[variables('analyticRuleVersion15')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + "contentId": "[variables('analyticRulecontentId16')]", + "version": "[variables('analyticRuleVersion16')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + "contentId": "[variables('analyticRulecontentId17')]", + "version": "[variables('analyticRuleVersion17')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + "contentId": "[variables('analyticRulecontentId18')]", + "version": "[variables('analyticRuleVersion18')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + "contentId": "[variables('analyticRulecontentId19')]", + "version": "[variables('analyticRuleVersion19')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + "contentId": "[variables('analyticRulecontentId20')]", + "version": "[variables('analyticRuleVersion20')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "version": 
"[variables('analyticRuleObject21').analyticRuleVersion21]" + "contentId": "[variables('analyticRulecontentId21')]", + "version": "[variables('analyticRuleVersion21')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + "contentId": "[variables('analyticRulecontentId22')]", + "version": "[variables('analyticRuleVersion22')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" + "contentId": "[variables('analyticRulecontentId23')]", + "version": "[variables('analyticRuleVersion23')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" + "contentId": "[variables('analyticRulecontentId24')]", + "version": "[variables('analyticRuleVersion24')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + "contentId": "[variables('analyticRulecontentId25')]", + "version": "[variables('analyticRuleVersion25')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + "contentId": "[variables('analyticRulecontentId26')]", + "version": "[variables('analyticRuleVersion26')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" + "contentId": "[variables('analyticRulecontentId27')]", + "version": "[variables('analyticRuleVersion27')]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRuleObject28')._analyticRulecontentId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + "contentId": "[variables('analyticRulecontentId28')]", + "version": "[variables('analyticRuleVersion28')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + "contentId": "[variables('analyticRulecontentId29')]", + "version": "[variables('analyticRuleVersion29')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" + "contentId": "[variables('analyticRulecontentId30')]", + "version": "[variables('analyticRuleVersion30')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" + "contentId": "[variables('analyticRulecontentId31')]", + "version": "[variables('analyticRuleVersion31')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + "contentId": "[variables('analyticRulecontentId32')]", + "version": "[variables('analyticRuleVersion32')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" + "contentId": "[variables('analyticRulecontentId33')]", + "version": "[variables('analyticRuleVersion33')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + "contentId": "[variables('analyticRulecontentId34')]", + "version": "[variables('analyticRuleVersion34')]" }, { 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + "contentId": "[variables('analyticRulecontentId35')]", + "version": "[variables('analyticRuleVersion35')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + "contentId": "[variables('analyticRulecontentId36')]", + "version": "[variables('analyticRuleVersion36')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + "contentId": "[variables('analyticRulecontentId37')]", + "version": "[variables('analyticRuleVersion37')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" + "contentId": "[variables('analyticRulecontentId38')]", + "version": "[variables('analyticRuleVersion38')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" + "contentId": "[variables('analyticRulecontentId39')]", + "version": "[variables('analyticRuleVersion39')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" + "contentId": "[variables('analyticRulecontentId40')]", + "version": "[variables('analyticRuleVersion40')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" + "contentId": "[variables('analyticRulecontentId41')]", + "version": 
"[variables('analyticRuleVersion41')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" + "contentId": "[variables('analyticRulecontentId42')]", + "version": "[variables('analyticRuleVersion42')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" + "contentId": "[variables('analyticRulecontentId43')]", + "version": "[variables('analyticRuleVersion43')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + "contentId": "[variables('analyticRulecontentId44')]", + "version": "[variables('analyticRuleVersion44')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + "contentId": "[variables('analyticRulecontentId45')]", + "version": "[variables('analyticRuleVersion45')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + "contentId": "[variables('analyticRulecontentId46')]", + "version": "[variables('analyticRuleVersion46')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + "contentId": "[variables('analyticRulecontentId47')]", + "version": "[variables('analyticRuleVersion47')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + "contentId": 
"[variables('analyticRulecontentId48')]", + "version": "[variables('analyticRuleVersion48')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + "contentId": "[variables('analyticRulecontentId49')]", + "version": "[variables('analyticRuleVersion49')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + "contentId": "[variables('analyticRulecontentId50')]", + "version": "[variables('analyticRuleVersion50')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" + "contentId": "[variables('analyticRulecontentId51')]", + "version": "[variables('analyticRuleVersion51')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + "contentId": "[variables('analyticRulecontentId52')]", + "version": "[variables('analyticRuleVersion52')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + "contentId": "[variables('analyticRulecontentId53')]", + "version": "[variables('analyticRuleVersion53')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" + "contentId": "[variables('analyticRulecontentId54')]", + "version": "[variables('analyticRuleVersion54')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", - "version": 
"[variables('analyticRuleObject55').analyticRuleVersion55]" + "contentId": "[variables('analyticRulecontentId55')]", + "version": "[variables('analyticRuleVersion55')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" + "contentId": "[variables('analyticRulecontentId56')]", + "version": "[variables('analyticRuleVersion56')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" + "contentId": "[variables('analyticRulecontentId57')]", + "version": "[variables('analyticRuleVersion57')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + "contentId": "[variables('analyticRulecontentId58')]", + "version": "[variables('analyticRuleVersion58')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" + "contentId": "[variables('analyticRulecontentId59')]", + "version": "[variables('analyticRuleVersion59')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + "contentId": "[variables('analyticRulecontentId60')]", + "version": "[variables('analyticRuleVersion60')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" + "contentId": "[variables('analyticRulecontentId61')]", + "version": "[variables('analyticRuleVersion61')]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRuleObject62')._analyticRulecontentId62]", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + "contentId": "[variables('analyticRulecontentId62')]", + "version": "[variables('analyticRuleVersion62')]" }, { "kind": "Playbook", From e8cc05b52def48b3841e0d25c02060f68735834f Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Thu, 9 Nov 2023 12:07:51 +0530 Subject: [PATCH 16/17] Version incremented --- .../Analytic Rules/UnusualGuestActivity.yaml | 2 +- .../Microsoft Entra ID/Package/3.0.7.zip | Bin 92778 -> 92777 bytes .../Package/mainTemplate.json | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml index 5cdc6f7a6c2..74a81622612 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml @@ -88,5 +88,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.7 +version: 1.0.8 kind: Scheduled 
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 650a3c9fa955207f8c697e286e9762126ee2d76e..978f68a3836efd6d91f94feea5a6eb99e7a9ffc9 100644 GIT binary patch delta 77859 zcmaHSWmBC^(`^WW;3T-aySoN=-?+PLaJWJsxNqFu-Ccri++BjZyTA8ye!!XPnyRU; zo=>Y*P4`-JJO^_$2UBB63x8&0t(iM&XC+r}Mcax-QndZ5c=)5|Q{kX9Q?kuao~1#e z+Ak}Y7a=|EeW+@!?@8cFjz?m5Zz_o%LlzDm8xi$6Gwl5R-@Q&kW&`&@K2 zAHVw7Vx**g!*)6CS)8gYqZV(k;PN9R&FaLhV{If&$6s4EWPOCb=HUy z<}b#ZQwoR`t`0F7`LuUovzb9i=UuvrSoH*Zo$juYG-q+E4Cwpj>v5_!KK0Fu2lI#e z%DWo3B=U7*y9{*Rv9VE_J}~UD^(ES8Ui>uefFeDfDE|KxzczEf0GEP3FZZJ#JVns1 zmE>ASCod02Q<8#rcYFUdRy+J~x9dkUGh ze;=Hy9-$U7$Pl7Wz?Yu%61)YB2nLNCx6*!0jdd>iVJmpE-(y&@VURE4wHyLUPGbvp z_5k6kspZ2%SC7zSM^BcN)0ks#Ag%$ioOM*rHC)tlCEXxYSvK&nl*ho!DxfD&CAk##!tRo8WrK}CD%Y8udXiPqZ zocZO?b)8|nyw9MX%5rmrY*w5qr^+%jC7qH^O6t(#p|$vcg-d~}VRXq- zQs~+RD1cT6u)3bv4;>fHT_Q**Ud-awbU`_d2V3r{E4ZM@%1nS$STzy|`hL^Ox$LtV zc;i88QyGqsN*b>#v3=BPb6Z`uah|6*lOxz5WEv4WYh%3ew(7J2i6dVv*%muFIYin%#tMF2}%iQJZppCJ>|l@mo7 z!Of+qOZ0`Qy{sg`PG5}AJ{pM-dt}Pl%lpjBmGWSTiPtO1aGv6zC1F<}%wAIh!aCMg zM_~yNMN}2X5u_6)Py8wb(Sjf33hA|SuPMvqvj`yGDm2>6WzBsCl2t*SHF8>6f3!K_ zeN<%sX7vYGXJU}?%6mMv7@tyT9HBO3*FN8)6@&r|49DeYTFbtdSQ3e?J(XWi*? 
zmI}~PCMub1f>h{`XPX#GGlt5}tP5r=MvLn6YR}CtGv0oIxSVVIF^OkoEykdOR{#7S zichFwkb2|`X3V0LffdiN4AfM3=Q~sVyyS((-yV*(#A%B38b0rP8*Q#4!t20|MFeS@pX$@0#G@Gh~txbzd;$RWk&;#*oD?r z*r;RxS({wEh(AJ6oEQ@`+`Ry9XchIt`)#!R)2CP^J84LlHxv}3=jmerPO)3&2#wq=a*B?(Q(qkp0^mC?IHvsUp{JjzZt~ zZynE$ND42G*M73^c+FVk=m;&1N6z@sNHCKRnJo}MT@kKkLG*CLFo7rkGjZbe%PjZ9 zNs`R|1L!Y+yqL-NxA(wrzFKv|%VT%N{qTCfb=i1e<5WEH!RiaPYgsTGaGM)^Y9wr> z17Ux0&6?)WQ9C|8Ge+v}8usDh@+dbPh(kF)Zy}Xs$PY6FTjvJse)^u!8Or`CIvhel z@C1$13%lF;6Be~UwHH9b^m6le=`7ueF&U0#{A4UYou%$^q7X1;j1xsG_Wf}aTH!1z z_)_T>LhLDCA`Y*S5TAK+Qr_JDn@z6XV6+veRAj6buZ^6cD@j7x>^e4XV01 z7ZGm6y#CwS=>FH;<+F0;t{BZ9^5H3LAN7^{l58Jlrc?sqYXZ^cW$C@ew@3%rT6EOc zbr7uDhUCQVIgsiV=a`N+V4BG8+hjx)>f3fr&fJYy+=J|v8r~6b09@<&baF7Wgbf|Q z{QDyO>#W24J`RAqD4voQqUxad1P?|22CZX^kZI_|n`zYtXXw8oyx{yR2n~-6QU1aY z1+p;^Wwl+j5*pBxDA7yf$!|@|P#a$1Oc{?lFC3k?ac$&ok8HF($2|9OvV{SA4}kEr z7b~2xtE&!hI^C)`ZPCO;HlMGCvW1`=6CD%doX_xr8vsF)I1Ri)Go5PKw_}AX4kt;E z-xp+-JhxxXSIx)U4aU*+tCda@hb9<|&hW~>Jju6v81d6at0$-n2m{*R9n((y2K&26vNN|crBN+s-haO9>jryr5%oPCd&InM_qUw+jD8Kt z_#3x#GXd}er*Ee)o-Pk-`hwg9@gFGSXn*vEi<55!ogMlzO+C2VF~yfXs#wFGe1;mS z1bn`>ESOn3>@K9)_?b2h_7}P9+R7Jq0Xnv-VEyUmc#FDu)*c z6|_kaft9Q>YtGfuzhHf~!r#or+>X7!o>^(UIaYW(dXnnZ1lTSy-yFi;w3$br?cv?a z!eE*hSSD;XR_PNb%yU?9ckc>$p6M8flBROsn{zMPF1@RIk9IUAFIQIUw$qn!v!@%L z0T?w7oh&g}4YBBS1gr}+!uzU8pk-cx9R_0`d)_*nqXum6k2F|KL>%U*&eA|jlKN)) zCEgJRxw_Zw)@Ek)Q92Iffq>00YI0$F$F#bh?cTBbncy0PxIaazBAlGe`HWuffsh8T zR14zfXsG8DME|knoY}NHAIe7QVVyr7zL79csAQl zgP&QLR_b39+HEhp_QSS{WyCH>R3BDlW9do?R^rwk#$$Xjd&wXubZS<|6Iq}ZRM>2(9PDb*t1Y7yY6-GvZP4^VB=id zv^t<>59=|Xliq)9SaZ0*hDZoePtDZq&xRjoe`A`<`O^=K%jCQxlhHfVTl2@pgvfA{ z*$t%B-J?=uI!3DMd4v)^NLWS2)0b))ZN2k&17ljl6H0;AO44qca`N5|(DE`7Tza#k zmfkz!1AL-{)VS>?Hpb~!*$Zf(tooyrv#)CdyYgml@j=}j_rzHvgNTS>BNY0pm@?}=mQL}0#RgA{F83ADzUx8UI>`YuLZ@GH`$Tz=`A3;)&t>qC*I zPYVBo$5V!xq08v4=hc6EBGqupQb}Jna4s8JkF1Eh(z$|@^<=fYs1q8r##~YJDz85u zv`kzvu(ni(Av3sf*IWjqD;ux03PH(B9+mmdT7S5(>}MCo9?O4>%AOuCOtzG(zPNA) z{GsAkvgy$1(x-fgw6)IA=t|URO8GSQl4zA;rA2;b^BzrfVhRN_my=eHr%_FvXQNgo 
z=aeg9nY&D`%_NJ!Den5S-sAUya^hY8GsljXuvb&?_5#Ab_jzn%(QY9Qyi7x8;`J`& zELHSDrlye@)L)>Dy33V}p3azE*BeUAQijf6@{H&^Uf+aix+&|Eh!~-T_-{$lXcKX^ zVrxa_8r*{%N<{bpjPKkzQ@wC>f!@@A4Pa$*o0!4_6A zm@^?14!Ck*{_>Nlm}Z~H(N_K;n^h^IYctR4e^%-u*AfEO5xI(V4ZZ(P)HUDz7xVIRRCr^ov8R5*K9wkL4v zJ0;m-{#z@zUb}zveAE)cQYfQ4zYoJr5CH>d;-jkOr#G+9FW|_BOl(}@`jY`%tC5A+rJ`B*hb0(=Wk6DoQ7DE zC*HK-W^iXk6}@ws=kM-ykBbajv#vHEE#g0!s)tW|AU}5lVvN{tnTH|XD%IF<_G)6XARrAG$ie^N1vWWENTWTR~o$7fm(S0A*P845fMgX6wf z?KrHrrkJ=&ZeQ7gObOFN`o(XuKAx^AYb+g40)M(Y>lsJWHBCDn@)4~f8iA*mt!_09 z;3K*H^VP7&g55N4Qk9lz!>ny(3?#O+u019*6lgCxO(WNXH%+<+4WTqgJGFq6(+fXW zU~&D(&|Q zm@4UiC~FSgK2A%HMBX7a_g=tT{yyZgX7-eydOg1no3I#g5(w!LJqW;=-@a$q9^@BR zTGEOaP%))N5=F1pVC^$xb@d5twoR=cB`EZLW--B~ez(G4?nKe}46aY|@?Le^&E8OD z%N$-FPG{2{QH!tLDyU%G-}b#vnibr0xH_4pqK`bdj@Us`Kr{uYC4j{_$ck|q!3C;#8Q}s zv3Vs#GBb>*|Oi5cX8(_vg-~Y41*(=)B3fmklS1>P+mKk4T3h zSu>+9jhC%mp`LbemJE+f=ITd><36M$h96x&|2DYdAnh3-+;cf8u)(G3=)`RpvBa=U%x$t613d`47Y+7H!u(xR4S6S}Lc`O2;lGahg| zy$zo>hTrDBK_>8K-zD=jlk;g8U1|!j?Qj|ky;@HQcHei0*yrMA%s5`=h_4(UHN68x zeIE4mFJYG&djVTZz7}@;abF_sn4h~BW=fx*cG@rBT|~0qF932X9g<$4k&Ideq*-_5fd^d;ZaSOqR5F_UuFUA{4R6}Fh?7Sa&p*YO&SUAQsx?ym?_Ywq-&&<(RCsr zP4XS#14?c&_<^GM)#zLuVk#I8t>lz-JjA6)J(CcLtvBR!JdbOSA?^GYu9;+xM&pb9 z>X2N#liBi{>!z8Yz53SAlqCe&k;1xCh`e2W?t%NI(oS&MD|Hf@I>rG7SLk)J1QmHL zFNxJgy08AaSQzzD7x!PK!Q`#TE(4}aqHS``0QvF$5GL!Jj-)K5TsAF__4QBQnFc1V z=IaHvC7RJ*4X!);E^gjHh10${;(o!>HTnDJ7Am@XcuM!@8~e-gH~s}*T%^8^%ol7r z_DI^xKNte9$quUnC&F98F)lIp=!_TokFy5>+_Ed3Yv?`pyX{B%U2EE^ow?@d-qz!jUA zUNFLDhi@=wKX3i~oRXigD?hS)WhYWe1ibIJt1YbTG@Y)}3ri2PqsXuC5vF)XQY=Xd zi*UaGB7}8%jtd_hpQWzu-5+Gh@dRQ1Y_prdU~JN3m(U5-)qL}-8^{UvZq4+ki!c|o zVPsjxnfg4d%h3sU)8dpQzEVesZ5IUjVWiPtAp5-~fTY*%%XUDPkND;f3ZFk7X~42c z*!bTyo8G;uxuPnEZJ$7X9toCV+3dV~P6q8U=@%tF^1V{;1zq9#94lj25ViD)K=ma1 zN#VS%oH9{i?@Oc5N_jyNpR^?o70%GU-N_eYf1?b#h{^sN>wt#YJxy*tP@>A8-VtS9 zMmBeevd-Pk)a4F@FCf_f6TlSr7zwhKfpp)_fXvnTCyUY0I_{L`QTp?$f~9#A zzJ>>`b{jnCLbd^YbbX0I21Z4+)kq-?Z*#y6mc>utRocfB-tyJ0Hw#;jXL_h2zFukT 
z*0~YzOZ}lf%3we(f!f?t`QX_QEpi1tOE^no3UH4dWz!R$%C;Q+ zoaTL?z0gJ@PxliJ#Mu~N1~g~%;DJZ7@b`!ZC!G=Wdww@IM8hX?Z|xDNE{l{7F*&)Hf7gUDj)<~7??4Gi{ARCz=OmrT zbBYtyPr)Yj^M-MH^t?tP9qPmRAH7nlxkjR-KzuXTQZHdCg}glq;>U zr{MFII?hcEi?A^vqZC2d&- zFi0kES3E-^_3Tanz*a63KEa zV@|YIE^;Bo=IEIEzmGf&3){_@gvI3$tmU9X9*cad4X*(StQzBKXOpuZ<&;_M64S>j z>{-a?q3HGOC6{9b6k!G-;%<&I1dA{h;RB>#Jp;;WX&y76S$+D(0$Q%)L6ZFS;@h=% zm5Zdgl)6k#s^t4wRL-$jBXBxo^ zN2jQ$G11Zd<2&RjD<~*!Lkb5ye$xVcE5zsRiat}s1Z)Xi@{IAf4OH1`2AmDic$kCx z*m^<@DDK+8E~(p}AQc2-E@1l9EiLoSBNLqb^1{r220AEt>8=Zi#GMe@hLrBW%^&is zGe_qm$OBvb9&b}&dWEfP5DM}nCF>t3AW1k>q6XN6ODhRmkubQJ2H1j7PkCFBaJWwz zX$gIaab)C*iA8%><_*I+YPKQ~k)@5W4HUC?c;5i9I4r%w*i~JqC`~mE}=>3&~O8 z;j6>{X9RownWOHu&ZFguomoPQNCT~_a9A4%^b&Ro%*)axuR~A%Jot}y9U@}|RkuNiE6;FvCt$*MUrP5u2*Xp$s9n9e z6mIsuNX$SCR5gpWY^ znOCO2$E8Wj1&^z=3!NgQte^=^n89?)d05#o*qi71STN1bfLgPmhuLB&)o1>j??;Vu z+(JqQ8~(N#nmvYodqSEDf-lW}cDS~pA6_E6ir%*r`Sd0=2PWj1As1z>LVfQYr;hS5 zT~N7suB-X}J?SmC@z>73v=m_>`qseb-U4CC`p1a|Gk&#tdf{#qnrwH|@4J<<0n4{aSq`-evirmniMqE>w zY#UUc@|7B{6s#>Kx5;aDP`pU@%kQsBA(F_n3`}@5iCD2J%)0wajw)=ih^<&VOvh_a}v1ASx z_J7^gIK$xp2nC@`k(^A-*a%SOR6`?3nB>60RF55{q2zblkFo$;cSL0K_6j(aM166_ zn6=aG&4vUKJc{NjxRhb{W#*-h!_q`!Yb~>r?cm+Y9q@yJ5P&bmP z?CO?_ATntF6N1upu11OvppH}~qZTC`PB#R;0}Qb*>LBD zY`%GYV+M2PUwG^tk$YQ7JB4#=^EcKmuCS^UWWHQB1xfSfLH$lT?cpiC!QNOk9;e}_ zz|58){1?n;6?H4Zp~ZsR$zD%>9;zRJj!GB8vjW$ZzZ&1#!py5C%>1=Thm9M*s6N>w zMSh}CpAY*54dDO4LLT}x?@Ox9tu}%d?Vh)a&!c*7Hj`?int8(@P!JT5f#W$;+K<5t z@phWR>5v?dMf@-b4=SffO0+6Eq^m4^mUjJ_! 
zb7jh!D~Va*8Rl1xi92)1`rYYi^KjZe{ocydz%1q{NXID~zm4P045eq_pEEPx(@_Yr zJ#3~N02pl()Xi6JJy4qtEf6tMOce8XWm%^{#RU5L|85D)iwghFb=+R85Hx5V{E2Ib z@G3i3vmEmBqKj#A=dvaVhDL3-OU&KN7L4t9y=TgJ-S*47@6)4>CM+Hr=I2Z51OC%t z-v?&g=2@GI_iQ<2w)wh0;SeEEcOxDj~u&3xN6W_kz>574I{ z?A3zn)q8g9Ahq+TUv@IcHL{h<$P#ZXVz218?@=)RtYRCKS5$s?JAg6o{mh1IBj^VK zkQ%eP>av9N^^a`P`XSlDJaMi-DLq zIO(lQ-knEqtSF1IJw5v^+M+uU%sLKaB+nJf=pT?;)YgQ$;yd8WlIrb*4Rq71c(MfN zg<~6J&U-4edcDSc+ z(xbsm_VityIfs8KP)>Iv{$d8Kkqa%~B~?%9R@K>|{L%7uVL^EuLOy{a7OU@a&C_+1 zMdW>u%ttJYk+pU-0(rxU9e?j^9!E%U@Jt!{+Ga6kg)#u6rIDDN@=tSi zdk?pmOIim}YNTYVOt)4jpp1SmU%BD{;%coGRW&4lqRF>j^cfr}w={^xoYy-+G*@{b`!f}a5lob#`l6a zuC5qBx0MmqIJtCnC~L>rHz7e4kyB5`gZ2N5d;jp{#&fQ`a8M{c7_vkjb~ zYnX>Eq-Udf>6ear#{q}7prrx z8e?#yOy=d-pNT9ypxa3i3emQLA)gxA&zwi*KHz|4tS;46c$qfgnlGc7yo4^_V5bX# z*los0RMQdV_Vd+@Aq^Zx@~s6&%e7`jNW3-FO=G2$fNN30(*Oi$Ozy~G%;)@UnfelN zm1nU_nMl8EV;gg~eB_@P&ZLhWS9#AiM~6t)yRfmLs<-RppR_P;X4h?$9bxNQVP$FFb@x{v8h2fpPb}xLsp4|WbI6{ti0<@uj!Nx_7C0DRLtcr zCLMCS31QyAuk~#20TXf?I0rM7^TTl-`9Hb+F9VRkHCV zkCUi=!Y*M+(FI3(DF_{93nh3Pl3Ua8tUj&K7qN_rEc18oO_XsWBhP>-qCBV zZrTE@LJ#4$f3SrQW7a3+O3f0B3@i}sC{)QQJ9B9fnXXt*gy2>ap+}rAb8@p@uA7&E zC#mk%Y7(t;T&Lw`=;4XQ=4?Vd5B~*bm7ulLs>ifXmR!hBC=CJ=S=ig%ajyJ5riDE( zhSYN}^Jl-ZT`tQ1rpU*PJ(EGPHxiEPPKL3L`PIp6<37G8`f)djntLp544i#j}G-h$J zh5|)T#2;_n@4^Kep_T#?dyDv2-sA=~<4o-V4ptP_FJo>v2C0@lj=GaA>Eb&Io!ASD zw}BPl^kCQWYc~{lUZ6AG+oyU(CabtOb=~?MvNbb57@vvDv>xp_x&CR!Pv;y68dOa( zXX8{VYn9=rya>gPx1Dkt`-h!0a()0x($#9>+)5#1V{fbc_5D(YRjiB!@~tQ)@U17M zt3z8`FZ;YF*g%6(whOqv7`Q>%|D&-*u24Tku>!7=G84qh7-1KJL`gB}RzOvoy#3vwN;oESf z7ue<7&iCmAIGz;!>iHuY@|dMZ7@&dU`EQnvx&{HCMa!1n#$KYbQcK6rFuf_Sgi1c? 
zko~#^Pf?ke-qqa_w~~{$u|3j6ZLF<35^Y{oNJ}yR}MA#sU5+q8qBZ~d-1ZNx)|!_YyBJQV8k-Z zsqt-0%pWT@D>X;Sa79h?^7B_HQR|8_yP{nI%{S24KCGOfz}|!XYv($NaE?25BI5hz zOOI;Arfw3&MHB^uE$tjg(f4%;>n`$pCb3AITSxXb-u20lFGy1~jGeaK%ARs0?T)3w zs#6#=-pwr*^EU}*H|Iq4fKtXHkm%^Q=x`79G6}(H%QXw(F}V@t6;=~8LEFkVJoH3k z%@O$XN0gQK*&-40`*Z3AQ{Ng{0kL@17%=rF9!m#+GvRf+@;S8b(sYaUpM?1xPp!@*LCWS_=_8fl|ZQK@yiwh zfcnnfkhyhJ)fR8`bcpo3!HTVDmR=V3;_ha#7^fQswX?pUt{(?a@wf`q&#DPJ8Aoy; zE57;UF)O~sl1DQN>)_=Y_W%zig5AG0607+2zXPGvx=gp5#u<@VRrKOa=x47x-}y!4#C0F*^E{NHPXv1I}QY6k1=DXHYJ%S!)~*K zu=R&BbazGQOLl6%7igHo`I%efS}tPU%x=zy^XRQJMu3lm-XooQdHf>W{OdEp-z+dr ztS~{F+Y~Vh)<*xA_q%{Kg_4mA4cH}Hza$S;@S7ujLOMW^*zV0TYzICny29gKc!qG7=L&Q07nkAuZ$$qrtAK^Kr;mVgQomfE zIsWBIxRB(LqlAfDTCz%$Zp{Ib8oXofAZehwN9^0?cGtAxX8Px23OeJu+%@)nUa`sO z_OS4^A6nxYoCQv(_I#G17E%ZP%19J$wWP}eJ{4w#QZT7W=O44g4{CevF|)$6jqXYb zI>z-Gz6HAfZYKk8m1Ofy*UVBwjO*?A%&X~j4(C|tUYM6Sf~GNC!|EbCQMX9M%4a5N5YiG6B;Ydt;DNP$$k}F zzcrVW)4mR7WL$iTk6KccW6Uh|$}AZvVxew@EveTbxdK9}Sc8V+?(Z=!zD4 zk`A9fPm)faV8_m9n4-nPLafYObHf7Z(Gebxr@iPi?OsyU$|4DT53LV(w=tjz?7ZKr zl@T#M>*V)7&hx>f7QhfJp-F!8FrPTopC_1PfsDy9jCsGA=&>4xz?+2cI8+?L=yc4W zSQVtTMdT~mS$8^Xsm3x{+qj6+tL3z>N|CG&$d*UNa2r$dP0moo#@pyuc047FjvAs4 zP-rnn+|{KRU=`{tW#DnXIRT*GIx2ef;kFXal{Eec63%-HCpTy6*?y~9wm}gQm7ISI zIT{-!TNdCJ@wV<};F5XbsOd~}*ch}fI#^Ht6%oOz2PUv)OuY5rb6Q_UvU{s{T#_%T z{iVwwptAP+_=bAkQ7d+{u22kq+}qfw6z)vFGp1(S@L>ei3l5BTcma^)`u$BK-jk56 zA5}D7DN!mkp z#;}w!=f-l<$&s!S#q!3R5u-^@GpSb4VJ@TKy6N*kK4=PCP;frND6B4D$1&dgV@B`( zfkhgnW$&Tk0?A z{PGoiW+tz@xM749kR!*}j4$xegtNTw9vEq)7N{!)@#_KzdPUO)@8;7=Cx*|-+6S>z(C zfoz9vwZ)~`Y{I32@HgC7R^+f#l56y_Wt7&A9x>)y`A?KvX<&+${Yde?s+!f-B9AQP zLNXOrKA3er93z_2!7w9UCwt5RXy#u+C_7k3Fdujm!#x2e0@Mhhv#6GAE>Lmpa!YkX z^}U47CQV;4$%SUB;SuYAkX-zTLW2~ofhdiBr3zc8jqF%o=Q!me5i)7?}l#5#}NL3I3F?8n?=KSayV*SK+e z)$;NVE$2SbhC4E*G)lSUa=PYSi{mNBC)AqZuKTs}-UA3CB2#1}1S*kmDR$V8by448 znA(0rjTsN5OgL|TcV-@C^jz_C!vUd@Burt8UHS~&IRW3$sv}A5T#xQ~MaN&*sf!XD-MjK9 zx(<1-g`9`0l4Dc$uu1MWGu3%hnaJ00bN^`=&xpH~H3VUL8Jk~xWJGn$m?w`gzOqW3 
zj{}{r{`G!F>!Z{@o`sYsnn7KeQ35Kjcm4SPLVv1u)>3l$ECdu#aR1L~%oQ@|`1^LO z`7Y}>yR^4U$4XedaP#Or1_2q{1UVeAOCa6<$d23RQujq3_aCavXx#+SbLx(r$ldvY zlTC^@)2Tgk$Mp47`&4$4q}IfX}-7K~U`i5z--zFAhC{40j12Kl%D2 zh@DD4@y0Vgn#$kp8GR@GOu8DRTgNfV-78hwx|YOifnVXm^*aDm*kAXEC7Y7r0E{Qi zyfy{4>Zh1vwHE#{cF9FpjJGg=B*Lf*ni~4xWMm_Wxi8JC>zf@kmm7M7J;1kpM#<~$ z5tjw?$;+Cs8M%<51VCk!l(vxkWAFR)R^ZclSLshhpx6RLX!wT9;yRz;Zc?{t{`awoV_x@u2rKPD0t+ohi)6j{V4 zSQgMae+_;F&sZ6K)OYnF=NI*krvydxpU~48b`m*a7~Y)Tf>( zmHtrv>}mb$!>7O4W5)cPDr|2~$zDqFgT0rfXGvg0r?b+arg=!kA6isBN*YIq5`-7Y zw32poWZk%!LXg1OPAUbc`RwTdYUBVl5lZj_HFl>2>R z0(F)DB6GiHUEt}`y!)l)g&E+l6gKY2b09A_PLez`No=QuCLbXZ7IMP>q&;W;PsuOD zKW|S9!Iq-6uu#O|`+HDvoodh6mx@;7Z#oFo7iEKp9Kx6V3TcT*bIZSJi}4(7704y@ z$x9KtTn}k$(b)f+I3*5>$nGV_OIp$fLTctEYe)yh!p&HN>0+6vlG}l!IjpPST+YiT z8FYQJ8kk7F1y1T%u|G(ml5kCX_A1XLC5(Hd?gQaO|MO`(=iOM5+TMM}6Niw<)${&# zF1mNeeO(zVVN88XP<`IG-3Y|A`FaNLzH-H6-6-vCgbo&O!WpC8Vte?E#x$Cu_VmxfM-s@)zofK$S7qT~8jd!u&{^Q(O&FO?77bcx?KAfT2C|T%wiZNoE2>!6;(HW9 zg&c`_sEx(7R>+ml1E>oI1AcEL;NOf?YHNd&KYn#8J33)M_Czi3b)7WC7$z{HI{!WD zvrSQ+UMN5QhCB_h=h3hWrRo^}w&9{M8Q%J3$UcF`#>*b|Ed=Lzvtmx0@0jj(7`OPd zicFUL2-_oLMD{XE=gtbOze|0RgX0Z43W?!9om+BiNma=vQ}wC7MI7dvhW)QzWR?Px z@AIn5Ae^%6aGS~`>oDU02&bRrP#cr^))H*3M(rs=8DBhLwV|qSt&kc(mN4_{n#{(C zUq%yp6*J&0Ph0s-o4mmM`;2P+pXhiCMXXV^6D+Y}tPyjQd?>8P2G#d)aQ1L3FN+PH zdKP|Usj)h;Wa7)XVc);V&9TsxKt}>`PWv4$Oz}otC0 z=THQN686}>MMM%;V5ouxKj*kGns<_ZarsMy23)di+I+lir)+XYR>5V!MZFnj2V z3M7PR$+dMxBSlh}WJRW9l6f!c{KBWC_)yvKta2HkICOjP(Ji4Ptj&S@U4c)5$T`He z6Qa-0mmUKLRXGq^L37OL%9k(GPq?ic?w@*+9{}0!p^dj`Fgee_X`(?j8?x#OXW<}^ zSr^Mass~Fn#5q`tl@}Wa9?u|~BF+@{NR{Q&xbL+|O3943QEF;5dIz`pqEtTHPTpBA zfE9sCO(o&UV$Eb%u}V<&{PAn){BcvUZ-|Cw`D$`J=AC|}4nQ^k9G^)Lp>d*rGNZ28 zC=`;e^#__jJIbc>9@j^^VysHzq|s)5?0?4Tti;lV2!dF;@`VFsG=?Hw=AATkT3}#V zX?Kla{n@`#*D%T9ZF~MsLi*>%G(%Pw3b6i&uUT+mJ0r;jigRd6*x$sEc;;8P+kC;X z`P?4$^u!~t6oGI?af^f-!Zh153x}RHDv{PN5RSLvyF;BUi?IK0zfJaVgWZDMhmOe{ zy|MF>cFn3$+igOrTAimEyZmz6b7_2OMG>bK66BHyCgHq1ho3$BR=OsGK)z@Y1h7Iu 
zP!O(|azCH8Itp5HP>~{Q#C^GPvigFmeu7$q8X`^i?bm#J)d7M8r!8viQ`$Y8BdYH% za^szXFZP6FO|Un`Z&PtZauSp`t1;gStF0-sjXve?8d=xZ_x?UFh%+qL4qFZUgG4{q zYKb4O63UKpruYxQ#F8S@?XkQ81Atn8|HTDSNjvuX$8$I08$Vy*_|la0GmSSX&CqaO z1?^=wcOU8f=KHj9pt6Jxv`i;bQT?a)NI_=obvSE>;STPozqljI`Z$UTErHXs312vH zp%jw3;bEMboLaYd&h)6BDE?0Ge)>@NX&E1ZOvF9_0((V4SkY#!_i&Q zpdtP1OD6U>nEasRh%Y3B`YUsEbTrCyhjpKJzv+C<5@=ZDQn=KHf&@kJbh=3WYXTW+ z^O>_N0jyBRFO?8YG1Q5MscryeVOri~tf8V<)V}&rr=}e8poYN?(O>vmCL+VnfLBk9 zYT5nq?i7C2>fNiT9kh=pPHWm_lE5z2s%Hc{yu3<2)!CA?jr4t@h(kU`xbS*zNDIQE z;luid0PgKcHOl#c+ie-%9$-DzdDtGFfR^m1NjVjW0ICDl)SYj?89 zDJ%^r!3-5Ioo6u9yir}YS0}(dIle@W3B9G*sh++WP;FfAR^3(k`sZ$ynFYT_x-=MU ze*SM&wx4yu>`wC{>nzr~2C#*yQJ#$n8>P(G9`*hzwzL|L$TQO}_fhN?bv|V3NUKc>!IngClIpS`#mekIkIjbjYbtK!r+d~cE_a_KSfF~aL)fPnu zSF`;k{QzW9tR`U|aVTH297#7?_~UQ9xOvZ^-lw#C7iea_Scq1IUEngluebHm%BD1I zR{%m&C@f_kyLn(oASRL$Tm#k>d7o%Sf?-M}jO*5-%)$Y5tu3%vgZFnLpk^{R&}qFY z+{B0TxI&Qg*v@CfV`;6VzD=>BWXERsDV5~ltvER2p;AtUcX+ufk0MdDV9W&s#cK%y ziA~6~;ki_iTCy9Gg3G)>u)HUq1-N$wlJT5bYnF35$(HPPt9dTMGSZ>Bi06!M{_F2- zy)btY(T7CxeE`9*j1WfxH=(J5Xgh{OyZ^@kQ`%P>*G>xvutaU93OvA1gn3(Uu@D=>V_L&_s zZ6UA^37Oz5u8KVk(Y1!^ykPIMUak#usK?8u z30(j-`Xg$qb638v!piSj$1a#u?=e&ux#$&d!PQ@>N$zEmSjWVhR+B$o_#dagO~^UI zsYHSgqY#LWyI#v+E%jTp8k@V2H+Kz8d#Qm{pd0FHo*8vpC+V_dJHGr4|>xb ziav|8&Wp3CVwF!7M@q>4=7(gKy!GRuUOd3}suptQmduSaD;akPu_F9s{e4@mHxX?8 zG+ZaLhqgZaX|cH~^ozBh>v@e2SiV9Ge%#X9xo<@j%VienHHo&$dCS4faM}x(evzd3 zGS0A*whCuOFePfPG6VS<1(}U$2Zth&lx+kNqUx)ApklA(^|-z6|MJsa2c~EE3qD}O zEs%Cz-pevmo+Y@h^BK2r?TRncefhfMC$!}LRQY1l7>Hj)dD4Hy%)RND2h&5Enb@&f`cmJU; zUs<>U^LSLXB)|TP(+ZCO{^uyiJ|OPl*A^63(PoSHn=)9muJ-t6 zeIdt3QORPdl4cM=gpJeID!Qvw3B@yLQw;Nov94?A99i+6jN}`b|A#rH@o00_&O5T> zu^nX=h(A1Hi78b&3@u=-+?ZQHi39b5a&zW2T#U45fFs^diT$y=FuPSrI#nwuV`kG+3SV>{F1Y!2`k zYBkEY219=xBk-KX-<35V-1Eu1r$oWHM(1*nx3pGnr};#RuqMAZRhC?$q(?dQk-tNx zvqBzTI9|nh7NY+PCi?lSI2e1+w`A#Sq--HhzRuu+NcuUi1aFiZkR8iP&!dteK`b*W z>?D#D51ZESewr7l-S~nL zo6b7miAi;pX_dwswSp+NDV(0y;7?*2FABHFnSqvkv~8@1o^+9SZ%_!>*{JupwegiW 
zO$~kX(u`N#!x4c7U``L7q@X{BN{WImHq(@2_!l|s*$oimLpwb%r?tr5@-n<9aP3ZR zF`Xt4@Hvqxm_2`YG%N44snU-H>T`HlZIsQHWmF{6=C`25>TCmgvTM+tl^ zxRJCtCv_6I(QPY;{P{XBst|68+BlW#p!3P)R2eK^5!7FojAQ=p z?LqDl}$shCT`hruw^m#}AvKB`6^NzLQ}mJ@x{tqYgOMDGj8q}QnC6Pw0q zEyr?r6sgysF>p3aKmdbc#Ug2^A?eG3EG>2!ogdECoMasmY6KU`zCvb<`0t?&V+f3v z3M?%1O4&&awZrbxD~C{eV8*`_pEbHK&^O)|x5usR z&+fCf$JKvkJ|?M{tz|a2hCm;BNZEQ#sOb$Om-^lj7Yy4|Tey2U=_h2*YIV@4U)Gv* z>+{q&+rE0n_BBexe3dtUXbs+7+?3Jvz*j{9bhsuMcxWZ4H=ImT8lWd?CdaKNYDjf$ zUsbjJ(qEy|Ri+x4Cm6o(Y2VZ6FI&_2(&kDdpA5vlB2n_c)z6cGcoW}h{bgUE!)0{8 zri^YXd6G5uy}AdTE;!~J|5FA%tAW3Lw_`&si7e{aa7IWvUC}GYIBoQnDi(0+dNiQc z=t_c4#*^{tDICk>R(=wD%o*Ih`J+4;Io}usaKkj*Te)aug*$v&G*%P`dzH1D;uRC= zw!hEzAXJz(gk7c1X$ZlGsI(HsYyfXK#~9G0R`zzS&y{2dq_HJPIl@i6blg^R1DU5)?l3h-J{H92^1QS2`cFV-++xN^o3BoDMo5&?RI*ulK%a%O&%KHomTG>SFQBdj0 z4a)Ujk>2eCg;V0RyIzP!y)OU)L!pp?@Rq0pNS(7jje$;{oZve5gYZKh?lrjN1)RdQ z060)|mWPrJVnW7|y%==kN()G5Umclj!A`8Fl3m98f z#b~IWy~za=K(qpyH6FjH%x%sh^PdL+aFnZ(eQxmMT}wVUrQn=ba%#g(U)9QZkCoR z?cpG~G7+X!IzMyIb~{ARcnHP|G{{J<@G-DU;n&wZeMf>dXlolpa zorzo?lUpA&VQICb(@FuLf{mc#)3|P7l}ClehjWz1Sj=PNh(WY#_vrmql^@~Wk-rNZ zLTO#;@+r;AYO*&rMmvh4f)>|)h9-#1ubCzvf^ZH68+QkrFBe%5SsF(f=<;y-yWD1M z_i|(Q#hbOnlFLzhiq@=B@#Ffv8dcuM#kH=z-;v2a9u#D|f~EuRXmb`j^C+CIFoUbX zE-#@eM7=qN`8(_;5GwJ;e>V8O=3n3LN+Vd|E4k;Ek+R$MHBa>Oyj5V&>w?bnd09z3 zkG3DsK%A|sdKEHDBxz1l6K;J&Sb{@RUAUdC(E6ChM2T%?oKW{0!C@}yc`bUdYi#Rk zNNa3&>RA|~(|{=WDPcg@jiG7oDXx$mU0F(^W-nLtqA;jH(rj38dqFj=von(Cn% ztwxsD?lAG3H1QYTGdST%B{((-2Un*h{@7(lM8d=E{IQB=8X}Bc85la(8#3a0Mm$h` zb;yR~Ct9zOZ1i>?AePta%s)qnRLef4k*$ZD8UdQ%2*~^6fZhr(6~YqvJm}jqr66PI z$YN=r4Ep{>g0E|TaLkJOyvxqBT-Dr-SkjR!Pj{$uHf!QW^wZs#rWIO)R+vpjq%d?k zpd!>kA&AFC)B$1+jl(1ECPp~#K!woGZHX+RQ~N=s*8}ga*<`YxSJD!>kFlD=WmcP+ zCi_BY2=L^Tri$IM&DB9nZtqEks+O>Yi|v5xeO!~Ou7TqQ?(T$66w1J4$R%(R0qNVP zM1e?pZ*iy7*t(Eato$1pW6f6TwOJyQ&?LN?8UO9i`N~#gAD7ME%naTV1P+hTckQZH z3g21(aka#-%a+%)jR*Cx_X;xIRkloPP}Oex5a2YcLK;b&`X}1jV4+M)`AjO-*SPJk zs@Js{=b%<*O8aq2>Mq3J^h-#w!n(dOd!U}7G`Vb4nJe#to17QnJH+X5khXvkM2@h1 
z!|ARdwnU$wx~$Fil##`iuu+0hI`HXdkfEH&AtcpNNB4s=$#B|PbC5v?2QC7k_(z5r zzyP&X;V3W$^;+%VeEAs8t6HEBDhK(IY4d~6^elhU$q5^gZ7;d#+&k-&dp1B&t6A586Wb(duOOZKE;&`N9;~}Nu6EYILow|o{!5&5~SqR`rXAkLepYURwZH9aG z9T6kI0>ct4mI&Tb6IMN3cidEOFz`3HKy@azWJu5PdzNO%y-s8(A0YMm!^B#>Ah2!! z8yBCIN1OpZ6XNqA=vWc}IAzy0pZ$Z+Ir51?0ntSlsJC>+c#yi1r4M%{*Dmy3i*=vB z%bj=eY*W~qGZ8h-fOHdZwy&7NPcz#!{0lp%zi(&(_P6f$Zzl|GQtE|_$BRt&F|fra z@@~(Hox}Y05G6SNAwaO`5AUMrAKr6!gM3Ge$vBq#9FR1Ix|s<846)j5rB5NG4PIk+ zU~TNaZX5>Y4<1L}T5dJTzd{3Dj>CnuJ2l&UBeYbpP%_1hSbRRlS27iC?dwQvNr-5g z6GC&BSXhutF!)1{XR#9$vC2f`y`mA$gwC8NROuDE)TRj?{8Kq@ufOvrdMaBIP<4Q? zXmA{w29L&jf>TrhX^XvSPrL+-YTo5mGxdT!>&nUeQHCPc5%9^qAt{1uD@SEomi!t( z`cok4OD*yCq*jmnWr{S`gI9^A$+`_f)E9Xy-|1_Wtf?8JMRsPjST0sI`M>nFDuTJ$ zEM2-=l#l9D7Ym~9SO2DMNqOJ2?Pf_5PM;2~yB#2*AMUQIFIhc08$s@8Vw^zxpR^^^ zj0__Nt2^$p`RKdEAuX z(&OE{g_*jjz2n0OSej=cAi(X(tQ>|4EBse1u{fc1^R0G zd~Z5-hu)!gK(RWP<2+Uyt{!$Pil(F$0sGl1t=7ix-L&ntvOeY0X)A}yg~0J2d*LkB z?bx=w15+dUxM0QV+g*^DDXbl;-UDoeC8c}L6&4Yn%~8A`P`5oLCmY%KNEFW#h0*%% zxPt_h-2pAKgH&AzaZ1uVscOYL_SILd>mHc>oD9HFv43uE#xc`#yuYZvnk~g(IZ@q@ za>+{$n{V01_ALS$O2+B=*`M@YVykj7wpLWI6n;|Vcw#ziv2L?o ztD|qdy^|elsx!{kn2%!t7T#KTZ{kaFLT)fSjxSNFraRaEN+@<$cTQx+NoYP-&I3ad88B-p}rdV#O#ND)12PBOD z5HsVd@aJKnso0w))rE6kb|^`&iI-gBr3vD31=1tm)D)d+#T>S5%qJeU{I)tkBC|4s z9NpI0M%!fK@1f23%?D{CnF@PQf=~5?d%Ereu}>B;W6|sL1WSs_8Ug;YLfpwbd}4+# z2}1r%&Y4)#VvC9hpAT77st&`%M%2znhKc=bBQF_St&SMPrC1Xi%&S9~I?*1>RA{6s zWyHvVo(wgJ>>^VbFtnK4i^!(argct%Q zW@?Du1E!Sh00TISIp~f^t%?@~Y*$vi7w4xnXTcWV!|O{vU=m7ytha;W@7dc_4Ja1{ zklyw6brW3)&Nf8BtmCr>ik2Mj>jy)(x0i>@Dpwv_m*GpN1l9nu^99?e!65?wJi`X> zHT&62u`;Z~s3v?tZT~JTZ~wR91i6hb4E3m4wu;A!N%Cypuh$WwQIoBt>jt_2jz8qC z@vx?E9uC$6AeE7hF$rejczuOJihUuItj6})Nm}qe+-$KkJWG32jD5is=@4=o-{uUZ zvO*yDD)qd!S`Jg|4it)b*3<9ta`zkpcZsWb*x_oqg_9OB|Jq)LXlMV!C@{D1=hlYx z@ixj&h^%1YsXAGPiH^QTJ%QsvU?XXVbj+T1Oj*bTP-NG`SP=>TS|{-8;$NGBGPDi% zl~&+S(&S$d2_|EQDJBChcln33mj3(HH8DG1ZUcv>5)ybN3Oadu2D)mrjtKP?nC=U( zNEH0>eul5rl2j`H=;C7RG!jKM5)Dtp=VBI!^x(^Vz2jA%lNfT&zX)ciI9b7?zWm$C 
zB2}!xfEkDJE|nf0b+19a)6+aDxF8khP0Q^{SqJN8+~+>-V#|%jl`k7!)dD&^CDJvo zPV}8_u6{MyNlEobp88xj<&(tvBwy{I<5tfrQeBU19X;!y9-8jm>y6;)EnQ~iC~11g z&0U={gguu%Lsvn*uLb@_5-a;DZnVVF>|)Hv%DSqW z3}0Xr@I^F%DmdX1Ta@)gF<7i}TP3X2NqP%3GuXAJB{x{f_Vw7jW@E^=WWHYk`qsux3E26oLt^L6ex=O;`holbC+dX3BBBa(L{C<`3X9fc?#VJU`{T z27%A}N`?pTopvH&aTMYDwoq6zWlNw;qfv)p2CtYiA^2;;EHMOJsE+KtfN*a110t4f z@Y@*U+`$;jmz`A--(P9R@lw&PA?VKYG>B(#A*|k*TigMEd7N8{pKlG(R#xoO3e&uY zL;Z&6vUV-TWZ)C_uTB!jXKa0VW;OYJ*$$Lda@TWq!s~*uUFu zK*I5Q)7gt(9ue6U95f1BQ+eUSgqI=nd=4UV1}G$qNpRHThq7zq7T3|Fzo@N}M3URZ07`C2a!8i>uOu;N zWUwYFN<-2`KUu4t%xw~d#-NrWtKiE-wWyotto7+ScC|sp(A{V;Y3R{MCcfJqI zo%q2>g)c~}xb`EP0MV?7d9MSn(mp6-1a^Ji*H|fluxTi`rJF(9FmdRY3WvW08xESf zpgiZM;{X;cj^1awRcGQ4KV_0M@C4G0y9KdT{%|v@9Wf$CIrdZ^fE16$Lv=q$;*UK? zdYHdCa4v!N@1@~VSpm0ox0ZKJpd(U3W4o#iwMNx!_n03Q0P?vj$s^<}NA2<#D4ZfT~Z$$Q|X=ujYm6~7rp$_NpKMRiAUpjTS4XC;e z)d9vx8~j$aj;_GJ-1+xtyU?my%W!i_gsox(r}#>F#l1b=z`51F7(2!QbEXu`Dk`ir z6wl?JONg8QUc8}lu%YtZu~;1}=bc;EXMylffM}pjcER}#e5gV2fd4L%>qDji=n^Y# z2qqFE-TjXX7D7pE2P;d(_}RPo&9~o-l+0Gr*Oo_Uy`ILJzTXLpNp`5jDrZLmt+HZ>ad-4QQCL8n=4xL1_eR(?Pv_ewlA?(JcBGaz42 zfYvSkRrxR8Q(MIqcE?nr&t4j49jMoL=S^hD+F^pLQl9v3IGpX};ZQSR0fFa4oB{^J;WI$vn8?Y3rj0Djgv`rV6#gU3 z3N;V4$>&?F^z3(`%2&@+n3~yCtC^AaA)|v~=TmI3;m}`=Kbu8i?7k0BT5S`oAffD! 
zdT{Z5TBl6V4Ii)mDa$F^Lyp#w-o4-Zi>#^u!i6n}%XnOc4SRFxr^$~CZu16PGeA3# zk9s6S+~yj2nh)ztitxB1ez*CAM40@shx618pZ2&3s;Sc#H4nlyTRITn1hIgYO{(~i zZmQgzmI@tuQRA12Q`n{8dHE04F$~KRMYMun2cLs4g|63zLclz3!SWEmEQw2kgwid0 zg5Rr%*o0N1P0TE_HIh81Kg^5QJfO)$)K{%*)1BAh1UC}r6P5$VYck};C{whE)T%q(3bt-e?brCgKA#0#%vB6ZbpGB78fYG0= z4IDLl_iY|-vxXg_OZJjm-Di(7Pb&`Fd+qTYHdhAYZRmF`*pty~0|5RcT_?Xn7>l4i zp)i%~nU3s+)3{gae$j^#1<3ZS5U2K0#N!YYWFZ20pL9COY##iXUIGy@P%&c&{c&l{ zqh?Q;K8_Xr(kTaCPpgVIGvi2!{-#m5^IlA#&oWXk(#^o|zbZ;xhtN99Qle$@nIUfd zdiK16GY_~hz?!DqjskF*vk5a*3^BGFDOuDv(E7*~&b3!8r|P5`k9y8ejIolydj1-H zUv6+TW&E{W_lE9)-GwJFx##-(3|Ja{Ohfv@vfJMi9(Hf1X#F1wdpA9=a?A37owZuXb= zUy|xovDAx1bzhZIRDrh$kmpVFvDPIehXfX?RfV`{BNA79A2C9lkeB82u5QnR8|{XnAnfF|#VTG82(?ZUq@llzbyM zDZg&}Xmdi1?MRIUmXQh!Q<~SkC2zQ92K=T9_Lig=oIL;xRazT@wbp;f`l@{|BK46k z>o0^PT#sD;jkf-5kpCI{pr zcd25HX`UVeCJX}nJ3R~I;MLbMP&J6`{^&8V&cEdx2hxE{5>_Pb3u~jmNt=@svJ^lC zyzaiQJD4)*t6PE5*>OMWnHVDp=bTD-SvzLeos>%d_AovGIXFC5cFIEiYaf!P24lBN z`?7k_nJ1=^GkDqPv<8z1qCQD<<&5g=lGy|n5^8s1LQesYP}!?ujB;&2njnGbn2P?+ zVE~O|geXfzSOwA;4#b|>7PtXIRsay5s$xUBP6uPB#E^DO=z^3xcGkkaO+=BkeTVGE znCDPFA-y^j+|%EiExQ|k+SV5F%yj#oqt@KeYVnaa460$#Tkcz$BFn=MR7wk=9=`h~ z{8u0&`D$_K6KiB-5TQ-ftItxApRzG)(Ab!^+wyIwJLFG5d1xi@xYplsh@Zn%awAZM`s)+sJPU#$Duqo=~^Bhvi20xuPiE1UQxVt{k9YhQ%_*tq%F8q6V^`!y>n(x4dlcX ztczw=BH5xLGrO&p0PCGqG>c-rPl(eFrZFT^INGb$!S)n8(L~^%_G;%Rz!$&KvTI12 zX)t@iHjTU3T47ZIs+lmfCiD(BhsVGW%T4WtZT`9yGUWq+bg-&H9m0m@bsa)U^-P$> zV_>uHpX93duxe)XxzabA$H3By1q>Df2CQY}pZkG_ zzkJpAq##tJ@!(0Elr*iaxqLtRd!rRxQei-jouzS6$*h2Kiv<_|vO57kXgVuQI~e{H zBAHZ-1-}Ixr4lI5)a&`TsB@!II26~q$PR=D`yMZ(wyqEpZNkS!nnY7v2gHF%x2U6& zVOqptX_62!3f3(FgT*NVAY;gMR8JQ=XnmutF7wK)5Or*oG>rlGyPfJ`}-29vY zS`e()LKiGr3l7!7`%hnCgS%X^9{mk>$>x+N10g@7EVX8_*OPQ7F*y z;!hY0-@eE4-o`yVT$kX~5Kj`%c(P3jY|~eIOT1-2*hURwj#VFC&~i|<1_^tVc&S5> z#uEi_k5ZkDS8y)X2!Jh;0`+Ka<}Q5Yekh4HxD3S$(r>{s3iW2!c&X$kh7tp(cq~)D z_|WE4)hxngOhlt%MRnY;CaXjEHzp?6wQ!1+M74L0QjNO9+}|q{Ymym|uuOPVy%^zi 
zX)GykD4D3X*iPe~v>N&4G}9Zq7MNh63M2#k9ptYF#ygy9n(@qCZuCFeU65)V%+>rZU1!IbI4~M-&DSy52Rwm$v&P4CI8O8 zIZ1MDE5zoLLBGVdCmq zkc$j%xqS%S`tbeV!dn%Z05hj%vtQT5YlB*ixa^z7%FtMNePxlv&*yn3g+yF{!3y#%x+Fh3t z$iq#Xt12do=YiRW+NA)dwr)c|w6P6DbA=R8(|4Ja!sDTJC~JS`I|S!U9cU6>hJ578 z%X-f4Te6!15C+0`ECplI6T!%j-H}^omCXL21fL&4$_c6vLy?-2G8;&R)bxTf6+pXOirRAyX_tzZ_I#bOG_m3!q0g90**DQA zFf8G1F4LiJ1q?7i1i@?hU~EH>;zqJFq2&MOA3%n9M|wie^pq0Gje72?(r2VNy!Bx2 zuLuh6suHum$bJDxws%z_bhvF4uzpN*J|X>ebtuaKzZ?!0az|A`nMgZTyr75hwcC7#FD*Llw(*6&|i0N7B9?oak9?phx_dxjoM+)3z#cS3u<8N?`)-o}AYdcx@U$?ftMW00?fVQ3xye7k(wmk9g%Yd5 zp{;Uz|J&BR1O(O&DgdNlpa`IaM8k|Jg+}`qG{|?*fzW!33VlgG!BSe?^Skr|F31%m&|wlIp?^^-RB^8;bZDXdnWs=orf!jE2Y;gr#;F z*vEaqLHv5giJ^mbl}iM)lO9NLAh}7?h3Z~0*5uTkfHJ+KY#g$X$1qMM?d#Zzk96o)1ryK!+hM;T%Q%sj)*ozHt4d zjPe5mlcp^lSsne0>44sB%<{1mfDelmCpJ1x_el( z!0{b-*NADJGe`2>2G6%;$icO3kjplmWAAVZQCZ3P=T9`!eftx(((~W5W19cppJLNAie+(aHL?ve8x4vZXl)4O(Yr6sQ<%$maP)Vzw8AY3OO%nf<4 z^XKPIB;}`+SIYVgD5))0na`;Csl)!A>fWe}(`4@QpTqYlBw? zUKK+=YRq-x8yOK}rWRTfrg+|NLKVG-_153hNp)k!meR8RSA`ikgoW}0ma&8Xvum`P zwKf{Lnx!eY#HIATBG^mw`MbJ{nl*%e&v6fEojdL%1;WjI#|m==wr%4 zSM_6xGWYzDvfd66@U>iZ+d{Ty?+{sV;?>>L{bUa!5I$2%eA|S=TdH+wk7sdVl_zFldDrkH+zt_>=s?3_k&QG9QVMmJZ*I>3%dZuE=uTvZ9=Y}fS*Jz+~|>+fH{W% ziQshyl8@*+1CwZXE`Ufu7|ZhnB9NoRWHJy9OG62t4NA~*Ks-t}XLEB4(A z9d>tW8h|P-+^@%6b$ykpC%8kV?}lQ^MvKTej|#!fN7hBR9t3Nnh@wLZJIWYg`ovg4 zpA$1exYFZ&=yfi#;Lg7kAl#1kac|Dh8#3-}xc5rsFr+G(&|{GFY^D`Qt*5 za{Nn-L1DfhKN9_At|Nkvh0aj)(g?(_!5>;(2M{rzo2E7I3(mIln;fLH^rK`p(&Idu zLNM3{Kmr2A2t`@;)?$v@{xuSuzWNgy%wc%_%(hM)b!lT=_In3ZT~0~aFLQH@OS)(% zG^WG$F=wkpyNR9sG}~Bh0s5s{GF` zZ5{H9(WXUc@lW#pJ05WWaOQmTJw(2%5=MQ`m`#`pq5KasLdwP5&z;sA|Wui%vX27`&zD3YUF8Cb>?DLkw6@;F~*Q zaA4lGEgL6()6NF*{`J5iTcH9TJH3G)t_Q|8DrpWefZz(m!CzoiQK0t@Aj`JrN#(cK z@WVSnuH07{%EK9sYAIif=;CPi>5T|{*fO4=;0C`)PI|?>Cb=Fn;biuLI(%Te`4lx^ z$HZDiYQYk3<#COD>}Q?DB-<2l8xg~~stJ*nwYCd-B>uLDeV4XJSCnvF7)fF}h$BRe zNIQ@NVDsvV*-=mtBxFmD3pCBHE>UXeYd!)y+YP7gXBmP@5_v0uZ1S!@_5G2IWF#DSMp&cZ?RX!4{x^%#0|DNj{DFXyT4dQ-LdoH!5WG!$}3J0I|hBf6(< 
z0fisusHZdLJ?}7F=g~brI(clT= zi$|w6l+5N?<3!5I5@X%dB4gbjsvSc%nNGIfVqPGI`=1nH5zkceb0Hv8}Qb(|ItAm_l$TcciT87R@V|@ zQI@cEv{rM~@8AAc=(80jh*?i`deU@TTSsUrJds}ky~!22*i&iA74T(sOgSZ zh{o!Ojlb!R+jD$DnWpCKn__q4A3ZuhFWS$Q{$$9G^BINZAxP`oM0;Gcw+ECxe#{h{ z2zWU0{S9z6S5lg>7XV8<_v)AoRLeh^sjOPQ|86GZ15};-Z)b?Bm!EFn$@2Y4xiY%S zHjapz>NXCT3LyL7+cH<$CRiSSFQU3$8)B|8Bk}wA;Bv~fde((}pRm_W1(c5Auj%M^ zuc>JD7N6cVX{RBJ(|IKzGX90@*ghH#_$x~e3Qh2?5+(75PyJ$_u91rqffCPQ&hnrq zWn{^u$T`4hR7(YA6!&I6re6|Lqf|^t7;3J+`() zhQ;ZTI%gB?r-qsc=_?f7nhgE|{HO_vAY6#?K)|_oIZh)})(=blhgT$H9&=42=Icdn zwpZ*o8my`@AwP6LFY!9ejoWYj?1IiY5GdZl*$8|S0FTvZ_a1GoasTETvOsgfiAX^6 z0dPCHJHWfO#Wwb%PQdmK-uG9DobzN^FLQ&T4HgCUDB1~Yc+HC%s%7`;+P5Q2zWS1Yb zvC*e|18E!_aUubgF3+ngCh@Gv(LI5z!m|%)4A8zgs)T=IU!)!Dv6Fp(`s%rUXH32I zQFT;K^4I_kI);7tN4RZ;nJ&)BEnV(HYTVwYBbVy+ty83-uiHgihf}FEJ;uqPPP&D6 zD$9Px14<T4SUv1psr#&{MPD4|<=SulV6Am_&E}Un3z6xte&G z)4>kbCTYd*TJd}4T|O86IQ?G>?`KKE2vnxu9$Pj({_=NIGn*TA4h3%S`KqOtsHWm? z)tj%nu`vU5`2nUK^fmdbc&W-FpW%Ff##j>7QQjZZJ9=%<=EHL8cREjFvsw_^Qh?tc zoF~YID(FD!8et0Onqp_Zy0#L&I8G~r{)6lDtzu3e9fTU^)OQ~=`~59bL0*VULiJ4xnaZEUT@iuWjAWc*l+ST)~d#CZ*{^X1C%0~k~=qLFkY z;cPv7m2|e1jsEgP=((HeV)ac4?6Nq~-!%_HG!Nk|~sk zkgZJ82g}@OPn%IT)bOflFNXad#@j0;az@_~0;!v5jj|6Y@&o81c263mhu)h=%AZZB zwd@Z?kdTwOexEVm!|n>M_=O2qM!3>}`)Fr6JZVUBb1*|@EQEafTDs>iG`#snB~=Aj zX5A&r!$=#1J$-PLLZ=f}fLH8@GV~Y4`awlh%51PhK97C~#R~5(PPH(RSHdB`o_n1{ zy|RL+#(dBktJ+Wf4|~j5%xDxf&OsoLym7HjIyHWWIz1}D*&v%r!{X9(i(GP$ldG%~ zba}sQZmsVeBQFKZ1kwfQe3f;gk000@@C^K6!(`@Oa_J`028~BZ#Rpg;diURH!Zo)I zDRZvEO?1iphZ1?l5XR#jhCj!7J0E{mcJ#m2CjEBkZoSRlXC`8tsx7F->^pg08;|^0 z4G9gwMSCIunbp(p)m*0teEe@KW5t(k;9Pl&;!$L`yLw0b?6_RWEyB`rdM2VI!RMJv ztknD^W@~~NDlx|$8Zb`xUs=a|x;abZoE%*T%|$ReX}{KLI&7`J)%{#g_b^)6MoR>a z|4M;l63(VmkR|}PuMS$)nBV9#o<^8OU`Vr{By<(Ppr1qW%&AsuTgaI(!0^+TH}qMH zj~~QhaCXfd^_iSp&sukK>J3->uL{pc2Nz##4}RlDN5}a}HrTMCWWfzcGD28TDIhM2 zq>-w>zX48sT}U|#5x6#b@oMDbixf4*@|22A#?gt06qhUX55m(m=o<_ImbeY#6U7+n 
zkb@W?(%MXS7_P92Q>DP5^&a5v0EkeUmLBaHV}ktP`MW)OHaik~+2USXD#}~(9|ST45FIOcN$t_vR8IFBWQF&!^jU2l81n4Yw^cmE`6SKQoRJdmo~wg9b@ny;Il$MUhSlki+cr4e4!z*X z@a54r0^t?yH-gQEIl;j6S|r_yAkH_%(A{tA$xcm;1u*fFLb#8>-&fRSNgP$-RSa^F zux9pJ)3Th}`mkieabHAdSc#yXy}tpdIl0`6<5z{$^E3i6d84S{`3)3AJN5i_w-i{h z_Dnl2N%xrfy{es`!XPjk^|HlqgRZ~2^OK^IXfkAR`l2@oJfg-cGnDuRzZ#2CE((bR2CmJH~k|B_g3Mwb z&W_5^|Ib`FnR{JiT}*0-(s2W4r*W5!SU8V7_FoK^D6GMHDpH$H+?!*)J*-C!W?9D^ zLhP@ey{-()N%@6B@l@}dJNe(QCJjUW!xl$|lJ5H?p~YJ%kqsI1tN@wYiuSN=p}fLV z^e1i&zELL`xV#RrAgIv%oV4v_mMa*P=FafVbrOVgb`cT|vuRa`YXhQ>k})XJ)1y~k z7Fm|pa^t+EaZli=eSTea60Ez(^kr?4A-OVa-NI&BV-w@L`xXkDzXsnAP&%Rw+*+nz z&g0gn^G`uYoLm0m#scUQv*YkS^lXY?lgo5@E?*-cbx-xEi+wCH#PsGkW5fc^HX8Aa)6hX_#7zmMT z-b2O@*tTM4;E;1bJ52(1vXvJuMLG>#=M}NB%T^pHQxAm9e+LXIN-XP)Ai?c1o?P>4 z1hABx$^A6lv&eQRNqlx2pnc{5!&kj4(`vQU_zJ|`Rwn;dMVMbpq+HWUL1rp|ve#-F z>Q6~IDc)GTpS6lBzCE+|iKCNj!yp7tA;iMBLMf?=x7<5lwf7uLA1Zqg$=hQfV@(;E z)vdFaCqh)-JOjWMw??X`p@T$*5z_4Nl!m1eY5YK2RC`lE&ULI_4xUS_$?!2|wr87# z!qWHh0iEZ+KmgrA#zKfk4AUYdx@K=n{jHQ%x=;66-L>4PQaGDa>e6$Zy(1yy)5!Tg zndVenf`6(#;VB=Wmv*)}?N6KCo0{TIB)x3A?VT`6vkX8T4N&5bHVkB$9eh{ zPS#%7d|cFpnyM(d5-M#CbXI=k{Kpe@5p)cI+8cS-)|NL@eb_LqjHL)jv{UJA*x9>e$7iz zxtcdCunQO%%PtLFeEeMlDYkMI+>h zabuA#2=;hiUGlyg#%wWQbO?C3Tz>Ty#hBK4x7entj_gB&Re^Re&{hp!skUQx)YN(N z?C6j!-B-eQaG2i=)V+^1sxySYYsXYazH0-QR|C?SFR=H%7_2t|lC6K`Z_2ol2x!lk zrhilN^ZR`+aHhx3BZM2}Y3?7$z7WAHUjmrR1l-AcrH$pj@d~{9AH0GRewsT0$Frbz zM?vn;6AZ8T;eHOcAlr$Ob>cw_*`%70<-ec^d}h^`qDgf)ez)l|vZl=#@ALNeOV$9E zj6z42IFaPc!b2Qn(SD+|=;2V#-D>ulQ%OVGscPr(SoWuP|d0HQqTG4M|~zH=l%=4mnD zlMr=aAZ}JvItG!60Mf}&;T~lwc6Ya$XuAUORE24F@HGFU1d|hgraxwNF=SqIVda?n*`;6kVvpW#cFn*?elb)YgFv9uyhfl?fd4c7 z)92%BO25@UuBY=AK=7AX1C9o8fVg|gr7)>%ql&q!E#f;o=Wu_`K+mB^X)+gY5myFs ztQP*+U)oJxPF*R_Qd^XMtCMFws3^(KzvBi`Y%h50^_S11GAcv5DS3)+MXL?nRJKWL z{0y&XqntwxMd-@<5V=HtJbl)9&qxU=EQ_v$nX*k6`4_E(dQf8YQZ6arYZ8pC?Q1-$ zb~@B1Yp;$sn-Hg#5RBHc>kvIo&a^@me94BOla}(@xTN8r({}j2iD9W0=zF5J66*@`4*ul)i9QS(DA|##TL~Y}Nj$dt2vn53@7tl3IHA-T 
zd&d_Jhw&v+1q19PnTx2;9{5PP1vqAPID8SIEbkY^`eg}H7)y+ief}K># z{Fr|(te!<2L;$IZvVR`r{8n&K!cEp@&u>lZ9v)dPa;x1m&0nKRv!-fmIxntR%TzPO zPU97U3f#HPD5uxfA~;jh8P~q9>Z%Pn_dH#1qJ((Nf}HfDVv2CM1jau>nV=qMa0XWQ z;qFhlj{$<{#JyQWY>BgzN1-?M@6lIddYCy3xuGtGe!NfrN7Olm=h+5pJ4s_Swrw`H z8rx1|+k9fHvDw&0W2dnjtFfIl`roegt>fR%R^EAL=DOy*XD(}@jeG^#S$7!lW3B6m zwX<$en{X9jg0)*M8O7mBeQAG>hfNZ>2QO{n$r^y=M*h4uR|{QlFq2Y`IxvYY+~B)v z4YC=pLEC08oW7+aNewePCTm(rtEMC<8GnDpwlyyRBA5Nf)8yU2DXD%^h39jYrXB58 z=J>+l9WQfA*YlfrzfLxKLlce7POw5K=Iv`O529&42a`3YH}+E+kd^m(>IKJ%@1+Qd$GvwiED5nwz5DWr6!EmrfhzSOH=xuzcQG2689DOR(4y!xeA3UU-_<%DlaR%xUXogPb}_I zs!yINE5p{P4~ZLkbM= z3_nqr7^l|Dmp?9(*soG@5JOx2-ZSv|Y0^2UtUiq{NTk=T+?7AToR z(}6fiKbmKMq{N^3XC(|Vh zN0VOp>bUW#wW^uuGxjyv}}eMC0J95tRCrp*f4!m8+apFPqr4wcbgLTWe=9dN(9^4)#nNM`rZm; zGi?$B{LkT?x5SaL!Bf-%#3!_(^xM)<7)We=MBw_1$q0gOCj#dek28}DF%CseqT<jf%uh+NBDyo~>q%i(O zvWmw{gJ@h)dBHPV6iEFxDa|Hz(SKdC6nIr{b#8w3CjHTEiL+4(_oi$YV?L`mfaFml zk=Yph?A8EB)p(-8+kAOr^p1JVyYPkAVnlvX`BpQ55s@v3rHMc4GKrh00=9cz5S^bUnmK2;48oL?}BMqkRP;mVBW7}il2`X z<7q5tx{bzBi~JFvcy)@*=CezqOQmqe5`L{>W3AMhp^L~KDqa)^Wm+odC2@uS?S1bw zzW!-4zY31bmfgc<7(Q#lSNpzVg;3T(^s5T689X~%n3zgo<(s}Re!XwM<>4D{GC3VT zY|4^>uogU=d&&mI?bCsvsjY-g`|M$lHYvv?>Vlikvr%Mhz zVpSGK4wZdXQkA9T(IE0@9P84V#W|AY$lycKEtSCis1=o@d+UZxy@t(>`Xj`aYy$v{ zb!vM{KAJvz%K-7cZWxw{;@!EhR{G2Q>8pI*o%O@o`hx$YzmM}-E4*A@ZA;p6RqNrH zcjbiF&lq9}?-vcKKI>6C8}WiGj8Xw;S?<$OhD#k$m!BcqzCu{^I- z_M!lYR#`UXe7=qN^c4Gjh2R#X?g7;XtU^;aqMXDrr_<%jPL=~7B9MzemQTR@m3S~M_ z1GWPfZ^TIm)h*mrT-&YaU_fZns4_ePtKONXWMUY~^=_9Ovse+#@MUg=8J&i8r2J+? 
zNpf@11b$6D?jod!0b79L*G|LXgl5Vtd)(YKc9$tZt{k;=&ve}HwBH2ah(MW#-@@mz zS4RJv@G_*ri?nN~JE|Z7UJ6$Q=EyKd*TIL?^C@@9MyVGnQNLpRB<9hGn z+*snVkWjxv)L@+KY}YyEi9JYvuG$P;bvPhC88dS@qAVj~3q|K1emR5Gt{VF$A((5I zN~P7|O@R%U^0mXSeh!#YHn*8gGedBXjgXbFlN8+AAJ$zB`&Rsl;=-Hu)ck$A+$o0X zX+>YbT2{V(s+`}->&z{JyZ%8~LsWn#*1;(8>vB_~hzt6ww z$1>-d!~;j`6b`pO%h=p`>#~f;yNMO0g6b&`nVh?K=po1Ia!&wb^;?RdD}K>HQFkM%ge>PpU|fN>q1CH{ zYv~-Zj`SDRu0!QfRzGnN@IZGwI%$Mu#p*Q))C3+RnpKw;uk2 zp;7q_4@17mF$cK5;YHl&5Zzyk|D58$r^rBA;N1E(MLoRxpJbu~xd~yvK$3~Bw!r!S z+ypw1n-E-Z6uX2%G6I+xS_>vs#Gm%4_)Dzjp~)aH`=(ZCda1>i z2#3@t)D*3;l<0oBV)&fMcgg0@_!^lHM|_ty0wr?xbKp|V&9zUBDo z9^hY`8%b-R-LH7fyYpGgF1b;rly5Zir`i`W(;!pB#947f!zCOddlM8ZqnJ`fW(?~? zkSbQQm>uUX<(=yUzG9$V_u_mcDnf~q+8Y!Rb)t7Lu^1t-j#7SAQXj^eH|&iwmKvqx z*yM0dp^RtsE6Wzz*);qXrc^wxsj>@D6EnH~)|}o#OOAf}yGzt$RK}8~3G%Z8Zwq7e z-wn)!(}lui@fWQNj0{|+ocgb``u_+FIyNjE?zkoQWLOrD(DHYGupCI6StOPcs3cHr zm{^c|NpjcHIr~QZNepYdlNT)?+l}hJ`oBrrRRBr2#oZ0x^}eU0-H z%y~mpCpG_Ey78Sg@xIha(LNB`%lFXms@g=oiWbKX^jSh$Z(K6c zw<5x?9xp7rTwCC3?L`4fGY~2CD#vwU_=G}~KP$uVd$88qZjT)I;#?Hz;J7-@RjYV? 
zl|Yueqlu9f$9mb^qN52C*Xr{DU3spBn`04AFm@0={hA5(AW8Kv%^{M1?u8)8y8{o^`1u_P{{~R_oJw=dQ{paXG zNLq7AwPQafOUgwI@HJg0YSVlZLQ1R=LJ>@~k_nhX9?CY_!FK-bHCfYaN<)3JQI|^` zUD?@xCROqPb_nU}C-weTAf2Zj5Qv?4-ApXm<1`9?9%{nAGJWg(n{tm)es7HD7yaB{^SSAQ=k*qhh^?Xe7jY%3whp+LVhu$K42%pMzBHfEDBR)15()?%1MgA`P5l#xZ z>gfJ)$HN}q!+vf(Mmtk@0vHoEtGm1%c5YlqrqaIMU3aQa2v{yzcX+8Z4el<~H%F9Q z1&*XMKw#@ENhh@3aG!+aO}{?UNl=(1>`1;++TN@baf;5lTn_)QE;rsP+^%$0wVx(Y)a7cSL5udNF z4-HB;sFJ6yV6$S=ORY~MUmj}~;h<~gRw=Oi05c}}k=6b|0J!Q8@wQ~*uOqD(ft$XcfYXi6DcJo=#3X>|K0ApQ3M zP@dk2&Y_-_9GiL~CvT-8KXwD%-qrK?Mda>UsHt@OI=s7*k}iwuh^aBBDW$wrksR3I z@f-QT1^R^kOfiq+NV1$X?v>IU}DD+j-#%s9Xv9ISp&8yWu( z%JHCwJ9zpxE`$pC@R3#i_$+6waXQ^w@mr-js$izK{{=v)J1-}AhRZLU^pl5#c5FITSNnmr!mt4Ih9R3Q9f6VE^o z;6BaAY#;DDJ#cFm^oyo?pj_v=$4nZx-odGiR@zcL(5=m!ktCJ3p{FvTrFt;T}M<^vD z-tJ@x%VlCpM5~&5tu)B=nRzTP5!`U+8t$kfdeO)hSuV)1gjoK*$Pg*kSPdp_H@>8~p zLW>ul%49V6iZ}$V|5vgt?i7I(8;hXM#$5*qn)PBQ9hx;KXQR3Fumb$XADu8ZM>_+H!w9;=WgNhwZpq!F|;4*uVTN8Of=Ju|=={r^+grT?A6dRy)V=nl2ow`RcsoX$U2@V{+w)(>0V;*C2z zz>IBBX3}W^yd|e{5?zaa-KgGGh}w8z$Ym4hg|#K}n8LWAv%n27?0yVI$G7-i%F>66 zo>*uVKWIJNF*3PArpT}cOK*QSIAtlVsEH$S5Bdh#fO!F!6}e$E1WJg_Zrels)r>RA zvygu|&A#jdJcd>R$;NC9ht7NGLxrhni)E#mRcd~NcFg#$AMyCEwLwk@1do^N&Gxk4 zbj-Am8D-^*3DOv;ljVC9bbK#WYCHY*5@mUF0wY=r^I3?gB`^*K54dmqKVNQL;rm8! z-l-+7Z|M4tqqpEp`kova{~oOw_2AqzoN8n=-?(W4bh8kHZh~$eS2=D(4B+(>UiX&? zj=^%!$lZw*YLbE7Nxd(fojCHH5^}v0cVTqDhUVg)xi;;z&w{Q|<+7øx)B;fiqsKTS`brx?mFJ~G=W2~a5e9oMHFUcf2}{SzKmb$Saw&GFy}Ztt4%H*~?Hc;cdB7;RfZh#Jy>B)E&OY60@OmD@hso&I;D^^;NXp9DCLCL-F`pjtE^#7YdvppZb|^8iV*3bR+kI! 
zMBVZDGIf$>_;3(v{>1;#u?>2Yv_L=OYb{B%g=lThP?v;3fT|9WSJKj%q*6Mz<`kKv zs=J+3R}q*#`3-r1Xb>S^M}hD+i2YL~Agyi%of=R_y@=wW2^%yH>_=}00o{+LDxich>G0AjVcJD=0q3x1_9x1 zVFJ?20sp>I_CkE|zmoJ_?r^xy2m#6s3pW7*JU83#`c^-^#wo)@qW5NZu!;8oE${Ui zdh2jZ%n}-H(AI6oEadSRK^d(UJG)&-dzQ>jBS)gY!KAVsmWKB%kbAKt-KtvcHcP5B zW#PltLv`bLu#3Km0%WV7n7@kY`;kXnY$U|)+!jJnx3v++hG)+U_ZN(zS)r$Dk~*Bu zKl4=u4?8`&0Y6CYhI?WYSr?7~ll~G`dtUSq`%C+aNE4Cp-J{lo#*1VB-ehEX4Iv7L zr-p+Sb&IBWKv)6VpW)mq2GN#C3A({@VyxZu_3}w{EAurGm4T$)mQmGIDcXI zCZ~4B-CaCNZyUVYE-$%00S=drkNfZM@Aj?tv1}|;LJf~9W_BBS+iK(N6SR)yz6jvm za#2fEUOvQ&tt6!`#k=*uPYX6e9G*c;Zmb&OF^p79EoCx){8D_Cr(mbi0oGm>(oq8Q zPA%}*sHZ7tLy=$wTRFjaV|*Tb1(dDWEk1EgsGF_8g93qSI@x~8*}%;K4+Nn|REA58 zguoA~fJ#p23(@vWGSB1@n!F@Mw!UfA~@&>)Vx6)c1VthWh$564Vy8ML@sgKqRQKsPS8alggqs5uVMzNXtMpeK}EO_xi8#2U|#pm ze#S@m1l47P}cuVu!pQxH#7Oc*DJpg zx6qDc7*v*}VWR{5JP;hK>|)p5k-_Ae5u1B}t%2FBSG(1FwrH8E=Y(x1|B;7T$Kid3 zjW0Ghk?iVP^Fp!wnc+F7s-3CD_?L#f9V0M}?zY1Q9--H6<(DfnZLj98&DZkt`x?;u z(g!e~uC=H*q3C;6yW9_*gXgq(`&{67JxnI^aAV7+s-wMHX+~z^7St*oc%{^EPA>xo zUjKFeQ~VB7+o2P;$jzDzmIbY=N{gZnpk@j3SCx%vflw9WoovI*$lloEnq{^^oXufz zqxoC`E5gd(%)@_uzrz;)hueCp!cosrF}niJy*iuxMvdGXyS%q)YgJe3l7TGo-V`F^ zn@RzZ^Q{gIPgzSUeu{qEF5sr|1ODdAW6dO+UseTMwujBaDILv_<}I1dM!04BPgYF+ z2*C;9XrL=xaKgiq_OM`~{I&+a{WXkf+2Uy6EflK*L11npv|>%D{bWuZ<>o2FVW@Tg zFFO8T0Ce1~<+oYMiDt%0w4BQ+&tsHIyV}y%l9ZR(DgjGDC*({HVW86<%;`KS@nZp} z{x5B$Uk$#5-qx{>&&<=+tjM0&;gT8}ySpx`wi`+r=szdC2g3elw2CW5_VCzS{;Md$ zCN9v-ka$8Bey$=vR;)eMf2@GU0vn*Q0F2e9-LlkeVuE=mf(Fc3_7@Q7Nlt1L^@T4J zG+@boHsW>x2#Fe@GxL~cI>lkOv{@CgBx=M=YlznUVLQ7Z0$vJG9?3`^#f&c4Xgs{8 zGnvZpfm8&Kz3BncOG(7<(itu)r(hYGMCyTKHu;_60*9j8`zkyEH@w0JWuFtY2VOM( z;%&D2TYDP5@{{rE4ZOtV;ccb~MZ4)CT>_Mz#MK2rJi_H=OOCE8k7rM>=Q!Pf+fa}O z_$79l#=r}mKGNm#Rrh~%BlM;27f(`8AX4LasMqJGHfEoXuJEF|GRXJ5>Q)VYl!d&U zR@myn4QXA7x<%=!qdFwT6X@S=FM1#}xdF+;^ZyAG;^yV-)=jJL)J4g$p{WP}P>s7y zSmy-si}06ppFMeAAA?o>BLN>K5BXhbgjeY0l4*A0rN(g^W)mhIU(6f|F?of+!92qG z9fUh*ypes{n4t`Y0JibY{@GW}8%VI1Hq4$BXOgl~QFn8DHSt(^c=tgd+xBOc9R=bow_k-|;G1JR^ks3^tBtRy6f39t{_U 
z{vxJ&hNHv&Lz)jw7_!Fe?7&=%0r3uw4vh6Z35Q=KY*W0+tR;tMN2`?$0M>mrs{mK- z#auPpbzjU}72CSux|>{6Guv|B&O;BpM>Wj!u)d8yuBWqx&xlGR*_XSdmMu*Jwe}jp z_MM69-DxKh8tI_;FwLBB#i8IQ7^9_&NwE01H3l>gPRB0DedEqa>F1T_nE&y|o)FQ#}O z7J6$9fe@$8GGFWRBg`EZD;UN$bLyLh-t~92%(d+5(!6@0g1humH-9*$Zi}gFxZ1VV zND$eM{_4N_ne%ly zyDwVXmEQl3$#S{*#9*<;29zl8K&sMod87QiL$>L37n@6;F@wU_xp)1^DqBwS*oEu( z0>>r3x>kA_BrTsFbWd0n}m{StSY8tzxNvXRS9 zti&mS*%8n1-4da0AjeuCh>7&h>S>ej$(?^k?22KjZ^IAN^C$Qu6c)MI2CP3dUk{kY zn3ZE)LH~&+2k6!vMS?R`tmu%9>`#UyZ$ik3m2fi)^q+HS&E5OthImiRTxvb~I2V~W29Fb~#TqBZ(k0N-Nh!<5*@#Otj*!%&)V!*7imaMs`STdBOZ$KB(lGN%NV0Ac>We+cB_U6Pk z7`hgm;*-8EvuykZ`!+x}7k$jrusoNx0Fg2Y9=J+KX1-3yE9jrYn6mzoqUT!uQ#|3W z=*n~d`uPuL@&yn3jQ_CeL4%p!37r1*&B=Co!NXa>UDT4EAK`Y^>KJohOS+Cp=DOZdv*=s4 zvpT9(lntA#lvO~>LtqOQj$Ij(I!{);H^$?YnaJ2Q{LUg)9yQEerp;Ou*aUU#qXvOO zbC^*3EPG3MEo*ulkDXuz>2WB@agJp850C6DM`@{5yJpixfVAWvr1b+7=cHC3Nb84< z)aw61T0bUnJ5eaQ(yx6)0#>c1)dN;Rb&V8M*I@HEtHDnw!55lcTKmTuZRGe{x{sPR z)X?g{cw>D;SqR$*0t7reK-!2X$p+g2+2dN{JAv`o7+G)?z;l~in86*M6&eFMh9wXb9B>b@RsaGUDjJfT`U0zW8Ap7VgR zB(Wo7y*p3qgXPRcQIW{cDKSZD_E9^4^4ntd&(I)^AZW}~jUo{`{aENl%Y^@GUO05d zm#02UB`=eupt5-Ny^6AU%KVcc>c$$>lSa)V!EsSPw#GVcj#BJdH-aGtuczo}Wso*~ zXhnaFp#^oxANBvnd{7@ocwote_Io*Oi1%pFG4=~zSNx!$z@(8K8G&Un&RzsNoa0XX zhMGKMy*ut(9e2D(^oQfgN)ygLdk6ht?9PQ`sNV}lA=tZ(wwBx$SD|wD*Sn^$bYtq?Q{eek!lbP zrxBHQ($%3Ez{*j-djdh%<147AXVANuB!Wlr?d6^1#3i61y}}P9?9HA;Y$LiS-4AbgZ8$n(hq3Ox zrQLn{@c*)v6RRQXgH7#`6&ohT5MDIH5Y!sG>K&BP4dz9DF3X}P{HgTG5QcO@tji_t zx8X=zYAZpSk27FqjFA5@fGQd|tWSNoK|C^v&*KdLrwIIK%!gXXgd$ji)X_bt_5k8X zXA)w?uefm}*A!_tPfr{Gym}EOG=1QT;^bK{cv{qA#;~Vx#N7K`>()g))t*%u-EMiJ zxQ6X3RCQw0O99xXx{P_rdwzj@ec}5j&dt6zIQIoqH(=RZjHyE=-13@viC8?F5h;jz zC&JBM={)-HI?lL!cc-N1TJ#bDv#t@|41vL3C5iZ|aAKII_KkcsW^TQnSJg_O2_^io zWD@oYhN?|KDz0wOVf2q4Tng26V^3DvWlSB2r>xb>`YN)TS2e=rXxl86OK7;NxXv(L z-7`CPTmYpOdhV$1igU0U+?~YdezMlELPe;7vmI#?{lTjg#I*|j>+0}@r-w`N_6PI_lNyhgZE|CEihG_ZeSQebH2P);H^ z!NdlNDO-NAIC|$C)$^AxRycQu*x@A+RA#jJtP(=Nut&EK%RSYvk=bn? 
zeSoV}NNN4rEkaf9G}B}E6ud#vNM;Bfb>cZY_*6^=NE{Ry6xxZW#khkKxtof+&*p_z z70meUt?9gLbB5#>?Q!SpK0~uJ>cK%2KjV5>CL+sedQrg)!t`yL1j}?(U-YTyc0l=<^9@Cm6Ni|ej zX=HgXDI=vTLT9nM4quh|REhg%>|dmjW!>Hm!L7D;H;9MD7B`Jmx;J$Pm73LPQ@hZT zyj6HcfXE4q_*-aA?P_&7ruWBe^~}qZe)$i~)wkIG3f&aYsA&*hUrWa>RO8s1-qkMj z|8!H;49JNC!Z14)MxKL~EGjqEtEWLu+;}d?iCa1hUj5riaeB*R`!Yh#U37I3csYv^ z<#!=*_{n6d{+@$(?ccQ4*wtMET%40{l}>tjY^ln;cRwr&b1;#})jw*&#wa#-ecO*q z$P5RSPU;F894p`1bwDsvcovy_qN-1TqW>pcLK)zOt7^9W(-lRkHHI{ed(QaL$SuN6 za&d4?E+TE0U3iN1rmAAwB6=*PJEdn@DRY~c-y zK&Bb^d0rLb$7OzTz%&KBqzK&Hea!Yxn>i%>?t8IoNl+ggV0hgIOa13wRi6^FdBsSu zpIzkl;~2T|<#2qhm@iH^sU^|Z;UK#mgL&Z1*4g!XN!LDtGX2XibR(($IC!KIqVfdl zhh!*jANH4juN|4G7|Udyin-FEJ)cAErSUvS3($m~jepm7f{VR?^>A_|*b#m=T179c zt1k56KY;njEvfjKzhB`jC`-ynL$(n9)i3?lRt_6n#Q=M*D&9m%vn)oXG02Bj(iKQy zz^^rtM@gI=zNJyY%(=XvxJCW9cz zY05Kj@Cswe+NpiVto75kLC*ztR8b`F+QWD%)stS9VqAWFH#(hQJLc4g@4{S?Z{0+K zRZ*IgzD)ykJOUopUkG-rl`9a)DRclM61fbnf%qqm8M32a=eO$m#tls5$B(g3i(O|j z=n8Ioym3oLxkW)gVx;+n^;42m=WlVNVdcRQ|Evw+_?Jan+exASrglmTaVSfOE@ecx z*SXkiYK<3Lj~Y{=h;^`;PBD zsl&;{qR*OY?-Vrlobjqe_^B<>)sx1HVWou_nZKUZ^?FJsu0GQfWRtxC;;_NGo#@u5 zLp;7o6h|9i!TuIVdBbXctCxco;4z2$Vf^(2jlzo?&DD7Fy^150O?~Pr?Iqi(ez7C6 zzqiGs%Xpsc-^JPtMwj^klCdaK4`M6sl|PD|3P0tk6Kbm_p&l(_bubwnc$QDpEQT)Y zVFinCoTH|1cm!c?c?1ms#)DI5OF_P=s0H>s$~oVe;V1QhF?aWDPwp<8%Vi4E*K%pm zo5SPJ`CVDnW%CNqW9%~|MWrh~97EQ7FEFGXHd6Jxo~}`gfwGssRI1h^2r3maXfT@4 zqSQgS%8*QPC9MX>(69e(sk>5?t0r(?zeTCzn!1SSq^K{0cmO(3wl4lhkLfIqXKFN4 z=q!FcLWVi&INu$}$SYCm+csu@xXk0LKPmqAC?2iy-=p|uGL7%jN-X|!F}fU7;k(^8 zmKWTt<8b}o!s;CP6^5;%{W{?;Bc(!~Y`IJYfJ~VqO$Bm^TPepV{-qq}3RKFJ0^4?e z&Os;2ZUDX?a*(%U2)1?ElE6-XIL;bXjbGSO10jHn19Z8*|vX}Ur2vsZp$~k)sw6zERXr?|@fwbkOU|ik^Sky~@EJ58n4YW{~ z@7G;A-}qvcGEAw7ZdY`I>vsHg6D#cA=~(PZ1++qITk|B4xQFU++o}iGX{^4kW4xYyKbZyyp!!{dn$d{?@<8{`V1N z_5zX0G6uKT^HJ}Z?4g7@8n+YR)OZp$1Cngu3h=U(f#@kU&ikc91?g~)2GP+?2y<@s$97j$nhz;W!E2LtSiPvSKaVtxb1pJDUl+`F#AGO= zynYW23Z1%;T%Ko*3wEE4lMGJ5Rvv*vE|-*G=9HO(t>%C|qd?@#7RJPtN{yC4U#J!m 
z9-s{5QZA$0-UsY$O}-Fn_Kj^0eynx&B9Cwr*t)?;dmvEZ#f+!&H~%=1J??2)TX27R zyt_};!`^1rp=t4qsWi<@G;(E69CqCdEoGI6mmM(Im|haF?PomTAHc`&Jo08$`LfJh z+E$?zOYj(vr!h~9O|=x~o*8N}87jEvk>okxC=UNEn;d}Gt03oct-cWxvZ)ib|3i-W zy|imm?n4`gqv7?|K08?DO1x1iD#$X!>uRLpHr^c@d;Mc{`Q|%$b}FK!&c^%4w>`k_ zxt8(6h4I50OO5S@58=(by6hU^wfq_Z^fL->5%}-mc-|`8r5KLV0Z&I7&tivEDsyy~ z@7yMf)qpLiu`^Bqp*StSDqWk^yIX#({nyxOc!3(b-*g|n@efdTR~q+~tJ@$HM^h-n z&CmAA=X@2qM;zZ5gIIC2QTgx5``sDmjiDs1-@AONxk6T+9=YdZ`B47-BdJVCBZN^Nk5lM8}*=mmKLNp6!%cSSl)(EOYf| z<|-T~bqWzCw9zO$+YjUjo1+~?^&$DbhOus#JMyG`rA`eY6&wDEU#98-@dZxc%5>}F zRWL{~&V0-(Cpmt?Ed+R7*CM}a#GnS7WlcraJcdY>`UTOaow5bWcR zEBYW7z1tT0ho8ewioG>sQ%m(Ta*2Eg%-k6z_}tm!>Ur0vB?|o7Do#$8N^}FEF#}V3 zxyFJ4U7DGkK9;D0%28KppB%&BK8BgR$hJpT_?fDhoM8d{u(SCr&5>8<$Qb8;lKSLG zlhjoMgscCJC=zWv9XCBec2)rF{ARFr{9PvAzNdEZkSVDa$d?VdR)0lgN$LvYXt`UY z?V-cjfh0&5Cis21J~~Ogn6lveV;6e|#mjZaIauO%7_oCJcw7i^bFo!#7|YbSn&wd> z!l@m*xTK(-)BrNmU}(K4#n-O6SArQ8|AysH8R&3IGQYymSB#CV?djQKC-_)oEAJ<(%)7Qn zWu5D}bw~)SkJuuGWv{kU&SrN}hf;q-sgyUNR)ml6^X6Oaruv*TUBu=NQj8(i&CkD1 zci=A{SQG*-9eWahaPidVNKBp}-`x|u;tf{pi~(V@@pwR_AcdWITvz!}@9zUl z_Gbv!9ACr2!z*@U!-d4Om;*iLO#02NFKA0XmQ9*7xCT25cLxe!l2Nu^o>Hv>>Jf`x z(eXCvZYZO*FeCj4RCbVUo`&|F#m`9hPbftW7vo6RHspD?NZzMF56YAtEhIfM?Ul}7 zH1(5^YT12{pb>-cqc(LP68eJNY;$az0_1OhDV~aVSPimEBA3qCqU`&@r%D$!H$vD$ zMhW5=Pm+Fn$toN$MB9dEsM|DrpFBbnC|cB&SepN0VG#&xIa_j@V=~_nbG|4H_K58; z&B`Tm<#6%M*~HPlbD6o@2Km*RIoV>7-+D6D8nF?wY;Ylkri)I|K?v3cXK-<~a zX+5QB>b^?jN=^-9S&G*QkXRon#yV@(_ts3*QTpa$o>I^c7>iWqV_~GFE-eHx=*u&f zl|%h!GvhY*X7(YMU@?qS_24Y`+ADso31rMaai#&8Ps{nLE=Z}rI6OIW75ZD@*lVP> z>@4b-{stc^upZ%jiLYiJ>itJBVMq1Z>_~jaH*a@uWTF!Y>g!Sxe#VH?*x7`{uy}mE zx(Wq|RXYtrM1oj8AH4833WGnRLU*j&bA>C%eBBUPrtn~V$dr6HrH%ib=|9bTE|)vf z@~8#YHC}-I`A`Tx&Jh0C-^@+NJ>1|@ue6LVpA$K^LO=Y+l@2?Z_Tg_M+1AH~wn~0m z(p_s4_}VC*Yt$4H=l(SpZ#W(gha2tKodXkK1j1-I*~svo{bN^JSi@)3tWQ{yHNtq$ zQHC0EDR1}{;s^meuyeZ<%{40gQ4X%a+_dcRTJ+eGH^Zq&3FZmT=q1QsPYGk ztsX_UhtW1hRdj!himhfr6UH*a9;f|f1HM*^3gHPS1f2^1kis{qPn2@QBEM(?&`YfW 
zDXkECSP9WZ6p1ddz0VZ!L+R7>@IJR@L8-z-nJ8gAU&&xB#uGRsBleekBGDZ&NTUh4 zq=S5pF3VcWdz9*e{^b1{b@u+er$3;+9**!foNFLKzatqAV%Y^l?bK49t+UrjkMxu4 z$G0jGvC-E9oBv2m>R8S!jY3cpVA09}n_`v}vVKGclIt5LM&A4!@s~m|UMl5?)PkX} zq6T4Vus9P4-D+gPr;LVo3;LErLo+WbB`++gUhUKpvF&}}KRLsXA69eDyUv#NukZ3V zHaC=eE)4A1uRKT-dr+X@B9PNQiR(wy4l(-RaK}rcA7Un##mIwQ&*xgmVG*MOc-7k2 zdKg9%Mpsrr^Y~#8QOum0g+KTydsRW3^z;G|%e$DE!u7X$2kP=qo4m^N26b&GaDbKJl;bYr~ zKfM>x3dEac4=E8#h_H}Ql`yA)`|a(<8HoV>%$m{w`peTV4R=3fCi$8{P6oy zMrmJW6*-kJF6X)dP94fFz{kC1ItegJ!pfePG_Z{9E-jq?{-*mk??OAx?mYu9!8-z( ztlN#{DKnV=d#xgtIxS-W_da9IX1wH8J>|)D*bB;`oKyS7tln-h_j=4BuUU<%6Jzy7 zP5+ge2uyLG@C!vg9D0C%D8{>#1x*_ElRyvaT$=P<;!=O{R0OwL zCz-FMJKFk{OZ?B`0i{@W2P#q~EvI;}qVK5wqU*QWm;s`PlKJQU2^4vh^t2|#`+nao zTK{|@p{A@nImW#WE$7{%MCFoDNmTH1UH0TX3){;EY7;NG?+O5~1r0N^k4Fr@OyNEL zu$EI_zmQAJqEUX*L$=|pSAEwhHX~(zY4%`Fl^@(|5E)!tq%d)#2LSeg{R{p!W--Rv)2yM@|)IQZ_-^9w(#N+Z1=-b9YPxNAg%00N+*OPkN3ZIUB z3?x2)Ih!PWRjHN@qQr7T_@R0WeYz}*0CqlxtIPTEr$bXT|7iooF(F@n3`yxs34MLm z!Y5AL^{}H+XxHAEUlG3U-$J$-$Rh~;lK1)dY6mF#E(Py|2OezQ#a}v?V5nC+4`SQ( z^XzNx)MmUkUCdkj}6#d@CCYI}NK z8#CUzb$1`99`Z7#Q@X`xAVl#f_l~h$AshEt2e}@v^By)gYh#H~-P_y( zJ*zOCnK0pZ7XizDmy|%;(DRn2?Ft zbb)GdAuKnJ<^*QB-4^3R>Yu7g^l4L&%vbj$>HqQcPVsg8;rezPr?DG1wr!`e(^!pd zV`AI3-Pmkw+jbf|@A~b%|L@T{SnFUN%x7l4_j6y@lZ;4yUF;MDI!9a3g0yY7*HI)_XVl<5?k{Ho-u-m>HkqtS;&aNEz`?SEl)E$%t|gK=CQMV@B9lKdZQC_f2}8C zOt&jO!!0`O;5s9}6pMCGx97`7Sf?5y40Cq9;*DE1?1i7#T5;AldoO2JWT!t#F$KOr zOvMa4#)KjF_u-}Cx%9}HS?-X_8EXn&NKTZw3kr2$&=mn3L%Kmuj!B; zIBsj!?^&CiA5uq>=%>LEKaFLKEiqz2%Q)M>ba1YN5FdTb&()vp=Rix{`eSvh~xdiq?T-57Xm`k1xM8XKlcytau( z9J`k@bmdBZ!>d8G+&=C3y``x6OwXY-TakP?dNN#DQt>-_Mm8q1vEE6xXe{4(3YAyROCoLPqYss*~?ud0&E3kMN!xFcO0FY%iU%9fI^TlNxEwL9OYieCPfDE zcePIxUYtfKlC#T|>iiUw%~3e8$2Ra!yEMJkXH-pj7LsOuHujfY+fKj6vM-@&w6F{O zDDeByJh(3tE9~UuPJt0Ag z((4WMK-%+1dp{Ii{e-Yen1|I!j4)-ldJcSR$nmGJpYr_C$+v4ACF>3Ym|E(t?Ae>ROCk`Kn9xBAKMB4ScjJh2(!-zOr%quS1>?8c zYeQCke%DK2A({zt<;9`qzhgh!zV3$KD2o6V52>wcfxZyzP4t`kwVeTdsGS0nDe{1y 
z5t8#NOlaZk>QFx$*&n0zA7kNlTjKnQ<<*z|iL#MP=*9*G%hMs=lv2eSZxl~zDE8GQ zW_aN>&y}xu6s~_Nfr0_b@i;;V1xUJ3MJo33pk0uJtQ_vl@UohXZ)|Ccs+}6m1Y|j4 z@EGCbO_PiF$!VdJz~Mp+{mCx0sp^98hS{AK#>%l+!=YSd|JBef$nyyt6cm>tZ0LPC7y2CCHkINYhow&RAUZFe7*f$ZcSUHL~h+{O7g29-2&*^r)F|Z9G zya0nj4%<&joV*~4dpl8gMwUSR7CEsMS*PLEai8V2W4I)u;9Cq-%h32B74~UpR-_n% zWt&H~y=sX_dG}!WmBX#Z^s+aHJ1Fg%gGuuY1IZ* z1)VrhQ#dV1c z_rW9$3-iH8RMR+AwSlvlmZ7N&G+rvHz5#fR!_vxQIc#VjLl%WO28X8_b8-J9w17rc zf`#iVC5Q~A)w3Ix9(Sd}C{B2GWX<}~%cjP)1U&;PnOS0WH2a~Wp)2Im3_egGqV$(k!;siym?XTqgV#u1sH4Kk~4t zBXY!Uov1cNitW5eUd|yJ+%n-!_V-py%>CK)qW7ip>sZ5G;S8T%te=Sq|Bfpu zS2~ve4yL2qPgjhN1W9*ndXwQSSQSAJHC)H5uC1JR(2fS zC?iWT7LR}sY4I#scoczjy<{h=Sb8o;$r+WNWI2Mey@G{(l)a;~#@}iCaboEY4Z8(& zv#9TkP5LAb`Q`IlK2H^v<*LR1I5P|b{b;mYG|FSzWeC1h8vz$%G_+O4-DOT}@1T#B{|mA1I6xs*>PHhiDXHLyZGQ$`? zqX&ODa{fb>k{TQi=wrVfYvwzj<+s0fLynr->BQG&!T~;-36ZoE>kdlHVcIw!u9^gy z5)AM*dgAXvLYa=rXrJY6wOH`ai=TQ=IYzSsfL=e~mb8s^Vg%+R8&upZ4hU_z$2Pk> zTcOv_>`JHkdVSX$&#WuAyNfOnVkLqX5YenV$mzcwuH6X=n>-9`-LXasyMOFU^IKPm zz5(J1IljV%S3I^pR>At^s1KgWaFS2P7CcG{&cILAjrfUXbj0Q*4I=j$C*Y!xSpMB0 zFs>3p`5Ddp2V2G#y35kM02suzXO<}To2+8WxHUkASp zTv0mnNY4(HY3UeTcOD#&he$%GU7u~x{z&&jyzAPz`hqV<7$^8A2i%+WXBTdwvSn%C+0govsCmNpVIw;#*O{Ll zHy@fK>_5Si?O!OVzH5*E-d=y1ttak5s<>w*nuT^!x3Twe!55d7M42UZ*ngG2beO8C zAV7W@UtUz3Hw9SC2_8g_R*wq)$v;WH+eQ2w$o;;uAGVP9OegkzV>m;u!O(EhqR;1( zkK^d$Ex{g<0bd08Z7 z7#L5bdRuwJ()@R*)I|ApyvXYfd!)@KL{UgINEKkq^ryujmD%dYcx11)BaUN^#JXX^ z;e3p|Z=gK($cvz>3~Sal+@;6|hN>W@A7Sq(G`b|}NMHa(q`?iQ4gO*@KL%eJe%2MHrFd$27;Ob``q zZ=C$c4wq-}%Yk}Ibkg9|`}G)1VBaGvPln458<)WMpBq&2P)WN~PaHl1INJy|kuk1V zi2CUvTRQns{veI&x4&2e-gWBwB@|EYbhHmvtS~eDvB5iahCR>f;>r-Rky3*IFgN+V zEgJ@dWKF8;EK9gz+HBfc{7ZewPtXeYsp&YO&1v=kKa)1zCoNMfJ$>QZ#BJe+tq zu9}%*SCr_J>Ax!!FpMT{k(bM-5Td$MDiyE8+;(_PIhzO|WOgB;d=jm=yQ7k-H zoH#Zg?*j*ea13Y#Mbm@n$F!~M^U{E_>QC@D(B%Eq{5(Mo`8hTZEh<7czq?p~=lZDT zdf#^SG#4W_qfyPv9SEH7n)xQ-66Du0ZT}O3B7Kp|N_*XQ$Ws8v4EP@vrIdB#LHV~oIvE$cL=C`2Oxse<7*$)UwP8+671jm zoUECb0|u^oS&hD)KP;g$sarob+y@zbJSe}kVXs?`|0sVuk#NVQlGO+|Di+TUNd(Lt 
z6IHr`Rgsb!q-1}|WapR1&1Ig&N+`F63mFoBEKmxT=&g1)@rV45`D-OR8Zx>sBMm`> zVqKm0$5G~2bQxfh&5z4h0dB2k_?-6;>EixkvVHJqBcIdoH01UlJGc?fHp%-Wcx1-! zB}E{27cjBJn;|&Vvyy<79Av0jfEKb>x}DDyAxmOerxQ@ndN3Bv=-HQSd{wNVeDWLu zGOx=x#Gt=MO4OjaHqt}*9T7F`gE+YJ4(we@8kb%|pf<7Cj#7xh_@#2#q>CPn*=|To zQ_1mHEXNp?y;s+WyAaQO6Zh)$>eoH+EkQ^we~{Bs*-~7CzN=^knQu39_s^75{+af> zbq{g_72yRB6Rl^x++p&l;v?Qs*RC|dP5pC;^l01n!2LF@EqXj-4{;aE6Y>(PMTf3( z1c@A00Hc}2bT5+6!bHnaD|NBEtzV{~^RNUP+ONta*@@<4oT5{Tn+_VzPQ&#mL1T*y zF@Uflt#VL)!l){((%_;h?2|TN@Cf~1D7gB@vw}~7ree-QS4bD8tL4>9tCr`acNwYc z7{cYBQ|(C5(0IoNRC0A}R%uIbS9NSY_i{`ERHo*%uwBP8d&jnIPROquT2B2*=_^oF zCAC3aEX!O_7mKv|J^gQ^6Kab2;OUMUbCa~7##Gj1qwTmzQn!NKhvA zq^g0^P7p^9TqJ5f?Fcsase!OTxr95p7i9_Tirox4ofy#^tPxXNe!!r>;t+Y=#E)~} zb*@)b^faR{mo4*XVRu3XXTP4SV)aMGUZQ#uktlFiq=Q^0$l*`ybo4WUW?7)74)a#Q zm6#IgleQZ*>u>b*V&$^hQwp{^$xkJ&^q{!3oklkY6edM-1z&hC40B8+T&xQi?S{B9 z%2#EDf;vrMM>k&*x+=)08y5<$W;}Y}Cn34hx*6w}Lv2Ou{7ylXZx|fnG;>D$+Cw!H zSwe8RiD&zf=TMEk38YZ^@&A-+>)Cn1op0zl5I~k{bv)p|!meK`(CrCiy!; zg|ik?_TTI7 znP%sb7ue`_NL!DNsQoa)R=fg265r&AV=Rt}VdVWVp}6ql#=t#!Bk zSPa%Uok2H>GvIf6ReD!W1~j$VTbl^R$KrFypXWO~ z9pEfj0P$m<>@Ja^w|M~`@j+M z63rh>&xg3adNr#Um=`sRvqYquKL>T}$suVGwYq4gA8yk=S2F706X#kG>2Uju-w;&2 zF1=8{G}d3@Dy*%UA?t?N&Sndw8n^1|Y!k!F?bF|`1^2~CDx)AWXv3=omh+pFdQiPn zJoq0i0}F9pmTEeR%~kTiHrd(qzhOQTfyxu4u_A$U0q%E$Eq6_7Nx%-bU&EQR9z@U_ zBY}XqJLsh9VuATP=>Oy8qCfN}w~eO>sfoqm90)5hRSx+7d)@E_y>8eOB3fMb-?Snb zX}D#;U&m`+pMJcr8Tyz+d~@BME=2hf}bT-GG;7^sIMW8@?EB_0TfC~sGAD8nh+9lV` zrFJeziR`?nIEPn`y83P~36ZrQ?~o0VxIFb6TLn3(J$-TQ7sUDp%iiz7UXU3RH}}LY zLovg)04Ro=3LHw$>if$VuZXn^TXxR<3vwN~hYo`~)X(C5BC16i>YRSNkfoLGZW;-{ zv=;vdAWQI(Pkk}OAQ0gWCL`pHDUT+$zDppsHkNz_5z z9he=}P2|mbGL%k7X2#rh2rxG!_q{ZFJ2^MC1~TFN?4V~i?ZU>uYnz4w1*h&^GU4T? 
zOiYKTT{|D}K4?qZz;Uy5+_4GFF`eLrZ=8?ToZ}W9of|i}6aWsG>sOi=WHT=EjsFBI zk7>!-KVcWXVG3>^ny`as@LU)aEGQv;v^(w*lv?>8UD}?C<(Gfp&j;(hjBldrygQiy z7y7?8Q!c^kS7 zko<{nhx6)%aBKScy#|78ZAPHwHHK~N-Ry0uu)(Nryq zRDd03~ud=o$%)(teim8(U`Us9$ zq9~EV!CrFcLApd#)H7GzxSH~kgkUH*1qy@5S~&3XMN^*8<>$%-p3HHI(ExYj>sA<^yF^Dh8Im{~21F{H=I}C+`wR7~=fVocGP# zF=k6n5nhV0k79w76d7sn*Y*CoMi<5HO8~212NN9XJKVJW3*z310xcY!xL&5lG5QC} z$=ElY!TiYfj6k*O2o5CoEHI}?8Ki@)y;^8+j+Ud7GU4x#UqBLnU@m6;WiQpRaT2+q zvjr9!+~wvnaVXk&s~$^322UWmPw2`d^KXDT-ZX7M+@+QCHo#!e_q_K?F56Q~$V%a) z@u!Tfl1nyk_>i+B8}ZG)zJ0@5DItBg&7|#s*Ao}_Hp44Knde!p>ZAAU_;;22lMXIj z2&vLJdcbBROotIMkSQk#y{;)Y@!2%eAecWuwe(j8R*{XfU}wSUT7#OJ3f|HrF>r#u z!|K|J9@eWf7__DDo*{%t3?`h{jgFXt_lLeeeqXN?E6?vfDR@O7yP_ z8JX_Akr;pShH;X^KmI1pbIS~8To^K%u*E4hg~MHV7qkLytGJKrnii_?-W{z4<+62E&waGyvPe! z*zssZ$YT!>?1*r{wwZxv^BO-V=elJV zyuXd3Yxf>Udu<;3+S+@6?c4>Slj~!vc4N^ss(#G4LZS= zT$}VBT=m%dHw~88H!hoZ8fG`mgFh|}y4$ZFT_22#7`}^n%%)Gt1%EyNG?&|bkh`t} zy0;M0vuf9DE+0JBWV_$%mUxdJ9-AILUZFR1d&uH{Je)R^KJ#Q{b@p!xb*~^G=Gs7e zb{>v-E9iW$PwDK>3h3NO$%{qLnXoxDXz$)KcYU3>c;LSyJ!ZHwr!c$3yL*54nLgLKx{~XQvc1|GT{a% zZhDo}Xfy1&p_;-+F$&#|?f&{-;){{D7j}Pv`X*HAP*1)g!Y<dBLJwXh2sf=2 z;>VO{+(pF-i|C_oQ%jbC+>5^~g5K?n??zY}%!|07BmyJR#xnF zjgFpm2@GfbRc96rj^YLIUXipQ)0N@c-`r4)I(8gfeoP z2vBW5Y)33~R5#;6%-rsOwI$n=+Cw_Jh~_|cX(3j#Y`kuNA5i}sY8}F!DV#s##L<)q zALkZSUWyp`pXUH38c))e1(md7^9espCe1V|SG3ju6Y zRJ_o9L|?A+2n8G(e9=F~zEUt9|1SpY$i!gGB;kp%@Oif@8?y85J4`O5Nhjn|6eHhF zag51CqkrQAh1eIAhWKQi^PEG|cgwrSt}L;G!&U$BKQ`iRIMTzkn`X(`*-3EU zjZ=F{y!^?Z{!`|6xwYBA=M6 z!GiVQw-O8o)p$$B%i&Ay6Me{s*eK>CXRqo>nl?WCtgZ3?qb$&T)TriSv{+#SVLl^V z?5oig*~sx^K{TJgP!N(^B57|gQ638cLDjj)sU~mI>Bl1IN2St#<_aPhl zeQD*S2b6zMeExiEMEJC7UgII)F>3}~U2jonwM+MCo5eJLSy8h(axxpJ%AelDQmTTK zdI@7eCc1+_In$9L?8x6ITV0D>@CNOo{mgXjQ7#!=x>x-lNr$0a$2=NhysGiT;np3w z2k|bP=yupN?xJHi0wJ=03cH{%It6-dIP)i$t%k+a%22D$1}p+SEU8d=VSfUQL*H`m ztlZe2)8&{5&4@i#8Y~4D-05n-mO;5KDMC%%en$CWHd7GaB1DmgAM?x1evpuu@-wTy zMy!m16x+C<(tm_q`q`h#Zy>@B4Mf&i+!2CAxhTV=RXu(emRx*}QYQh#(n}sPcT-531?JK>t>v?w 
zzn&EGzH?ao>57ysqBm*Bu}B|b+#7`XX&g9oR$q{M%r4Db^}zdvaI1m0`#rxX9ZK}P z1Ge3dV5~~^ySgO2;L>59lTD==uc<=NFyXbgSQYZ`LyvR(Y(t9QfG~tV1ppn=uTIYgGHA6 zN<4m*Wz&Khi>6MohNFjxT!k}O;xiV;=&y^fS`5HLp{z$NcPqLP5^!Vemo*%hGlGu7I?wb&W};H1Gy1pu_VLn*@|oxNa)?La6#$H zU;eO)hS;cwA!fcht!Dh+?5_rUiFVAKb!go5o_^kkd{$BP4pwm`u=-L1|GsL2A)1Wn`;bzJfxesuBU}uFG~(~`kPIB zT7YeUyJVIU{3rx@Bh(Vfh-@CMWK1~*8xs3~b%2Bj?Z}rN>P&kw!|=|FZK6H-^_fP4ExYAg%Yo+>TTJlnXIR#4>gu~n9rT&|I;aJgDEyt zPS>$c#ozSVW>!mnVitX98g-@jsHOyzhUe;66_S7w)Blysob}JG*)H*RlHJ_B{eTIO zbPyMsuj%)-8k@?>F+KhctD)?ZT>#3Obe`PTS-zp}!btsuqw^3?+b#ZLEAejs{PPC! zF|qGS8)l}NB?qBO`c84;Wsa$X;Aq+Ky8GOR5f=fpW;iQ&2b|K`5Nv3+cz3k7z=v}X zfcqm$IA#{^o0oYL$VSY7!aI!d#wMq45*=C^o=%pQabr}M z-CH;%oqsXB+lio8=hcxNk)FJhi$JbSwbf~5^&K&5AMejL!J*9j+8bnl9;B7THO?Xo zuJE71^P%N_(~>JHL5);m+}~)gTQLR}02@7rPf{h>0@$Xnmpu-nIQaj#7yO-9BVzV1 zWchQMSxrqxqZWA_0SGFv<&n4Pd*4LA7v@YX58ae(fowRv|U2B^!-nESt zA*OOR&TvDv&g#LP(FR-Ps`SN`sx!T#q_~c6_~^*P2|o!XJbT!K`E1kZB4O8qr&Wb&hgW)=#R< zt8**^)U7olI})n@YV$R?asa-~gIDvV*_UdNi=_KsX3=j8IakQ4^W+hOW_62#oRpxW zQ?H(5aqW%G;_Ay~aRp%S*I?m-?%7tfJ>zir$xSjN*8ogK!^D*@LO+AM9fl7z`%ii; z1U9wmUByxlvSep!XR*$oyY5c2>LYE}36+RYGq!#Qo|Hat6JHWf1=#B-b4vKtiO6Jh z4+@M%PaxJfM{nL-d3vVN>ZB|y>s$v&B(A1o=|w6w3v)(`GfHfv1xl^>ZrrR- z?(^!t5k%1G1hfGtCQdNNawQ2Fuvr+sP1_H@nHfaCawHs*qO1jMjNCpZjcABl{tm`) zk<76-q^=0io4=arywUi5h>p;E;gxTZZJaZ#`mOnaqv0ZLlQU#%8GP&uT(POQJ_GBt zLxsi*v~iI1NBok}Aon1(vAm$X10xBHdMek&xM+tIc?SewRI^Qvqzji?np*3W)x$k- z{LL-vfKD46J|)eG;5)(hB$ooiOl_>uW+xQH%rSMz(5#JX7_7x{?Z%`~PU%e@g5M*b zpGmpl&FeBq>^3e)ugPos-Fl=>uF-UQQ$>xN$`PY#<#H?vBW5xiw1ozJzGuF~Tj`cx zncDGMXiu;J8WT7hGX<=oR-G)3`9fp-7p2CIQp&~j-mGiaVZ5Yz)oQiU&IcoUZT3kI z<|VoisCt)4mJEcKI`T-JZf#V`-u7>=ulqK_j{;>&@;8xQQY&LYPTwQz_XT<9&Vvt2 z8otbpw;;1Zb^cyo5J8?pl@0582=#SjP-oXvV{IYE88P$E`7BZ0BdE@-r^0qb?q`_G@L&{9xuh zY+L1Vc3Pp0`HjnRRaIhZ=5Y+Gas?L+|9j!zugFz^F8m90&$-oE70olJ(z1qMLX=Yp zVuW#JcZ}&$OZwDNE=t~4c)uR--8)=nUlcSTW0vGj*+Tt^l5oWciwEXPkAD^Z0ERp3 zNDJ|gSNB`GirqA*rUMPrFfS@FV;4S*0f%+0uu^L9x4#h z2iCLVNU@6_DBtR36tM7|6u7e$1Z0JBWg6*Qh7w|cv1A>cQs9W>3a 
zrjM6R3rd(VbG-fdozUKt$Ig~LZ&kpHdw4nV`q-L#wbWmc?72jwH;jEB#VD|RSgrNYp_S7@#&Kj z7Tvu|3P!`3UaYT@b0*L84)9mF{PSDY`pl|ond-43rLAFP(}6cJHq#*^3=jBWj+p629~viJ<6G8&#@%nM<6|MX91MgwVwAHTR$Y;#JBP%U zVwOw{TA7<^B=)>f&Z!+4EaEX8tVs8}C1wP^vC= z8iWCh!5=d!ny)^~uduNy`x(I^ORTAr;4iFr_wG38MX$x%!)%a0i)R;gYt#3g-pCJ# z0_gMlvC>XLfhLoyjeBYhTa@VNx*);Bz1gChEM@A?a%tne!YNWmJI1wSAK}`Ufwv4V z|8nZN-rF6PmzZ9{4u!P41vUq-`V=`y+ZTkNArqGrqpPm{A2%Z)x-3ynN2$C*rbc(# z)2G6zfH2}buJcUC#+~pcqO85jEN`SXw78zBQ+mT3@TYQ3_B|=K)a3S(X)sc(T$C26 z8YV3qy1;xfbA)?m@MX~dIdo?J0NXgNhnVAiqGi^O+A(>cL(b6@WW2|lHRX6h2yHF7 zj=A@;Avd_^#Gc42MDR&!e$BFYa)O;%O^jTR#$&lIQd zKC7Y*M5Ll@v0BIL)AJwQ(bCscF=A-ZbIm{2AsQd>8W)WaH`4LcDx&EcOdA{iO8%|h z(Iz`FHQ5v9SCw;D#CY!oZ&QW#=X3mx`kG+C>B~-}c)J10jqtzheB5GO%!MSyi{gVX z^lp!lr8R%O>+_l4L+H;cR~p`X^xXcWibaVl0`*L4Z3QjdC5P8a@rC*vsnN5_T0&Zh zn6^|T>{IA8gW6SD%7QF9#)fd+)67xvC+J?73~F#DnC}0MoZ=bu!u0@MnP%6Iy7VNS zCfn^ujY~YfF%{Y}h6?gl-D7|0lJKgmtntt((Ix-s!69R#w_4mv!Hu&uk-bp%ZU zBNe_hA!CA`;WA!p`aRXC3?V67C1cXpZV)J_a*@_$*I_7MFQ({RhubCTT%_Za>fY!$(8 z6`y|;IZ?MpaV06A9Zx3+S@F1%5x?PTF)e2}ooIP@iBnn!qaV9AbASMVQ~=MIC@41D zA0j@Roh0*aA6dmiSRO;y_hh7S^_!sdyaaMVPh`*dr@~pY#>X6sf1(_OH>t=}o|HT! 
zh7a$u=b+vyJ0XAD@AS!xcw!5R=??riHLFD*9EY-2DhVaM6EhwpT_1+aIxUZck&?K>vnWxlIvVFG_o5&$tXoZk@vT4;&lb8LsnI( z1w<~sw8ERdv^R>KqyGvRGo<4)rWe83NqdKo5TjTc7OGmhM0^jPh@I6h#^5 zUkSaM3^C^JDkw6~_OWthf)d`)egA;{&Sc$?4{onpBuT@7t!|HylNI0WC@&J)jZ0_p z`bRSFC+?FKm@fB!)PHpyU>15VaK8@hvTor1@n!u4T^6pl|I21l=O3FC%h45XK>_vma%38vq(BmG$O8CRtlbIej?3Zix z)l-*p&{l)JQ;xn#s*gHvZap7=&j(_?L)QW(-;c1_FMaVGI9>1}=LY<5E`B8F-uBxe zd*-eH{fND1d|%WMyNg6j>>u!qD^60gNFWhz)?ALLG}ddn{gZy=C+*@a$*tIF8;(K$ zWL1>gIPV%sZiru6>hNaN>xmko7nm=m_LA zkP2sg&(h71YdzP_AyVr{=xf`rl&I7dz+_3-(8P!ssCU5p&S)I)HZI*;9UH{ zuqEAj)>@e1+oJq~q!4urB8Ml%oUn#V<$3Rnbt_9Z8sg+(X{QBHZS@UC6!I5H8JUWKU+|JlxPieu2gFW#415529X1a$tAkk^SiCVtsqihZP zeYCBXF39k{WE4rYtqes1w`D|kPe3{pK;XHn?>KPdvw1D8MW||>_s1qNFoM)g3ep?J z+obS4h>c34W`8 zv^h3F^M58j_Gqa<2?sS|bRDYb{Sc^1zV5;{_`(FCdpC<-$F~LM+pza&aqXl+1a#vO z;B|ODoYOo^eU?@EP}`tH(wO)p=Px!0W|XG@8Jk6Wu%?pP+?Z4m5??F;_C;gVo^(5& z+OJ#aZ@W(LuNpSQeCYwCi&~=BCJwwE{e&=SQYt3kSd|-vDlPga?GLh81SmQD+Op-s za~TbV)Wi7S=vI-$7+!x(gt{N$>97m_NhpGFmK;^$DW5RVZ?HdqeyV-u{&Q61cP-g7 z<+;VcP=9K(eRKeidlwW62ojVHiSXHHW~A@g}Ecb5Iuh;-~1wUDK(LP9qvbu8?k(g z;@JiJ;N|%D3P!+ojCNpAlY~XPTD^LQy4$ezrhkT*O`|y+eIK-cfLzX2RE?zPLQvr4 zhks>&+HFr?)#Dui=Q8r4UHBt($N>grLsR-|FF(o#cfMA;<)9eGF;%{nVI9dqZ8khn z8DcOtYP1vqCyugcQ?faWzoa}OQ4z(R%1%&9_Ub@+zPKN@kZ4miIi3(Z5^*BzAKzHU z2pB42tqdj6Ci)Vfq`*Ve=q%I|d$XEsaSmXtv@Y=U?*PvTM44K*dE3IF@4$UAt`LkjvciQY+zpqjEo42T|DG|jl#qw zs;Y=M2Q^t3TtVLy!afk`I&qata)>Xjq&fDr{_wf-%?GkBD9L z4s7sI{aV*V1jRm3m&`GQGO1bg*r-XI>0HHwG6`_^X)M_&QsdR$>AV)hMZ=ilR}(u! 
znp($`O`ud+cESrbR3{-!pBYgJ>BqOs7h5=j)VFvuZScL=C{* zi&(ZFD83r%gxFntA8cc&6 zY5|Lxmzg5T9KB6)m5{XRqO<%TH@*J)UXfhH$eqEO+h>G_jc@6j@c%?yc8nSo5HJES5vu$-k>o4XpDvAF_d}U-q)@>DB~sEIX|5-PjE>;Jlh^UK zuGf3o%*TRl=2snONF&Yayj4lhv0tE#7_I|Oh;%ijQ$r1*Ws`1jVQXBsJvXu;ey;_ zpK~P&TCWOUZrjL>QY^>DkCc&v&}?Y>ldpDvJ5lT-x(+w!xSy&}+1Rqosv89Of zNn}5g+TzJ)OXPt~sgaX`lh!AXI3F2oA0IzqW8?2hu5gZuDmw~U7?W8$jpo^TNzLCF z$AbsVqY^KVjJb$v2;ebK%$Re2+&iX0kxa-p{brzf1?7Pehpa7rXA+i0O~_KpH&+PR zQ11V%0@gQs$7s4cH8ud98L~oYcKB*TDuNrqC?t+H{xGmhxyNfU&|*577TX`oRX-+u zM{d1)`yTQpoea95wqDY#ue%dH^T{%nd9_M83K$CzRsJ$j6G>qssSKff<8tUgI4I*0 zp{aT|$n7I?1&7-TdJSo}$gQGs$68>yn!L$&A42PLW41=bTr~nbsKBQ>Z-a}k+5636 z^eFD(wnTH;_!{hBF=;scW}(kH{ze4okaWlCCx!PAgWpOp6GXF7|k}~yOeJ;>EtaR$T zRwTncK~gFFyuJj60F2xIA4E)I8GMQCPv-OtMNTMn(({CN`K>G-m`kT^Eff4gR|8p` zb0w4HBdqPP*r5+*86Na;vcMCzJk@ooi!@S0(xlHDACCaqZ4#Tuj4`Y`z16-N+ot9L=$+rS9R<=cpP!-evueG;~imU0i zg>iRxcL`2#cPBUmcbDLj#x=NWaMy;$-Q9vi2u^T!yZt=pJ>U1|-f@21`(ux}$FAM0 zc8^irtJa)zSFO-m-C_mz3DW8gYB&mswi$UN5XNC-*G@Ca0~l$$ToODzaEd_r+-ZGs z?1vLt)M;l6Bka`zk;=Qe?!;VT8fBbAfGk+9Zs1Q%%ooPMsLYCn_o51|!E^ER+(8$>Pd}KVVs(6}-&tm&S^B&8GqddY(cX=nKyW-Tb`xCA2$-U~5xpS#J_afITUx zgs{PSq}q&hH^SWpTe&rv@st?QHd6 zps!E!#KuU$JEpf;dO{xSFVqJ~RpVVJc z4&t1dSKZ5ThKxI9_$&cql_%v13_FZb<37+|hMLW=w}jSY(^F7O zEoJ~^ua%z^#TId-t3Oc@HU9PKQz9GPb*VhNk*jLAZO9kJNW2`@H0w#uGjTqNs3 zi*vIIYPy@Ef&z>Qe{e$kPd)=*>SE<=ZaKr_GvoYhu;$lqfyPKSmyzv_1p8FnY(q6E z3e=Mfss%Vq5k=Wdk`{6F0O8_w6%y+CLImy|hWiJ43spi>DFB+3!p!h%CgO>izkh;l zz{&Jqlu1|~fw*2nwT^+P+iZf{#DX*;tvKM(Q3gbE@S0_Vi&tLiUi);V3g|HA;EvjO z@ua6RZ6iu#{HQ`6I&BK=m$xZCE!mkp1r@v{xJ4))m8m;z~*v9k@B0=yC< zcA{Aw%P0bP<^-}w!VJ0eg(GPi8g*<#x%=0svhF&3i>8B1NL$uc{nZ~fcDN0R3F{1n zqgf}XpSz8v5~a1?w$k|uN5Qk@#53ka834|zY*PlNG~V&KVD#zLn!1H@BvSQX1oU>R znj%RYJ$qtI>E=;DO)-jIK1QAP1ToIA>`?iT@1fpY9+)>UU97L@ zcLI)A!?pEhbCLtw1?t!n+4q2X42gleVQ0VSTez?28SgZ&ZED{|<#Za5^?&Yxnx5Nc zmyahK^_`|_%`8Q)(y|Yu<~|7|^y1`y)h_&j39EHzPTR_+fV8yqlG}5ys32z(;C$C# zEpTQ*rk(m1&3tDR2&IIfa5>*c(#v@lJG+|jvf58iHfPlhq?{eoJEI5mZoF|p8{^nx 
zC$x$6%LWbC^f|9F8|&4kBSkoQ^N+E$Wp%YGiO?l8j>?iVZe^MBJDN5QTx#nD@SW!a zZy+iOTe|0EZ1F8RT%Jl60w-MCi}^eAcBO|9RH%|ui$?bf?eiq~e=tRCb2D+tJZNX0 zm~iEUEC0yEWG8beh58H_U}<4{Cn?x@>17z_{JOsL@=oQpsMm?TvCaN+3RVyrH(8y3 zjY;Uj7Z{3E|NoRK>H0r>)vph=8p$MVdsvi#Lu7(mq0DQMx1qJbZ@g+YuvI5NeIEQJ zz9!pbZ#GfB*34Hf{6;S{-02zNED?7!*qOkZiS1&gj9gYl5voA5sI{jQ_91pwEJiJ^ z^y-$R?En->iN}p9L*GuV=sLnKQj`9)G+kG5=ekmMmkr2v6=n7{WwIs>9TpDKM3kGI%^MP(H+#NU;#oU# z7?(0fs(;iihHgVyOIYf1qI2k7MU&NnGjnEWzS2>{Oj&9JZu^+`&_??4O_)P5&gq6) zy!a`a=+%R)ye&2eWo*JM@zz958fzK1__E=uMIeUCF3Xg)fg)43Naq!bpzpma%a*~-GeF=9*H`?ThXFT!uVfhg zaJUipMyg$TCib7jEt6AJnSauD9bTo@>6TVL>(Mqpyj6L1Z=(Ed8|KRAd^WI_2r&Kv zOy*p3B!HIh@KUDX5%!TstqMWggUVq808bG0(@O`r6ez*3AErL9WZ%Z`5A9jq6VbV~ z=@ytw=iI#t=xx4xqdw%@tZ>KX!1311Rk1#5LjKvnUw?hQ{XIeM-{b-y?z)0&32^g< z-YVXdgslT=Qb?B4eSFsXu3d}BfP+%_&)Hb26>-ynI;z~(an;4pMC z2x9Ayf+L#L)_4$(3z0ZeByA1!MCX5@qLTluMEsz5;NEJ8`4u4-C+2-e)kWMq1sKqn z^`phhbF9(O?Xo%uI_=1MAimUAoR5RrFauLg2gKEGZFRRRIH^ZXgQe=NWT1)Ve1}e0 zFo?hR8Jf&aiDw?7n5 zDJ!#f(PJwqLl8qOKc5rbG>YvIdBkF;$RiAI&-2>sqMC+6UMT0lFRE%*SBI$5&@q4= zn6A7XVlM%$;?G%zS94*<+)d}%5_^JjX>aG*O3$A+Dk{a0Y9ge$J(2-oUwV?$#u?u% z(|S+phrhU^I!I`bQ3)4!>#CC(#%%vV4@#35yo1g!NZ4*F3ND&bha|Gyouk;xttO?M z!7-eUj=NOjToMqF8f|RG#JrC7$E2(?M(|NW{oI@FIw@3-;7!Iy8DqgaeU7k^hv|{oOx>`Vj~aH< zoS<YMl`hcfgTML~3PMbX&C5HDq%Z%bl25Wh7C znwo5%Vg&kZll%KclRuNC3UB5&QDeqt|@=HKX{JaNQ{z zkP)GC+=6%^EHe18#;B*4X?c}RBW6a7K>d;m$w;a%hQXT;A4{1R>{=v4@?(M8wuSfW zISk+9vPa!@eFAv5hOh6n_1_O3#o~UY4_`{|9c=8kS^b%0RGc3azdtFP!^#Q^(J)B1E82&J^mjKCxY^8t6DUNH4xpR61svAN0 zOL1W){iDV$n!q54(ErVjO1|dgmidbyts`$ z_rik|5?Qye@ZLD^yr(_5d~Eej^%s+d{3hm6UnR-&B1_KB_d1D4`vV;0ZchW&{~P%g z=opdl4nWlnzCHR;f2qlnGyYLuh;oBEaXJyxm>I%aVsX>CnCjsQs&5P4t5_z1Sfzl~`*66;(8S zX9ZgwBE2m!>wd&nEqhx&xS~4kJ)U&IJQ$g^pSNAT(bhP%q4Ro8biGSEnVB3rv@KiT z*l@C7omrjPj1}tEq=)M#%FD$A)>&`il+C}xr$OjMm=z4X+O_L%DnE~2Hl|%BUgZK$ z7lnOQGeNCAy2UM)^t^Wc%sA~1ljHg*F*;qF!}Xv@-WZoMI^766N6`(gwQBpB=r1yz zL6JQ66D-mz`jTsg@6)y0X+a#K7d?+$xv@ak=bQCqw#E)0-l867MH&TwPL5ted`+fF 
zmmCr7kCJ4OuDklLY#wrxCyML@#=$iNq}M;}!uMIS1a1$}z`S&GNHn|mrzjTA&K%2h zMBOykyEWeSfQa;QGtZ7ZH9=!l1nRc#X-h1IHhwNYF6QkWLD?9hElbd9CCJyD6FN-F6I7d6Gj?_2gw=l10#_#l#h(iRK?{2WlY$3XJ5VVbu9o})ks3x>Y6u#0vQJj zna0@gpli$Uq!da>&KthrL8h8?WT`~Bfsjj9Ez~)Y!WJb5$>c-nq_YDi!eq9ebZr3c zlAMI0-ZaayoPdFOhQSKt`reZmfLBOy!d^EoUA8Cr2y6PiW6P*R-^%N96vk8$xwci& z?QV5Xz!$7Ay8=i{&i}01iSsPOlJe>mZ=G+*>1kiq($W%m@)Ts%2TH?!7(%Cb4GSR{Z=_|m2}~3-zO445%aY>p%!FDRdCs?du+L&i}9Ba zJgF-=oW_X8A2oHTA{XQ#vELyaliau+q7pC}LtF@!aofX@PRe z{782fOJ4LxcG}Qfr@S#3&*%hwjXFI{5Yz#^W*91$G6LfS(=r#;G{t(JktJIDUXV)7 zIA0(JucaZ}F6;wczS2QaA4QB!u>$kqp4Kf?xmR#v9#bN!o)e}$p-q48V_mPt&nBNnHx*V*8#l~X_GWgQC&!P*K7 z!5)bS)!g_dxO z=#W(v|B+WFbDBp_^6TPSVs=7128Z2tdnd5086OZbI!D223Pv*WHnOwO;q>TDraJSLTeN}8NwnUSzn>2>3!1tU z6%v52X7y-cLht#mHHL<3ugd4~H}4f#>wHw zI0Sum;O+P>=4_gU3;121XCFR(CvoI%O!5q<2+fRJg*2MQ{_M%!8i64buTzgE)nvF) zvu=y8GUITyHOMkvapDOv@)+IOeb5D^h`qsi7L6aXM=_k~D`DH6;h&>KX-D!2RA(~V ziBd&5Vkl4HjrfjK*ta-9S4YxrQeB{fJXMFoJC@oI!8sW;ITCvr!CZma%8O$L%YF!; zYjIkr`Ef}GaIjRixw`fUo#5)>^Oj>nPC z!$9|s47-_a=q_c?j5Q++G2=p2jyZ`va6zq{{w^AxFMiCuWe(yR`$rd6s{a3UVZrVd zGo|c+h9O*sSOXmDyYN2Aa{U)&(8GWw>J{s-CL|(i}_*-j3WA6xd#FJxv#}!LcHrX5!7s0PR)L_b)=cw~G$WcH{ ze-hlP)4doZBY+!EgP6nApSh#zpdM2i^1>KKd)MthsUuksCXAPt2<4G)@5SGyfK&2i zrIGUa0(@5pJsaZz$cxP1MX36P60=R-F?>@r%_-;Kh@k8tHgiPExR>VDGI~!+XYBN2 z!+3p&37y9Hh8&&WTquufB{`1Lc{NfN7w{nL0)#UzoN|0lojBNarEO|cA& zQgg9X>&H)f?jp;V`!`+ValXce5Xk+nkhpDt7=#;R4nGGNKn9=*;zldA1hLm2#<^im9x2NH%$M|}I3YEr&= z^BBwwcwZ`hjb$nOohf94QrRs=Po{;|2(M)|X{4FCyrZkal6ZoKpVkxoz)6XcD_X>8 zHjDjkcUasi&10r+hsiF&t*`_)8Y{KIFc4F44Uh_!F1zgzrhZBSODI1r)=+*XjrG-m zC6uPn=a3T?wgu{qb^Al>2bY9Tp)6I<>p#T*j-z4(OGdeU4z=*$58WfAUYg3alxc03 zlu&!fGLIMB{swbMKa>0o)%*IKO*Nc%;?$!)VsAk~=yate;{oRrAvLW%VP{iMft);k z1Axb*%;^}}WdFOw1F#_04b$*Pni>~(s#&f2 zdlV4;)=0miHbrdrEjW7Ssn3J;jd8~G6YJ!4+s)vl^msg9?q?zx#Eo~)XXX0+8F0RjPHc{! 
z+kiM=6%V2F#c7gt$KIA6 zw4TND>Sd9wKE`{U+=UK|KS1?NVw$V**^m@mtb-RGv5+?CMER#!|2%+CuKsVaekT2I zu@2?A_Mck)A>{r`b{$m`5GU&kS{~PI#~rcn*Lf34&dyyomKq&{@!f zuqWam~|-%(-oUZoB<@I9}5#i=?HNFSn(z=;h59WKgVOk!Sy1L&;`? z1t5okqCTgW^|gle<5q}5Fkk$|49pjw@`Cx|j+#;YhV|#L-@^;8*iv{mVad-viWr{{ z3g`^yE2me4uFw7IcN2cyEc=Ca;sI9dea4I4|C<1~A4JxpX>|3J-6D!DHvo}FVZk{v zoC0BMnod8BY+Q4Twk`an(;>FRSjx)k)DUydo<*aZa3~PZ5{GBEv5Me(Y`%I(?hnP{SOjuJBFz(2rYea9;YjEq$2Ke+%RmzgTsh*+d zddSc;y3iINCh1ZCC^(3;0)2v~$O2OV<@~^ud|r85yWJ-BSXp9O?iW9BCMe7VX97BC zj42T-^7-KRHu7;;uhq$ju@voVn%>EGqt&m)e(YQyO4)lU*dx_U_(1^$ez!d3I`wB@ zCmzq@os~h$dF>cKwFMuO*OH?`VU zV_wpqv_KdQI+;RHF@QUDi4EyR2-T*znI1xW1Yz?tx@@gaWTc0^bah93wk!M#K&@q0 z9M9aaXeC8>-vqq<^hsG(f~>PZQHG}!OWBZraFYXojpHEj2=SxVS3o&4F1EG}|$bkdBSYM|> z!(;pM$dBy+`CJy zVmYUmF}F`7feA%H0J1BGTrMHi2vU{f&H>U{KLLJOxStfe{bN>e@K*WPp>sXwvNitQu_Y!vN`0py$^UDDE{-5M{w5?gT-9qizuBhE)!L zwmBs75*~kO%Hk&(O5^o80VURwl{x`x@lltEE!@ODp}HD1$r^`}1uaRVS@R*>+3r&4 zC=apQOt)1v`k}m^rG?6S7WIgcjV*+fz=!QsR{2Tgr~2{fcumK{~~UHx(=SKF~RbKb1+b z#~sUTW@KMWSoisYg!djv0hRKZse@oh9#z1iBHrCZ!ty`rL|! 
zJVT!cTo0sGx^@pvzdOrxV{@5J+vJ#ktGRL&@y>}ixNL7n^N6{UeH=B)_KPZgsE9^K z4jIr|+w)u)?b=I@p$~#78+ON|bL53R;>C>VJST0CgOE zhc0@|u~C#{q+{%V`uikMuqjpr=qYfe-Vc9lum#;`+qt@kM21;Lyv5emPW>*7p&fp1 zwAB(#@X(I?y)@*+$WkThvGq3`&DM|G1|485xF#v=qJTrX4b5NU;U0N!;z(U6jPpdb zCi!QU?5lW4XoPihkaytmYOM8L^R<8hj#o9=XoQ8#N|Ql7i5+QCPEuC@AVrmh@(yDB z^1?y-T>B~M2Oi_b4*xgtDcVyIx!2 zp>HfhQde`E;BWjGRv?SF*YMsk*93eoHuVx0hc|NcAXPSSeO~~uQZ>8ya_o*Mn%ucA zjRT)&?1dst-{m*>_CtVp~sPvmWFO~vY06dK`BL5X3e5#P_Zm@@aIU?v_QIG zfpt9J6tIq`jFq{@<>-C^*70c2@={BwcH|@T@L7P&LWs71{jn0TaDisH4mcVTK4(Ny zTA`_GUe$drD45!2jb19<#8(K+n5MK!H!gcw5&xdHNAt%4>akdSoClbG|Ak)+&Dj0V z-xCM1c$4lL0`pZXcpEYWZi88oUWL#FTu9oiM;Pu)9lIs9e0%u`83!`7#qdh69Re9V zNLs4=(5GZqH=lmlIcc#d1O`k<+Gy2Q<^33gs6eb-i~yLF$UrPiwZasV&X|CERPvbt z-FpNEfT^#Tm1WZmOGjMjA!b6 zm|~Yz`-yXmZ(E|<1LNe05zM;t7r5gKBmphoD4lf(l{|-DTh5rn^ z{~CARfck$29=Ka(Ron0 zDt@%2W(q6BQTbS4%L3D!tQw-U0+n3?gJx7gyNLheEEbl0p}VwSquk#Wv83}Z<>afn z6xLF|GVTyK0!rfQ9Wkku5dCljzspNgbbwuw18OULsmtEMEc_iAyb1XNas-0Ep3-b~ zF%QUNjUl>ds)#%##Ekkm2%PU24GPIohR_Jyz*_@MER;b8siC)SBESUuj4K1}N!ekd zu{hLVK$DLBkA9>*--)n>$;k%D%v(tJh;Ta2LvBg3Ocq32Z=}no)OD=xYPQQdwCyCWVOM{yHxnCkJhh-_ zNpB%bo50O?uu`jp7U^zrR8O-JEv)0^lyQ&XW!ymsNo+z!J}QeMikjU|JeO2mYtO? 
zoMvqDlUD7H@8d%E+=Xv3dUnl|Et9`~+<}x$8&mF*3XI>(YWG+dYuIJu0Z#oWS%NWq zJcRx>;=k&lI+czkQo_P0U@DC7$S;0hRny%Gg;pUCil4#6xnEvxoHX5CU21gA9Rw%QT%ULZbDvQSq|oM{CKxXmQhld|urkG(bhan5V;1#XET& zQA$aY!LwFIxRA8WAqLiVLdBT1ygU2TU&w=FuJ~G`{spmYpCgAi!vf?=g4LOKknXRjs?2*><>LE|qqfp{A)zCS(D z9olp(e7tmUCW62k%q+w$$xfaUcfJQ2dVG0LTu|w~`#d7ubk* z_o4rs5BrJkDdGd}<5|dpj(QE$a?5soOwBq1vUq&q`ZaMs)Wywj9N01}l*xG=Oo>?Y z=8&{8S&qa{sJ>&i#$?l!QhY4cQpOvx@ki4~IkI(e46m(u5&iFNo3I^=+;lR!f zqvhGpf~OV$v%;)?-l0Anqk^I`3C>%?RpOUhf!qo}$(WhUxyd2D&Z?a)0d02vhqbkG z2@@`$klDG?h?8=-#M{e|C`1usg|_QdiicWax+o^D_43Kr%}ernNG>}~`r7uw3fO6A z2+1EEO>o3jh5FIbe!baKWG7gnD2?+{cOhnU@xct}7~`J6+%>M7`NUXa<@Yp_{RjRh z-R?fCm2E>n1`~DQg&$f z4^%ot|Bn)>De=N^6e>*Ef{pT3fxlYr4S2ufXdRSM%#Y^UGx8`jT-O^& z9;{jD9Y@T1tJ~@tgq#J_4&MkT(j7;xEdj%T>y~EoCj-FnmjHPq&0zA0KQCN($i<4i zCgU7CLciB-)?(ht#@<7g`akkz=Rfj6kD`AQUqx+dAV_ZIp!sZSpuh+ZMi?+6gAopl z=wL(uBQ_Y3z=+T1P=icz|Gz`P|Eb}BxNZk-zXJ#SzeT`*2XF!hd;kahe}%R+$T|Of z^Zx+>|I-cs-R`}qkMF%nZMfxQ4?g1EgAQvvz=u1e;B7(xMfx9=#yNP1))28-N zHD=nHbq)vrb@L#~01* z{>?ZQBx3W_GxWEk|L|5+X_V*?n{!lK5phiwQ2Ox-NT0QZR7X5BvDGP6lp4pmT&f+5o_SSH z0iwz6`*3Bc^Q%`iX_JUL9U%0NNG4P}wx8kJs8UP}e9Lg91J(`(7NG$NBIl;5=6sVu zJRE;VH2Sg*w{ktd7h<#+(ODKlyCzGtg-%TE_0961GFTFS?Ji|aW4L;P;p*iXuBJ0w zy;g>+XE9v80fwuI40jOunC7w$w^HZ#!UlDWUQ3ph@C=o1AG?6X^m6AV``&u}%J;p(+ATs@27>J2blO=P%($bWmY58t!5Z@>JHV>&R` zI)atHzJH$%ZPZg=Uk+ZSjmM6jkUn;GvC)ryzyJQB*AFKlG5G#>=lBJ=v*VjS?&E(@ zG1j&7hT~)H>;3!d@TN6tzS;lqWL%ByU}O(Zhtsce9=W@j8cm};|7;-rAA9e*+(we5 z3;tiTeTQiF*pTc2Kmfdns$osB$Wk>=mr7hw)ortajFvzq$ZP?bm`p$vOT+U7$862k z_SdmJc6NX73+(gE3+#D>b&p#{Mnr$!a3LWm)4EkeW?VcX+~eY(yN5`j3(-8Q$7D3O z3|(8P|dXg2Xq6`^}QI-tNvkpCt4B1v6odva4LaWA;Y16)BWPg;Ml$(EFWyQ>d zIr6e!C@=dZ$+Tz86_tIvsN@+bRTGu{Qlj!CW=Iu9#jrri5|w$3kDf+UY$iuK_vMI+ zZHdVJZWWlKg(fd;j@TR&ip@cJdhL00CFj5{IeA7-)gHU30l8lT3D8nZz2SmdKJLRfmOAby&F(_9AkH z>(DM-d3IFQgzK=Ba6O5oR7K%3jHI%JYaaWkrx7ljRg}($rG(42w3JL)AYw&}R=Hd` zf_79WXh-w3#$HOUtR2~9EzfeRnyej_lC>wX&8jGChFMmYtj%MQ^)!F7X0yZ6Sut1R z0Hr`DXX_iZ@3O0kO3BtWq|@fe&~c#*9haxqo;O!=j_s0@XZcl4a*j($&Xd@7Rg@gV 
ztSd`$=CSB{8p*NQap??LYLzm1zf`({6)In%%H+wBtQUon^`d$^>}BLi*bBRaB@41uVdKaS(0Qx#CbM&)#R_!E+v4SC$Y1uD1jZr#x6?)JM-ArJ&g=@Y-V)^ zUzU|Z+Xl2;(qaiL+J=_OmM49kV(IJ5)ufDa@?|f}JY$LW86^!g*3v?wyotsd+h~+A z(l8n-s?-}gM>Bup`I~vo-n;_{H`u@H5 z8JdN(zfGnD`|Ob4RWME&(zy%gogCp7eCP~5I=8y9Wr`d4K;!cvX&DR=5H|Jch<{O< z=6dlU@+YFZBnjlFU>Z5(@`7N`lY!`Za_>*?$dnHN`NW2l?5j>~wBWJh2V$Jkb;8Gg zhzEDx*uj4q@21m9{Bm!Py=je|02(-kwziz#XOY($gk%0K-s`qICyZXoVz0h7Ea4f0V^pzFEXfJYUj3Rjx0Z#`6~el`m55 zOJ+oMMN$YbB(&3P?^`8QW?5jWNYNHs%AQw>WdVO5{eaHb*HcI|`0dh?Bugx00?GHk z`9SQ@zqO}>l)kHT*UgOQNt=Oc`CvCQO821@y^I`_S%2imcWiqmb7dq}iAD7L4?^%^$s%Vn*Pjw6a0zb7;217I-6kd+SVr z$fSQ3Ckkhf*-}qD@B-+!Fm9254QFKFK+&EP1;puxGpKShA+s2!g$9xXL{Ro3&Hy+n zCX;aF4`2ivkmuGJJP>CFGgRc!`N{RBjz5YaJGKCXF-3b)-K{qTLWf~ArVK^ke-AXZ zHyXk}(IVNW)(a6aE=s_kgYLHv#kx7F@ z;Rp)ARwlEbLNV)i*4M~dE%FNH;c*ywD#;BJdme!vC+{u8;f8}57E6On?W$T8N`21 zJn(m08BBQ_Ig`8pW#&b`ZE6&cRnG9)f|(%l>B^71{4SgVH_&A&@&=y&$#d=X(!9VV z9-kM06Z`;zb;c?HF+U8DIFa}}X-Y2u9LYI1*0A#2xQHaEJLE<4Z9)!ytf)~>l%xbMNO6-??C zTWMrnv&LP#x}Ib7(z({GNelsf>&G8|`UJdHzEwuXwQCsC_JBlIX_S&_y&CkZH^tMy z8QlrKi=5%mACzsEHSc;gPjtOLu~!~Dvw*d0s7~Ts(w9?6MuTmyKUgaiXF-45$3L9I zsT;Ph&RpA9acaJd`2pB-StGI=`pFs1yzIJYnq+s{3)Bz)PU6{k4CkxgJ@Sha`lk> zlAT5MhsC!-xWjt~yO_DQKLY3|rGFbi^Ddw^(LReVF1wepKTCD({hf!})Hnzc*_uAk zy|mT zmuuK76;z0Mol$<*x^{g~R@0c>{F3|NwQG3=g=F5?m)%^iVf#zzE%Vx5X1Bg>?XIZa z%xr$OQ^30Q!aQ2gLQbe~#8|`rm`hn&W#{mWvxM!n<;Y^B(_ZNPYZ_cFV7xT;rVgHg z%-*hG=P0u*$?}Wm-oAfOEvwKp6bF7Mo{apoy=lq8J#0oByJjJD+2 z4JOm(WtzQY>SK{z9FbOpm!^qVW=Zyfgh^Uzh^#3;En>0A%V6DYA1;L$VP$NeIwW_N zwoenIY;=}truxAm{3q^lSvp&GpPabC}ovr z_UU;TLCH?eILH=oB7R6&Ze?UbJ1)#4t!!Cd&Fah6{G#bq{i#gPYPZ3ZK+To^lEY{s zO@@W8Y0Cb=mRsPD)~xt3BVQqts(JVLe$!a^@4fCS`HCOL~Q+e65%8Y`2E|qO6Vt^IBzR zdmwDyzF~3sFWe_o79BOOeP2+pA1J*KsJ{NE)(rc4U$oAbU*A)eWvu5#>v)y*yVAN{ zeZ7|JaORx2q^YSC7pEk?yg$hz^LAQbl``j^sj~e>vL}DBfuJDEPo%t`M=Ae~+OMPb z>sTAVjskxUQ}Z&1(V${1n1>se^w%g>4lPDv4$xc94`by7Rz+qP@vnG-##Dh)3#~?< zvmq6*&$;~}o}d}UU}aT5hm{jufG$?>UsyS*#c*IXzl0|sI1j%o?{BbbLdyYemHh}- 
zO?Cx@Y(9VgfG21`6-cXa2G8bn_2-9F!Ffh)W_!h{Dt9xoM#gK!BPij;oW0BX7^hWe zPvx!7x*MNWYI~)fQ5A@I&D&jNBemAXW0hK6V&Aon#$grOShP)BGvlucEi19BTR-Ej zO6|+t1Qwd?JgM-RQ;)Kdxa*r zz^&Ens`75EdG4#F_QFr$E@MzlN^NVOjkJ09qR&Y1JX^?TBzKOj-!oEMe(&~dM3&rv zJsW-HH&M?>Vwt_rbCFkVFY{bf&an-7MpEb5Jv;@uI<=aOcHWkwI96hkyx72D0po$e z%Hn_3Vs+L)&vmHUC55Uz!|z??|iL9uE&1~rf44oyZv>CN~L}&~!PUg2VDShEMMyA<6>$*@4$wc;OekN9m@y|M*ASI3(lO+j@V5 zyhtETK81;#G)V_vC&i!W#jEuF<=;kEqSco`nxr%73r?)>(hU8<{&BZIJZyH|f!jRr zhECIQUK}=04*Eyl(a;%soda4xsahoIxX*a&1h*c2%_%>?{)*pv|2Bik8mpg1GY^YK z)c|XYJ7diD8p%99K0a#G=aCn3?M;7CCSsO2_C_EhID7mROAswfm9fwB>+er8-gjPP zeAqwA%5iXz@#SE@oAKqvQC6PLaW{*C?%_#Rc}MMotX!RL`y`9>?m;KBNLicZ+hOO$ zLDn~A&_2MZIipc{e?E(+;g}EjBhACv&ui~@`zOQW=HbD?N%H`Dzj-p~wwr&)hfs<$ zbWVt=A?cs82)*OZNtm;W{cA*aP`(=uFdQDULdq_*K`TJeu#lSa(YU7y&l`Hkh2T?TcoCYH5X=9m?j+zu765=e@J$wA-|sE zl6~>qA0JvcY0`h>NdV`%UGjeiRzCi}L8|0z(0sGtV-Vg4_~$O8Yj00#6$N2R9fJ1c zuyGD+%oIo;;D2{^aRrkZMQT_rU^#&=EHSQ(4W->qJP;|xF@#Drc8EySfU`&+*1uB% zO+-Ux<;ynAl(5mHg+sg8pwjcp5RP?h9ugDHd;aIkm%yIAtq<1O#c_XyIjY!3zoF}R zY%hRKMrWhZUwI`k-uR79T`(KcUCn1cWv3*jttELCg=5LzJ##jty!VbVb{l?+{ThD- zTrKxvVY0vX&HX)JSGXv)ox>BS-QRB>xhMP0gQ4d&`)=QBb`FmBU+fPKJMFOWK&MtG5^67uWh-IAkqfxx{I#dZv z&RXW_ZNHI!dP~W4B4;CS%4{i5NydhgvbLCu^VwTY_msQEuSc7#FrLdVjx#hZjQyPy zm7WfO?|#!|7FtwA!qYV7m8(o5WRY3GTDUSVe8&pM(J3`W=qvKyLnsVYQn*!}!EtE@ zoI`f7JbJd33+#VO)=RtZw_kg%KO4gwuzd%ti2sE{*7k>8^lj3M7n6$|beNEb!=2>k zDcRmmwg8>v&)tS3-?2Q9sFkKehJyGxxksh}ICwv-rc( zSfyLHK`s?8jq%l=wlOu!Cz;T)gcedT*2_gCv#i6xLl7>Qn8j;378!IECEVbqr9<*sv(`;#BfP)ACW z(d<)y#J}NR=?w<$-E(!p8(`N4ubt`O&TKUEd1O7-k-w8Y3FMFO!u!hst(vQoaCsa~ z^D9AaFl*@AtAJS^8o~O;nN35+GFrXxDwvJ?Ui5#87Qk|XxZ_`)WB3}TsFwQ=*Bkg_ zhmFkG`RtEp<5$#vCk!t9TYpNGZ^<`m8#VL?PB4|9_aAAiV-Lu2o#-LA=~UW{rgt-X zS8e)a7EMN;wegSq-H%k>;4M|MJf^lmlB{&{3P;+ROfJ}9+xJz}yU4P+l7KdLXTw;H3zo_SmPsf#!nu9NSSlO(LfJ4E zNt1S!sMMAuZNY(rSn?_Bpwd(9{FzE_JBDg~m=w@pU1D}?EMPNoi5(V&_cv^6+{xb^ zXN}_8NMF*_hP|7=9)@bHPp{6)+e#Cb&*py$l%R5aGX88GE#&wP+YOqhBEcbiYReW~ zX@v!n#!tv9aj=Tw?pMBoZSnhUSy0S2zS|!lO^)O?$Q6&d1nDl_j;Na-SH$#d87Y-4 
zeWu`~$=Bsb)4JH)%3I4|qbvtk+0?iB-sB86u@6&!5ci~VGui9onyA<(l-TLdx50lm z_wQKqWiSl$cJ5!O%rK_F7gF%>U%G7J#3WR-rM%Hlz>FFs9$|BJz?^7gBBhOQ$2!z)OV2)CfGbv}svjMew_?z!eS!<8mvTv{aAR*5< zFm;!AVB#^7U>p4a)%XK;7{KXADlRuqpS%W}8^eI&Syj~OvN=<<*mBJjX(4}ZUG?|L z7K0k<<#zh1ESB}CwZLR!KnqN7(extBhzEM^ z5q%4h>=oW=W{V{@3v;Ulm%CD%y1I$)4esC+!5}MrirUw(WHBS{Kk1B=r|Ma6{mg=* zh0R%=Ag%MfKF_R|R&Omqd6a(!@7MZhuaa8oAe~{DU>uvXtrLX#fpMxVJ`>NU1=3EJ zU)|_fRYnyCD?{b9$k-LB_KJtHl6oUOWb-NzSSbaHjb*4aB!_b{*zdA5*z^{9wtS^U zvg6<*32Zl=mDz4o-DPCyCRn{I(M~LPW3wa`LPAvf?EI-^nF8GL*z9UUnn0BcgqH8f)o?siDeON39E zJ5@8+jgZ#Lo&IPx8DQ6+-p%^d$xk}yc*MEPg;odvx%O+$J(Q=z-9TlFWbFw_327H%C{o{BCna)}17sVk} z@Z2z`f39?}E8(WsMd#e7yk|*_Z1(*OVt5z7TuE~!{Nalz`Y+zYX(>vSeFyvXKC1xfW5Su#_1IFm(>AY6)GI!+-PkLtBG$7Ss)`73jOxq5XC zPK}oK;$v$wK4mGfOj;$0k`r+jWwzJzTtKP*tZzswdqY~`v@Y`gC1+NjKN^52{VMa0 zG?86TXwYeia#K2Qh1E#p+Kl)(-8w$b3ghFjSc~6Qbew;#CR=0^qT`s2qIu^P7g@lD zMaPM?3$2!T&J;zfN6mOPxFb%?&Y;3GlaeHQ9TL&KC2?FAm?;*AOmcaZydvR{-BLx* zn++`S-W!eZzeC9Dxyl)p9Z{jFUKGLE68?0iWE%Omw;l{2{epQw=AJOlPWPGP>|FD) zp+$F!HTBox=JUlu&?lg~&U}`%!=pHwn1NTMq=xBeq?>g;4e{jf9`ZBdh z($kuJPI=YPI%-rHn_qDG&^p*kRswStpO<_090vG4p&Bsj5t-AmZO!?B7;t?0WC77)*8@~OxJ5bOcEKaG%?4^ zA_k$nf{|Kc5g8a950Fythd-xJHM%PiN;|<^l=N>uj=7DoGY&xC(pn25y_B#iTw}0f!6EX-b z=x`jbB5&w_el9L&Hh>z7QVTzny+>*ai3Wd_%BxcHfvqbmAX?fy3DJ@oB4T{6E+f+1 zbwURQ%bxYQwJIfpM&anlZh(Us$P3WO(#ziA#?QPIVR=+Z_?9AP4d(s84T^elg;@vD z8XgaiPmbID=HZJ$r+ILEFl?T*5B8f!-R{A@+jS2-*PT0&6XWyeAdN}wMRCzx(u2NpxlNnE}kW&vsb7~cy>vCad>$2VtC*+ zPaOB4d2lp1Y@T%BueRrP`rW~c;lAU{A<3yYC99I!O8l^lLB}COy&3A^=&Sc=vU#0c z(E`7iVQ21DL-75>#zk6Va>{IolSzNHQFQH6YDOvWp_qRvW;yj~RL(?kL0~d%+D^H- zG)N!IL1C44>5aqjt}<^~t(Jw(m6_Xz(BFg|^a`htBp!C92?Ue=7|r54(~|j}__S>P zYuF)k~K~C%)p7g9VPcEZXoE4I-?gN zvFS9G;IQ33e8Cc3L5YZ4&0-#$Af!%a4K01=pq-yys{r;1N0l-FMJE*~I)V(HN)>e5 z?So1gfTF`{89E15YdG#!%}{@-h7RtLs%EIvt(alIN(Shq?s3%&RmY)Qz)I%8RcgbF zPP)*ZMna?fTF4PB~*Xq_a*cB(|RgJ zTh^*;D|CVIqH3aVF}kS6)7x+`5>^8!JjsV@aYilwDjR0p_$~D`o$PUK0Yy2pB%jTV 
za*C^xgoe}KpPpzVy+|lgqb=(fPIRu&K|NVdezsb${$RB@v#F@b%$YpqLaL~sYPXuT!h0dio1-X$w8sULBISq% z2wJiO0Inf?EG6a90OMKg=F1KDN8uoiEeM;NV$_qXNpO6 z&a?245(ZlCS<`Wql88+txqOgj-EJy(!|cjY-ozEJq@90e2um;6UEUe_0@A_;nb|<3x;=ARh-h0Zepl5 z(?{NPBCfFPP?MFFYc&zBq2HDix2#c8m1)!8J=mg~El^;JIgOGl#Xwt~a&&cp({q%W zmI_nz(!XnS&|;kzM$#_ksk%>{9p~k#JlfjXq=A1J4m|9#Rfd*-_CWIT+q-b`i}#7z z4|AP3cAOp~@90<#|5a{;`4>ymRma?(maowyiR=9SOM3o&{Gh6kpHj!&$kA#yU>Oru zlxLKiufmZ(U@^v(qo5- zikhz0(-%`z>*>p6sP*(EGt_$e%6j^Ab)~OK5GQ{c;zZ8K>Ml!=tH87IiH~ z`2@MAdb^aCQN2W%&#IUJPrko~_b{o#^0hm7yjCZL!6SdQz-b`BdyE56~^e~%xw(M?x_B)#W4o=22b6!%HCUu>Mn8m^( z&TY7DD1~s1Cl>#%MB%|0iYi`sbynj+#pLln{?Gs8|NDRcH~QCq`!CzHZp|=pSFL{l z>1J9aHav8XLrnMQ_uD_A#E}7r98E6;Fo_ONa5qgqvfs#x%GVgGg!&^j$+dW=q*H<- zDJd_Kx0qJhj)IueL)e6GNNJ|b?P^BmIO%93E9*ApDnFQCVj7E$BI48Yb4zyAj>7(Ncd4c6D?Nr$Q;GC&t#$E~S%zwK%F8e!q>wPHu(B zN=``JUP#h<%B~aPC`0g2MKj=g&3{JM%a+mjrT(p|%oFXCagX?9*IT|qZ@J2{ITT{) z$-y|_A2+NAd<@O{&WUclDJ|sO8;vfMJ}RZXfmy+*uB<-6R$elvEVWo=I$D24xpE>~ zMd8Zqx76ZuCd^gW6WjT8ky`YLc&UZ+DSN49rsvtE7M(E-EK;OpreA9L>3!n7B^w$_ zt4?r#pH{F!6<}3WUSfh@O^cUjoZ291EgUJMhO2JH`UI-3l#fEOo+r=PdY=b?J1L?*7lUlu$F(?o`MYc?=xz93hrWLbJhl1$GySXS0W5~2jpF%+3>Kw zVdDhF`~fi-^~-AA@s?muSE21X**Ui&rjr8QZ(_AqvJLKl9BCqxss+B}7>VZEK-ul= zI9D(663lN!22?GPJqK48nFeobdkyHSdceZT`SL<#MV2r6t(?H5h2?)op|e}2)GY0; zQ86J{Z}v<`=O%^x#aCxich=w#)n^BcQiX+gLNenx^$#8-~_~p-Bm43`4a%#rpZD)y=P; zYQEOY*P8jV88$*QU)y17S!+AY+77d}!>sKvpVJOgYCp@V<8xGr+h5W;tjFzL)Az@c zC|#u7&We=yBDW}>pjTB7$=bOxv(S}X=Fpf+GnSsKjAQy7W}$x-j6f@!cUCvtoYN$8 zZez=`=8f5Alx0hZ?IUK-Uu^nV&8RVhNNp}GnU79|CDYP?G3An`XUCG6GUULX*fOV< z%$ZW=7bpMKUh;yrjMfO8W$p*Yi<*&_RIX&Jtv%Lfr~6eZx^!Jcw%W^3t1PGlTYGy; zagoFMSz0%fvHgF7eJ-xev7)8HfB4RKI2-X-Q7B2uuj)uuu5zjFAyUa6p z%|SSY4jlQSGW_?~kQ#6$FUvgH6!@_>o=hLIx^_3C((D59I}9)4X|8&j9)Ds=?riqe z$NuNY324aYC>-fq#mqulUI4S$z;o5y@%#3N-Mr!@gPDJo;!NV;q=b!m{pu_k34X;C zQC?Oj) zzp$~m`8`|SjvJqxy0MC6qmV^He({**fBg6V`u~u6BcAaTm0xef>y3E9HoNQwx}lMz z?K6MVVR&Vp?Y(V1<8Bg-H}zgvU(*k=PHq~`t;*9mB;@?{ZtCs5YA1P~o@REZ`6q`< 
zR~t)qX1H`a;yrf*NcU;E6B$C^=Wd2a-vFko&4XUP&##vdWAo#I8LXWDc@nYFM@wM}1_oV-nL zSG^b%l}joiZc$K`aT9w}O)jXOK{tPkS5ydTt7*fgUm}>=Rx?${J2ZAXC6NdD2HwsO zTJV|MY$CH|WB>4TV6Qg=7# zg^}-ZGLdRJeL+UAg?~c7h5SOASjaXRhmnV#4*7{0&XmHt1+k+grN6@a>A643?~>GX}C}Sbj9-S1(yv#i(Hs1=ep?`}mRte#p}b z6~_-au5Q8oE(&KbT2OXK-2s2DCI49sxA!;PY-LVe&vR*cbp1{`0Dnnqv2#;+El&I8GtR{T7AOA9jQFqW%wK=Xa)Y7K^cbg3 zbLKWpg}{fi(I|x7F^9qFJ|*RU{gRz0cHgT`*f|Zr&z$t_4-`~ZOVc;R+I(zv{?^>P zJBGKn=zy%;ZJuN|zblp<=yM2rPGUg*aOl!Oe>hlp6BGE?2XZ%|D!*45V6XLA-bqdN zzpYSi{*hGf>cJqhSy6vY#q0X}M-PwC9re>{V-GJn4mu%PLnx2q4@+Y;_D+Y)Q0^VT zeGm}{hNitL@`11!W6)2Qf0Yv$?o+?k!_-37`Y9ft`yjPaBmKEd7D|Q3Yvfq#C*Q1w z{@j?Ks$!hzA-Cx(HCbqscPTim&t}hdHWTFkl!D;Xpt{^38M%L6sc^d`XBv)|xfyv$ zm4EQ*($(8)(~TAWLl1Duug*dGS3B8)(W9606Ax6$PkK&LzT)X8o%m4w2`3emhU0E3 z?Xi-T9u;I-y8lmq+)tI;Jx>2j*V;W%YK6^m@{w+V(?1W=KPic_bCYErhRw3+l)bKK zp;N=C?7v{s5JrDf%q7Y)_GV&>_#OlOu)+zJPF0agT^LsfOW*!*n&z4$s1L1x=3}~B zQKz{f%wKZVZMd?OmWr1m(1UPD)$Ww@SD@0=O(0*T0vo4$Qb}f7O3EHqQW?gQe@bS` zRj&7oC{Gm*Fczdrc7!=mYfDC%C>`{4)0ZtRWyu@1v|NAZOEzLVEwyx}=81X%tryVr z&)fx+ckcEV*}YnjMeThu1@rthUi-v&ElMP@0H2pvXRZs&9EE0!wkO%x>RGu^gxY4O z4n0lj27e$!1vW}z>}T~2 z()A6}mFs_r?OM=9YAFt*xIp1QuHXh~V@+6U>2%>(YKivnjtdl+UYC|ybcU9Fks>WC zg69utf9 zSei9d&>&aXe^=gZCo1GvZoD0zF1Em_vpBgDVugQu@CEhCvQM8)!92&-USkAf!I?{u zTz35_tu{X1gq7$#OPfGSs&%#U=2I>&e?1hFV7)BX%VK(2lxksfYSi?@SqW-Iajht> z6~(op_$d^{l{c-=w^M!gZDXwwE-tp#2$#~-)*9hjBV22Q*GnT@;zXXPh-t~NV7>Fk zu!Db_dKgd*QpRvP_XBU#q`@=J=uz>)k6=#;t8j9dr1kwnJh=154$XHrolfGHdwaM3 z^lsLNoyd6awOGye6gTtcC11{(e}m<$ABG>}z5Xcd?~NUh#b}QeN!L33*kX>bkFeGU zTaEwue87$yTS;wkBbV?4^ro-hY2`A|FB3cxPL#r*A!xWPA66wTJ=VhF}q* zhqm-|kLeeWT0vj*^i(f`CCZL!y-Ak+OLN)Z!vHnD3oYJ*Erx?zA(PrIXX5`g>6C7} z+ikWx_`gX6n@jKBk_GvM_71Qf9y}&u6QlML989*8F>PIYgINTEF6rEE@Z8&CWSf86 z4KjjZ-GMWLKi$!~9#dSpU0Uom2D`9y{T8$sx?~Cq4bW%wAS6(hJZ!-aUqsP=@g7d| zd03G79T|nU;VXaS;lA|L!Awj?;)+Z+n4%Sby8TXFV^4o}V3R8LXYj`~B(j6ZPcUaY z_q`9%F%s>PFbYR03`L}OFya}B4y#Tizr|js|deg__?)wic**WWGC^J7TmxRl)bL+)o;4SI+ zQ*|^WJ}m%;zFSW*O)$huMWt6;0MQ68W^1SqGb??Gu4Q!ZobN 
zS>2>ecIG%{WXM`SZem^$TQ|(S`U*fxb7s@KFv@I%L0tw>R3Z(E=-Ud!#Ip&)9GTRB zv_@s9G5hp9jG$yEXB=b;I1xW2r(f7TWMsm#DCQB{4W74^%DY##`L2I5OJw!|n=I*& zZJqs^#Uvn`uwMEOqB;eGCrW?*+%DTwaEQn_k0AV! zb087p&tweC$r3PSfIlQH%Q}1LXO6Q0)w`d=sbT85u(!SNMnJ6V2iLIDPf>X>MEY-p zUfLPqfW$=VsR{mOHp^o3DE6KN#rinKwyhC zCHofdb=#d2##(=SFrcIGVXSZ@-Jt$4J@X3@&X_P&&f`fsn)uP_PmC+JBfVN}$4%J3;AjikuP8;74fdXf}L@9}*Q!Wk`qVOaOf z6*NbvR1kkJt!Er+u0N#;K?&fc0sik1pWaEAxtk=GQ$MvGIsMNB z!vJIRC~Nh$dcocvNBIo|Q8glA_>@>_FuG`Krl)_W)s8{8ZXfNz!NuVRx(g$3#OcEysb5j6m^ZHF8I!&r^HIkc&DUS8UrbnUrHLCr3@y+ zRvW>F7!N6u#TcqUx|m$fXEY0Q!#+iTG+hy=;Go!X-_ESpfd((RlR;V4cC)jDn zyQI}3>48m564_!fr-aMg3rM&uV@?UTcT6LrCmTsWEl2269cb&3MyiF4gx->~giN0^ zOC)_zG)v^oQuY}sdk#_t5jicMI^#(u3(NcM-p2ngzwCWc>SbG)s^@B_bwwO$D z8$SyH_CmeEUEl*ZW|#Y}(>{JtwmifMrw^}TLPcAzszWqH&xoST_+)B@398wUh#`jq ze$6;*$mGl8PvFBWIinL?wALDa+uuEPiIg^p0yA_{q&$y1jqRPdI>l znXAxU=Aycye!IM~cbP?2^jEb31~J8S}2!^jRsiY(@Oa(PJVwP=jOnuX;67?Fs6o4H5gUyH-8O-Gk!B8Y7f3~5Y@De z+f)$MZUwk8AnK(!kHrZxO6_3pQ86qq(lCf|9>!KC$^v;i2w!SwEp^9i01j6K)xd(8R7PVdQnR*n(PX>@$_r-r1tERnojJ~iI zSp^N<+oQc#*vYJaJ<+|R@E+g92~5r)YDXm>dSK7xN>^bT{eWmE@jkzlH@d&?p`M~c zeYLk{lc3Yx?`@%~bi{%p2(oUFEYuv!j30LG=xjbB1hf_-vZAQB%;}6K5qF4hDf(ru zj|L{21E)x;(TcfqV%UG8Jdhou`6|NDj68M^g{IF=7STq!r46l~h7GDqH;gSvmjWND zj-uF=>lz&;HS3mKRn_Vl>hd|X>aRW5pIJ{jwO&2_JfB`&&JDF%y;iI9r&g=mp7I@5 zU9E0kN>}9bsyH>5&s&zA8 zA(N_kR;F4nazLuATAxEnu$XSWjB8S*{1s-)8CeObEoi&xhdA=P^A1-<1jrfDzuZ(Gh`gPOyf=?On5FA zX%h1&YH0I~pIm<`DVY1WiHqFNU*I+jPgJ}(dXMjG%Ewg2{)&}Iy^3BzX795D!-v76 zkwi`%63SIhg4DpfCrr0Pq;e-Ij9hyW#snlgD8##j3b5zC^_ zKfpd5BB?+CR`0r=D-_kNJwWDb+9SL@@R2vv);IB8I2(V#8tRbG+F*86u{ZS<%Z+5bD89m2uG6xKp6OJ zGEKfs!;c;f)Z#IRHe>?=yN1sX`0q3vgd?)^`nrkluda4U46COc)cmHwvWTf+DFew4 z@8g>ZFAxslano^!@no{+9rsT>=Xk%_IeF1;9_)X2UNldRoTH}e93Gw=yf`{KI_UGJ z4QCOLRl{OiAp^nxq^gmCI5@FKn^GN6iagx5$IWpV`0xTo9bOGRIMYJ^I#@?Di80f% zo(8qO;%mXKCf`p{%p`YN3#$Sp?XYOfemtE0{`q z86baWZ;wFt;#!I`L^zw$Fg^a1%2OX>CBszh#q=vo1_Nh;feK~(o+<7IrZM-T^FB{d zLbFj4F&A9P37w?ES8F+UTV{rIRrc?~nSqw32BKCV5~WtNkX_A7Ww%jrWUQ;hH#{QJ 
zlZ?Mc&lgM8cK=F|M;#Q_Z@<87z#^p@PL_YUgKsMl$5@lqU%h*_L#Dz0tp&hBO+O|s zmyBjD>m3YXZ%Z!VNbfHFpVBqDACJwAD5Hn;bghrx1M4BwAve!%J&dn!bws7#)TS9_ zeM+~_isZhDnAev-9PapW5K<<5C#T z0i$yPXxhsSyy!qCW3jRgW^eH6rD1D-BN_MxD%c_#lnl?54e}0FFgzj9TEveG2eDFq zVYU{`gYUBhY!I|sr(hYrGZyDEz9)u^-f)Tp!VDc@mpqt5C&v7(NvA?Ig; zocEs^a^ANtCFLMzyNZ%j29Yw$Sp|ROoLN~7IVb6A$hn4`&3uJSs^(c4rBJ zYQ)9BW`p*MV6&0G;=CtvZVuRdP=n1&1e>qrRg70o90QH+^(1m0zH!j`K$AMMv7ocr zQks8LKxf5!%fneK7|0~IGkCa5NlFp!UVbTQN{ zK?f1*yYog9ZHFRL#(SK0M!LM%PbRSLgtc|@O6wjP+*5W=dfKp-R|RpihO*pmk9jOh z-g#4@GlP$vHvh&E8f;(6r>cM5AoO}q=3A8_H>HHWMZ_iy=&ePk#23GBXlS>TXOo(; zAW~)!;)Rfcma`PtB(AQ-u$O5V>a_>kc$Wp>!`nJ<894qohWC;)4YQ*4$!oD0hH&8{ z{xq2KYgo_uJ=repKYwV6>7`ulNdAD=_^BPbE3g+)?zQ+>soczBd2xSdLO4#z*!k$) zz!vPLdZ7){J#34To#^&v><2rVD*R78)*uM2jE$2Fo3;18w>O?f0kEb&HTadGi=5@m zHY4WYM7ZLPyx?|vx1%N5C4V?2z|Y$2hU$43%tj;hHr!=(C9t2CNe%3$_074%?oBeW z4ka|7rNs?v2U*BXGw^>~rntt1yODiG=Vh#1gPg)ge)XofVrchZHd428Hpn|P$heGS zkW_}qC@&;S@ok+)wPEGqi+B6&*V$ou z$fRnXm1)y;0iIi%KChNwF@?H8eno}4k-y^9Cvt9%LjAB-s4q*Qj?NOmY2)y02sFM8 zN8an(@$_smfdk>#r>C-?BPW=CM`!~F)vz2&S?I=BQQP_vJoT(mB@h-YTVK1QT z7Wo*2_kmamCk_fRdJ6e?YxB$*jbN4RQv$h1nb}j$D1v{cKTz9r>O?e|VAq_*h&*Ur zb2b{O-N3uIMJPSW2dEfz$mpLnnP5Aa{2O`s_$iKfNs5^D&jUHTx`Za5SxCoAtS316 z!Ib4sV{bIXG<{=mWZ&0yoXNy?CblOX+qUgwVms+zV%xTD+qUgYY|WebzrW{0pSsmu zw`*7T-uJAvHV!XBX?|>MTA~;iZae$bmC;gx=k5yB9{PS*XcfBp0R`|tz|)s46FK-U za4KI~yF=>$*uzs;DRWwNFGgCGI*}|xrjp+x9dpMsD%DUTfhCu2WV->~`i_bApp=GU z@%t%L_3cNoEFbTne`PT3W^k4Z;kgs%T+4;L25~4O5#lJa3W_y@x>`le@E@I_HZgSnZrh>svy0W}rYMa?TpdP#F9Ne)%L5ppf!7Z(>5SBfn zNzfEnRDu8oKz`p`RXNEs+Fe7sDtIa&_S4&Td~dM+fhboG=j_}>KsC@7iAtXxHCsz_ z0hb&dS$@5$L>DBfFR&dx+>LT%c3gjpb?~m^LhQ)*r|WQz8p6{^EPv`|eb}C?_pxd# zDXh;XaHrI|Sg_clO0q6wOO@Th9U3s;ta0VZV{Xpyc`dgdxiKYk>$B46CWPGhR-Rmi zut{%|&-JJ2+HX%DxmG#^7?*NR(DL}YMaDkJ7x)UTj)a~ zMt2I;iHq){=2(y%bg!&rB9lYq98BLuJR`#2@+UOxkFF(S9b<5hK9p?$hQP#Kl z0@aim%8990COTaBt#(YT!<0JF*LEugJ=r;~70L2Y$u?Cuf;#zS;pNlXYB))YqdtmE zVEw{@$*8L7XPt4qoPnv}Avmu3kh6r@FWTF#NXOv>kF_GzA4ySI2#HJYuf(eInPePz 
z^c^EvYjzlmYD`HqJOP?gw>p)vniQCm(Mhx>#o|&+)b#~qo|nR<#x&YiR`Kxf$hfH} z26>pKny^zFZNF}Br(5?DE{HX}E94#^fvLT27r0a8d_4sMI&zEB9J(c%Q&Z5+!*Oyz z5}=-;&yk^}6=%bTX#ZBZsXMhJM&-IGSp4Me@~-HmIksM7SBv<5fUT8P&SP$F% zjg@#Sn}xWuY*!D?Hl0p9g&TT=x8#=5OO=+@xsoSMb!XwUqX&&1jP;V7VycNPaB2yi zI%c1$@sv)>9a}2raWp&vr@J&~^K{f(#6{5ZPnC9Uf82}DpN^@!4x#YJYw=V{+C>ldk$Tp|{)Ugsp$_ zwqn^f;|tpLGBnv2#iBrpYl&gnlyJ07SS96 z;NOt`t*yW((joU0D3;=12g1VdDW2+g5WIu9?Uh0{O97V|d`v&w8nQuLZZl*5wl~ki z&VeRui~NiZalc|MLZ$@{0$b%cUG_HIGH<7+f`HK~LOIQ$eAlN`zi5tV()1`}N;+G2 zx9XF)W7xAq-4GUU8%|0@5N-3Cx9B=VuX97yOR^9ia&<}e_dz@qe+5)LAezU_|E9g* zl%H*-%;8|bnzWB$3f6JHlSFX2AYHBJu;Qwh{nC} zoEAxN4qw>@5&N+e_tL1kHf$`k6>J7^)=XIv)UZfY5uwsD+2)%oQD2@S#IydW^*t8| z0o@1whD1jo*`kjku`7f&g1@_TLmAqNB#FB^F=kViwT&@_W<^q;n8~&Y_wB(8X48zQ zef5Ls-;I*mpDJD}273KgHP8orrX6iMEQGK1Mv_tLitO7_#jY&axJu8ekrQa@}}# zK?lK!k4Yr6(#XbxP6XwmsE1Xppo%KfFcLlbv+lTHrLa)p6iAHV%S@J3Xb0n06mW%6 zc;!VIZI~F*;;D^i-~6bi2SlUMaHQ!~Uy{tOMu%(i zGK)gV<+y@hmlU5CCzc;!GD1ot1XpJ~t@W+B?v~_|$|tH1yKbQ|Brm0~%f-f)YcLMUyMGmX9U0KL<& z_}T9HFuZn(k9W`XYCM@`F*@313E6n8-c9i?C~KtE2&oODrk*AP?awCG+eI54UyTbT z?BwHNc-L?M15b&&_@-Y`+)4}NIz8;wNwtNzE3)|039yuCljJ%?hFc~kKYl#>ykLcO!qH(Z6ukuvI zZkiCaC+$?;aBMEL)%YcF|l7qa{!(N*lMR+K%sb6Dat6H@Us!Ep zho_GXAuvkGuVqywne^6XRta?9d1O6~3HFY(Py(XAWot&jcC^B&3L1TV+(7l$g~#zl zSW3rXqP)6@i=%mu{Y7fGuC9Ug3iigR#&4{yf!~Mk85G3#kW!iaF%$WtjXE0i{^VFzu$FRemzX7BYo29FLKQpK7O_>AOgl)|zK&TDtx} z-p%SruwsXxD7qovF^o8!6&YKvBKth|5P_pY>?8;WPy|97cwxaDPY6rmw=mALD_yyi zX?4uBU~~=~#ziDpd*WzOE%Zs#s6SO$t?Wff;G&}EKd?L!f`5HiH$bGr=+N%9K@Q^u z?6vemT^IN8;B#e1KAAay#W6C}BfFn-F!_&FXHGB6-=Bu-?D}C*gw$MXp@p^uiviJ) zliq{)8$tx-Jnu4|$mZ<@5lQjadI$>nGJT#$jgWJ=n+tpA%dHH_|J4173$&ga1hsto zQ!St4p<}gIn{mL9cWh}pGrRO#Hiar zuoUxMZO61V{4B)lI0q}PdQ);4KL!ZYZC12(p2{N|zw2@s;RO7wLL?a6FHan@QB%-7VC`G@?{B{fZ1ZaX zhIo7Ix#2m<;RJGwuv=5yYepJaSr;vyv~zra0io$SDIi#p{Tjjy;`|M;k&U&%Lg$U> z6S=`7?PVm0PlonP8rV6k(+o4eu%t3%p|_0J&>pww&U^XSSr4A@fw$p7b*C?wh`Os1)}{=;=E809v?Cp&-+xwk5^`B zQz!d?hJPBuj_>p7_ISdpFJLEUOr0~mzm9DES$TA3A+{hb2vjzvgBGbbGbU7Ka6?-z 
z=AzGLmkmq-!6cjVo7l}LHm-6hO%S3baWRmYY1=%Dnl;mf}1 z{ljfR|3qsw3V>Im^79$7H_?`gH(4vO5JlQ^Y@|rt#6QaEZ%joHhBlD)RCfbw`t?r#;*QqU@kni&8b(b z?(T88{!XVPc2G0#2ph4-1tLI)v$x+RW5X~C(?!UcUa}HA(#R&cJ|);&C4|P&-eXGS z6wTNO6Vp9(*^Fv=oP%MPUgx%~davm|nE>f8HO03s+NST1CO3;x?b}pd?L9Ijz*4T= z6fNv_ob^QJyc#6*Z@cswhp!il9_u=mY5)i$Qdogl_C<90!J3+CSmy_Es$?);-M#lVJY3NjwEQ|;LlyKc zY3qo}FM%P*@g@t`$aEMcXkB?==jQsFO^W;AWOaL+P`>U&hFU1YT%am}t;)>@`ek4o!dl)7 zRcIu_7};)-_y zY-sdnnsy12tK3zJ5k4dOo|Cid}WvN6;M`LCe;yaEK^4Ah4wNoQ=ctx1;#cM**P)H_>S1TU*X zW2==OyD`2EGg?4#b%5%a`8H{r)S0Nz#mj0*6OmUmL??)`$`S-;Fhq zf$W9at9Y8pc<&&1wtHW_8{zUabG#qUOyNZaewFoJe9qR5a*zSx*4f>?+>~MC_9H@Y zcynLIoa5%;uKW4&ba&R^__ykP(C!_v37phKu+Cz6N#HA9NB_dp`q)He#AyMjOQP6!%i1T=T&5BTsO3BgIP0RCK1Ma93ved z4tZ+h;Fv;~eJ`1`)#BP)PWCF+al0+B&}d1FW6u%k57a7^=RQ_Z2~WyN?onsC#t+Sx z?@(l0p5DNZv&}y#IpFce5F0IW=8LD+kCU~A{&!)y=HdF;g<*zQ$ixWQ^>$U} z!G@L&U6HMszgBWS@uc0gq;in4iEST!71W#u!=DH9pnaOMXr64(Mp0l<3t&;y7>un3 zSWMXLwaxK8Z4oRHIIRz-zP+p2QS9QG4cx6A4J|;`3vyi@hUY3wN?A8b*zRYeY~3Od z=Cm{m{U~9LNc}^Bjr1uzW0bmZ&s3wkOt!S0cfJ$_D?1e8rx!Ohl*TzE-hQel#g9wv zQ)JKF{9tMToZ=)l@99E~J_9Nz4}Uw;Z(3SPtOpj2iUi2v;`ml=x)NWb#nH{;8Z3X( zfEi#czB5XWTG|+>g87G&6F3TMi%@cAb4M^EpOpUH;8yBti^hs@1N@i?FSIG?)e zONDE~o`Hf2PCO&FLrT-75Jeb_f)(n@SSs54vE4-TOftQ$8toM79zNY)bXT(5JqI8 z>Z%2V*;C;lKCX805!J(2we)z~Kkfcx(03kfgJJiQdCck5N$Gsd8^^hw$sFXYAy>No;&%=n9DAA_zxF^9joA~^ckIA- z#Iz@uJdZrjg`$YyS@F6#;G+J3PsGM4SoJ%^3CDU>+5{n9v{Kdv<=M3xhBsrha(gf< zyO9KYmWkBI5sm{|jmzO0yb-1qdf^84u&-+0eo+0rXy0 zwLR3(@KEvSG726IBw2vk&f4w;bH#=_uiYvJGSvi4^a z!d`|9g&|PR3R6kf%{(Vwa#*)kIc0#vV``Y>EIY zoAL${pF}Z84C9_On_HR`;z|Z zDJ>Kc5F8hBI0yFSjFixI7ALBK#Jl~RvrGk&z%*khql-(BIY?R*|p@Gm%KnmOi2By**ql}<3oI2-*Ry+Y_BU0C{ufZ)L$d@4nb1ywH?J;>uu&vr{9!BkJwhAOz$5opb%FWv=rrDo z4%kKeNK?KreGLOwN@|EAm|287il92GWmpX$XVJ=pXdGWtZh^vD8(QXET`yGwr(3Q{D0R+b@ zM7VcB=y%Q~mgCSLG$4cJK2+f8=^^M{vhlPpG%<_fcJg#EMalvoQz0uMv?nSmp)kL| zUyFJ`_bP^TZs#6*JyfB(R^R+pWz8Nau&DbiC5*lV>H{);@y@}7c5I_F?P0|> ztRM*158ZHWsBC^4uLuXh_nQ^Ro1~gq@Sz=8L2Y?`7Jm?jnhYSFVE*uRy4Z_J9^7$$ 
zbDD!KZ`|*9qpXda3I;9y{u23SZieRrF``b)x(Pt8vejdXfRobJaVuK}WL1C(d%hdP zQN|+NUXUO` z*D_d3&3&1NI*mcmdFbFKaO`Jj)*+58hbZKes3A%&PqoV_@lzSfi#_vz3=uxRe&N=V zYbU=+8Oy*CGqk`GO*=M-?XhfW=wZulz%37l1h^e?<_fU0cKVG%r;)QvK6v1@p1Sbc z5FcU5vLshkW>y?9N2M{&K^c#v_34@oYL~Dk+x~{6E;=$8ZKg@u0&9^Dea?i(I9Pb4 z84aON_b`V@k^suDM7j#FqFbIssnYpa`HV2EOr^q<`bs`*3ls0Ym5w)<_JP`7fY+L1 zHESZDY70Cu95NQw;<6G==TZC3S^*GLvS*~D8Cr|9SjxM{>(^2og06SNiE53F_)r&% z2+~-yxFYL4=0)a zjwM*h0TVj@HT~r6FS5FAC-XFjBuKbo#d*^u@?j(u9lE|xHnr_2(|=gz_JBy5;kn(0 zzwt(7F?5QH3+l&XmS&6yX(!A^>n5 zqYW?<1S}tfx{9^2=FPM%5}o>K0W%`L5UJ>Z)|@(X@$bFN*wG?B-#nVRs1eu!lZRjAtT$dBju zKK}2@=akNtU2v7>A^q)J}ji6GzwnJg);Ft;F+-K4VDl7FKUQf zCq$`2{ptky;Ig|E@d9t9a$W!W^)T(}Yuyg5jgbSgfdIk#YjQ&gSAe1Fkz?^9SSul7 zS$3QzGJ}@{(l4_u-LXWTw0OH%KAoS?6O(G3%%(zT4{BtHyBcd(!XgRhX08`4 zH%i9@j#i2WKMVg6ppo4~VLCniLnx*Osk6mpM#4t+6hS}hAB3`=?u>pF;pa)fvC>jt z*3J+q3VpmyB~6#wk&@VL@X06N21m$xw~upC%R|3Yplml|VBZ=^5!2;ZIa~;qq_y}% z6#aqBfz()1sUb@e?JemO1VuqB;(W=3*)ixDYwD|FAhh}=P?44pQfe$_ki$X4D%KQ& zMBgDu$fPa5QuaXZ!uiEnEKnzl;e;XgP+7zxAN-FyZ+-v=zCdLnuO7`3BeB(MnTq9I zQt_(weYZwwHf#k@)u}6PrAi+J(=Pg9X@^<)L&ciD zCZ@HgH$EK}h^M}M7Iy^ZQpsG3@Ye*R0maep3q3gck?L5}%csMpynIhpp8Tnv+UiT+ z>zEEps}S9l^Wi&NQ1%Ee3aVlz9P1o#0gYh!=0~=QNC_IIz3ez0#82rw>zD6!vB)M( zU@<4gx}4PWKOkWRQ_@e}{yTPSg_1#UAOr@%{|u-t0*s7#2KjhunTm%ih~dYP-pi@j z+4Fw{`3C+|a8`#NE@hg|UOu4&(l-rE;qUqg%#7Kj07riy3}hsu7zfTkvYwAL&$tKZ zmhP#1Mo((r8~~mK1y z2N94Z$xbC#?yBydsjN1*%wi&g7@DCGuFta(k1}D=p@@YbE-jNQ+~h@q&!~QyGzLnD z1umb7ft1j8Du*~uTIay*Vm4)Nb~py>r#XewpLMn4gOleS2n+m~4(Lj7(!4eWe^{9x zf$^Pko2DU^7p%}E7aQbpcxk*zxcw_9k*m9P=DwXhfOC-C)ytK|}r-a1?G}U{`-JfXk z@euE(_5reQ0k=}v-4YiQZqrRn3#FPS`bJLB?lW;tpLQ)IN(2%G#Q%N~Ax+YgayE|mI4K57{W z=o~AGA-GAzHDg(O$!%`D>)PbDPwNNPAC)8O>2k9!W<#s^xU@yLcUFpye(odDTnSgg zZ}7p@5kuUQ`-i4Z94_fjmT#uvK(PVJ59U2NBm@DNv*+Ort(Q-Mr7=CEvsG{kHA0dV zWJ`k(82Rso5d9_tUd=yit;r^(GR{TFfC?JTkh=_90ft2;>9z;v+XeGg(|AA+Y&g-M z8#f=U_EgO@n`W#b6q0ilazbScP@_9ui{}D!5!I#=HL)ECSB2m)-bXG6*y;X`4ZHLO)0^!sJ~6l_&rnRsfl$npzD+)^9b 
z*e@0kQO;~x9$EgCiMLm=*8YzM=$j0wv_VW;Yd12gx8z79&H`h~$W^`q`B>m9kfqC_ zEaJ-wQ_03{BuH(S+v5|~hwQ-`ZRS^lc^kkBI1~skUQPJmfg|xL1_hW( zVx**OOY8_r0aF|0kjj!t*g+LSNn;XXM>IIuCm8BL1occUX6G)NZ7xCX=WFrw!km?`I(IfzCvdS%xJ%j9PODkn2^ygr502CP zM#t?(j2-3LfOLq@E1VSGh1iOe)e#l4AN|%-lTU9(%<%r`w`v5G$0nT4O4mJ#)5j*> zi#6-$xod{IHL>^Q-a-qU8eCMU)k=v?!D>RZ31M)+P;wZ)1{1HL(62Dm!ub=Bs7%3o z&HWr1R^X>1`bd?(k&@acG;Bw5A0=i$SYlqqfJs1{RRe<#tT!Q=KUpawENLSWWI{pR zSfsll7*vkJJ^_nPq-V_GE`iF&>K`ilcQ@bJMS`(D za@ez?pe1w%7lQU!;UXv3i_@dNv>sv8>Z1mzuq-%sSD zmQY!rC68KJ|I26u;6JOW-4ui%<-Vh9Gn1XTv-_j6W=D%~x&%M4A(C{=3?x|5N9eOA zV#xP@lY=BFNTQ`rCnd{(5fT6E8%kMO)BJ#2dHZ8@T7f-%pp)*%jh~O|GV*Km|BN7L zt`|Y=k_M#v%6dE837u!n7ok$x{v;yJhyCk@>{knO_U295@&G{ zB%8u3bd6Xpt^FMyLs_T;7jjnd(+O^1fZSwmBO0FOMsbtPy2J+o96m#n)JdAMsb)ZA zkdf)(GbA05TA^z-&FMvwM3Pv8HYQ__Q0be2cRHn9_qv=6h_-&kfvKdn#`ADQdkR_c zV*aN!3mBCslOx1eZ|-6uU`;jO8n7m6(Lm?^?=?2Bly80iRe1aLUbe`+J8no*r<+5= zB&Tzd$oj;GfnQO~J0`Q(9?6fU#kQC#ihq3D#*$I@>5?}E(hu`3o}7W&$UGw#S+T~LBAqs*8=O3CU93# z*B$_;)^C@@TW-*jasR*TQZxWuGc8(i&@QbUe1E7}ZPeFi$NsyVatOeF=L$BYH@@ zbZHteVb6S~5Oi=uaL?f;hyDAA7#uLiJm$uV<$JalbSK<-}6u{^xWJUVq*=Scsi>_57;2B+W$ zQ|;y_Q&9nvw{@RK8S#&$J-ivTd%H=e0pVu%tVIol`3SjBMiD~t5s|TrWhCq;OE=F783s%bXrkgGAsh7S2FPR;&lF@XV!r!|mjkfc2!*+!4DXf1GIe zjb0lL|2zpst!+;x8DMB3@r1qL1x$m>$-B)Kq}eO|nFWGe_Ynz4+C!RCaJHSLaPs;C z)zlD{3atm*vbcFrS3%j6%a5e_MtS=bTCa(TCAKFyB z2rJ(!-3atBMhp63bOet!v6uQ2hbM*$iw|Wb#i1+?dBhTDS7o*?`9xo@#1*;IHO+DB^5De_2M|s@p%J9?%+XGlcLWYX=mCepCSWiEYd_N81mqC)v z#nXo?Ut6^_*e87E^3 zSvHQ(O`XqmBlCUxm!r(viD_w#+!}r`G3RmwILx6|$}>{p>N*J@5g*D}^u+lw!DhNI zrXO%o{xe4|Bp|y3`m7V(ot;fl_MjuwFvTvj4}byp{cKwR>3dLD^Wu)%f{$%@NH=2q za*Uw!N{jD{{f>^CQjA-eR|{ef=%>Ee2gvwez~b-Y!so#0uQCnJ(nlGxok>7}a=1lc zMRLIUc`z1Mv4BrRpJxImolbVA>X@N$mJqPIoDjitJx>Y3C%#gFN~YLZd)aKA6m~F= zX_*D~AgH56EjG}+(t1{d(!&k4^TB5KfgWLyAWGa6VF14ao}?k*!MiuAFPlQxa)Vuw)V%Wc$q!nRet?&h(FN`4OQdsJ zz6ZwXbw+!F<ORaxk zO{ssNsn{!ck@0593+EL6cj!|#9{E=jO*5H+VY^_gaQ@g3!bp9!PmzT&ayib%BlbQ8@)M6y14b45HT?`Qd!Sve?@a*_e+AhnUfh$Ed9CbKK6u@^|1G*k0 
z4>;N1twBR@!Xm%+emCG#FdnS9^INlAQz8Y68*s?Whu{@L22Q1wQqQrmxjnHS);q7* zxVGVocurl@VHidOQ7=3%UE!{rJ3%kXxVMCAxCZCRaR;|B@(M*=lFho?V8PEmp&$0? z;l|w1IesR)+uB0{NF-nRH5QhrQjR24mKy_5AV=RnGzB_-5+S; zW#@mse$vn^zWOH3>Fk2?hxf*;?f;*gTs(bohRM>J&MueLkaxF5(ok`?{lc(OUy8Z7 zJ5ZhGD!Hh`40F6AE%N#1?s&wnY}1wKf}z`4=QEew)7a7Z#qqH8VcfHC67#d zsyI8a3uegNaIv~Gz@6XqG}VlS-+z`g+#&q}N*Wm(0bcjH1i*2|#M!`6mNxiR#ejSjt76p5fw()0otBK=w__JZu zv*Ofvt23wiA*uH0CxJU=SuaFopo*U|Z8Ab{wN``z@Q=ueb^m+D)aoMUX zu=zTwP|4hrjzSdBIv5;QPmKRb+MXuST^zDYYsxVC7UlbfG&6TwY9mI8%TFt&*zo)8 zfmO0-d1zB4sp1GyjP%@rM9RIVJJE(?&)YRh>EQU+cyy`LU2{@-)WS415~*cOGvcA{ zcmwy?stIQ$4OMsTAOE6*^E;GDsJA(5p#83Rt|{x7-yr?wEsJ9p&-}+U8hHUKC>WSo z^BUIPrkv>1lGqgy4DV_|>P+#3wD=XRP0xA6Y=KM@#Z`JaS7>Rk0ibPeB4*BbOUszA zRfxJa=@vWu(|}B_C?U8hd9>XMc_psA?4tP~GPM_>Cg(Mf?Et<)4H-_)G(dgNSnMWD z*IL3I&w8iJYj$~aSj-)&8Bcwe<>@edZDM#hBFKTdkeal#MK#0=@_Xz!(07sDZl|FJ zg5F>@P*}jQ%*{(%`(du0t~1a)WvIdAKBq7@6rKf+-OHihSLl4Gp}@dbr%<{K-1`fv z4lokdH?1)eN~qyNEd+u7hgGK-`IC2A;lYo4Q0mZnu^8{GHxvXKaonvFryz?r$p9KFZe}SaLgZH%7%z zc*rr|m{FK*m)#_Uqfn*ehAM}~;ZK_Y-0DHZ%i^m18sX*u!CBc zgV@$47%omVsCj{d_`=UY#`zG?l(*0oTtN&n?`;=>l%PuxyG2dea8RT8-jLBZ?X7Gn zd&72&@U?xX2|z9qSqut$R7++u%rv)dhL2Ag_6+O#q6!SFp}OgrAIAh8tw{8OH)AFc zXB-4_RKVwK^XO`NO+nPY&`U4$EbTjA+ZKet6Op(#x6MJ~QCR_W0|`Xad36}?n{ESk zLq=KkT_ot8Kx$n3X7!hzL65=$)MfceMK!K%P8Ec)MZhRk$#*utzDJS%>x>Cnu?kf2 z<|>KX7xWWYZmyVVX4@dOJO?qW>K*i|Tg(~FXW%DSfbqIDP3B>YgBEG%TsChnT3-sV zyCFT;=dM`~2z)X7`R3g`aFzLokAZEhHLsBL>r|wJ`J}hm-+sTb(LTs++BmP;k8=3# zpHK8C((8_K4t^{Cpi3GE@JxJLu{#joK%nDrk429}DzjCcFL};LGXd9;2c%sY(v3{M zIRew3oZMBv20PtHttZjj87P`|UpAHE%WsMOeZ^73v)LxM0nv>flCiNHhd2GOhZv@2 ziF^rp5UPTkd`B~biN-SQ_HxhK*jMjuiro`N=>GO_gSBP(@C=uOEM&H=u#ukPR_V;d zcJ65Pq4eka>gb;R(__Zw>atAF6$2}nEE3pP5N53yg!KfiZRmSWSE@-KZxF+{Spd0xQ|1N@)GqR8^_Y*laOPd-9R~ zyHkHRdq2n|IT(okk`EJJU%h*h6bt>}s@vY`?PJDgde&owT0@#^1*r_a@P+*Jrp5p& zF>w>ysz5F+F{dIZn>^;=cEtt8>lzEd6{$U2Zh2PTkV++NFt=lpa%%S6t0FSX)yiIIH%dC0?jFTtv%_D-UB-k~XyQ?6Ken^{FQUwR3>a{0X- zhdnC{* 
z%Kvrf>$+j)$E1ET-jh)7e69A>o&|%kHNN;7X?go3yu<10W-!I2nRVE*`KNC6uy3zrEpxbt}*^2d)8rdNER<$^wK z_rO6i{Vp%w155Yw_vXXZk`m+h*i$N=2?~!8G3QBfVx=2l_&%b_(GwHPLV)Yt*NIFU z3R)f76lMI={aT~5lRw-WFvc!tpaw2vuj!$RBiQpoMAiE0tb$+NuQK zmlDBQe`o1FXfKU?r!aY<88X}W_avgq``AS*ZuU_0Q{6d8G&d)avF$rhsvKK~T4(a4 z3|q>5ve>SOY(QJfj!U)JY{s4b#|B1HF3es18C|=jp5E!O#(Z!K%unwl&W_EDC}z zf+0d{`Rwhy^=CUm1op^M@~R12B18pjeYiT0>#Tmyi7pz&`SUejTj6ieCNYwvjX~-m zR$UCq)akwJsE0aiqDyYzuXnu(T2rL)qL`W+hn{rLK(hs-QIfAi zPR$;VH?NtVfj@~A*nnqwH+ zus0{2NaGP2Q%zfBbgn`Rr`R>t$gf6#sqL(qkAO`f%7prFE?VvC!Dn8LAey}5qFT-C zlMuMAn-{Uii{wk})^nTXrofmDoxMTMrR*sCib)T%<@{B1q&<-;7Puessi_AXKgP|& z#8(-Aj44do-6W3z3x2t}2-sW_N?Q14;iBVPPhJ<-qo|l$AYgK?21&U=c$BYpY_RvL zMROhtP4XNa)~NNq~VA!#`3#Aqx()Daw?;U3nnoz-?=YS za%&yFeq$TWO?kA~Vz*tCKcp{6y7M+GA>l(B_+d8y0IM&F#BCQ)Mot!>dDJFiK#_8m}c@ zrN~HC1EDxAgvp;HI;H}o*;_Svty3Wh-=S7bR8grei`&T2jzxY7W3SU2WbwBOJ|r(G zV{U#yJd4=hz>f6;T^~tM7xYc=l8PwFnRh+Y5<#}e5Z4?wy z$)!!n*){|?qeHtr$3KDz-oB;N5nRB|d?@DHYRk}u-e8&}Qg+{Y)fff~{`EzqaLvO} zTn2U#W9hV`ez%-ieJ&L+TmB*+o**YySB78melbo$Vcwk9`fFI*xp9m%_{U{y{oO?{ zz@=Loc=5S2Tl)r{%$hWKx!I(niXTpc)_`)+Rnvgeu6Am1(KU4W$ICHMdAgqSV(Tj| zhcAE3>vj@e+5+0BFKuB;+DykPEPuasSJ?k0+x_J0Ej|Ef5<~Xn-tQg9@>D7R3{k;$_sr+ZSd}CBowCaj%oSuIsR1pQ|7}qkLdSaWyhyEL$Y7b;B)~Z05{E5Fx>x==cY3<}du2 z+-t<2C{}tl?_p1yM|o!_#(R(#-)G?a>7#y>AS}T)k$6l{F|R5?KL*IdA@T`g(g6eq zya-1E1t#TKxcmd!gWReGbCd@8QS-xZvkh0Q?4)*eDVf=Md3C(rzg+b5`t$kT?D6jAjSaZl#q)W4 z^w;}6Tpv&oA>^BX%+DlOt7715i~N8s)<4cC4fs|Lh9|HMov>y3MiT>9fUyUsQcV7XS*%;doT6XaQWT z-n||`y%=38vTM~A>>m~nt0941UQW;Rt+NS%e49{os`yisU!n0_{}mda%BL33^+A09 z7aGs=U!f7imu%yxgS6Lxql&)Q@U>-Onk)hQ*%2*693_yBJ=GPal?QadIQYnMM0Q&9 zQ-g=@jn0ALrfV`}py&RkD0Sj4Vz=9Jmkr)L1v%Fjp15^3SY_rx>DB!LZjsx+zJ2yC ztZ>Rf83@7JiL>vzpFqPEqpmNIqvbQmw2g;cX{MC*ezm%{Q)x(2fcrDME|>8vfDz4D*~|dihw~LAf2hUf-?$do5(*;0oMotaSU1z z7yOxw+c$psvyH;@|MB#V(RD>z+p%q$V#H@4F_Y24VhZ6|GPey8uf z_xp9uIOF`!I1iIoaH_KW_F{J(-xnJkt{X} z8quh-u8RR97D8^HWn>*6TShN%PwMl*Ol556u@rK3x{NrcNcW5GEre>OHkp9A2%)Kp 
z04;*B;;3m0!=@C+H0GBZ!(Zv4)CLbshTIF#NojvFh=NwL3<{!Z+^?yuiVW8%2d<+} zu6U+S@jWReIfmdw0!Qrt9HgLUZQUaL%=&Y&)Lh^)25Cvru5EYYBfuO1sN2!_Vqn}d z%fYanGW5#CSN8V~9Eg=H^jdm0?}Tyaz~j(v9g@I%P@!WMJ0B^)b?9i%IIv$^Mbtk} z=V_}RYva>JuUvFd5B(|ooXafr6LRjNk1T`#uOb&`_J`Nc=>`;mRBUYo4Iy7`4THy+ zzCM6!+xpcvIKa~WMO!&_LFs5Ih#!@d`1G^uxfE5tLNjQhT{trW$Q3zdWULC~S8pXa zt;|;t*wUj~xT!=r<+QvE&YuilwZawWta{dz;A8?(sfj#Z9M=LpC8sDYfOAj8Br^%3BK~O#2SWlgtwO%{at&IyLi(u z__uZHyf0pnah%WJzp+(?jO7@eg#u3PL-{ErG;XPIGVlQoWjFTa$7_bv= zFZIDiF}m%$=#|D%csx zB;Buz_(PLHA-obuHk$n;e-c2&(voR{kG0#eL#lPA<-0sVA06~x|4io}$<`sk7A(4c zc1II2hVTCA*;GUC`cW4Zyy*Rb;VBZUlTSb47ZWpX7Z;V9nF#(VA-)+$~I*dJUL1*ZwAvinjS$?LyU@P19Jl2S^>eeIi zIGCJU9-0xd7Q~@U9oXKXpN*M44>WHt1;(zq)VGq2Y#9>5$N(V5cJaTYO;y5xkRXcOx&++q9m?a7Jun}a0F)LFFU{Mg(Q5S5xQj|7|e z$#h#}j~xYN%@xB@FC5`bZh0Cr^|N{@64ewoeej-HVE^d6g^~~xiPDMurZhOcUn{Gp zh)YZ0RSO zgD+NjM>?84@T&VP^i#1nvMr%;$)i7bbFoz{xpVgP@TE^#vU@I| zvfasiiT~b`j83orO~K3|xf`d-g-ZcO2+gvhtPdX_%KvRt%NW zR{ew+%V<)XEv6|OtVe^AgXkv2{_RxFKeRX^Sz#v=0eN^`gi%Wijxsv*nF0Z^9{g{5-;8+J z*{G7{Ehp~wq-YTh0P$)13GO{;kPrj96*Ma*a>cDrT8Wp)jDh3{^!(+KwPufQ$;$&H z?C2^-E~C-R3S#62A8tM4yA$z9^SX$0I^EzIRCE14z@C)=0$3phA|T$rSZpBUyWZd| z^aUxRhm=TwXs>$tdX;VlT}&x^J3%t(dWO zdbjbk;bS=*hU#DEcx8kQZxft6*|RC%gal01{*o>)E;?OaSo7}`Zr&*iK1b+hD;6J7S~ul3;K?@;>oZd=8H#O5p8XB7K<)=ui5kOeR3NTdYX*E`Cwy@ta3(@;fbU>nN$Ap*HbuZI^N`+zY;%`X~mne<)0h zi*Urx6FN4mg3_)sLGkSNqNwxX@)OU>jd%=7<{~pw#)`9f(+{~;(!!Adku)=YZ&H-D zU+C-N6nNl~3%D?NNy`14yW2C?^!sq*-5li>cY#5}zm$O4u&Et&0tId_D*nIjx<^^~ z>N6Z#jhr`!HdRNQ8K#Hz-nceh=|Cw>YDa!*p7$`8!ZzMTJ*HVLHE4v9XOnh@(aGr# zJxVp4lluV~0m<|#3BweoWv)-m_>II*zNv%`)`UUH*I&j@^mdoN3Y849wQgH_@Rc!f z4e*y-7adU7E|Kr{uR?0W-|cgDhDzh;&&j|{$U9Qpr76cNE4UENeiw;D)lBUn1IGm{ zzl1jNZ_&BUz7S&dHU8W+-qy3vB3nqq`p{PcZ^Xp^*W0D&HaCrl zlv!KlG<%-gOJ3|#n6M&Vnt|9v>{|c;n5dQEPbq0t1z9U`&VVL;jh(T&o*^VV2=l9T z{{38=6f(Mjqpm^xOb_BorR^Y|L=Tb>O54Lm|HqR`*Z=XP(W8|?T=BjtZw-mQe+?^N zx?9ZjWi|n_Aqjy$+jaOC-tqfH@C=^d^S6Pd&X;FZPe7Wki3vH(GR<>zl?Wv5jRTv`A7pSw 
zh*?>|n@a9!yTCjBGrW`XD}hNMZ~+tOg>t;g@Mmly>^H%3&so}2&|qHYo(Qkxh+!cA zk%p!oh86+FfDs%qK?fDY7ojTpRxKD&U;u-=)W)H+Te^#9q~{(>S*jn>^i@^}8!hy= zSB&?i!f|VN2v&qzvue? zo;EfV1Z0(%ch91Hro-}k^$cPX1)wIQ*xjFelEIDNiJ0xwDni4&CisTnha3ad+o@Xx< zxC0c>f%bh4XT?BxUaz3I4Ph3c*XZN?wr^M{h#yrE76XLkCt1|;XK>CTPN6S0qJBD0 z$yX*AvA?nMi`2HFkeVgWkeRBNmQ35Zqbjgsi8sY?)bNn%rP~qAXdUCE%k8~>LcvPM z(S!sPJkRk;yvcX4Num~f8&5@p#CyjXNBW! z;{Jmq>oIsUNg>9|93zu>_%8)4vTKn0JlQE?jbbIC!g;)HvPp+DP2E~~7>ce+-15(F z@_=fi&wVGm_#ap2y`kThE?@DOlYQ5XBL8wdW>$)A+L7B?qMza|Z=mpf!r#Sc@)x z!J-46i|QMf*+5Tota|NFqXy7xiB{^?1vFQ#v(s9Ys2WZUU7LS+4aG9FRc2HAnZx+)19Im*TKpsYoHz#FGj>$}LK z)K5Baeqk(^uu#Kc<0G!N#f1EP{9a%1HB#9Y3ZU*i1Zw$>hz5kC$&;uctd3O#9jp<(CnQ ze6(|^0on3DEREmvz&Pauh}3UxTZz}=SsR%VSo*R*uCo#M92*;c&^Z!Cj}*-SVRPGN zXuq>yqN3K)kr=hc?SNTZt%BjziR|IR)b)_wP!ZV8ufdlD4fwEx#3P6vT&0KvB;-WF zV*0U?6n<(Jd;%VDQfTkJgdI&R?#!8&?0+w843_V-^JOS4pD$Q4EK4r(A+=yQcFN(W zv^)t-^oUZ1*auYds!&3~vS>J?YsmS#hjM+g-7}T=`zXF~n*cfGRW#>YZ5lLqzh!I_ z^`KH)IEif$F+bjV5HU~lTQ0l9N^xl9jD#Gfxr>AAA=WXIYjDeHYL&1(c|c#N7}cKK zB5^|5E9U<|OI51fixqjqwr>c_(~Mjqi^8QZ?gp8&XryUx^c|faXVWk%t#$2ky`^L+ zN&cxZeJ!;v1Kwvea5M`)N~|Up1MetLG9?AWS=@8PNvQ<(;-c3JqKlS58+V;I=zNxE zz8i>6+z>`tYML;ccdKhj8B2KEo#V7pVzG7Ql$n^#q_F`Gee6beWM?CpQBk@J;Kdz{+Y282nn8ST{ zk?eYiwjNr(j&Z07NlaDjI#KWvuDvBSb|#vqpjpS<7P{J5xsebz;P=M+li^z zZ)24(Q+JO-(rOF&dwQ12zz#i?yZHI;U0K zVBa~V8cUnn7(Z~3$xpm0NQ-ME`lJ!t+4|H--H$V^lR0`h z^o#WCv3!Ql_8^FFXW$v610K-&@+2Z{)H7(R*A>nUDEm2aKOKE#`&1sErp`M@o^u{b zRaLNy*3r@CgZ$u31B(?=7f(VA=g+c|wRgXY22_ym;1}>A?57VdGHe*T3MJLML#z1g zNTFt2j{IKG>E*mga?y#PipRnZ^H!$qP5;JbmT#X`47(_ zu7;z%8><9JO((`e)G4=|McU?Yar0lOe4B6@#-;0PX$-8f(mz`1*gL@b_5^dcO83o9 zd8*jO{gf!GRgcUd7??#$K+mBa%jg?RUot#TPJXD$TsnBZWy)AiRjLnvq@1X^H-rRt zjPw*I_USekwNuqrj>F!-eO=8Scvy>^Q&}t0oY$`bI%$zv_;7{x{gmY3vfy^iK6#JZ z8BOYWQ94oit8D(S7f4C@vD=xPi~*wmW)kMIlV--hv7fL7KMkD3XUU(JMG z&U8o)Nj_wSA0#}Mu2~G0?-7RvX#~aLq-g9F((A{>Ek2h1hp1_U$7OIl_B>j-&7B2F zm8##AO97=+d8fTJAjXT)YDkek_C+jCvJiC-v2VEYl|#@&%5^IZ_~u8h+*U?uR7Ez^ 
zX2oiBn?K?Jx%XGUVAN=PdM1L(qn6|=51h&s`0|(ql%LYzA1%Z;l=J~4lNBrsu&AlP zTA%x_osJB3B4eWHFT%eqt+c|2ZeyfK*d+@W%>mz49#aUK4S2ux>$Tnjg1T}})R7M( z7BOQAud*=1x8js|$95MC&>FaQ#=YjPw2UF9t4A*xa*Gj>9pytkx65~z=ySYeqUYy< z5Ep^)HYv)da?AXMA??e>tT@BRE!f+Y;Rfbc>py#;_)f@einTt*WK;j&deub){^Pyo z$3WU+Z?$gNQ!fwywQvaVTk9t%nXqN-S|O$MNVO_AdOJz0=D@$xczF7HT+41|jVF}H zZW`H{!L1Hv?m3S-LNa|@8~t<2VPAqOTXRoasx;x}`iipECK`W~7FzD4>DZv1n7JxC z*EZS>d^Py~n|i4?ftZU38!*2Zh>O_VB%=Bi^LQ<3BI(Gt_)aNuRF;aVl6S3?h!y-ZK++3Hj}JIr=T>K}Ri%4ryB*c-^U~HuyHzo}>v@=1*8DzK8RxL=2(|=xu3$Y}kHv=LOgZshK81G< z2_;ycs&!$@0VFFl?`S3QGu$p8uC=+In6d_V%%iR4h<#jLWrsWmvwQ+>C|xI9zT^Ye zkB5siHxk-q#ijB-jfqaL+Av;L5)D5gLK$X{E?X|c%+42F_5Rww+SbC~lV;2Rx>(PU zse@lXw9p_XW(46Ix2Ul-SEfjD#R?QxX7?nIru5xspu!Y0jl+|iyC;G17;zS&q*b@8RA$3WU|&a6#vt$a zhl7C^k7AI+pNa>=6e}5S=o@W%;`F7alvqP8t-wtE$40lE5F^Jkt?^1z<9E#8JyzFY zJzmGCVT>mQehYnQ(L6zq3dRT3+KTykBm@=MeayCGYBz#+5mu<}SjcX7F=VYCU%11j zqHwadcl|j@oE0G9!>MJ9kJ(w` zMC!_wfR&=J2_OJ|_LcDG<)GHnEXCId-_y*|mlA+R@Rsk^1uT(zdb4 zGuqAjF}x|8+~@`bsWQ#6mUI_iGeH55>~uPr`+xn^wt})IlOu=Db4FZ^_R%!AwSN0k zs%mK%Nqm2_%d(f+K^-JV9RiaLC38u;GJ)o#-xVPAg+}JDWqbM@X}AB4SJaos{{l@P zdl-Pt2)}PAXM|4`hxJC?VtS?g`m0@41m-;xta=siH{yX!*`wOOJj4{Eraw?L9n{ zYxRs$(`U}xe9_cCf-X*fo7dSp)y_Vf*93o@+V9om{$7{Ij|YJ+9CY6eTjg~s`APoC zmyhP4SHQn)cHz-H#&GrNkRB+@v2=SZ<_ji`H58hEZy?jL=E|eju?B@8-bX+o2#wCl znNjnCWWK(I7c}=|GQpOsy))Khn!OJJ!9LUz%Q&M>PU=s(hEV^M;m3RQ@jsKIHu~^~ zHZ1Mdcfaoui)_()Hsf#c$Dy1W_a}32?Ju38&}ml_1G3{-wc^=~f#*+V>>j-bu%hDN zv1N|RMNkL_2Zu@T?ImjrJnweHj#>qtkzoJ{|B6?E+c%FVuZjMC3mToZUlN=x+3Xc$ z%y_%1yH=WTGWsL&W0H)&VHcvjGrJtmoDLlrk+5#Vv>%JrWIn-?!MzBH(Mp^Ip&_`B zaDAv4Kt7a*ZJSH^9AFwPYKT()aHe5+I&$*>;Uyj z7$A4xN9g;nrfHTDG1531O@~4!e!lAL)X5C#@IgkiGuxbIP~YF_ck{aBq|2ZGQII;z zYdo(x!s*t=emBQ?@?)d!UPs4=$uC-fqu~~i4fP(Lu+0Yz!_u)=bKi+v(*8j|Jhk4& zJ$7qXKI*txrCd{yhh;bsW#vX%aBx1Tc1iZk`jL=j2yn`&V?YPZBl;HCtCzdV1MT z!fZh_5A@)`V-RI4L`{>cVPb5jm;Zw(6_7C#`0Z#`uch}h&_66HcGQ1ZfV==VRSSL6 zBClqBiV0bVoI0E&+Nc$Oh_f&oH;5Eiw7Ghwk>;c&58CZHDzla6$h3<*1=hk!Cj^EWy#IYmtg#h4h<7o)04=1kn 
zkK}E?hA<)K_O3N|d-;RyH;6r^3Zx}$L>=gMLp>ejiwak+cEi4x|3(_|+Z`shL$}|k zbc%5yFaBDnLtWT`t7}StbkFV=1>{W@^mbtZzYhzvO%;a8FR#5BS>aZ55m)W(9%G+#rVS17Y%H>{88JFp3ePr zh~251=p@srTfC<+tx@`iRpyItbm@JXB1^*@;&O)@yi4_z#aD1fFxQtk-b>|^H_=uq zKPPU?7P4abg*@sHmCz*{8NRr&*bXd$$-2A1@6bWO2zD=>xhUAufy3>wFbkS0aaf;y zgeN8Gr$5H$7H*go()!|e-`X7u3-Az8`RBTY>(oh7>Sn=;bEJc5rt%F?x*kGS&aI3SkPc7@eOVlv49M(weA+i)-z#%gaT~Eqpa3ju;&B!aP|# zR&k622s`M4hk4JG2Gert3vFvgb>>|LZ`VCrWt&I)VL4>#M;!sDCAOKxQ9U4R?Sp>3 zk>oR>N7a-0_K5ahV%dqv@oB|Xe?upwgVyK$FplO(;i16FK)h$|{$KTBB63GFfoZWf z)5;hTPC#7!Y1qQQqBTK~tq8;e6|IR488G<2sx=u0RV|w8re_1$q{%`n{iF#91CIY; zK>fER-Z6Hk6em~NMJ-NW;u57`UL+wo(5f!B@x-Ip#&3j}@l`B~Cjay@>_wA3y3b#8 zSg>;KNu6n_cU-_kG16e;AS2)&souu+VT3MB&{hI4!HwJ@HIYx)w6Z9#gL%pJo(#KMqsb5wkvE+AZ zxxmB;B9$gHOpH}c$K|e#5}<$m!_R;4iKFiV!(uU0^*Ga(r@vJ0quy2xIw)sBr1FQp zM@iEe^GtP=;ks+1S;FNAxXWIN6FYJ7)J9R8>9}AM&`GTi;+ETMJSVN$o90B%e-yBv zmoXSU?4q`B^6qY5Gp`7U3y(T!LvN^SpPht*C-J|UHGi6-jExHlwUK64%UGIcl4oSy z7&YK-v1^xphkBAd>RGF0z#QNsM3gM9VsnzIHc2B1!8E`2gUud})pA7Tpgy&G-{pSu zR(Rn6ZrOYLckQ8^pPZ0h@u)TSocERnQB&DcigmgP<5^-~%N+Zlk!@s(%RYy+l;M(& zU`G0im|KOpANc%Cy7N&U^TqlIw>xaTuE6W{dL9_xX-WjGF=QUYd9X@>FF&0|3eUf* zab$hm;%$i%cKzWK;6SWz1PTc;pgj?yRjcR$)e}+@vJuMXGje1*o}8byTz;z3kmg!K z+c?~~UG!k6?^}+#>Ktf?S~+xRKQLKDuo)I=ipTf)T5or)E4{fJ|F#|V+2F8E)hUaj zN+I4QdF$-#Y-P7S7Z)}pX>D9I*uXr*IKz8e}r!?j1%I5&1?(2u&KxJ8YUV)=PAY#?i> zf~dv~3uWUGk>=!a{P^hBq~?5~={(bTjv+c5*SnWIbd;#6)Os{6@`A6JK9+JKIjNOp?mCs&|Fevr$3!UD|X0 z!O3WysOpM6Jc?Jk@`oYQq3mg;9T@7>j|p-bRhKBDs~%w_F9u&-gKPjv`$o)W%fJ0GhZnjTfKwdx^~#VPPo#+S zRIgJK6vvz(c$Xt4Nm_y}gP)1RYseLC-_;P|)&}~gu^~d*18V%d$ENyET>Nzeu0@r@ zDrrMEJzO@aF6KzP3h0U+N(aoB|4zxH&qIN}-HrXA`Qz)Wg`#b7u`qx6QHiN$$eNP_ z)SJ(75Om-P)UZ(W>vhHD5}uma6{xljH+;iO z6;&J~)o^r!h^e~#ova>Q_LhODMDl2~wzluyJg)`^WYR($K(Bq?uvzrnk2;lT_ehBx zA&elkKbTWq?c5Ir3sKH9#`0ljD6wIHmKUC(ch+@zw~Qw_Yxd(F{2+^^WMw^Jgl*7c z9>_hoj`dBuPjKS>!L8?6Phl_|ySVlDyGJK!d-kB9XPtCkH1b={+ALw0OTUCB+`ITL zA>Xf%x8c__GmZ+!FF)l=`pCyOw!{wOYHGsXQ{^Geo^*rVE*fP~*!M1*@cr?Dd>X+M 
zAn-hG|192Tz>(|H=~H{2Z5+!V{$WDtFCQ+Rp_oP-G(DvVqKLu!%tQ|5;o4*G+1+`2 zCQeub(*&UwY(kc5soe8~9!G9{Bl>uQ(GP~RsIM;*z8>5#W*6p|nP-=-{#p>ZU zxoytiEuJCvV;Wd`9Kn&Zb^&4_gcbE}lFtMn-qYE1);k|b{>~JziYf^QP2iE8#M;ApO7T}&Byo~}uD>{xVM+P{Tbi@12k z)C8efLrN1En2+!@YIqJhAJkgF#wODik;)sGsmfJ>>sWk)&tXY;w}_WBj@%h2($lnp z-*&L+8mf!@eXZ)I#{$&Z$#f7>{^GwTu(zviUNIMGCy*-a>s>=@hFJ~-O*`xIFOzv2 zUft*BWVjsKZNJvQ-?FN;9sf?HI!YKO5qx$c_Swbx@T=V7*E8uE2jS^PnN4(Yw5t|p ziZaSj7SdLTD)*|f(=~5I?--Z7in&c^{u1}P_RjPA6mX^XT>16UT z<0iBgU>0|lYEuO;XU;sPzr?uqbn_5N1|PX@WW9?x4K0x?uvOV^ey@QY77C@qRupGF zazUv^rF)acfJOfZ5&o$(jSDp+Ah76iiYNDEW^$%K^1Y^(=ay-6=4M5-Foa@j!4u4V zT99AirfJ~*_)qKH!Z*~xPU5C;emIQ+A6~>a@2WHxsj7K^^JOPEjgja88&OI7TzbNM zhAoM!mV$Uaq6^%g!I}QywBi z2k^6J-@WH0_+`ztMQ!VfTg?vX78{m?M(hlK8-|8guYPdf0PNOIo93Sy$8VC&Viy7) z#R(c#4?GAJ_UiwfCI(ky>qcyy;)*I@x)FQzzb$CJSSE)jzQ(Z%=@Ft%Zk4xYqmV8{ zIkOK)i34rLv^l#;sGK_b^_MhmJG!?Gwo_7-_P&KM8#S75XmRQI+rREJYGwr=8g1o| zRRyI!jc$Dgcq$>i2AZt*^b;L>O(>VQbMV8)Ym%{eDOnF8lvcp#3^MRy1tB3E%~}uh z5D#}jEmE*(E|(m5F)K>8!5*f!D;2d7zCgZ6td8lxL2eK^2gWz_2Sq;J1RTfR+3e!J zz$`;-P?|j~XkGpWFGF9|xQ19-muyA?a4aYIBAx!oYjh&8FsqBUdj&h zf!wS<>|L-89+sk2Y8l8>IuPFOan8p4VowT|FMWJrT+~YRlzW zUo6){{JJHo(5W8LdS9KQc3*>(D};Vl;_II3DK81WPH#Ce9}LN{Vd(WjOxtj$=n!LmvH3>ZTFF_5p4y zmGydPh|KGLl=09t4ANi7*VTEECO7dgYsHA(rpWWFG}2d}jPmoKl#0@xZIIiQ4 z9N`SPGRVFpi_35GWmd>d9a^8hLTnJ-y?8(VqBr2WnE_BL_HWnACLBX5B+8hhk5r#+AI z3GD)qW$t@z?*f>?9;*yluLOFjiqjw7mkwq z8VksO`4QLY^6}FGzn5yOFIVn`@ck7#=ap&6ClBC5=Rs&kq1g>E`b>W+%AtSe;#uQ~ zAm6H{)vb}|!GG;A@~N39rR2}+vuWkZ%IS_yrzI5ILMyEY@ik?jc??A>o*UNI&D|}s zFzD)MZ-^<9t7#;xbZ3@@B|$szd2cVKDO5m(_036pFpLfW8^I+IgW(+L;mvCxB}3S{U(t?P zqVN^}U+!#?&N^<~^;|9+^@jEXy$aQA>@HyF(__-;7@g4A(Ie6L(W7r;TFqGg(;r?2 zl{w!OsT)zkJxyeqwH2q`o!jaT!^Duw5^DI7+!BF+d;6vW1p$1@Ig#M#9E*zutcsWm z(vah7@`2Os89EJE<_-qgT4xI9N`CVKrD+*j4NzPKiy^uCrxxhrKP~mG##f-09dzA+ zPQyHY0@_+#L%(9S{NHKK4^mOA)LCqG780z~ar1?V^3Ix~P%Zs4#Gr$tW|q5v^ZxSG z|GNrbS@+LnkJOT&7VUYI=CEH#BZ_<(Eo|BAXQY7(#_#RD;>9mvy1$}sr}>1wTfY&1 
z_i9a_Z^##eH$l-ucMWKHjFx>(QVXj)xL!sZN`9n=!$dnf#-Ug@D0FIY!xt!*P`U!k z*Jh%u&eKJDgGT{F>=JKbZ7GAjC@HhzW4RsdLgquZAV57XsKf}fc;Wq?nUbYanO{k& zQbn2u#E{g{+<32Qi>TZDC_PU;@%GKBIPkO`+nIib+X+g|b_XmCyYefk$ULg)n4;6- zOH{17ZBP3*DQ{?<`ynR3{$g(L-Hb0j%zYlUxkpMg~K=i)y;_uoBFN}`Dce_JpN3^f9UiSPp1J(UR{=Qw-9pgv6%vayr z%??Hk;Ay(@2r@J^Q4kK?sJ>{N=!2%{{-K>SJ!jOc|4N({Yj?*iHXA5BI5$WZT|>iD zUO~XS!LM^_xY}g{oO}*L%FXcmP6Yk=7NT`r_YTDyT^uljzGVtZScJ{@Cc&M_&GDJX zJmyYgt+Fxfvfr)ZLF+>n$ zBUwCEzU!#QYy+<7ER?S72f>z6XxDW+jZegeIuEmcD?hYdX1)KwldNXzl%C zTBoU6;JByX^)S~%Nzj8X7PjnluWW)ELpQvLYg7AwDGr+*GQ{#yR>&1kM4som>J02J zd<{lY|A4dpvGcs*}nLu8t`5g>76>3vFzdRtdtu|)DRS%lR2lK<>211x< z&+*p+G35qRniVUv?)7{^IZN@!s=eyk&eq(LuCsnXmsS4qE?aeiwM^K|j1<9~7jDiV zo**-FrnaE&!!P*ev>POcZlP7W9DbM%({ zE^;3_U4T<8tz%j2`gG$c>RV+GLd%ahR`HyBZjLug&BeLcqy3d1qUSVtZ9JZra?kKmY(#)Gb=*Qv(W3T>s4;S0vwv&Mo!mdlbsmU+de zXJ41cP}A)R$wqa5@`_hrr%?9*H9J#Ex}yDMFIv614jVz|yE^Eq>MDKB?1IMAD!s#h z8$0cT3H(>1idRVCRosRi-Gv&P;D1q^H?zgN+MbI>Tf$ciyGv!?&*W2IPbyyK>eq$= z;^NyUhL+l?br^?ILU?Ue!uCQ?jzRz1rOsvD9LEk`IVvC-&MK0WatNl=sfs?1;V+@< z$$ofF3CYI7UM`$jU@Ki0o|}^|D41@r1!wEcU#xij?kcidz;aK3oyP#fb9qHL z=$hGcpof#Kg%O5?e_@}eumL|#dE1@n_i^(AC&ZUQb>yZZ#J+^Cv0YWTO6|!7p)*wS zS3V(Zl^BTN#Gi#m+Jtk4jpDk6-J3=|e=>(#L1l{E!%4WAza^hpx9~QV=lh(-eL^Bt zp9&>azh&F}fTET7t-Wq_xw}%q^NrHyM+@6T7>Yx_hzCp`ZCLfEx$Hk~{>U)(A^`R7 z<`At&J-a)>!#BJ-MF#`on=vZ((SMY>w9qhg8qfxX)Xykl5hkix63c{#`5Ny;bwgez z*d8QxP7fnQhJ4wd z2^~WwFedaL-hko7@Sjil2~OC{%c82EKgC?xJcCC3boy-l3m7&)R zCa{Xj+8I33o?hd%`BHLSQldfC(&7?Fk+(E|DY2g2+my5(kafX?D|+LJ<<~#j$yuFWh409I_9Iun z|5#^!C2d-ow451qH?U`$KMhmD8uApN1!}?>+P65Qso%SK!8`lj#7Ho-4{0>^;jX_| z*e1CT>6xKGCNl}YLx*b2wlg|NWV@WKkvj6jO}kzDeb4Eei||vHHDJ$h>9DHybeNRV zy2zg~5ViCSRh`Qe04JiWJJ=!LxK|_BIARj2HeM7Z>mngSWJzm4-`@3Wxk@?Y0p|C< zM0d8Z@buTj_)hX1SAB@_x)h^TelF^^J&{!_!)#(s-hwCbAuia{_#0Rm;_aNFUl}SC zaFV#48aCwVltHaiKStXM56hdYVd#cAi}uNdx2aUo}|A$ z1HQK6R8}_hr#y+wNsn0hGxjD;NC14@uw8Iy9jd2q#^)E^d%EBNq3)-ZcD~hV6r;LQ z(jD>H)xs)hg@g8jbB$eo4U%(~lZZO;Un>NEYI^+dX{)rTm%F6qDr3xg+*hv48~Xhp 
z$yOme>=^hECt(isB2$=}kSf3_VA^CuJi@oC3#XrZ4L6l^2zs@IZNLefNP$$HUrX*M z`qDO{ffMQKVF*#sRY5vRdOA9)h;^=9jd?$Dmj5F&o6keo!U(77{9?>}HPM4?6U1(T zX$mMG%Lj>1dcg`4Tw3%?+Y6rj@LSZ=zp4G2vwK>PQF8n6>zvQXVki-LIkuiOA*{oUs!3|;_3l!9KP_E209mysKRY=B< z{LLZ6;=&WN!5A^(ZJLm~4~ixz4dKwLgx+6HKOQ$j166-9BXG#n>W9v%=&?kv{q7jE zH(HT#D_w&tl>)A?1OmyClUVU#=?cLVvdYPg(W}Yu;MKq2-9bbP#DB&y6{?~AGm#3f z1L0*QhIfedohXax%OVkZitYuKLbq}Vqx(7~{CR#?;pWeGu^xm3fSzLPgfH3yS<{J> z`IgYf8^0=qlo*s{f5B=}RzIw8at_b)P#$CkYS{JU90AzH1VS#`d{JEr#4JaxB33Wd z{2z>WUY^8G9&w>3SM#4cKUfc?i`latv91xl@Kwl-SXmxbz9UsP`_8C(1nA zlwBTj0QmyTr9T+{(CO_#s!A}wde);9U835yjulwXULN*Aam&kIT*h{VzUyW{(633t zRgv(k7=u=FV0ckh;OOvbNLY!+=vDoZV1?R}`X!ur(ns4;5iSpR1#h49#&}p5lOhSA zl^pdg=O@|Bo7BqwON3!sDu3`phguWYr+N1!?&t021Sgy?et6J50cmNSdN8*!Q37Gm zZ}32u9@U%tpFIZMl{>yr%=(Tzxars|Ngc}^7~8s7t6MML{$G=-{SDj6s5CGrVsNVP zO`Pcp$H)1YaIXSed>E4u651bflqCysd?P8jj*b$cQ=^+nLd1=j*@>1^JfD`}VE_wa zc@zi+?GZ?rscSb6G6UGg(#Pf{hlB7T^mm{UzT}5l{I-3icYso(TuX(MtPqBpArQi2>AdV9(epk1lu0-CY1T zAF<3Ht*`_=&b44Y+Q_M^!rq-=n@GcWv5VrG^jGP{@#k=dDs7I(dS9Cn1f5#B#b{7; zUoUZ0BJ9;GhnYP^soqq0`{;?DYY!ixLY);e@~5HJri)}Tl`*upI_3}VP5`a5B}}|% zvJmqJ|D>vj^rr;Ebd!be&>%leOdOzRtfKw|QrXeVs6Vaz*H9CubOD`o5w~E&uA-Aa z)bGl(C_qj_vLeW7n4EE+;M1W$Dn;2Wm(Q>>?XA5lCRq75Z9t4`wmm)Mx6yzgMD*9M zkMK@YE*fA6*`$F@FQN&)DV0Uhen}4!IU5O60a;0v$2m z3W?!zcCL+EUNoGE6QGgW&y)wt=bF!tTy)`u|0Y`_Z!br_;_f5$)1MA&D95erTMqc_ zpI_ZwiY$A%iPDdPK7v#qmru$>RMrG;ZUYg!Yi5pw1r&tS;9nRhu2%xlgX*KnoR8z6 zUcfEEg|4(w!$@H=fH~pLv2+!+#!+;`2Kb{S!_Y2^>oIqTK%iq=sP7rUt zk1a(-(_1Q{3nYzx@a2_XcJbT2PoXT-OnlgoUfPfl&9*@rJanYK?r?ut;=Zp~H+wt^ z+r2A>H(y^a!3-U5_H@fjBE5$bGUk4<(U@+P%xZyTW0LI$&kNjRKM#G>R`B|NJpE&M z;C$Ep57(O7oElSOYTLG_w#`g!+is_}t(n@kZM#p;>wo{AS2>a#$*Uya?7i0dYM#L8~sV=yh?`rdR?B4`M(?U3{O)5hLX5 zAD&7H(%Do9jN_ny#YIg7eCJ24SUYeAdaq|G+Z|4dJ>MFTW&W0T=ZJ#algEig5x#up97S0%Qp@-yc67m+@xycM&U^eKK@!Q&3nlbWLv z{dU0Uebql*`6JRMj*ou#XorT-;r8zbsngZG{lpiyVqx8(x zKBo1zcH5uo_0CwEt1r^kF7%`&3VrRIT(pbaQS18}H%=W~6@KO55kBG;`|WEIlGR%2 zG$o`!eRfqirx-i0)WS7(@{in~5AIa*W19YJzxO27A2mgzoqco71$rNT 
zdJ!@=Bl0-w6?h4Bw1OBB$wi*A*_dP?dQWX*LHXz#;4o4|TyVVfCLYbQu#r{dS0umm z8JRl|w?`Q9Bg9wnBhxne*Ne}&wdyi+hPJ){td1h4#C&tho$8AG|5~zWq8HKsIptX% zd~v^IC9x_Lq=mJ5kAsoS48VOeIpLO>s6NBiOK{+v^vH@QAFU?-2(|moj8c4qMxiY? z7c{b)Y={^>;#cEdIEIP_^=?5#^@Rk@%I$MgMy{*b{0Axa#muItBU!RyQ6rPv9^Y^V z8Za1lDZleRb7)Q2-KJNhOe!VZkL9FSs3+W8DkVLYN~(^MtJ?5$m0GU0YNe2=wlZ<3 zWs&{o~?&RLKW#Yqhpv#W2)dU)^EP8ViC335jqJMaY(p1siGz*I zh8QmNy~Qjz0NQFsFdQxKeXBlDK8mUDHyr{#3tyksK+Np9ew6**G2}0#JBA7SG_e)S ztASksgGw;=gt|lpu@t7#vH;-}4^OZ``}$&JI|&otJ`S^S2C!&Zd@~w#nb+0b0AO@` zR!~Wr`Np3=OS<~naL}}IcjwcoPOAx`(CJMFPeYOR^<!|uBpv|G!8z$j|o@;LD8D ziG)HXZZ7smQV%6aAakAj%$ z9lRRdct@+&DQDC{>T|`$Ac)Fyi0L0%U(E5@B6p;;zU!!?dbFt>2jP;gb!6kic(92YhwkvDT+&6!%kw!JZOQDsnV zE|0?K7_|iP$eilMaFcj(OpBG-@R%kE>AU_V|EQs`G9}=3ySl1WE$#0vU>%JDRb{;cjeZxSRQ1tkKt0JfgHce-6)E?^QtA(~1`QJLmMJ1bX{uSb*b6Q938UK?j3)vmD2J5yQKtzcq4K?SSUt z9$`heqw;hGKeSyUP024NUgY{?_NVw0KK6}es4){j06dY=dwY4i$j&7}rfjO*<6bar zgb~Zv&he2X9cxnM%!r9)`-vQme9~XklgNE#?3c;y0b!~iIHX8$t78nC4>i)S1HHR~ zKlwr)UF`?W-<~&pd8|dhYJp4h(h%yk{ti$Q?CAmUpyq0crD zFNyUD_#k|4tNQB~Ccr+iVx({2Li!vEZmjIrD~^dpFqnYd7deTT)Tl`qBJP3 z=D*exA%a92NMuAf5TD}PbWz6qA#R>^932J5(v_zco+K3K1FGW*)?%aB0nfPHWje7Y z%HMgXrW4Oh(!?~v)Ro?qx4jg`c7I#6wHqu*6%NaSwp*5Uc1X(r zt_aqW7VbeIq2p(13jcz)hK}A9^gLU($R&vxD)m)|`mZxYCJhP2r821yfU;I-Z3owNT)NW+}i-G~Sl^PM>T z>n8r}Fi}*`^~`?;>DZ<>_5B1FQbOPr82`4T)fs|FMvv~$CxZRQo`-_J_{jq<#0hRG zwU0Oq?escqX)pcAF%o;nt%m2=?&*7>jr#KsuK~T#P}_gK`%u-^wvbQJN^jqyji)wS zHm^=TXviLO8WPr=Fxg_bBQwt|@Z(pbDGn{mozl5*U9Ry938LG!eZWM;6A}pvfGZ4> zg|Duh2!4E<)*=@CQ%psHLvqG$ETI$pNy^$`$6Jr*v)?0r|6!U_Pruw`G+3s3p<7|f zsrzJA^DYW&k*VRF47_^T8QBXN<4v98=+>s!>L&f)cO;F!#|4GI?0-b~Ih{&RhJ)}| zEX)Q<5KbAi4n8ltVAGL{N+b-$0hbJ|qrBZ!o&rZKM%wy{Ipc*MOGsH(IWd3vw<+)Y z>AqtG7#b%~s)ZahqZ>Gr+Hp-sM{$-MWxn3Z|K;p(hJXLsfrDbWMt*+1yx4{B zXqpVTxQ?S6i*zrWkzYu3!@cddpOn{K5B|7HnRD6O)Ss)aKtSmtn7Ygc7(!AqKq22) z|HVpNJI}^OZ?F7=h6$*)q)_saxQxr=|p zV9)O@+nxTZBm4Bf#E*mOKhCT`(Lwe9HOySzFur`5J^H25)^tPawI_N>)&E&q@4hUp 
z1M17=&(zX~<=((=@Kb~rlb5N>f>}`82+xbaBwnM3+I#YfrLUsWN>n3H`}U4J(`gfLr1iou1?gE`1ymEl z7lMXRflQJN4KbTB81zgwZASt3P3geZC9s~tO|pKHUjn!#_RKv)+n{~1Uo3cOJ&DvW zygJ72`S&n%DR#B(zd3ju)f2je-G#z~SzH4l&i5R0c!qP5Vx-HZhRgrh&p?U{w>f)e zy%Myz_x20lrGy7ZCA?&7^Xc9EH+u^c--a&7Z;S7~ZeeV2U+~l)$olAy!-jrY*;|K= zHB0r=L?Xbe0B-PTH0Yrbjx5SgCTg5dS#F~vPZE_#YntaOH@Hfn0>MQb(6Q|AUvt}e zg~g#fgjeCA(vNSp?6P#dw~01d@|E@iEhXspI>a(IL^+Cu(ads)dQ!KU+KkH4kUgTd z8L6_0X)f#Mb>%N|L0U01Cyki_TW@DAGOjje3mD)Ba>h;F3;s#$Q6Riw3Vv*mg~*DH z$F)%l#!M(!FeAZ~TlhAUT4(~Sh}l&11282tf3a|e`v3kxxwvU-=e`3o)&_TGKjPq zkO8Z;|B=0xZJ!+9x(^KJPl}pT@Vaj>91<89#Z&O^8m4O`*}aY7{;(rfD#GGB(^bv= z``NE$w(X9MQkTK?Q=)Kii2bF;YKN6=;;duWyyf{3D+Q0CLnbm=2+u0Ne$P>v;aygh z0O9IOc|R+umDdy86AqU9N$(lt}Sjd`HedU2)jq9@uSnoc=Mxcgsr(2Zt+<8})?tKj+ShX=SA^(;WCrfOGg$59&I}>hqC>(i0}ke4UZpb@l1{m``8H$-AUk9#{=XpH zt!ZdM#S$dYqmXjI&%>l#yAdIr?12M&vW2vKE~g#q#hc&1T%jKXX6&?^|J7hs)2J&}dp0+}KR|#P%ewk@KD~|u&nC}Ejf#q1np&ld|gtg&K&nOjIM`m{PCj>UAlw?2c zDle15xL;Jc0X+zip^P0o3P;5K)F8|lVhgCbl!rz`DYb(OSg_Alk6>r9h@CvBunee( zRyI@(Mt+}8aTP2CTZajs$|97l`t{i{qBSPG9+u1VR{tjDjLI#fU2mwrt#A4(3SV;H z98=6RcyVV~bU-9c0F?PkwNO*SMyG+)ep-ya;7ndHYQz$N9p46xZfL;V8ePrWTXSr| z_eq^{DA)!`brLlReE<`sQdz^Ulu3BDC+KE#gQEMbRF%L|hc^c$ACLW8@~?F7#L5-? 
z+;ICEhw4;D$v^b=wODSu2^tj9LS{ntOrxkzsJEzaF%dEV(#m*mq@y_C`CMO1Aaec=$lH#8kuGcFPI2Sej_}hL}9xV|_|9ybv7OmI^AI1{N zmd0lsS{qkLG9j^aHWcRW7G}3>#huwp71f93uY|mMSLo}{0&UZ(&M8W=Fb6?&66<*M zayLa9gjkGK^ZZ!qddzY-V+G^kv@%0DyU!DU4LnmIPh31u-iV0~@t>W0y^CXSA4@R- z{%4r4@{+X;!XSUxXhEm#n8uRxkJiTVrRazjkac@UtYD^95vkvey`OF$j8o=~nZq2l zL(x?hw#od&;*L!*qYf-_nRqX?d1ynv{=_+8KV{J-Q>W z2ODkx6S3t1J2l`yAR1msQK_XKePs&T9!8F^PW6D+*|Ip?q+TsA$&r3(r83{pzvR&s zjqj%PeV($J&%1)Joh$|jKkMyK%;{tMseYb2)Yw=NqT+!O5XQ$ z@rz*Oh-)9S!-Es2kQL?VuxHXiDSIi5J1V*Za+bbj8-1#Z-&E?lh^{yB`K43{|08`& zeXl9zr%m~&`8>J{@j0|8C429+fj67q9{WnrWqfHNRP z5cm^{O*iCIqot7a`s?d=1LO-OJ>bLfrxj`RkT2F`+lIME+OoI&_0cZoxrlB9aG1<` zvHv9_+|)G({XfXSAEdT!wHvZBMEn_+zKBF0&)bvKdjltsDAE*~)ZV*Gsl2zTQ<@yk zP&W9+FyZH4%(Xu=Wv)KPDOy8eSmI?E49 z!H-$mMoOv0n95)Ve`LR>GDrr%@}-$#ox@e$ z%l*UJAYUXTqfZTRx!DTo;lqCvx@~5!rF~zaplNHy8T=F^x=-Z+k5qMsKgLe>zOq+H zDoG1}VhVyKd%2MK-I%TnLmsCWKt5YcrK_muDjA9;P2;6_%pL>F6?d-a5;$EmZ z#RN0Fm}R#psx>)3?|LZkzE0G0S$!m&yPxX(A7Ew8Ow02-xeAR2h+js=GQ9OgLr9dG zH1E^pM3h%<9c*@ccPW4sR`%kifaiP6;-&0-KbzJVpy{FC_H9gzSsxeBQAx}ytq*@K zx~)!Gs8#AB-vxc@He^&IOWU{1>8XAlu1(Q|st$RJZUcQ8k=KvE85KQ5x2|n3x&t|=8 zMMCxk)t0pNh5#;(4-*lCuKTzIL(e3JLDFy5F&9)(MmU@sPDOOjpu#^QUqB9XUUDB8 z5%WkPoB}%w2~&h+ROpzAWDa}T#5!x(=J!lhasDq0QXrk;*J6^aaBSHmGM-%Xzr|$o zWC`^P$pojJPqNiOq}yjHq}mqvm5ze@4>GB{V*<#gXrSuuDD%jcd~B6iq{{6j^&U<{ zx?7BKGc37_t_Z;dl++>@e?$|cPewrWUzRl=HO=#NyhG#C)d@#@e9{xNmdYC z7Ay?2Lb!{9ba-0*Q7cV8TPx!Mfg)!wdoc^PP3Ts!}M#)j1Xo{RI;d48_@nfrQU zkLCG29OL@xkDZD+n9Z}gV_wkty6x-MmVNazGfdm~`g`=|SzqvqwcR69zg#mgwZ4An zIG@}n{hODWvec<%@uB$<&|_GZwLb*k}dacgN`ytHX2$50u!dqi~g z%z7^dkS~6^JwD_O^UXQ8{tD!Zb-q`j7tHg5Fy-N?a-zuxofj6H8UaW8_}EVyw+$9d&}54vC^(87qtCBjU-n(z^jU`Y3NdhUYu^l>mGUaVd1()M zzv$ZBTuw>q`h^Z0OIq=9<3QDXmT-oxa`%pY__CY3_Sv?#uAbVkzdwxX-R7=tu5O&3 z6FPf=rbzfNmCxoMTspfxAbLT+o3eBKZX-CmPiJ@(bTJsydq8wUd~nqd7EHe+{hB?#t4Zu)kz zxf+c7J&+L(@$o&tb<6D$N$7jD6vC*y5#YRQZQexvW0RsLMpy7TL#!dNJI)C$qJi@E zbQR`fY(-5-r3|xc#7tWA(UYD&_^QNol!m?m1-c_#! 
z5r$tm$72f+;MKD1^%6fKi-wxxlo2O`lio=h^UboP{v$g5mB?*o>O+)n;6R{Cc^t>o zaLD3soZ8Aw(p)Si0+wliOq`X|g4l6pRGgBM)9qi~9vOS!U|9mf zf7L|hS7c6B?yHz^RFakZ|B8vplOf3icwa_N3s&qS{|@qU7gZ1GugqLT!Iy2Rqo^N9 zZ*HL7KwY7QoX+)de1m&AcEYwt8yKW|!7rZ78gw=v<8SJsrTE`EpdoXn;#*!sE4p6% zN@QOp0HCkYg|$oxc0dnz8}ueFp-#!qSWmi>{bZAZQe^n5AjorQWf&9x_QMpwIm3bl zE(?Uh3`J5Y2{8vwn7OelUIzbL0^(GPGpMr2j4~|}laM*XU1Cie3L;$+@051&g=dW- z3O2_Da7mlL@QqgvdQSn)(rxSJ6pqVM8B0r%)^{leU^zFi>023JpxnLn*-S@IBV|`K zy};p%&$TE2S&mHdkMA&X3YnMzqStFTlc85XsI+B^(l6wrXDW`hKTxRs#O{U;pEc@OqK$t$yA1 z()}!VePexGyv9B+x_%AQLbJAXYHWKbP?fiIkuq213#lhdkCpC$^I7^gGlrZDZMWN_ z)DLmWF)7~3((%V3qfNtEfS*b_=|S$LF~+ruBneH^wSTho%C5>FsUj>HqNpfF_jXJJeQnS*}JGlEN6{Fkt+`d3H& zm9Uf5VW`uU{0i6&So8<^F9i-T$Xs9}1QufUnHn*Ogu|2o)VHKovrVxWcLm%z@YsEi zGeA$?h$vA)0~mBu_5R)1k0PXSTHRBoX?}k5sA9U|!!oHyt!?2T!?izyFU)L7ZK>y$ ze=I2aBk@S_lTf}_PevQ&uhI@TtlVC)kC{1y8igi*P2H}&r8tA~q-|z1_(jeHqMH#i z(^{Kz=qX{WVr?$KGHpr|^ihOJNfGRK+wJM;@AkrKF}C6y=Ho&4_f zF1_NMRUwivoS@^Olvn6VP@E^B0o0B-vtavFA+IYVr7j01(yk3v%WC@L<}PWb7 zl?$+pW#AiO!aT+~eLP{5JB~}7lo;?o-osYHIPbgx!MQ-N;wb5$U$~TL+La@+rZ%$E zk6Pl7rg+VRzsDadCtT75?H$Y#f2Kg^5ZtMPsZyuyP?NVbyb!NZBwn-SgqZ)JV|g6_ z4bxmY1L)@dpP;ll?Un~?&wCXN4U%{vFMnQ{iDF-?*gG|t7K+a`7J>|Fl0- zoqF1mX?&KP`F4fZ@i$@K)-!}oh`D3+UR>-wL)GgG9c?bOl*=8BmG zV~C3d9cSK8U1u;rYp*(tBfv8x|GJ|da8tRy)H3AdRx^iwnkiKPpGhd>Oj^Yoo1`G0 zNiWZ9if)`ZiyvY>s%S+6FC~Z=LVZYWfmouZsf-o5aKu>|obDk%xz?rI`u}Gs3tJT^ zReWWJC-+0xBv>g10W4L4_JFvAtAgj{Xjo+pnB#9>L|z*}x`GF#wu0v0dU|LJqKL>n zr*2sP;eVEO!-F+ zBK5094!<-`p==@?edV=1{2b_S^QfEJSrqMVvEV~6YlwTTG)S#s265{NjgWwxtgaFe6N7N; zP}wtpKe%+hW$j6|E?MQ9JNV6@MGrQD`G4#Mm<0<4zW8SL=ieh!nOQ&BwJwKvpUYpr zq4*`^Yh@9Q#ilvl|Mqxhbk->T9$dA=z5*)B1Sy(}1X5j<{{d_3CWJfVa2mVYnd&Xy%c?T3rfVh#V zL=;)BlH@=yUepCt+iQTSA?h(bp0cX7UdZUuF7oA%*RfUE9jwTLDyqUF&HoPO zJHQQDk#?7Bn5+8v$6%QJs@+oIRqKK~_k6YHye!sPuBT16AI}-`DXTO6#H{9U##4f1 zT!Kp=YDq6Vd4%Cu)hlJuan-6!siwM$8Kd9yPbC=Mva!xYp{DPt$Nsm#B9fWv+~h2# zcO|tsbB*PfXn;0VPB0;ITjlx3BZjw+ET0(-b8#7X(k-l;(Vi0F+acVg^F^~H&LjQ) 
znj234J;Y<5)xI^%GthxOL+gcUER5Dfy!CBO>t-fw4KZ#zx*M%5Fsyf&oZo2RN zaqpgTS)wa_+Wy5N`TXmY9A3(~j?qx3O%bwgSQ_Q4_mw{>zXdJ8b8zv>XlpaV6O7Wv zNl^2u1i1h9644ZoYWMA-lUB^Ib%V3PcklJ8K9w%vw_3B#>9mH6=ba>JER@b++L$rwA)y;7&1cbPTS;+a3YpEO`OY} zC1*?FtOl~;zZx;zfeg7Olb#@AjpRx>xv5TJhEo}aqqaou^Eaxr0?}8oTl{gvEG$j= zCq(mYSeZw%4~hDZwUy1OCNs}nd|x9ZT5#Ib?0dh?DS^>S(__L!4Ekqjy#$<7?D9lj zP=I&1H4m!e+G{`-LHJZz8M#=Q}hCwEtlkGdjv)u(;1In?!Q!4 zqM{ufb*VOIL^%xH?PxTe(e>R? zG8f{K`s^~H9d`Y*P>+9@<>rS81J;ZI<3v38wM;!;dd>`(49l+26mlrZNQ`a#Am9#% zsXY=Q^6NTYp(@^SmcnkX;c6^LK;K1lsAxW@X-{N40(!VAK12E`A$fKogtMq7d{T z;c(4g3^=E2fxpIV`gDWZRQJtH*jk?ook4=5r-U2|uaF%QJ$hQL`QB)T)s)NF#iv`T zkqMLeYWMGiTHwOhPh!*hZRp3;@=K1@rldp^sYD<6aNj`8CV{L_H)Ov3n>YluLv_?( z0L!!NV}U&}l9j6DW^?s}4Z5e9Xm3A%xn9d;aB<`)J)dATkY_LmqCTf# zhum4RHF<;2lrC8+7Hh4%wZar)+T}zJoDy?t|8gCN-R&~c7U`>JOk&B|ixxPe=!9j$ zM`IjCH2|jPc@%5JjP*Wp)xO&(G`SFswN$u~_H;zTUk>)fi{Co_WDvh)hGlw#)FLbJ z;7m_Z?Q^Rb_7uClnPp@kv|a1)Hb>8sxUG9;jt|U;sKBTk?6CgwOr%73Pj}#tkKQ}# zk<5=)Om^t3_ePD6=3$-E(Tz3whG?Z)VFcFkY65o#nyCiERdr{=^KD;Y%XVgZK$`NP zU!fGXhBA1}S#n}}^5(m!f$e#OBvtD;!iHS8i&FCdxHji_6z zEHphH+aaxyhWFqR%WQ{FgwcbIMrnK9us%C71Vd~7Uz^F4^fx&NP_r;iE*IAPJ#%_y zXn_3@jrSvRrr?mW%9J_nN6SlGnTxwZRl*6Fy5;2WD)~FYCbx$>eo!<=>D{P7%um+N zl@y)O`TRJOEO`VliSnhb6Mv|3Yu)!50vL)f zn(~7v`bp9!{@&5Ml)x6RX@V7JR9PHfF-^yd)@m^zG?FC5es9)3Dj27`>jvriO+Zjx zvP?NA1aNvk6xrpSOI>lLxTUQvVJ1i2I`d5y0r(B%4%(5YZrnIAv&#xM5FT#{g}sv+ zB_(F|ZEZ4RB{W{FD~aFF(h91m0rDi0>oz$aDBeL4p?hg%13E)7@7V@P|JJ9>+4`1_ zral$x);)#IQLeAik~Fser|9|s3zZ;l)kxJrj|yz zfe)73@*XerSKm;;kK!^8Y=2yjTy<{EnDj>`CX`w4)A?_F>z&| z1YxkzX3V!c-q_f9&gr)K;j)|W+}&{RdszKGLm*@BV|U+I!8P6ips9U9UUq|r>V)F_ zP&=Hj)aqn-F=|y}zSewe_~+QlFY1q4{p_iUWn)f+buxmPLV1G_))stDG{TBjT%;Tj zdsf(zJx(h!vL))$xmRI}(@3xSG0Ysm36DRBpv08$8rFXbr$n_4q|njN8atmB-kn+# z-@xnj7~0usK8ymG6>Ts5wI{xUgN};01l&p5NocBsqopT>J~=x2{+FNoHaAS2dn+|& z+!0b!>vWobFDwDAz{0z`a?GSp7@j*8 z)s&^0D5RuGnMttfM*orMl{8|=k(R9xUY8B!s40)-_Lc}RJcLVv)I>4kwBs0YDt5&k zCd%a=R3C0KswZLra(@I0J7jH*)EKyfx;`VUKfOPK;Vp_$n!A^7!-*i`wzVd6*CYft 
zE@I^+<^G~!3UCG^m(I?z+&IJ|TaZ&0l_&A`?P6gWzYgYjvrQz3X6t?2?v$`QOWBgq zh12zDRfqz+Q?+MTp*jb++#9c+zz0J7n|)#sx{xOvs)XlCr2R~Su);Acuc|v}F=c`! z4G5hgsbC}+3mD6%aOI}yv-~8C5*Nx{96WCbH7|zB)Ag@Q9Kd4L`|0Rw0;Qc)cwj2Q z*cd$h%<>a+n!}^E)UL|rQibod$a2_;IBQTj;U*BSj6IJ~Xq6kAy7qJf>ER|FMD^RS zB6*phpY)fAkidYzlle9i-6i$#k4d<}?k+9w+t1L5^%b&BCqwGeuEbw9r&p zGm~{t4Y)kG0rw<-7P|iUSltxodT~7pmWRD7?{o@}k$-n-CVI7tj;2OnDadQbSFVo# zdSHND=uaQlq{&ZcXVo^-QzH%<7yVHG>Zj&QiU{vv`<`wRC5O^c1U8}ZBMIn{2>lAo zKXsgwB_r=F?Id?PtoJEzlV>Lc#wwz%O#Twm8O>l9-|iTWcc{ysU6X{Jo#YOh6Tf*{ zwW2Oh61!DdJ~Oqa%P1QYxY4qd=l%KZdyfSKK7ncaf8v3O^MllS_o|4@Ed>5__kmW4 z9n+8qVI^9~gaTX44x5U0>otrAo=9?OE}74_rX}XZZdCC{&vI~;pL*^U<1C8h0iLxG zgn$$N{L2m64?oBg1aQhC!}|cD^`3GpBB(UETXfEz+*gtkR935k$wp;E+&@eR=r};# zLk9Xy&!v(;WKV#cOyZDqoUV}Qb!ewzU$xYbOH+Os%5PU%!Rr9Jd(ob8SkrGq=wtiZ zS01z_mp4$5z33)zsST#yISpNsg3(ZM!x@A8cma1vVL1K;0fK!xl8PjtiUftA>+~&u zJ#Y&@8>RX##wDdI$GBreaXV5gi#Y%rka%^}n>}4iV+uPbnD{v6v-?J~#I80d{thoU zTQ$y(fn3k)en-y7YWdhBuOu?l#z z9RzyBth3z!*v#AJH2COWbQj5g)@q+=MtAEq=Uh9!QR!utX_J)%z-$BGer=d}=98|Z ztc5}X^HbeQA}*=C4J`3@##2~H7a}K4r<38;7Q4wdzIJYc8XRc;Nl-Plb+_wX&{wp2 zEa3-YTO_W>9J8esaL1wTB?o{}4(r=UbAXKJI8wjhnV%^VH$?R#hz{pl^4AQ7Wv9f- zVk6gR^q)g^t63$+4&5JcYW|^W;Z{1_CjAakbcFcRBAhPuuN2xdQhNHg553-??BCnp z6w2GUCqUHj-rOM+*ae7sTuw0HV^R!Q_nuf7u}hgP06oSzDiY7#BllPaCfNIwzlW37iIRLFr__ zEBs23dd~;H%S``$pI#lLf0yapMNinj?Y3~`rISgk8*AKbDWk8o`IjjnOSibz&az~_ znJm}VL5nxGMWoWDf3pNDHVPh?8zX#~sLeD5zPz{P?6)@QQ z+Xb)c?6}gBC0-6v{8_@tiqb|Wy${}&_@nhI+erS4>a?#3J$fFHEXUJqILNn9a0qE78*d`|Bkc)7gs{ z8aov+rDx?+;3;O41wWYmMqubxStzIcX6qyo$&sV_rs}CdY_COp0xC=~+-v07hU=tG z@(@p?qSi_I{xc1bn~$ox$txy5$yy;Fc9%iT-{9NnD!tiA<2U1oNAjvQ)kqj4)pob| zR*#jYlOWPHP$&MBbkXkl@9y+qXQb%>MEY50B-?hFQu-E+G=Tl?r>^GKW207`w?{FN zVbnbS8ElJLg43J!!*5ay#z6kdp+oVTrb?a2Z2C}zCU_)(0}=6Y=rJNtj`H@}Q+g84 zt7P`r_WH0|#k%l~{XR1?x%w?*1b#AfU3Q7pnBFV+cw+kd)0^@JxSb*n490@mQ@XN` z-&=!L->YdL=m4_&w6yZjgZDR(ndr^(-dV+TuP`syYA&yuE>(iTz1s?=xA zaIIM|n=(D%!^Sfunlh8z<3yv7mIUh8;?8 z#_;tOB0ywJt(b-S&sqv6Yc~^LM&w4-V9t-;d8W-udXVMh 
zybLlZmy9|`{zLlw4_k=e^xxXU-Ts5qf$S8hK1xu4|I(+sW2~&*FDHe?dJ2mK%ts{m zQJ+y1;w4mo5aoyzjCUHN#5B2k;wre)tq8@hOR4yrguV97rD+YtkB?-kxhPM~73UcjXhC4V!D-Ekv9}QHSHLc;K_}MeX((O1(H|bjkT|K(CRn(Y$ zt6?h;T>cilKY}D4F=xC^trS}jlg81Bq8kO$4E}x;08@vkHxB--d1LmIZi)QW>8m{c zK1wX&Y()nN@hakc8ftr9g@dJ-K0%4AB&~B1 zX}Vyoa|y6P&Z~?YtnriyYdCo%*B--yO$0mXb6TUFi44{w5)S8_(Zv_4p8V%&T#->u0$v zo^02X8)n|7_%n>ty#Bnf`pSCq48+#cKHx_XCG^~y2R2kumXw|H$>F=W zhBx>R#2Y*&cEMAKx*26=MFowSo``6Xn$+GrdY|Ns-Fas$V<-XbQv*%=OwW*>G1o@L{G(2D13Z9G870*+mfpy+PIH9 zKFnILeEfpy%a{bVi@0aDOc&r$C&GFZ?@^f{)V0n3qImHb#?)Vm`(y{R8pc>{#=P=C zS{J+q182A&wWZF1dTyarFr9kU|GY{F^A>4LxHR`bPMyu9JNba6`zhi$nAVNxV4<^t ztZ8`~RM=yO_Mi=-y_XlP75iUD*Ca+>tG0eI?9DwW%H71pU9N{tX{ndqXGtPD?-cZs zf_w>d=`gpeRtpNbUaIwCk!vFYII5@k!P0y}Q@(ca>%Vm`;0~?O+juG9K`|hZ(Ls>6 z-ZmMhhWD4vGj)LMt6vGlPenKP!PBqZxH~0F2cpL(0fTudRWL%QUgcP(^A>;WYRW|1 zQjrCdG2n5eu4ZI23&sst56+q_aRpBc*n%*q^_!OD$=+VqRl1&fD5#!X!GxeHHByTO z>89W+xebdjrVC;}I%fj+Jxhu1kbKBO%j5PNMBVK^9UFjMhUm3?Y8JM@Xp^cClUo5P zw4|C`T5oe#a>n*>FN+==$e8le;T=SstC`8IO7@)M-$!s_;(Y6Cs`8A)&yX)|;v9@8 zqZY~XrtIXOe6$U1R@$S1JI2&bFyaXo@0qd`&>_m2jLQCp?qw1Y?&d&>|5CV2m!-)N zt=P1R$pX;qAU+%T9i)2NkA)dQFBvX-;;-E-*mi z`P=IJ%{-wKR~$ArVm3A1wdqC?&@+aB&DAg6wcZ=!G@J{5T-xfm*y6*F6_Mp|2*p9MRnWkxj%(n*^+rK4jshltC1D3>(k)7z;(#qMSPW zxHh*+3J|2ab?Z@5!)~wnb$E3~mVysj@oXz_DuK@4RrB7gTMB*#3Pi+MbY-sD6WW59 zn;3`BH+lyWDiNB; z5E|$~c@!I4|V z{K>x@-dS-bZpFlqKDz}~MOvA(B19!S+zqh1AvhmTYZ! 
zYn`_d*%!&Bfb#E8Ae9M^0)aTy-q1B$V#x)3Wy3>=A6&>90r@RUsLg(t_m>O z!9D7AKp_9LGu*(bVV-bY1kdw0ftTL53SYqMn>EMajpny-H`Pb3QLzOfMOd?m%z)?` z^(N*jiz5`fX`dLppDCBmVpke{gyi)X`|Xe1<3>lJy8x0LQON{aD3=c{2Q~=52YLx2 z2gMxi=3woP+rgCK$Ur(TO%|x-VGLlIRzCyVFP>yw$gdFh(cez^sXB%f5IBHt^PsS@ zRnpp#I3qeluL$&n9ZVc)>Xe`Eu)RWbV!7?e&7M&h6Ri~3oV1Fty>FZG6!jRb z(D6>GalKwYp1sM8t&VI(1>;=Z`se-Wcyi(zPGLwmzN5zR$>q28a*@#&egx>CS333< z)KIB5=soahH$H$we4iD@U66Cpgv)m&O)3Aq#k&(s1qA$?frsIZwJoh4H%#u6q~*#G zoBv;HUl|lv*L8_I1PJc#PH=Z8Sa5e}+$}V2jk`;5cM@EK6Wrb1E%@~Fe(yK(RZZ1Q z&HT8%PT#7t`_JjS?_O)2ec0~9cTJ)AZsU-q=Cmux)pAVI(x(*=;4YJmF}^lmzwY^L zlbiF3+qLnRQoR)?-}Q;D%&SH(1kGr}QTArDYQ<=`r~^s+>rTkHW6Y-Q$03w*MzH`m z<9|o})uhf!A!sa12A|_fG%?!YTRkas>stT#Lp!%fAhXyv#xMi4n*s}N^M)9Q6Tt?L(BRDDaLk#CU9%@u4EnQ{h_`^d+$v0zJge`AGvv%g z{6OtkT?d*4`UvX^%rzqBhGG+MJEK&)yCK}$*;9%O;XYB!xpwF0di!xf?^8*bO3qjA z{KgkeNO}zpoAWzIxHXnW!d_FAcGtu~hPpi3UuJP74S$x|iZlrGfJ@%Q{L9J8HI^#H z?&Ok>A2JEuk7tSC`C9Oltp9okZV%SkU^}nLUJL|83?LL81`FL>+EHH>sVmbo`zKex;h_PMTcC$B|^8|4Kba-G#1rrvfu7N5hy1 zp~lY!)Kjo?S;eQ*0S3sTW;H3ODxK!^V&4*f%sJQ=*2Hng4(dzqgRIAY9Kv$ihYVKf zTLJgqy~YE^-HnI1pg6M7*QM&={tf~lxntAEnYzJg&uPFMJdCM5rJ!;B*AOFV*%+(U zwIUIzfZmh?bYlR?<-@w!sohcbo~TKejgiy}DhAJp3kwrxy8R#d41DXcWq4_$MQ3Mt#1sU54=MhZz3bcB=5O@+3osRZN0Y&AHrSvKxIz&_;AR~XYgNB|^Mo3MYxPQ=j&;^MEBWBp&TT&85{6_mdKkQY(i$5)W; zJAkPCnzA`k6|L8qOh|+4eaiGo%KPwr8MZ})1KZc5=_yjU^va$-jsP|XXSzQ6_SV00 zvTSp|*xkC89BkgDtqTytAC!Vena#0is^-=9l32?WMv@8VoKaP%NOnS^4WrI9rX$i! 
z%MsLiA^Hi)kR)s&*1z-w%Biue257}z6o+!Tv&yl2K{o;pe%_c@4YVl}Qf*;rzsH-z z3bc`*%P9m=6w7CZ2qjW14}6mr#CW#-z?VO6BlPr4#kZsIVWvfx!R*r-Ujp>a%rX8k3^x=16*_>Ii#^P za^h09y6EV&^)5Z%S6J!E3+_ATksD8%lDxIQ{Sb(bq#Q$H1Ml5efOmx$o8u9;0!mz1 zA?JBXW<8CDiPBm%=RvqWPNMj!Rw;=dKp~RC68wbgwyE{AXffW<`*x`6e zS1chT{azFR2-|N8oj~i?v$)^>6+HR}y3BIzS)Q=iApX2>KTQpqW#~BZ;L0Z!7n_nd zQc*LOA_-LEjkM2JK@>JyHjcNh2ehaOo^T@IX1A2?@#@JyT0?1E>-y^&5_Jh(NH^wW z54wB-4S%z`R(1;SKWhXl2;)9KJCtaVO^8E0p6dQ5O4aTkzDoH+q8Uw2xeA*NC6Cp3 z>ehVpHMcbNCB#`W>bCjs>(P9M!_>ne34zGbT-n6wJ#4rQ( zXK)r^6bDbj(a)5+gI!evJXpU)bXNLd?=u^A^;5o5%~K@8Bl3e}EE%rZK9W^IkmsQ# zgv?Nc{i=vRzO^RwZqL4hIe|OAV&e%d~MD!!7S;5oh*XqhsrEYffZ@-KhGU>N&&Cg-T*@!77BZ33wzZrdg(afG%Vg_*( z4+-aK4r(6J>|(nbRZQYGB&gN7N(jN#3%m|&l2R8d0p~cVSV2as<~n*HC{%;T-Pjw4ex3^5Aj=n$oCD#W&~T zj|k-w)M}22^TsrO$+KrJw|hz^hlRKW8Mu7tU}J!-BhH2!#Gr>@}|T5E$$ z%t^Y?U&UD(CuWW_BB{7ZS<8U*;eFH4AU@ZH+f#GzmtC&4;2$QlUt9>5nxt!6w$x$$ zT#f8*Z)ZJOfmhRgZ}xYCgli8Y+o%CaKA*5VM%4mQGBRH`HJ)@@Y4TNMHCm0#*?mdb zUx77y442vRq_fFGXsv}Ed(1;_z4owOXPEfbYdH#MebkVr3VjOysage}L$#xnJ!$4GA@9GZ4X9;!%Y3GDVjw3~@EnZf*@ zquh-7xJx#xn0Q&iZFYNAxsG`e^AJp78m5>pwhFxTvtwQI5Eh)$Rj%cFp z&CJPHcX6B7D<2`B#SfBK3BRfwc-7q8++K^$ijmD4=-P?i{~wco&YaPyc3@d z@5d-!WG0ouLH+2O6=^BRDrEzEY!rdY8QlKl1xq8zH2j7?icAXvz9sfc^B$>FK!xt~ zwo}*A3Ml#}5}fHdB^>!TWnG5SyEGlB+I|9sX|6g%9cs{B{IjW)w;OX9Py|L731jh7 zK$v*gY%EeNw+yUxQH)G*yk~<)h@iR~A0vOC#EACk5jy$ginQb~8B;2W>E#=xU7Dp~1aE#$T`+3G%h+%VmZ1F$V8+F{#! 
zD}*U=nYW$N$ya*LVkLIKCzu=S&uWmSu1B^B8h_@HqODtcdCW{)&?8OOx8SnPMO#F% zpX!WG{9Re&G;Zl59EG!KEEhE6%TQt9`dtFzAXLk*Xm<~P>k>)qEGr!W=zSR2K}mG0 zJV-myq!mW7vEDz_Ude#2baf$KU!J+UIqyRl0Mue6%r_ZP3!0)zC|{qKW+b&I`nd46 zp`m!sIr8q+*W2Bc6B#Xq34H8m=pHU1yJASPSHYz~%Kho{234tV)vd@Z3~eIW3!?MF zfMxx$wXHAvW!Y(x&Wr90SdS1=N__T~OPDxW#T7lYzq?J~kaUQ&`ni-x()Z$(lOjirlSB$WBV9UyG>mQi|BJ6OxB`^rd3;Qb%ZGL1*aWV!(i z9l3!e-A}QRo>I$eGSSRh2lw>!7-qj{)E6Yn?9x&z>o zTj>N)lpl{M*lNE4Id=f_Nnf$ACcY0WR?rsBf&S`Z7%}bubY@pZ1a|<}Ax?3U{4&yh z)ezZ;-+a3hqWmsyiwm$mV_!Gl`Q@lM4=nbn+k-zQvg*%Y1{aaa=_ml$I+P8mskW6) ztk$v{%bfN-HQYDPDhZh=AW8FTk0vaNGExZCP?S<)Y;gbWYAyQxZT-^G>8JU1I((vt0@NOf=s*BI`mtPgShO4zM^#9Z@@ zJZ?K2d`xR<+ZSG1V}5+bZH){pZ`?P`nc{feiNX=O)L#$OfYG7vsurnFn z`w;doP^>WZRDn5P69B4>=aWEtm>%5VYsbgVq#O4r zaPWB2(Wra;;$S)Yy^A@4&cNAHOt{4|=$^s`i!D|8`EH@#rE`v)y_U7t*blMA)NPov z0zb9U`eZ6kpa^V9LSyLLYNcuzzH&)5pfT1NoCmBPJrEl*fR@jF#LxYN$hV{n0epYz zuHWLvAt>ihTEi@Z&Mguj-i)BOZC?(7w>;+BaIfeBC(#lm(=pBcJ<>-efpY4RJYWqO zs|%a@%_;7cPO*PgdP*K)!|KaM&@0Y16_7|CNGf??P(raqp?-*pYrrE4ia5mpZ?O=H z`qaaja2Rgk`cFpMl?A;Ku`@#mp4(=u_fmcahA=b#+F==)w@Nxa`bT1RPi_NRRl?5e*g2_GZ7Kynjk-9_si zIZ6c_u|XV{SI3=IeWC01?%vt#%3`{qhFrKy35uz0v?=ib&_M937`_5cn?+M5yoJAA zHDF4_<{Kzoq434fSb6QGy+}J?+W$|t_1F58W%lyk(-9CKWk>2cP!G*dZPvSy< z{>IFME2CtX|3ceRQ$iK;?SvI!8}5=ZJ!<3(8hs2Ga=5b=vd=jKA-af^hUe#S5W${f zlF+oVIup%PIBR@oqZusFEG`ZK?({J4O_hQ|jqRe*7afwqf2)W;x<>}tw>19|#Tr$+ zC)Ch2WQ0^xV9c=_FPrPzhL>%{!oZjJmn9JT#@uPFgx~~qp8{rqi-8qR6EW1xGLA`ITlOnKt3|Wj-k6Ep!C=>*p zyJCn!Arm|tf^T=lMS$2QD`8Zeur>B&=8QkaZ7f;#D1~6>it)2)BzZvtIe}CH^0Uvx zYAtu0GQza!2)39PITe9o_IWH!L~}5fXcb=6wZ*l$bs_N&glU_wMf9JH&$X_Bq<8^W zU3p(tjJuu|%Bg^|i;$YaFUEpz@g*A*mo%TX0ZoKRNn*U+Yu23Vx3*Vz5lU?rf2FGN}lo z|JCG^9Ij<-gzLLxrAz|AIJSkB7j=Q1Ii`ysk z15=(?x$`F%{oK}!a%i&tc0ZK9?Y*uz-18cB|4j~YP@jBY)EG7Iaep$ zbQ9QA?!xa}waPx(lB6g?=>G-vGe$yKw2Xw{6*H z`}Z4!4tJn8F8q`JuiUTYPVz$?JNC{D)cOaP0o|sZpM8z-==7i@Wvqo3L1(d4oYS2C z%%RRd4xC8CUL7Ku>5W%#mo>b>=IxTJi%!w2O;${PiE-vTW+B3}9OcsX-+A3?>6`i z?7cHnj01n4)ngdHPeYAseM_Z*xE0%)oG91_7@!8E)`F?DBQTX_k=Qr)$JP}A&z?y4 
z-4UGFr*6QB-AqbiOl#vCM1z(iWAgBaoap#Rbwj`GBKqyoF}F1qATaY$pP=FC1pU*- zjj&;BhVs=GB@zFNKiG^2jBq;g)9(zEcr^MBCMq8PAu1>=_=))_^JxbCt%f_jtj=5w*&bFm`RrxSP&r;2eB&e< z8SK8Q7KR`*zIw?T0e$UvhK;chHn;cak_fS{e=Bp6c5vn+q{@L(J%6X@bO_0KFr5og zSi?p?BjV)DTs}naDS#yuV4@ADpF9nGx0(*yEau6ln#K;5I48&2oV@jZu{QLEDl|Jz zxB^BVQ3N#V(RK91`F-?6t7vT=&s6;F6EsAzbwI4pMaU#ZcAntZKU`ZQ?cIX-D@=`x zy(Ee1jMsH$o2I}G^*cpdFtY8 z6>uYWbUo{n6V#dAZ_fird9Lbps{RmFvF^IpU9s+B~wjPhHHqW#i-K%Z`N8)CL@VBqS7-#Q$UmCshfg4F!$LiDbyIvc4K zlk7+Va;_Nyu?>%GTMN2K07pW+23`dhW}{fb;`+;;f&bh$u|op*)FUvtm^9?|1HWTf zQvp5TKp}LqrDv~g)X35d%XS@H*IzJQ+~&WTeYOA&xBqEruxy^>KMowF`s|bz$-ncG zis-)Jz$xNjESMaGg$ElB+kaa&6+?NPt;K2m+CE{rxonq1Lcpz}2N3rlQdl3i@{Px&IHpe-4u)up?~M zHf#~NRjE*T5qJ(WqrJ47{`={;Jx#2Lxj16<-gWu%qNQ%Hcj$b*^$6ZA7 zf9Q6hsi|+s1R>dDP`ewo^pKu-dy+L&1zpTC52_I`ITDggmZ=E>EeKNJZupE!Jc*)v z^AGSCYT&L({P_H&KiE;`aa1b1cy`1LRjnYaZ06EI+uv5p=z`|UE31P{!oNM6rq8UL zfgq?Q7BV8|eXJ&%h}(fH3z%3(xaywYHzMcJ-xk0=G0d>GVnn` zOCi;Xa=M%H(^)uz`72$%2;ds3q`bE>r}VFP4o2^TqY6 zRrZo+Efhur4yU*tgz7^|=sM%L$|r}+Vr%K)nQn5GKz_5^;r7ekSPA7xqf3k%UE^9X z0r1TDZvtTXGpl*R_~0^eAmGanhj|YwdAz2Ax-p!lnTB>E*Rk2xJ+;CtefwlFZGi2K zGGwQ{xIj8nVmlH~iHNVACB0)E1HUrGp#tYr*aSSDpA*dQNZtqGmqmU)^rypJv*0A9QP&+wg5Z4d zwQxln)$n3zImlswCoJb!`RnA?7arBpR)sN} zKZa)bh}h~kfvvx*elPwmm(gx9FARgqa|SF&Bp?zj)cP>Tnpnl5D=vZh#kiRGY18`0 zE@z8_HtMWsWz$?xBE-?%pwQTW1%AV5&{#{VsKV5PCgA~;PTzaW;MQa;y)>mNAMLo z$4)d44n1u-3p@0lp775x50Y+E`r2PmXKs`-2s5FeY1t&Ls!~2Ceq{+$F?*9yuZ&m^ zUK2pD&YP+5qSG>BOOKPLnSg`Sm4HXuM7Ep1$b3PK-T}J)U`8!YFG4shJUk8Yfv$cJ z8;nUN+!-pFUvaGX-TOp_lS=%+)7HlA31UgbJDn`~_9nWZ!{?!g+g@B(^*$F^NXTDw zKAkW0`u*Jc(|r%Us$0mXy{3g}@|ED`n1~0JJ&^UM?-IUFu&9_Mxyx`nkQG)ux$~=| zr*^7q^*%r{(nNfdS%+SiGWTc~`G*Hp;rfs{XuAIHM(kF-eFYBPA}3A-Lb(Iim3_k4 zaZ%q9{*fxUyV($#(iy?zQq`4WDWrhVHK^GhUHWx+S~D~g)ljp15gG-EhOKq{q{>Mq zQi!k7+LHrY%ygI_yHSU<(^r#PajnbBS?X6s@KY97^))Bnk)AkH%blpDN?I`z+6ha9 z*WWE2Gi~CoKrEfPUZ5z3A1?vu19VTtmCPIb-XWf=C+ef)16=)FNxPn zGcziJmfXj%Zn)-(s;J;rPE=lFIOJzPJ#q;}-Q2H%sz0A-bA z2rz|hqCWvZLIED995Ed5_Q}`nb)r_f6_RRvHjO>~_tVJ^X4=$-vT9%#d<+@mw4K-s 
z1S5u;7EH4B&gUs`hgThmz#3|1!g_CB4Z@0zNHaVgnB<56%!99kBm0P?Qn--R6#0@c z$#lZo+$pRM)KKzn;&&J-6j1V#K+#Awmn)WsWgb7lPiD)M`5|1e_5b{}Fd?b!$_1k0 z0x*lKFjSy^28#E4%l=1H3hPV>#>9WkubU(M_j-;Az>M#+s69{G6()m{kHCVYjv}2{ z2L)ihqrucU5xqFLvQFO#bAf+SG*Sk=;oLRvU+WHtKv(d;EWF--Ej)0vYQg2E3esVI z#x#dh)1O$W^LhME&Jys=LIk3S2)4SMKSIbISpHEN}m_f_6J#s4zcB{3dU*yc75EuhP?CPSRF-$($ z;!~XU_J<3V$u)3ok)-z}WJ!?D`4RN-u<6-d804(Zxa4_ORTRxQN2nX~$BQ@?l=ydV}q8M`=KM{8?-Cv(=WbuGr zD8A9_9`OK`vz8B(Pm(~W7tlopGX9795+z_YT5y!DfS=Yc$Z}#1W1Uu>57l_EtIl+q z=!7ktA=lZ6Mz!n0GEV)Nq<%k2#`bI7Mo$zZ_0RgGoI3ptA8i(`fWiGMwKWHQBvSTG zemy^3BK5d63?@oTt-9!Ywm945c>wc}PB8kXsiCmn=W$4bbOt~uRODJwv*g9Y>c=}E za{a(N(-YDTsQRF>FZc=r#;$1}CjMfqo0-kJzqhf6MxN z9ZBt<;R;lORC7RYMzkZd@q&f;Z?XN_33xIiPFXPwkv#Mv(;N91=(DKCMC0a{7>E2ZS5^ zAwt^T@B$_ns=w`~rhdfFWYT(fVSeJZNmw{b<=a+rphag#Em&$LxR3D2ZeYeKVix$` zod4|5mJgp^IVsrYgQyN|e^A_b&pK6liL<<(;qN+|g>TYQV+Z|V01LQapHTN$`|HBmB{Za%KZ~i%ZvrQe zadYdQF1gaYbtLn&VA}P@$;*jXP*A_|(EQG4?p9EzcBq2w^3Uls5YK-5S^Lx@;?%6# zDPo5bR6TvK>T`_!9p&23?yS@L{`y6mrlsL)u0kbp{xXtWYf5*opF3C1-p}KmaZN?} za0B4ZytiBVd;d-Bv7pgp_Y=PnOT+R6PY-$bvyaiMRG0E)m$xT!52fdb6}Zh!EqE8C z#kGjPmi*Tn^5yoi$9;pmwV9`Iod=u2J-7FlEy4#}+|{SWmk}N^l~j!_P95Z%kP{pi zHP7-?$Tflx;S^W>wYBL5$fiJ~OFy}0C|#h_<>~hop}OOD;X(-rzf_;c!DYHyI`eS@ zYtl6c;gbG(ET5Of%4J^2$ZW;imBsB+J^mE7#Anm`Yji%Rk`O!?&rzZRmm5C4-gxVe zSw9;u(uR3F9D2I^rz@61Od4oXnI+3Yw=SX}XG=MrepHkltoH!_%bH5Q0u*sG@h6}@ zz_ksONwnAcp!YIZoC&SO{3JB+ZvSADfr@H$t+In$g zrhB+Du8C+dar<&ok#!aKac0jCa)SWuHyB0^qiT9+lyl)MWY{y8j0D+K=1;37R(xL1 zT_JJ-s_%1=?`YEM?X75vTAGncc< z-O!+n{Pd|?$vb%KBYtaePM*F+WwA-JUC?`84p&Nr#%p9vN4d{P2wvLGy1NYuiS!_$#<)Dc`tdtIE7($1`r8xMEbJvs){qRA@m*UghrU*Jb<#d$Id zw(41T7qoZhN9`HSER#$$uv56bC^_?dpVZNx)GsqS?Pt?E>(>L|t1#J5dOGNnOGia@ zoFdAViwq*E@igw-F@ig4rN8@%a=|=CgMV2}uF_bG2bt2C$prY5zB&r0&FtF&>#O*gG-Da&}OL6D6HUBJPcj&tqYM=K_y z7UHqAH~g{9mDqj9H++SAYHw9Ue{AMID5`z&FjLcvp0HY8XDZr=%Mg}k%Y}GZhI4%8y!2cZl zKVlhp{v0^q|1ARlcN2br1FnGs{{O-vaJ(6Cy#Ip0|9a#9_`5g2V9PtsE%30~J@8Oy z1~&KS0{EJNJ)4qv2-No%n2;ug*g}I63qOOsE`YE?Bv9f?{>X)=P#tQ=8#}<=_e)rx 
zNb3hWq!p!DF8JUXu*fo2S53=qK*`2Y)!b4|idcZ0Jr!o<*-xEB4Or9|@2jTMM~TSx zudj)ti&AVCtf>y>j~yhd=NiK(8KBE6a9{XWC90E~9ERrhxovSzrq6%1QHq)khrgGG zNf*a?I0@Nw7DEBrqSC%^21HpKte!3{5RJA$MFCF
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 863624ded83..81f5ae066ea 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -416,7 +416,7 @@
 "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]",
 "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]",
 "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]",
- "analyticRuleVersion58": "1.0.7",
+ "analyticRuleVersion58": "1.0.8",
 "analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a",
 "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]",
 "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]",
From f30fd0a2507add482dc73caa6ce2d3efbd236870 Mon Sep 17 00:00:00 2001
From: PrasadBoke
Date: Thu, 9 Nov 2023 12:33:26 +0530
Subject: [PATCH 17/17] Version corrected
---
 .../SuspiciousAADJoinedDeviceUpdate.yaml | 2 +-
 .../Microsoft Entra ID/Package/3.0.7.zip | Bin 92777 -> 92776 bytes
 .../Package/mainTemplate.json | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index 2bde16e7853..5e4481a612e 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
@@ -77,5 +77,5 @@ alertDetailsOverride:
 In this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.
 This could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.
 Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
-version: 1.0.3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip index 978f68a3836efd6d91f94feea5a6eb99e7a9ffc9..0757f343f7a05369d3fa359985d735550491379a 100644 GIT binary patch delta 77998 zcmaHyQ*_@?wDy~%u^QX9ZQD-c{9@brHclGbwr#bsZQE$<qE39ee;10j<>Www2jQG9iqVHwW&k$1oZyMr* zUt6~_9^|Z~R)tSKw)c7u8t=g)jtyebK(R)1DlElA!M5Nd?<=nk!9Y2_b%bl{ui`VK;(zOoJi8D5OkhM~H zd%ZOh|8Gx)uW*oPv*{a7O*HM`z@JtGEncHbBO?^tIAUk}4C|@VL@<7QK)jIY+>vhi z&WA)Y5+&P=rOBp2{O8HQg26WZ7flew&GMD%5_@PR6?Tn5&aO3Y|Dugqn>S|vBA!uO z#)u9;gMc2^E zMI z*X5+3@AOvB$E{Gz=^wpw7|qw$Pe0x!6(v7E9?xV>LOyTN*OkRVNuk$|&$loGp{(G6 zowx1meXN727>C!kSTSHwdwB{kCbqfu>AJQ*bE)jb{Hs6FiK8VbUVxuKv3Jbt;L6;Z zJ^JyzG2kA!=stJGlSyEF1|}Z~3RX?U8lb;{{iCc1?48Ep#%=~JhM(QnL*t|lH67iDTr=)=?Ia8|7({Q_MNk z;uz&&q~K99S=Uf;Mrf>|A59-FIJY7nHXkl#Gb+~@JNQsNh0`qaji61Wl4>wOmtBfH zyR1u%r!!`{KuxhQ)>P;-NJ^-qswb(WHV%E!22z42O?e*KQOz5%=5bVP%z%UMM5co8 zaqc^pwom!rAE(`AF@-{i1VB?ZUz}|SHQm_oQFc@fsx%m0^vPRsBdqPtAXRaW(Uj3d zFI`h63N2ct3)OUs4^0JHC0Uun#FbW!B-#EZ207Z}dTSrt@}|{>(<;j<9~^!Qp}b@T zK#$&OaJVS}=kD9Cd;U&6c`@BMN>7Y&q=ifZ7|QYLjz(gyVrSAf_nd*Lnu71{2zZ_J zC>Il^hEMFQEA{D%IKDcXaCUez&N7h{b(VO#v_Et1-F_F>vS}r}EK~~r}bA{n72SgzdvJ4FUw1^7v0D1Q8 z1Es;vkV9b6&y%;OEelJ`xlhh?)Qd(jf33gVX41!uSsu>8KmX;kJ)dlx4W-c7??6OP zhZUJIiwmzTl#+c)SY@0K294x~UnP*o=-9#=A#R$%i2Of7B3U;Hq=sztbuw)eX2 zJ6-zP%#lN_(FLP0%xyjdkb;CN*o7s!w$Z1?K@|f==Rum%te};+;d?2atiw!+iGe$c z54FSB0xNz1Mfrtvu?Hlnu05nr*H0is zJZPJdL8f6qlrqluD-(GD>Eovluk>jrugB(uXHFANSqic{TcInF?CkgmOZtP9zwdC1 z1*?{%iA0Yf->ei@S1G|On>5wU%eTKo^KshZy(TYItiqnigr3`;n4W8|bKE<#6ZfZfg|?J_?*B#X3ik?dwT|xt zD<0=3^P-4+Sp-rWnvaF#z2GASa5zSo+eNG$h-t{gg z8BH%Ud_vv`H+26N8Pq3BE^*jw3|5}=NHS&HOlA!Hm}&KYzbRGv^Yieh8Az`)l*A5M z8k8(alfG0b((A3pkC-)^z0)~@gY+S?>aKHFqje{~e2(UGSkDHp-5GjDK1Jcj69Qsi zd3+6O7InfL0Q}zjd9pf;-_9nQ{V+<8#?y#?38Zq6cIM}1%}$KhM3%_7mv#$({JSR4 zi5_VUQ{T`*slM_pvP%^TUT7}eKS6!vRyYqZP8lf4EXoVP~x z<*jY6GKJ`%AMw?v5DGbqL5p0Y1%qY_uIY%3^=`VIk5ko?<5wYG9u_t$TrM;px8CMC zm)p3Hz&L-$-!A)fQ=j(GZdH+xv}K$_k7}D`XfuxJ)k&syWP{EWEoJGWXus9T2i%t4 
zq%GFkOEdTL^QEibXOk00T6~aIKba;9AsG&W;iRHCE@Io0iZ$Gkrn%)-41UJYOY&ZZ zZ1tA>T?8MJGj%xI!5O)@gmaH!9Z#U|^}M=-2NoOP6vUi%JoZLMl-4s#=<7V08@roG zszgEg<><-^ljD|hIh#hTb_OM@awUS8tAi+35}sBWo@OZ^Ch4@I;?R+d+j&yV$S#DX z&BtBUa1_m<$8s@e3#&JFmN7|-a`Orz`aOqC)Yh2{x+qpWW93wlBrf;&co7u8p8;u} z0B3seEPEpEk62YrFZ0}-FqEW=gQy@|Fsi+sj z`zm)ldDsQL7bc!4$~lnsNk+*9k!?HVr{&~tBDPx$*7A(7Y4GI*Y@K`$LqwGjUmI1-)XpL;?XhKV z*lBm05vH*-Y35oD_ZH~Bqf0!@)UQ52QL|ZfCmHD z@Gd^~=9P4NUG~9i-5b+6F#VuNEI2r-r%UzoqoT@f<{F>#96p#AnmiU_a(Gu%T z9BiKzGYzPn9S>|*6$?EZ3P$;(Q;E0^$qrhh0{gnS7Re4~$qeSZ(t?@5jYjdK=32a_ z4o|L#>|*X(iBbOWN$2C0 zR{^r-!zcS`Nzf?4O5?1SKiWeSdCDrh0G8L{BkQ!pA^v)t1-VVlv#A>vfdf;HmjkZJ+Zyo)(xx^QDKrzb>u<-GXPxNGX4#A}!o zrKiB?)1}m$y2cB;?hCsQI4N6t^V)gqrxx6925$OT)8~6a)B^fHxdfh*Az1!@eUj`m z-eQ5KXfam*?rJGuB=Y;*fm+&#Orq;QH`VtDgD%-^!%sU`3SB?gA{pMqo}GbL#>p9? z3nGuV{(kdig0@KrhZA;!<3Z!QgFN7X05Lm%nI{i2sX`(l<}IpK(eZqCIqMeUqV~D^ z$$>4cs{YlA{jSbZ9kH&Zjcv%bHhyA%f4`8^kI;)`c?%sdBQ=jOb@Ly(e>!x3b69q6B6QQu_Na_ zWl{y%cX|Q7FvZ+r#|M_4?9gw!tI~&E_E5*s7KP=2!YZ}biv!yaXWa=-hW-c1PwZrq zd;Or#>uu$634rP~-(cY!QWVcaA$8_F4Euzvw6tjXy#5l7r}Iy*gms6Oi?Ml#)!g5m z*V2KfFpvfA?KuzQD%SMJO@2rs<%d+xcgLD_3IH%V-2cKWlAVH@W^svCvVop~n3S9(GL3{2)-5*;~Ub`HCh*!lID^oWO z3l~S^j=VSi;G>ukX9sEa*!IiA;wk8IH$@`S3iKlEY7ZZgu*`NH13kX57pv>9M%nuK zT0mOiZ@YWEj+o&`@D-3NC+hHZXqZ-d6`$8PiE9nY`9 z&z-t?!U?k9$A1D^N#Mrs!uP%5(ta@cJ^+vwm8oQU!-O}jS&YB@{#jttEcAamg_(P9 zFi?axyxkQklaHZ^#t+5)JrI-qZWBO<+6K|Oeoct~m>IT3QsrmxRp!OYf5HAXCG&Lh zPh$9#2!EQyamI^Svbjwlvh8MS8jUlBTxmfYPHbktMq}ci*2D(k-lgu*1*;TIt{@Pl zJrp5?J1AExmi*_S$}DH=5$~n6HA$Yzne(<}BIPy-WXnxs6WPw4+kNP&)c*6`yJ-|| zzx{oWTWr2>Wm`t&^z_^F6_>twzJvxjzk;bj`xv<>W;$e52;E(uN0lRfwyIii59yac zaGx?o$j?O_{8aNlJRs=tLW`g6e|i8=chj5yTl4X2Bg+KXy2qd2&xYI}J77g(o3h)J zrF}#s4AzT#L&iTR;qnp$KO^(GVJCfS$Ft^K+{!+H3_c6d5%c*Yh3KO-I^6IMRCnjF4L_{#)Ea#gU>W3Uo`X|45|A==Oi!)}=cQF@Cvu$C z|1!R!$C#V8pdQxRWW-dwg9FEYlC@h}JzUN}b5620xK42V$>O2qSTjETDI}hxot42A zFLb-m%MF5C5j)PL;DgjV-e>Zb(ae^B7FHLSyWPLFbfl{ZNw!?6B~yYIzSTtG&u7N2 zUi_Jgc3#-j;a&D#)B~u-(3)oPZiGhxyTb* 
zYy8`~{mZdCK*)V%Br1FQ)05L*;?kpUr?2;+RQ)Bzx3EP;4A}Xu_Tu#w-@^O&3x7F+ z&^c4Fc+=9GtI%VyM9F*>bfAOxHM0F7eTcZFN-=I~jVHc}5ey%|y4x zSkeM*IG4Dv&zWNC1!UGlT^BhPWse>NBDVM$N_0okXVSr1ntE_XEw&kz>lvj7JCkLt zdqfpCcPf)din@d4YOp~D-%P*c=w-K^lH93*NdRvUPDpPZmf$1AR`JZrEk zS2l7G9^w_@ocwv`aZ*lBUmiVb_N}1A9{Vl7#BX8G>~BZZ6g-K}?)-Slm0`UvS4qu} zZ47UZW5}qtQ4ne#UeJ_;WUwu>$jZ?|MqyxC{zZGvclV<)@#Ys*rWZ(v`VJ7%I2s|zpB3DxxH9#es-kDoD%BEH3T7!uF8;fFQ`OS$TI zdtzy3ya3O0bDxP* z(q0ug4@=YZ)VeEKi?DON)8}^+-c}Dws7X>*z(4=$*hkv(Vx&2oP}re*o^@W4G$QQM zu|2jMUtQu$*O$fU7!5OZ<2qJ##mFfAc zxgZ6He2Z}{U2;Ao!Gu5V^E&C5l8gG1DfWSjov4=s&Rm>wsv_#jjM|AMLmn*IVDd!B zfY2PFK_8Bge%&!7mf}52<-vs-w}4^o^6BbI2B9-VZ9W_BL-ya{*16euR`5E?W<4=B zs9pQ8`!4b4q;@q9mrWR}>W$M_^F%QBkJHU6rR?`2wdt)@5bG^;l2>LQO3e$`E==n( zQOHL(OBQEWxDS*pQ#=KU<@Hz=x)asjTilI z_yZ|>qEG8H+#tnSHd}qQeF?+Mo>_wK)Afx&<&3ZT1C#9?v$s$RA!~6D{w(GafW)qQ zPvZG(+PZg&z4?TYb7wSNI4(WB@Zpg>wqnssarKqtzHI8Ke)I^oCsJe}ND;^RQtS}w z9V9-R$)h`Y^u5YQoA;7uuk zlhDihlv=5^yt80w#U$9mxv!RjI$oraK+S_HvJmf)WB7Qp?FSuZRl+N z@KOjCK3B_nEseJN5Db-_Ld{itr>Pw+UNadUJ72xOU&Snl6xsZ2_up*|ST{&;lJLf? 
zQfGJ=IK@NSYP)7>cg|Qx9LuXTc`rm+1o7<+Tp-Z$v(d;DER&#Y{zM&i3rII{8X-^B z8l^);T4m6^Tik3l~b9evWkL{aVCM1#jvYnAzKm;_?-X!Hpi3(4Z4Ee zzi`dvnVRAt!n6L4{Z=mkG%5Nd=ezO#_qHu8+*iDNhAC+Y3c7Nd=W#S-kBxZ@d#jlz zyoU}$C}vWNBp0Y2JxtS*!csege?MXnCg$Mk~HCoxVEO`9}i=gT&?_|iWMnG0e^#opTB66qTtIQB1$2FjrtiKWuz#PBLrIZJ4tAh%UNYK3 z-pDJX(n@ptQN4Tf@A;r@(}A!D+cg7v7`p#R=FOHL}WD{87MZX zZ85M#FmUJ<01Y!5Mr1p&$_ZYvuG_Av3|Z*EYx{u2D#!EMzm3_g?Ct5O^7@2y1Y4vY zV1H*|&Y*&2Nh0J`y zm>%y~%FN|a42FM^IPOOV9N)KvZ1svbC`%_oxzoh~Jc(t-V)G<$qTes2CMjyUl85r> zSl=nZ#<$~_(@zFJ{Qn$GAuW9d67Oizo^wQh?U_KO9L~0%3WcG};GK85=V`u4m z*cj5cBb3IEdP4=k=d|4_6W(c})cL67_9ux4y**XwhGTrGUf`uj7>kH7N0cu%ckt^9 z{T8|b#@ccoZ(evGi<^zHA35wVHe_^t9|^5Vq%_C*kssr_D+#r8G&=L3X@snmbrt8_ zJ*dE`GB$4#)J#P+SfusKek}S~jHK|kMf#(^u%c(6rI|Soq_vmRW;mlr1b?te2dO`x#IQat@2petwG>l+A?2+So;t(YP*el( zH)PEfsxDP+GOO-r5ygUGs-S$uER3|~??!|sGv@f!m*`uDX|Zry+h9Bty{)P=KT5ca zshq?nce}blUD`$~W6AyTaT>un7a5GovDV`~DY@%EG}9)C)a^g7(Y05&yNMdZPDREe`Lc5QWe( ztPv)9$o@i7T5lt6U4w%4hW8>dKPScq#vnG3^EFoA~gY zng|0cr?@|T14qCK!y(AN0AmRlgoL~wIl__R5uPVZsGTj zK||!fke;vFx&*!5fJ2M8!4GZ7B3FmA#C_zavK?MGv(~AG!!`O!)2yV0Ng)_updS4W z@zak}qIm1=2nS=mbizC?o~uhM!Fr?8}GchT%Fk8X7= z*u_Ai8e{n@kAja`@$5b1$sN#U8$*&Av`~R=%SX~B6ZnCMDKB|FaS_gEqO~&+G)5A` z8F+ot0%E+9n_8G24=7KWm<&C=D8{Btbg@dE8tfUE>XqncG2$?kUYbm52rkS%d4!5d z;!AfeNmD=OhexI{&O6NEAkda&<}N)2UF>}TKXRw*f>1xZzj5*kSQsM{?)-dQ(YvX(P-iGH5zvZOR4b^av~w zPR1ndYgooDqwqOz^keXSZWa-@+|fhl?Rccuw#vR;s`rPVMlbb+&mss&jE9fK^}(E& zActs#_Z!z@SJYOdhy%P^-u)wy*Zx@wrK+p*KQe}vE$P@)@S{}?1+*{~Cv|&_JS{W^ zX%J5-L#^5T4iu>N;Kq?SbadJ^(ROiP?PQ$BaVa#?IX^ao7&=zLAxqNcsoPZ%nigrK zw6M4Zq|&X*|5Fk_Iys>kmb{F~FHLeP-WFD!406T_tFskw!-3sD{fs}&EMF{;$(ee) z;i-B(bIU%Mmm^GvPg!nbVh;Zq9!jPG_3Zj?6PH#mxC#kvQ`fyk$J@im6>u*!ZX40~ z)$R}}EXERElI<_F_%9Hcrg}0t>9(y-B0-_`V z0;@*<1>F3yQ)>Y~7K!GZ9{EsRB|}!R>eAY(QY9^|*NpE@x1}VC2OEZGzrR;p8NYDz zXN-YVmQ9kB;(RJv<*aZP<$_j&&`y4Daxi4Li~%IeVMfB3`QU!fHnrR_s2l zb6*^2hF2W~4_t|HQ+1tnvXnU|I@LXUB6?b=x`vmA5p_0phGu(6;WDNgsZmm> z0VL5;HE5vMO!&(&2wL>%xe3%~D`AyOY97!=v&X?%>N;k&^3Q8PRZS( 
zn)=z0pWk%${praHl1?2=Q{#|=@_Dhz(`%?4F=44Mp4GbTOtVTU?@acE8vWesRu5OR z@SG*KKUuN0Qu(onZDB2k70236X%xYx9Jr(z`Sm4O*iyQ~D9LGISLe2Ym*q#%7v~|o zMUjDse2&Mds60XRBS@vUYKg!B_R$q%ttK(sh0cVRX6A!Z(}!Yx2WcdplC@lSM=mDb zvIa3}b1KH=0hQ_RyCz6@5p~tY(JkKUUrWpKubK*I`m8J_CUs5FOTqRSth}zaKY-5L zX(l^4cZG|A7WiO39qekaI%4SSMj4W7Pc?p`R@KzfuGsC&!FisS{N58#r3aYl5?D7CHTmAlp0j?A~l_X@{MWq&&o|KCV`k z3+QgXzm^}_O!`)*Gi4f+vEMZll%zDb^jBRn+we`SA>Hv@G8aEKX7LJ2CAWQ0RQG#t zY;pJj^bvCsW0zIZ5lqgJd$8Ub4{=r5bZqeYqh?6a?d+zf?PJ^})5e&(z+afA1}_V@ z{z)DM)?>~VdYi2@J4v0E;1xlW$M?aK*u^MZw(y0czJ!+(b!}D#L~J!iD{puDbQ&?F ziwFi6>(MM4Gk>RB!%GS#%W=!-KRQSLMqOn%UNVQWEo*D0e(oKH#RYQ95}?X%gyyk8 z*}CS|R&*?$tlVNZHk@@PVC8sk4WCXI_dV>|H>?o_z<5A)!FU*DOksTQKd?;8!ni>Q z>K*5IS;h}mJNXmOMB5Jlh~;2fw+$1C3IRku`=j?Hl{Ox1w3CcKdi(#8<{VX&p59QE z988%T`dt7qS-(PkWBTHIG$!ba4k4K%5&5+y33?rXl}S1S)-)Y}W{Mn1QFbM5xppcc zen(3l<BfbE|2*!=**oP-gJKdr7 z9`L^W1&*Epj#nwo38zDTfE8=?IShQ&ej%50?cpe?ygW#DZG~gmHjdlp z;o-`x39p-yvWy@Q6>(RhZWhe}Jz2m^}nxoHfx zstCVx)*ldlBj$CZq-qS3TF_LEssVYa`$(5fayu!D;(S5m;`=q2|^lX4J{g( zbNT*f&_Et>&+x?$4{+cbK`z^rISl-I60BR;drF}g^&yjKh$`VT$I8{)tF_7%4A-G> z^9VA)ej%hnD=(SH0^RFAQ{Dd@VJeCUu}yTs_BuI@%T3#r*O~0s|CR(Pg~C*iQwtE7 z;fWzyLR z=I7#WHW6l@t&4`yt*ijV(=smDXMDUHIxmmc4t z_R#*lC_~1=L7HCQA+KQ-k2$7n6^|vR)Y-izL&1GL1S6-t>51^KimCTvfSwB*S0UEv zjNQV1ULD4l8!uXPg}?q<@abD3$?%jBv1EI51q+xvvf_NTCjSu?wzSk>gP=CQ+M zcc-bRPbAXF*yfRp`(3BWYJgx^-7z`T0dg24!F^az2p3BL;79C%R&nc-4ECs-dzifd z`dWuOJR*`gtRX~T&BRy))VpeWf%|_jn<_%poR9ws_VdsRID&7vKkL{vO|M-?5DvG% zHlR@gj4anGNr_-GS)e{ZFIqeSyMhlk0`d%?>fF7Xc4SpLj=9`%P`Kw`){T1XZS@xb0Pz_fH#fMjd1dN(J}cUU5@`;1oC38qpFG(_f^Rp zA)U^tibzTE+t>Z@hkEiKU> zUXG}-Pk2s5V|HLruYlgvfwCq1nq>x=F3adt9ix09#L2Dh{t~&=szxU8bq3B-u%r{i zEd#IbokD9flupj7+>-`e047ZRQjrIMq*d7beyc%S=hQ)!3@Rxux-h0lHl}|m1(oO> zdiRFks_%X?6{!G8rJ*&qfRZBSM3lJvR_9bxx{T$<-GCktS{oDO2`h<(^C5I$4W>!1;sM&Jv zob~>`f_B7IV-svqk**e;FtIu5ct}F z@-VPPVl#wN7omTW3b_3HQG^&w?=X)^b#PQ+GP>JB13`Qa7c;&d^QYwg?X4c?O4sIo zD-lso29b-lN=|GJ2DgV*FI?JFug1?TTj#NTpIa+nI#G|>@vhbVu?$BrZ!k7~b&Jor 
zUsMGGqG5Fp3AS#!b~dOjBL*F5M;}xG)h&v8v`5RK_v;dxOpAw*b|m&cI~Yt7Z%a9) zr!@bYGK_l(C8Y;a?ShN4rA*LjFMH~T0D|&<=ggkKiV1hyf3(e}Gv%jYqT*>w=cajQ z&{w8-UHknNgHD{1<@LAo-M^-!oGjK%fB%B`aORhqxzZ$vPZFjsp{BbTBwN~nO=2?a zB?4};=XrwabC$v4_2NN$(>i#$We1VSe7TaknQwlQ$fDq8qy3og|0K{qu&#I6bHgCh zx8qej@p^8h2(RRn2qp$x$!kVjgJ^VbO4qL!I3DjUpgGG;04P9SjFd0@{kuzx7$eia z8F&FSVVSlga@ZOkve`Pi3-=n}G@DAjTv|O!QKS_K3R||qiBua&@2AAgANai3{x%8k zzrCSstd4ou(-Gi%_xyg^R_LIvd=8g zCYOJsr;=bWbvKpOVY`k7Mtm7nK`8-S&T0BE8nYlfvUsJR>27s8Yl0}$=vBe@P!kS*b8PqBq-+c!h5QP<@qy-C*oxgrESzh zaT}GU`(b3=orgqPexconIlqQ%ib+!PN171UZ|->gEbsC$%eP8cgR+m<5 zb>zVtV9$%Mg)5#~zNb7G@>{*gEm8R>u!k8vzzcHe;zq?*&ps!S4{};0lgmyG=p?Ng z0CfnNpR(Jaa-rmR>v3aieBa>oPbQwbAn7};Hv|faY+%`(I{r!Oa*Kar;+cO<$)pCX5MNtR*jzIMiZ{FNE2&*Ag80Gz*Tnb) z_oAbhBE>r9`fH#Xhq*fL!aFD;AMfMB)Vpmm7U}{j$Vsi~ujbZ*r+<3~}Z#-GJB{}du>+lZW2Ri&65$QhAld;5#z9dhIvr&+w z<%@DMb{xzb={aLfu4R;~V%2Qn&&`P?)eM^l()pVu=eVj_9Qzrf3D*mx@H3c#@DNBDg7PI$W8rfr+r%Tvd8K>!$^)(lzYdM>NX-uyy6G9zR z^~VuBvTI+ksm*8B=OVPcM-D?&<4NCObkvckoTzEN4zGQvDhFbfNv5;9Xa zNlcZf#Ti&4;_xB!Q-RP!W&`sPa#iP~e@AsW{nx`#$;96iZbOq~&4P2AC;Yk7o3?u} za>q?b6(9MHhh$>MCKF;7OY=QLm8_2IyDmWzss;M>U{-#{=x9fT-#mKtr)iX$h)b|6 zdD>t6Ig6q;CeeJ70u1r`fLQoiZjo4{Gc2^I!7J2+W+Z z4Vn&>SQnR0N!!9dG{{gxl_HX%3L{(0y}be5%V)Luba_c+@@xo_NmrC`c$51i0u<|z zR>tHCj>B1Z31yLZ?KR4kvQQ<<;KsZD$0?su9$PLYLEqJD!K?p_rgJ6i+OqW#>$GB( zPVGbcu|MGr!?DO4P{NpQIL~U^`MH)nDSfyy_Et1;KZAvK%d60t*}!b079jb-Vxz-xSO*{Xpk4_WVGmN?ay;-XodF(X#nW)$1- zn>bRPsC>Ah$k9W4-e!reJO#a$|2*S5RSif8A{zW;$RcIwUuHwtj$SsMDk|9j;y;K* zl_d!EvrhPRM|8V?L8-8g%-O~mWt9Wn`cS=`Y}Rt-Ld8ivT-{GbA!{N&f!Xd|a=Hu& zge(8qTMSSxvTYOHzkbkZSk(kAtCsXSaPNlQwitlIqv6f zbR^#kVK}sLuiQwgFnr46FnW6&ue=3VczIwMlkcElZnvO{g4uO=ynjasEYcp2TxrI# zm;GtMqf}2NX4=N_gQwC4p_Lq{OVprIC_WLpw4&D)tMtDKYSwZx6dEZqiX266y=nYm z#I%670V(Kc>fV0Md%2HgHZGRs`1%i*QoZS+f>&JZK8kuQN~uIMEiVHx0^6B;XE~}d zRDMdHbbuuElZ(zRC8h&Tzrw^Mo_kyzG7(pRS%Qj z!KjO(bp4)YcJ9;vqaxf~gjhZ%-RGN>mC8C~Zn>1oJLp@vn_(7EZ@uO-d;)J1uQ4;z zEwJVjl0EUdjJC-KcYULf_2&Sgz+L?|ANo`vlVpW+4A)Qgko3pb8Y6#Y9+73wSOhhmF8dk8TD`d 
z_L^B0)kgbK4UOuYe8ya{%Fi{IkMxHkwe!XK>ATa#!wu!iMVn?`z`D8Pl4jd@aq;Z2 z7$o7RRk@Ta)7%518a7$i+AMlk>vG-wFF9>t zR`EazT{Kqlz?1Yn@^opujZ$OG(CHD4hfAup$MAe9wfJYRr<)&&YPJV^WNED!*XIz% z>03rqe6&VUCPVQHmqh$062|(IU}(l4dsBZwr1|**Q9f7!v7!8N_AB?z z0^E0_hnn+tQI*Lx2vARnK;Jq9k(ZdAAKG@ve|le4K4HWT_G}+axR?+w8xfr@H+%XM zv$}Y4X;)YG_SR=0dsNp??#q~ZDFTlRXn+1g@!JhPg z;JZHvxd=S4l_-6-oW2HJVxBUy6R|Fj{`v#Q5_bn9Jk}jkySt-*BMS=)g9IJc95HXS zIp|w3Sbw}LRp7#g2ch{i(JX=$kM!I5Y~Y6lATt>)>@Lm(u`%4&2Dz~(VzV)vTPd&8 z^7^Aw>>d4EL{I_X=g1_|_QIsbS`~L#d3V)nXq`s4!xsfjI+@ zk1(!GHUBZV!HqPC^ZQEW{0}Uetn!Nn^1Xc^W=BfwGUcJ`^gVkcTo)$Z>$~q1?06I? zE`O7=W@Ko6n^Rm`&CI2>%)S`2a4fB?iLD_?RjfJSR~Ng~-SIG_hB|nC`^iWJMxSl& zee2cjo@&v(7DS9c9^ogT=v6CrLFoYBa|^0d6o<~oVy6Wk2=`)J_Z$7fz3HCwsO3__ z*54nGEeGH+_g8aYH2Q^aH!B&UY6}{m-wOQtGb?b{Q&5rLJ#P z(pQ<`UVbnAyD>!2BxZeKtam~`t#k5IV=xGj%d2>}jyfeZyAqyOYriLZ?y`_aIwCEiCIf6yIbncMu; zdv;5BcoDu>Y4bp?@9JUPB<-A7tTi{IBVB$}Kc|rah zHG)vV648A4_z&zo{+#HNPY^lT&)enuGnj=jidI%-Cs9zK^(_p#2y9Pso1J{J2{tO1CkwNIcP4H{=P*^{5*wtc_0bX{eAZ{9*f-Q~PE%W2?A&7epO zU}!9P;tBr|8)<{bh^1+n3={fSb}>>K{UOg z4_VuZmvf(YVJT?_V~a5d$ez);Yx$kvJ}8F=vT!U;7HI zHR8?w7V6aqdxs(ay2A3luK`oUz?rcX?$J6OpKBkVeJk{DHm_lLX{`l)|XYpNZk)xd}i{9zz zZq&KQg>0}x^a5tTZS>mkR<&FWhQ>HXXnYT}9DdVK1IL(s*idB*(T(*0sZWR9xRI!X*yJRf8Ft*yN5t& zni7rsM~t60?HiAC;3-#)fzSdd&bG>X)0Sqkm*&jvY#xJTxByr0`Eg(ag*KvR@kv?2 zKeFn&9`FfD?1q6EIEYc!ky*K|K5hg0GkJeTlrF~Xk+#TDsuqanv1^Xfn_sELM9%Ws zwKB08(v#W`qR#d(D+!mupq-A3lIBHTJTufv_!EZsS&pZlpA7U+qR8r+qP}nwryL}=Jc!Y-ur&!iHwY_j2%^H)mdwu zy>}+tALJnymd3@lvdw1AL#vMSk;i!@rSl#~k(dMC!J1`CW&b3?xK3+CjRmf-nia-x z0GBwepoKzjzX*lUsDB!XFfEDWz458Bxd&mXMPVA>JaLVcQs(#R!OmSno&kx3(i;C* zo<)VP4&%6RamqD3ni}gP4?p=#Wje58Y>0H3YSPX${Y89%Zb=iA`y!45hu#^_#L#f3 z2qIuhX=5YlMiTJnAYwHCp--*dwpkYz8i3yoe`2G=Gdt;PjL6~S2Jd-nABzu@w9X4mXkK!&O_pldTSWlm zY`D@mSDaLkMV{FNlcu`K3u~u7^{fVlJRcx^H*JqyZ;{=G>O``mD|GgHo?pyeAFy>S z+QJc1A!5|iJRw;Bi?(~_$?&s~Pvo7|x{0IIHmfRs)!I9SUuAY$+bxtLO4bi&ZlPB^ zEPs+!49&S+sMcM^>ws$S8mkh!4ZQ+|usbd#*v@q- z7`U;Dd0L3ev8t>9#jM-e0WGKwc+h4}+1gDrBq^K|b|!|#1x;mOj?qmxql{%RO!UB2 
z72#sT{9d=0zd{VPRZ;Kc^ZhYdcVKl>Mp=>7@E$Roi;QzN!N){iktx0R0w+L9MmNRU zrec^XmGuiGkZn=x&{HOW2qH9ExaW%7)X2Yp$l4Q%k@Ce&_A7OnwH425NK}qx8 zRCOi=!*>>~>^ObG^60y=UK{`?YP4tH`W{Rgcj*b3%5@lAaeU=1@Am8Mk^TOK{KSmD zWu!!S(~jk;+cKq;*=)YUhJtbZ7vQJuQB2BTl}orw<&s`os)yv)&U|=pVZzyvB(K5{ z<wcg_sMgnUu4M|&nEzDoqSNv9L3C? zhUC`3QaNP8! zNTw_m1-xnTy$3;5j<$dp-Zcdqq?TV^bwv2wh4z?AtHt9-86%$BhiAw99(C2$DX zdzp4yzplj5L>lT%4NRph{zWsx8M^cAy_R;6((!YL6%b@CcQYJ8$Kir#1SXVdjs z76+ZJ4H0@rF)`9MXW)i1d0IH0lLm5AwiW9Z7G$@%BlsXwo7MwFFEM1-1d)Q4o(vFk z@D<6Ryq8KN5$=Y=#(zKLz@LyRkB`}%DROjO{V&Wh6jqh%B*$S_*99P#m z?sA4%p%wy88KSa(hGN@8S>^VWy6QK%j!b#aX5P>q{KY>byNP}Zyy>t! zgr&XM8sYZet7QQ`ii{{{qF1TEudH8R)LFqjGhe}Sa}rt%dkWryLBlsP@ospn#=*i5 zErL$v>Et3~G#~FMJTJEgtiTB~!h$c(+u`}1zVxBYqe}MYTnJnhzoGz`M3#h&xOQaeyNR|LMNXgp zOsP=Cop8GhUBo73s--q;%D^tWPC%p*k8qj$Q6JbM*oqHwZWt{dP~h4Kg0LC?iK)x) zGag(YaDb|LGOjS*#!wnuZF7*k#mKq}A3s7`xax!X55s?*w?IQrIk*=NV^KCC)?54DD&e%`i;_#x<3&g=-~Ejpkq z1nGD!DxnzaQ$7X%#Wi7_{}cI{#zX2Q8=<3#n@kTl_(7#)r~#XbY|iy+tMEP(dQYV~ z9@aTJjN)bmczP16Phf3DjWVfzeA85@(<)nHc{tXF*6|^y_rU~D(kPVK=mp&laLz&u1G_1qO~PfN>xkaKWKl|?M26G;`Jabb1(%yw^ken8~X5@&EU zujC5QAbl%R+s@H>k z`FTic``qI#q4f1?ZuV2KgeQ`c)$S}jiyJcE3WU3JKw^F;x_-81^B&A9v|-L#ujkB* z=XD`41Gw92P7@xjRd?NR7xS+o#2L%qIW`A?yTIFU^Ex5e;hIcP4!>ZW(g-Wg-q?V< zAhWO>XNz#2@dlf&Jl)7Fu78r`Du$2IyB<5VQx$tiC85O-Y%v%v~x z2RC<7rWy`U-D3FiesGyR=8C|oK%5P8omETn!49^ea%gddUW4E_&Yl9t+S|-=C?^h} zpdTX=n!gR<&mSl#h99mX8vAjOm3am%_WKSx9b|LD>>?9!A(9^*)q8 zwcXpgA%`rst?)ITCC?^B0Sl`y)c#`|ocZigqQaf1lKS;sA8 zs-ska>5!bs-j2_L5neE6!hMLl=3KF&+>v0kt9}DW-s!|atY0Z9u4z9ef9(fQa0j4R zSli!g_1Q6%C{aQre(X?nQT~eq@C5xn5U|~28k){`PjkA}k0#5N$BMqjizuL`9VD3} zNfkEb3LuX8vmbV8_{PJeWHN|p#xk(?%CQ}rFXoX};)n4(XV^c9afO+GrbHUUZT$lP zyR}&VulKMF^K$jq z_1MHd>!HW|lk!nuAs^vN;eGKuG?xbxWWq@cm#2Gz!gPUtlU`$uLI=ODW%nN}M8)bb z1;M1mzXMuh58|K8e^dFWQw<&sR>_EWj{A*w8a2`(`Rd=GMq!gJm}Q_2hc68f%IzU+ zQ##9H#@rAih~GA}j=jW&ilN3Pj~I5q-YSJLR$korynk{dK@&`Y5)rWa zKEj6j+5G+7&|I<0Aj_1YEq^s4B?-|xr z$#rkffQglu3}X5437Q>JKXmTACsQJ0aJ$_=0N-RI?7LeJm=_Zjgp8v`HE3Oy$7pxO 
ze_8&8O|-@}oF%>?RZ_b9wE%b4c@%lU7_RFDAAR{4`?5(H3N<}5A31m;`2Cvau|U`% zvx?)~2{q&JJv=UG7n!H#!Zr1J%zCO8*qLZ658R8*ZsI9p(b1(>c4yI0NT&$cp55BC zY=kPoabM#Hfc;H%$JXozT%DF~4P%B+G?{+ApXfM(G~=G(hRo zr6%puZQ^l|<8(O|&3Hu^kW^naJqkv#E>#A|53$XzW%s3s*4>Uo!hg%+BUQzyECA;0 z?XsAtuU;zMW|^cSj6f5qZA6iF)3_HcYieBoOq2Zqh^#ouvv`R@3OxmgIrwxO-iIG5 zhr!q@9N>@P&v;0lSf)y99M#A*mg@W~J-cVPv>}5~6BwC*)TVQ2zh}rd!JuGeEa9Dn zidxR8*l7GUSNp77JZp$OuUQ~WZl6ys|Lo#Xp_+lD+Nbu=r}9L1gcq*a?QXd=fm`26 zW@)ktu#TJXJOj>Oe@zor)k0O^{B5pKp#8u38=`p*%ENBi%=5Hpc$Yk%7jc&iB_>|78|xUNn%`9HH(Jmnx?T(HW60k8K?6uTfSUs@75 ze`)&AH%r@+VB_Wivo(;`L$TEXAf=4ZK+5*VfX0`XT`>j=iTy+NS2uRK6jm2Gw;h0o zdp8(Yql(-z=kE_|F~+rGG#=~Gak>+C19s)pf+emwjuThTNRKtO;5KHg(o^juSwS{e zhxk-?pA^ULtOwMa1@hW=8e1vAImq8y$AG;_!%BTUOg&)DarQtf+*VKqpaU(YJ-NQJ zUWb|#7EZw*`6fZ7W>&Ylb-UU1H=$i7n#j!H^#Aw^9fjE*nHThss>N?-%^5&@Vc|Em zb-mT=^S-gEE{jFExaZ^ezc$GlACuy>O@@SW=P_cb-Iwh?{R;0N&C>#xp2)HZk=n_a z#@cn(m9DF8>Bvrd5X*qg?&|B1bhWL|j!JHpi{UAcQ+%b3jv4Yk=nSs zqkk57%bt#|=jN;j9u`|~8h_WHzLtucDqiTCRJ;9DKZ^dUV(jYe>r$QP(PiW&texd) z2Y9=&yYQDo!k3<`4oN8;zAwB)SIFi{cpW3THkYtvvi(|J&3FO0l^WrsIwDk`L281K z(4X^Y?2fm?VE^6VkkibpcY)Em@kdD2{9#yKyPq`PsK@|zq>b{K(O;sWxaY&mVKxlH zLkrtBnS%k#%-rPgV!umkQ&is_>gW!~wUuEX)BHXtenOtq%RHY*z$FdbFdifb>}$rbt8h z^ILG@j@3E4+pfG3PS%jZU~8&53kw=LeWf_rW7${*Y+qw!{i!X}kVX`jC1HMEGf9lB z`mnSKZI84f`)Q^gQ+C^}U}(#c`xbatCP*yO92ZFl7!^Q8SdjkCByA9a!ox5qTu7@# zw>kmcP-z||?ZJJ8$P5u(Mdw^Gov{k3D~!a~n$kkUMcE5sOQV>=MEEy#kpL=bRB`w? zbhGCS-9n5uCcDQ8c=-Wi1tH@V+7Z)Tfntnpxi4C_)j0v%th!Vc=*{(Yd@gTM)^-IJ zB8)g(cQ7DG?29XC(YqKR&!{CeK4&`l+0^cz1$Q z(B$~OBX4sE2!6WCnv2+B^D!un)D3NUA~0jW1p;CpC)s8@W!@Xl(ZTQ?QwFK37&*XV z?`UOt16oJrg?vGQmbW7y9Cv#3alvp*%{ z>njvQ>MM~@3Ay`n^hm(@Qmv)VW$Kee$_F)X8<*X{9%B%(5g1Njxzm~Pl%HIyFMrUz zx(cY>(b263**>KCa+|U79z>l_?`?hZuaV)Nl6!Ra;=z;g`7F?rA3tmAwjx)Oj-0$y zIYRiFeLiBBxW|*aS4P$--(;AoC=m9&lH>bHRCWBP-Yt;-glbQmZm-M`BoQwJCD9+v ziyNkDQhcy1UMm+7JL~H_EO1F;GI3HW(h4wad$9ZzaO>%R5ER;Q7s>y8ZUReGSY8f! 
zBA&Ditx7P|eLf{fLEPDv%E<;?porB5ygz;dW&Z~4GR5{olK{{*Zn zP=a_Cm*XP`ugHn96Bz_@2SNW0CER@l!M7$*ANe`_owT>MiyrIK@d?)a8EBF`>nTP} zfT>c<1d~V{YH`WuT#$x5%;sO6CD9K+9QB6tIX`e2KHwqVnZMU_aC=6n4pkAMH1D~( zZy1&wQ9Jz^#T(_nsbfwYOF0FKx(kpxq|ts4hpL(_bMV8P>%&Tcs0xAkfrfH_A$g6Q zEo=PR*ccgPt&*enrohwv%;TKeJbe5$EWxKW@K7P>;bLa&(Oq@oYW-p=YdfIw(QVK) z;z-M^7UGn|HmQ*|hG&*sRoUU`n*Oir>A3L{X?5m&!Kx<S&o)=Tf-u<_NbXy-G1Q_BXTyOLeYRxNm9Q=5JPUXmJQ!*Kh1jN!ws{zE@k!tIf# zqVU)%#}u2eQy7p?1MD1djXm{$=IhTu;(jMQ=Be0{U#5flEqMhfff@qK zF!ILRM8891ZAR+Ieuoeit}l_+DTPKK;dFx}a+A6#EJ+oDP?&GaK{PcuJL4A@_pReZtN6DedoG5JU9#Zwf zTNV}ggYF)WE){fvxWn_1!F8cTZPBw3Mue^H`3R(Y#Eky)har@GNi?-DZx8}HJ|^`I zx!mA>+>;=+Rqz7fAq==v6#@%g^L@aHlJj0W^i)53@VrK7;QE&ubslAPq$eAv_Dm*h zTuNvNq7fvR)92!2&F1I*5kG{jqIg0pb%bmJ%s^DrchP*-AHix=No<&Ay~K@|k{4+7 z>ph!tT;k56Ws*5^ zKViK}EKD}(^C-8;JC~OEWhlZ+cm5z&{G9hpg;aJ^ukt4BhOdP(0H^i^XB*vQazimI zXxeEbu(Tgo3!KK1>nU8=l~2zX%=oEZQy-Skzl=bnI4wGiF^7iewq*}F7@`I!!L23p z+g*Y#5hNQ2w0t(9v>+8|OtdOMM zTYG1C)AiRY$}_t!|Efx}n&yH0u8?T*Qfvn|+e)G7(G<`qmwHfqDWPbyD&5|ZL0(lR z`K$Ok>r#^@A8oI$+ zQdhgeFR+*{9lP(dIQe)YwbL@Lu0Ue!eMTbpKR>@HumxEW#E3<~r6+m%-r>a)AhR?z z(aD;4$XfqV!be1HEO=>pKrn{0lXjw1Zk-U7AoL*c)kld_JKl*TWbKM{ z<$rI}TboK?!4!dcp3pN$X-o%Be#{|%$mMaaqu|4$nm=In>fx7Yd98~**`p()yY`bl zd|*XY&0wEP4!nt(|K@u-A%GPG@B^yjY~}+tfgO}w>E|w>Bko9eb#lAeB#p5O8Y<<{ zWan!ohHXn~IT%eOF3&)8ruApim{p=7-I|ec`Z{LTtuxbYf9xh7Op>~_z)%oQHy+11 zCWYRvGcW8Xa_(sV_MS~)#t})+>YbPw^pY{{+vOahl8R2C_K<44z>$gw1_iKUk|%Ew zbH{bi{E)d9*|1O^raE@#XX3Ni_EL}Qi}|^~=-(G*%!)j=V8elI-cvQ-fJ>)E+BBs( zgod~W+LPl(}Y;MTu2u*WJyc9J(H7;fQ8j7k8CSpHa?vcBZYrM0u}-iZa~>U;r=f)j$nSfethI6Ai`}YvAaX?Q zMwJxZx6R%~|12v2uA+=)X@(q5hp?R$wNK8YKeY%)<8;C!WQM%B6Ek_9Ue38;Q+@O( zFTCjd;G}9RLYq-dJ95;wzDju#&opZGlZ=$@?Z_xlHXbZf=^bln;t45*x6l_rz*R47 zd{*I79^`yBjh=?p$w@GSp-6_^5Uh6Ip&>&4+IT@IJZ#3o4a`urA_N{FRCk z`k!C{p4Cl<8|Tz-P?{>V)MCR-30_D5BV10KW#Bw{w&lJY=)9!JFs&)Q)sfl>F z2}~Wx3$mC_*$&X zka=2h^|LOj_sm0`-h;V&^TH(lj#T9e8}ii#z_HG1x8oocyz|NvSy9I$`@eZt1Dtnt zz|Dw29o99I|3B~ObplSII!{)*=)yd40CZ&$o;VQ7**`>95QMrBEtjk`%2vTf1_B3r 
zCgI`hJ9}OHE(H=f8rpxP{u(Kws}0u#}<3l6EYaC7q5Rkq*c)@WNdu12UK3N;si)z|9@stE1h48N^A(gmPQ*meEn%tT|jfdfpK9D+6_#c*kcVaM7j!zJfcNI z3j$qFwt6oP@}V5D5|N2=tD(w--AQK;BXUdMMe)RgZ5>B1aPxHqcJvErgG^6w$B6m# zpJjkA62P1?0YIg&R-#F8o`9NELhFNdz;%1PVm$|f7*u&2G>TS7kd*^ujnQNGSK~{B zkR@O0lwqGGVO+|%V#EJzus2_jb97dZJ;C1&cMeBO>k9Eu{Xw!LNpV&qH8tUL)1-@o zyU%;4F30#gkP05}dU9Q?yjvjTrqEXHaqXJEjK=gDTb)!E0oZrVe9T zh%$mwm~kkVaBp1v`8TASs^_M>cKjCb4^>lErHGAdF6Z<&SK1=VlIHnCvmpZMKuN7; zGn?HdY%@w7Z_saTjl-~o5zJ@Y{mpT9qcFkm%;fj>zIQW`Q`+!rSV()27j-)Xdf{cg zTY?%s6etmR#7g2N#_A%eRx)wt9gfBnTyfGKv7i;JsMXaA36QjC5 zgGc!kKE_TqF#kg&hEx2wsv4xQ&!eO7??s~0_K3=604k5G(BVjPfY?i(aRFGEqJA>O z30Qi1b0j}TMpE?c;{m_7EmSCxaLpfO)W}c0(OExyR`8R4Yp2Q2K|3WC3VOdCk1jP< zVeMTfBM!r4QUB6eWF#@jeS0LoX%>fW4J;(VIUM)eGwNTsP8NZI+%OVdfrf^cw{8~b zH(DYT0vN%lVZ1-mOA!|0dX-g-Oi?@DDNYh~sZII|Y0#NT9uk+Yw>PS%Lo&W3;yXeRP5sjcKAb7gRcN)x$3-?K21zz=1!UT5j!S@~0*}0H z?ookb{bR`{WNpIMiE&`YhGg6!F~;191NJul4xlDKY>zq5v_zGfBWKK9@Zvp^!w$vS z&W4J(GJh0b;HWzwr5S0LG@{=1zls=CiC|w zXH8meY4xP~HkAhCupBwjR^mtKea%*-%_vSbnpVVmQ!#=eURjZ5ZU|#co3mC&kbXkf ziuz)uHS9TxUb};6VK$+s7WeJuG+HSq55TJD{qA_!Na@Q%{@ASaqiu83GUXv>ZCu;-dbw+(y4=8CsZo-zJ2jC^*$Jh)M?CY=S1%0~MjG{c0vUq4 zXh_pgM_Qk0LQj%WTXf2e8*Ni{p=+pJSNR?**+mQa-vKX`sb&@*RLhq=EyD| zH&|%7?wSg39j&-JIYEh8le*Vz4X{|;p`^EhouoDAMNW4rnWV@nFDnt)Y+K*2>EqG= zzFEavrS7&yRNw-G;WCtQ5CG+tiY7oH6Z{9{ zqKh)Na?K1073@)&vI)VcXs*0Q#`C|KXDcwDyB3>e?aQsUIxa;pBzp=elqnn ziW-?ZOnoVk>L}*O=pq#EQRpN^pjfb1rBwL&W)JR|&|bv+XG%&0P3{>o>$`)D2X46X zMkU7n;cwaC^i4?sjSujAPtE`|?jh40RFty=AG=GeDHso)oT$4CA_Ke1`Atts-vnE` z%fXuMXDWnm=31X2z)$Up5|BV?bS>7j={)Q<*yTgrqhb)wt-#Lh~Gy5V3j!Y@>i8oPvM^ zP30EVDU$iBzI`{Buj^D{*zH6CLGeU+gqQITT-F=G#pO0A4T2km<=pL@gMnBmY@O@; zU)BwEyi&goqNWPz3DIh15l*8cRO})s-O&##SH~=RjJ$^C( zZK`Ae!Wwm_%qV0ze$XJHIFK$M^oW!ewgBs;)jLn~9sh|R+$gcNX&3|bn0T-QO_%~t zhmJgPieivKacV^7VC0q7@cYNkuO;w4h!IKKlA+{az*JkL zhNC9$#jYr6oFV#eu|1?x4IPa_8`cfgLYpGd&4kkb4jx|C4bj~DpTKL68h>(I{mnNc zDaAIcl*}}mrfal`mzz)j^CxU3tEz#wJOB4#fX)9mC~OwVUt#82E^zxH`Z)@tRe*zE 
zg;LR2hoJtJ1i}a}6!z#$A1iEXLOq%c-}p&^{r~(XurF0q_=yuPA-m47R$J9H=&Fad ztT)fB2e#7p?R-5W+m>6^{|(dL|8tUq+EVVoKB;tQd!SKuXt{L_Xt!@oq#WIrt+Fzd z*qW}9C0>3y`!7g0V2~r*z#wmcPyGKey8RcULn~@U9|Q<{p@Rx=@T+ht9P8lp(`wZL zvz3Ew>)w|ay#AL$ZG|hhAjF35-pG=SDGz2h3)%&F@f->I2BOJs~I!!KbP;`l!CS<=y5u5%PLv7HW z72fQ;5jSK~LhrxxR7r(F`$-`OOYE8ZCB`gw%*!_15HEV{nujAsfc9tyMM}{ARR@Nm zPIV4YwCT42MH@CS#{YTD|A{tz4xNBp)DYTyOl@SqZ%s7}z;Dfp*x(UH+(Aw?AWc@Nz|ML^=riYfs>rR9=^sq0FY;pn^a!C=Oe&zh-LOeipx zg&@v7zp#%=pc-fABITjbddY-vx9pLvxUp#vy%3k>S#|OYHh^;NdI%`jN~e)A((WR# z)`liBh%RIpA_mHUDoweUuw^rJv}hcFOt)i7Ci)0A5Sa7nNA+j-A)qMp9cc(A>@eo5 zFSb+}K^=CUn|A$crJ-Wag;efmvQoph4nvR7N){kPWIk)lD z?LQg_aNtoa!~U{z5_XZ#L||G=;8-wV%+iMGyi*mCW`|5;Pqzf^Ib8FP*>Wy`y*OK_ z@6UBO`}})tb$4G_?Z3-!*4`?6drp!=)DG0F+cba7j&dp#>1WkG6)h(o*Uu zoojx(zw!n!)CyRrN>ZG21*cz1$A8e!d{Z}(b=13hYF%N7JhiwcCiNNus!lCvj@Q>Ayx@$4f^jQ{uTmwSHT=4c{;zC8wlF<) zX;U1QK32eaf*2WR+!8#X_(KypEC`QQ5P3y1w-y5;L9yK8WRg6O)&!0&GCJwkY$X%o zbvYB_CJ+)QeH=pxJq0%v@zJM3Y#nkj*3Q*dHWJ2zzG>vktjXyBAk^1^ibs?U2=xX9 zQoR2U_4PTRUutYb@H7_C7A)wcvNZtoOP45tcByT>-XZ4XAl=^4POsy^D}IbGVSAAG zCGv0&g|o2}G3w z&IX%Z3E$?BN4TDt2)^(1fn1n}D$wLdx?od~5zQey0L0r$5wwK za|haP(Oov%YE!Ij3hYPGwgXjx(=*W*Y5wO}m+#GdH;g-qIsoAq z={<OS?9WZZQl^j?4U=@ung?ka=sXbVd=m#L0LXy*y^W^xBY?N+Sw_MFTW&U(5i$8QleE= zq*&kUTp(JyEm|di0k&KOb0eli&XEVnJMj`nfk0;(7}F&V_apO&k&g|Lx*h;iI9~Lr zQWzPmsGFR-qutnQosLm-N}2~sJgY)F8gob0M5s#%O7bg*Taq~$1YuKDyo8PKree`g zdPFZgKmK-CyAt%{lgc3)Wfg!894Aj}l+N?UtP zxTzzc*-e+m?+B#1e~%j+_*^<_p;ENaqD#1}Q8wl!_YI{tFEcs-YiPo)($@aBhGw~c zr~`Z!0gXZGrGv=Xx~Y`L*%~M_xc*yIxcJKQ56J~b`F%uV0ib~Q_vQ6qEFSO6xWE1s z)<6Uq{g1Tpk1CgnA8q$~6xh=bxnsKHOrJXFgp~fIcPaKC_9Ia!yu(}ph0h<|`;%s6 zJ|&=>L?J7_=>RGmlMS^b3Kk3M5Qd%t1`#}_pecV=m0m&O;}qy-r^KffdhJ@esnB!^ zziUYR%mL`{IrSaA(_O{utC=|D1@Bbiv1w4avLV*AGW0njlMCy`(PXPu2HE!(= zdw@h3|AA4yWs-!RP}qN36qskC2jEB3>+s#F3F?~C=rfE_*w&H(YlZ(bnpBIa_#9Au zli^cXaZ!i^!CPs*?tYK0Q|{&`eLc2XIl8(?KqBs#u;AtAVg!>3=^>Na7K8K%_+a)A zBA-KiLCJD--oq+YFa}C;BgK~hSVY-W3;BD{SnB4@AcU8(!(xSq>cXBuyS7W^PO0o3 
z1wfIgoeQAWcVloH>^R`g(iq)ZhGK1wI2H1)+x%+Aw+U`+GD!hfa+zJD8L}taaPOLS zI97az@oxFJ(sP>X7~;c@=g6NO!`M%&xAV{xLb9u;FeWK zL*+y*?=lYBg?+h(%JfIC2<#cd=Y+0X=r$w}I=b8o*PsTFAxAP1sWM%=LSs*xEgj== zOI`av4fN~{Nl>3!=P9H+Zl@d~zBw(QX_D*!tM&`=uPRW%21t(&`I~0x$-*q1lEsdM zd%R70bIBe)hI#8chHXp$Rt&nOX(7J))dHQ|@6*lS+uza#LR=_BME0(g(ZoAn#z)pZ zj|2&Oi82{5J`+CCxyHd)UA;t8tx#wDaRozVv@ zZ>{$A#E}ENgXr5)U5o*Zu`zg+jkhlpz2lrr$A6~mA zo1#qXyQ>NP;C5U2iySTkjruDLL=KG=9}!*zLFrsr!EPeLtEL zmRwhy)GrMUWp#}J$VF#IoWelWak*ybDyS}*VRQkk9huXH7wxB7MV=G6i%_kobL-Ct zRqu@@JDntMe5H2MaISv9Rp_}3@AP?M^xv7Vg^|m;qSu}+rzDNeL*7hc z`E2`mCz;t#`eVpC>GhONdwWlrQV1&^uaA-BT=)T6i7(N ze`PyWd_#M@crw-cU+w2sz&3*44-k10x^V~N4p&Mx7#7=TxDSuHZo4V2mL6r0&T=w+ zoib2YMsD9)x!zmeRk~kjHxwRGTzn#$Q2+yIaT!Zgy^(bFS4`wqKe%#i)+8uUprdJ@fFFe#DGHsUZ zTkG!wV+U0BdI}}S{P35Lh1=eM!F4vP3Cn)dUmx&a4mbUoaQh_awc4V2Ifs9f0s!CP z +ZSg*|ZbNV2h^-&f6W7R6g`rA-)U8#{P3@p!TW} zl%;x_HY`~j+iaiV4H(bDSV?}3E1l5F9mqWrJ6M} z&&b@i*_?x7QJ6em+GcKm9Q!=h);bLDKieEY?md}r9YMBk>8}uq*;ffIrp2oBA5F|n z$vLFlg%Lkbrk;-T#$Z_EQOh3PMamP#?su!k&i=q z63+!xOp!YFX*D>`MKFi-J%f8sx>s@K8kF1lkk1`w-Ag~w#Mmy86xEdX$`=+vxSUFN zaQ>#JPLvoyl?U-F?T`xR8aKKO^OH2sRH}e?(5TSto@X#;U-r7-TzIQply4b+}4|LWvC*$kNRL@ z2L|`ROSfx60bF`7)AjeewX1jAC;)QcHBO;eCtZcd8Zn#O^qD&JThpG$-dgByqWs|$ zFO3WFcFxvd@7lTPbM~_}Dv%8L=JfTAH3QB&k^H)MfBgvxf%(s(2qX7W(!S@YH-idt z50SO@S~<}Xk|TuaISYf{1)=WBt5Iak7;;NQ_zM|Px-F`jPV4~9sga+}!;>xru#Y@l z$@tr!@nTl_SBN$OQ#;@)p}Tifg$!TU~k!Q{_ zQ^yp}r@p9~iMxv+TdK<63Tt{Pfn^stQyo&aRl(^KP0UPM+|o1gyTR9iHkaz2-W=}6 z%f2*!YoBx-S0#zQ4#v)~WhX2I$fz3;hlUuW??Np}Y<({l!*QJ|L+eA6{G_*Eh_~tt znJ5P{iGY#s;VDDNdTUr1JO-$)b~SfV-V|x2EXuHuZ#(x|Q{0C|mh<^zg09a+Gro0e zraUH15A}uY*RXtx*5ZSz5*7rd&x)ITH+d@Rj^J)YRip-dCE>H0dHsO=GRl(Hr>KvC zAUXz;*5|Rn4utu!=ya#$er|Q>Zwp5u6i*M|U4ZnWbkBvld9!0qUqPGP>auu9mtn~h zrb4|^g(z0J%_8=?`qk$(%qIUDZ;%jYq<(92q)XY18eHCSpmCE+=eBfR{N^-)hpvrb z^diM}x8*a`_%^w2mC@HZ_UJ~Hn=5ZdG_ZdANOJHFBspCo=b=8TBrFNxAs>Gk9t%(| z4ajgc!#X-aEGU9JYgd?`Ux5d3(JBO&oY?0l+O!3U<+Wx^Pe!9@L%bLHX>TqfTY`7w 
zvmv2mYMCwBUnCO+obfrJC$O$M{1N7udgDe?-J7!LNR-#$(4^cdKkD9QocxmU7fbf8 zz_i6p=_Lw%NrEw<4WqIiTcW*{kXWDn1K_YtCnkc0eL$%$=b&U8jel`+|Atf}-;|0Q zl$evAWtCJ^31zKwwtDR@j5JtmBbjBuUc`+cDP>S|r&0*3xNaPo*9^LngbNrFl3%gi zK^2BYp#wlPC-WtNn`c$B8Z;eMQtYNpX(2cZjieF~`ZvwKgY~!m837|3%Ey!#19ZyV z9G9X~RJcp^TGg`BVNf?w(rnjyoU$t-6VlD_{VvHmFNb7Z%eu7TA50W zdF;GCH5c9UfP|g@{rRvxWXP#`7oY@oyDn9mTAiQMLgN`y;N^JWo^I*&c7Bo{Z;g-W z{m01h7yeb4WXlS~dt82?TWg*8|=5BMixo3UVjb0{)0XIklKRfyD zEsQj-c5F6Hmh0Pu1Zn$k;G`<+y^?E2Zmh0$X4usvo_Hz;Z>DiR?XUhZT`$8O{8KHg zJouO5S7B8$)gjvUJ&F6GhkEmk=3OB>1SRDe^*|XB8>{!tB3n}U2v(qOp7QFB<{LJM z{*fzvF`Er@w~&?y#On`N!2bXiMEpBF>&Fp%@GZ$e>tyKPWPZBl~2G-DW^=7OH!Rt^-o6e;fbA_CAnOS)r%6y(<=h@8`D2$_pmgn&(dCU zbDwgrIwf74F_j?*b~X$Nb-x~_$Hjgzo&Q$vH}24 z+h=&Q@0L8D@P84lSoF) zDGw2wO_sw;+NOe&!!0c5kr}a4h4VWJO4Rh;lT?6@v(M(#bKBE*P8)pVukc`WM1B;Sr3H_@K}^T8quv{G&(Y?M%V{sH2RL? zCGt~EPv@WJ-RY!QD1SDdjK=Gt&79%#eiRTI{`^2_?8_zBgz#IvF8&`h0{MZ^(0_G0 zXIq6JmaQ~UA(s7b$x;9=Sz!-#AsngT4n3h5Ptqb=hzzuOr#bRbg1z*`8M7%aHsC)3!G*{Gip>?2tV|>FDYQV`R3bAE7~L zIibFN_FVNcHbPAA3q_q#uQkEtxS#jOO_>SB&dfwqfmj=dfy7)VADkOY4l?x(MJ>EUjUQTO;qU|tYz*4G&DMWke?wL+xTM6lV%fz^{LWJYZsj_<5gWIx zO?-La!kp?{uCs4`IUmLlm+!9WZ%dc3O}3j!<90PaQmS@dU*0ykm+4w_(%hO>gV|-q zqoQQe{O9Ay*N~I`jTa%ec;;PEXyz%)7*6V>(q1hlUw5x3$!ITNgPmIw_?+24!3N{9 zU!R5PsD|k1MO$=pIh8XmbP%bCcI=?hqUv~ETSR-}+$nlp}fTzfO7B+oN( zoGon+#fNk3Q54}MAUsn7C<)J?$vQs8sVzWHt(qXq`@)NFEatp@%mb5QUivwnK8-QpqXcNi6JCvMkWT9~U#uA+7Bt8}-fOp@x zuzrq1cWX%=U2~)`zVClvQTyXcnFYSPJ!&vjnRyibFoy=CTB{L2>2hPksO6E;g_-<1 z)T|Ib3TM`pn>-LNO6ybdhqmbFrd(l&&ebKkS0BC$x5x-F0yk`4!4^bB)aw`_I4;q; z6?`2uwI_T(>Ewp{tC`_F8$|$Xi{-v4D}iY;e!wk73KDp0Cr6+RQB**$4!GRIbO&?9 zMb(c`E4|zXGdlwyRCy_A*Q~0>6kA&XJ2LM)p3=_^{-J2MN`3XdC#>0d>ys$o>-mZU zm?wjjn1{^J7#c&DDjs5T*D1`Ve8ooG@&b8SGv5 z`CUx=j*jgVu6lKDU6YU_JXtCJBV{h}Bc-BRV!MnDI4f$Uz|-jbP;_Mb*cZWEBVx_V zHGsKVZ8ZByz1u3vFWsq1FymVxdPY<)%}_L$IG7_W?}V!P@Tu~AD;@j=$@ItXQ$Jfy z6njDGqXSaF(P@4<{qtvpg|I*P8EK1u7}Dh@&l{+))lx*+P427b7M#{sANMYjmelM{ zH|ieSL(v5YTujvdoTYy>xcc-@u@hKyO`*Yo=$$QD%=ZN+{H@gT20ffVsp8SB&+{Lt 
zBS2}=y07|;rAZv!k{CVZm1*9Tu7<|x0W$H12XY}0_Ao#!^GBVEIXP7JHy!^$Lmg+1!Z2Tj|&1Y-5B6=24!w7{$9g zeZY(=bMRkV^f@G=+6*#=zYAYfDqX@S6UobG76iPj$UAEPRK`niHhYT0D{gk!Ga3 z@bM*E1;^P}Ohb6TaNY6mGFh3Kb01E(*RA6&qHWxsZw)TE%e^-ARE$ta%s+NEE2SvG z1{{kfC;Sn4Y=;yAhGnlca~RpBv3{0GT0-s3Y=b4N?`B|RPZz@bK{F@e2lGYFW7z`` zITV7VkbE;_XRvOGKLb*ABqKPHbL_IlH~l8ovWI9($+q3HJeFa_>6wB_W=@$D5lCHa@njU)p!KkU8eiJ7}D zDGQw*6`c zX7-%vc+cf<&B~04#`8t7d(SNeKb2dFc-B+Maa{)mV%{kcR_}Opt zZxG`N9s?H_OO3tJ=y**F4&Zt2F&@cqw)lL_aaIuPojTFP%zLn6LeSoXoRX}8n={?F zFMKcRLTnXMyXTr#U<2&Zn7oes*%*ihQ(1M7=pVq4{1u`2q!=8}LSDT&NEWzE{tGom)>Oj=3hvP+Y>a+9^#(jfwR1nReAvI-`FS#NSrY2sYG;Kju5RD=l_0gB~8 zLl2oKXjtx$E3oI4ts{-3O2)gT2jpzzyF%N|o!%?xBV}sEvXnt18cY4QRL1>%9gLBp zC7J#)-t_wJY>o)fVFzMnhH7P|P=!CCMqo>o-}zm-4U(nAeCTAYk4i6Q(o_Z(%i^yX z1TilF%GpJgtq1_0+@S85WF*|-egr~d)VAc6VK&D3F1gz&A&+b8+lUBqh+X3;$BmK^ zb41?ljR+lX5ao>c^hM2=`n7i-OG`rNkIVve-eWD|y3f==Sk^14nP1V1kq1~?h;9@T zY{ty5Tv7tUsy3&VnzbpK>Glv=oumF;ct%^GzD$_&_vMiAg!re2DTB6|Pv2CAV5)R4 zx{E~hEaE&u3q`7Xw_K!GYwdAWFXbrMCtPar&~k8k3+$9lbj_DlU~4L3h!1Gh~a zAk%*C-IBTGbqjLu*-a1j%`JVsx=WZNC3?ZX3#rT!P|By7+Eg)_WPk88NzFtPA`N{` zTNauf`qg|GS(X|(u#8A0uq`OT+F#u)&2vBT=Y=5^0mfgvAn#$T5+1)xirE)6Th&v~ zTL4!?@(U7CMuA{tCjxh#nKJRWU<7z_!19qmJAcbCP9=B7s=;wQMGlk4Pw5wv_1}3n z={%0#yrs@L_i0Z-ZgxxfZm=aml3NgwSG-&TSmun$F;T{8`LKz9iH1Z3jbf~H%4+T7 zm(*{KmVC9oY{$y2#7sChT_x6&s#5XwrjL_*S?=1K5#+&pIVHs{%PW-GQ_H9m0q%rk z(q%l+39>TMI~vJ`Q!M3%ldBMH@=>^uxO>b4q!}=`k2a7T1SRREe>l?Bjij{b)$BBJ}V2VzuAjl z^$reyE)j_?2r0r6%woxvIBLff29z=es0B*K1%K6dtHWVi_|jffspn?NVp#}FD<(Xz zAQMAa*^>nd*N?!_epYWlK2ElNyz%!rBA-27M1G_cO-Q{$2$-Wzh7v)i)iiExMG|WG zEBkbxC$zURj{Zx$Xw_2AXfCJXA8;B50jC^05O5kcFIxQ{Z~}(^A*UjbOiK>|=G78o zCFWI73!4IJVPOzAil;93a<;I)0POxf7JRtbu1tsPI+8~%6?_5E3v#ckVAq5OP}O&k zga1-33&f!9Qc~)~pW~h9iukOU`$GTeZuqSHVABmC;?Y*#+ua zXdjS$Kh<{*aU3EV1yP+>7dwFoZtA#9CIp))}^=0ftf zkAKB1vbS>VBlpQCl|u-e%$d?4qu-q=$qh3?xdl{c^!!Th_uWKaWyx#{~m zb``+ng3}g?pfCLY!b_?OA=rtdDkfC*-C|ef;h@=xM>t1l8Vwmp5>p?@G(KP_lPVrv zC&WJv1;G>E&)qaY?2)y%H$q$DP>=4-u{Q~Awth26>QKQ&*`L^&7Ohh^NnS{|Pq%q3 
zpa)!$8PaL)TwMtFtSQuwY~i9V_`+S~mr{1Af-wGwKP)c&Tt^)*4J9BZYx+a_!!u6S zthzCm?(N+0^C3ppFWxT?7|Gsol#h#VH`_fE!9>j?qFa@h8=)r3tvRXVrqi{NBw{!! zjTKn4g$X*ibQD{`zfdJ4?%D=z+-uh-x7`3wo__P1Mv1M(Em}i?fG+y9-ctTR@Q36- z$BD)gHqo~(f-v7o_#zZ$H)iqeZ%KyxJz(X$r&wcF7$r87KreyO9cV{*B-;y61KrC3)j=LDrpE*z|qeRHimb!jv8O*Q8 z7cvIo3&D-oJ`RG<5RdAF055L+j8&i{((Q@N2%^IvQ^uH2NGUj_$JE&{-0;nGHBLiU zWEolL8Oa^xD#%!C4sqiN+v7wP(;QCp-?Q{le{dferuFl6;=H@ld{u**ZzRL0<=+cc zCVxCS8FfHO(05F+0#?svk zF!VSZn6f6Q7Ifdjk-BH_OOal%(Q`J-p_6drfMkFtj>j7*d}(F2N#;2!r7po8>kaQW zwh;_+ntCezrPT*otmq`fI|}Wy-b$E`xqW&5WWZhn)M$aih=$TgKU~ zgq)k#E5nj#*{DXQO6KA5QHn{sn9c8y)0dauGzs6$^g1{BoI9&EY2e{oxG}atXN#vK zW4r|x+*YI_(E4ZiU4En=lE0_6M~+3NVx7+uW|#_rG~3Flm{uDVzvk>M z)NY1vvwJSg(_%)6HTFT?5L;Qb*xp#J#= zf0mRBcY5Y9JPdDM;(Y}gE<+N0w&pDXyA1erxh4kP>6|fQF8*oN64hu9tQ=I`z&b(I z4a_FtFI1=br~g&A&z=7m^G_b)1y7I+wxv8u47Q*LwI>UDP?8=M{k=*4A;1U0x@T|= z=B1;rE{o?DpYyHzM6#2G=aluov3>dE1&tdAX~AnZHd#-IycbsVePJ0s+PI_>PxvP9Of81ExPO10oSrhW>&x_@< zvZ(>Wd+@YM&YLnj>xjyh00eEWj@!GX_zx0R|^7UFehQ2&w+wVQHF< zxu6ADd0jCAfbgQ{zy7BQ+Nw33q9kN1!Bu5)ZWpZ991W3yyn|Zog#Y}>1a6>#nI<6X z=Q4O%7Mz*@&-YWM+{@S2L5B{ykq7Xm$r0Q zqP1*AM)y3{ohGMo;doWi2;?@)w=ojjt&r+6j@ES7w>@n&*NtXZt-mrGxgnmgEbhTF z)30V9EGVA}gT-d6pf#~(SrahtRHr<!jQOk+r+$gRtq#SoM**2xAS5BvEX z$^AS$Vl5bec+K6x!(qZz^+!llv*qtH&ULwOCghJMdZsMACDU_{CJ|A~|AB7Cj*mqk zcVSc7>rw<<;=9{q(5`Kty8komM zt4osrpNB(h3j+yZh*Mu#>DSlEOAw%t2qRSO0PGVz2R{-_V(&H!(Mf2d(a5^Vi)gh` zl0+#|u*ydQoEGB`{Pj|`KGgm$_FF&qz(7YA$&KJ$QhR1It^Pt!CJLMBjL8Ao4qBQL z(o%_==vU->G7Q$(B(ujk9Wz+i0WM00aiyLSMz5EMV%Jr)sH{Q^{X_%|BBOC7=nK99 z;4o5dD5pY4lD)ycF-$nN!VOE^Gab@;?CCM!!;?QNLh__LtDjdp8FiuZ1)~KU>iYi= zW1H&!Zx~Co%)Y67Rlaie+c#p>>Ky#Qw2y_AP{5^dQVkdzr3L&%cQrOL(}p4o`mr(J4E(sf)#9XUT4VWesG zQMjsT&xqx?nBuz=w4zK|oXt3_ z)!(l(A|8@%EW*?pxX6zMcLhY(*0fYAlXAP_tT@Q$v{hIep_jQ6@N`65_q!)UO3-xzow&@;-`Rz$48VjTK`ub*6xfQOgkoUHy?_WBX!yIX5=;Q_JX?MX)+J- zi(57Qp*2na!bqKxJ-Hzj4kkPFUZN|nKcfJ1tKa;A!m2xh9Ifr}M& zS+YcLhB448(6MT>sCy_uD5PY=tlLePxKrUAmeC&u zKGCM`Uv`lIaIi50alcsRn9Z3rkdvDE3z?e*jN5(Yx_WJ325%o1eLW67I7!NuuH)3j 
zALjYd6Mo8`%~P*OKW$2Kyz1t!g)5D;IQchhFn0&CE;TM@Egp z!DX6u54L=IptY4JqfUH+dgyYk3K#A`mQi$&vamTdAlpdhiIfFz{c~SiYGCfXzXK~x z_hV`a;$^(N_-k6HrPc4bsV-1~(?iEdRIY(lY)+Mut${uDuuo8&sNrPw;qb%ON2eL` zZ6_J)G?Q0K^&!tb4*gd17j>rBr3E7 z16RRy<7w)+b!8&C8v&JNt982&y~%AChsVAF_CzAK+t6h_kpLKU9dmS#db&!n4@h>s)d*R_ml=#o*mwiPO@!RJ=ch-VA`%gnotCm z=j2M$@U(G=oRyX|_ife59QJ40-7@!PV){LyxH;q@{Pr?er#alS9pdOXAL3u`L|;Aw zX+cUn5tK7HUQ#`mFKQ0n{&qt9_aRZ>dzW;L{bTjo>e^AO1=0D-%UI{e z3fHP%8-TG^OP8>YVLrB2zjXYa{NE{cyR~Eu#-H!Ubu#*#Wy*65-P#`?mmwXpdp| zU^h;ZzQ9)tYQDdrXa?~;De%Nxi9Of(NuXi!0`CX#+vZ6=T4zQj6#Zl`Y{?_J@zY4Y zJVEFA48L_2KmP$9BFINbh#1cS;3&KLwNuznr^UC&Rn|{;WQ>}2h_{^t9TllV#LgBM z`|rO6+~$I>R=@*?<7%cMd-{w=4V*{jXic%4$?_wdfa;46FQTD&rMMNT#}mr zQbn9(fm9JDdn0(|niT3OOqy-TdMdEfark`gNPb?7?;SHtuhCxjF#Ep%1G4Hn5&C}w zhBa~5=sCfk`2^j+_uXmAQRW@|%}}VPh~imYk|-*_&R@kZpoklAd~$hU7oTAKAaT(P z=maV3DK))NgfTXg;jl#{vSqccq>m=to7?PmHUbfX$U_TF9uIQjGAPvtoRYE@Bqc4J za_bN^gyUAIYT&kgNqGVCNT-18*#v|pk6vGQ*|wsFC-?>;I|yT z;hiF5$s(Mu3(rfh33U6kt@67fS)BAP806?n^ML$<4nhq=wabBw&j*#RlwptAylE+H z7p`tb3wBl3zoGd0WU~S6Dt_o8Eq3K3Zp0iX^YUL=f)*GbL6*a|1q;;2dwspcGLifd ztYfmR*4vwdn7I$^X)0jzNpXLnb3bzOgrdE zbba5;OFPivY{-e-cYS!kE48xvj!}zt1GY z`e8Y%V%?+$s8{j<^-5}o$mZ~Gu{5_=E_QdU0A69-&a&%KS&DQF2ST5ZLWKq@KU6E(vA z>ym+4?E5;}W?mz?QBZ<#u!eWn3@33l*BY$+K&pOjB?*a~i+n@;Y;%!=d_$-{?E1|S zIBq=={n3##a)yYG21n%M5(~%*L?Z2%f}*G<|Uz@brOiW;M_b<#LVmA zF!?yy#F79Jv8F7nOb9^@`r#%UD{JupX5}NZ$wsJ%v;S6<$;I?8c%S|#Gh!_i(|SB@ zOw)SMbb!rh{!Sp(d4*-V_3Izp3*R{b#)Hu>LK{B^Q@2MWL5~N|*b8S|Giad9XTK1h znQp4fS$Q-rAm#)mr4+h>7~Hzz)27$A-Zq%QH`(MCgki1qngaOa{;WNqd+qVYX7B}7 z$WVSieU_8Ipg>GX_ZsgTo!mqdic6CsQg$m+G)Kv2!}-hhg!aIP@+`b{Y`&;qq=n1& zox;F}y$O9nm7W(J*mW`U!=3Jz7R!TqMWl5)`t|Bz8?CBrrOubW{JG0^3DB2VTCM+2 zufMKLO=H7u|Ga%~eR*)AAZ)bW zMWfztz!~QB*iQq4#jZ)aiT16O*{V`!MHDCc;n}D|t1h#d5MRG&?CDW`N0dEIVRpGD zINtljeF-oy5d^^Pm`F#1Q6$4`Fq(&oE`pmBNJ?3T3(q-6&Jl!N7X6}ue{Q(p6)-kg5ZfnLf8(HCr}_@CN)jd%%QN`dcbv#cp5vXiqSR7o3wN zg1}`C)9XM)7<|NzOi1p7^YFl4YNbjGidvEaP}By?9hs37KO#&*j*L}7n?SNA1Pj~9eZ(cR~Zz6FL@6-aTyea)3xC`|b*`3Yl@~AZ5 
za+fsfsDD*E8`D@;0ZHtMxXSpaM(fsHx^zkTY*gvwkFp7vTKMPYv2V>wPUd0fsp<|5 z#A~@NXR8Sk>JDp#Udn5N3Ls30wFZ)~g#DFJ(Qq&i`}^PW2^deY7+>mRt%VY|!7n?O zH>=d0{6m$VpiH^s=xo+JtAEwt#C-Z6wrux| z`@3?a)t@tQu9y==+hw;<55tSBE;G@ATQSApb{;0rZjDw-{J?aWt|#pD{aSMS@tbN< z;;vx6s}!&{-3vZbergoA(x0{~6W!rJ)JoXGD3@MSWuv%^hhDf#9e5=L9g8yxiyIB36*h`5$VA?zmT$N4G9zzz0R@R$y;E$Y6#<#5GXf1Ev{F$lCs zu`ky=#+;7VSFXz0_pCY(L^N_DUImhcN|{Q*_w#9v8~TAbH!N-<5FDdPQ12s%bJo~_ zEd@a90#A)oaYD0dY;o6(;a(jMr5_6%K^N?G$T-HSLiqh|b+$TZ+)Q`YFZB|Z_ytJW zArY~oue9v@Zo{7b8TU(`j7DGt#JUwhETHW#R$RE7Ov9(TqpniS(#;xt@!Rrc{?~a66 zn{^f6WTBSjCaBWd%IRWO#N+<0Etf?_2l}zViBXDj=n@fH>g?#O#4N7}a^7t3b?T4C zojE(cf;>IKg=mjePVvg>^NEQU5-jG0@uyr7w6ZXH51LibmO`PXl5pyF>L{8#UN%tf znOzPkieK_eY5aE?Q6G9i=bpKhc--43Qmj|dMaG|^(6G-%ZvgNs2@Es`Tpoc~nMFC{&~i>?2!RExya9*Pb^ zobLClHcEEAx;$p~zp@5n1kAI57de}IyNQ2tJX= zDi$o%n(MoK-j`AVvEfjf09S5e%{(U#m41?Qj4KCdrE~CqS<-zRlqI1xf0b#Cm-FD& zz8soN{=J!$LqoLFfK_!ovC7F#$QB65pEHS;P{|Wu!881?u0Ka$AHju;9s{`QyFTC) zROlVMfMlpo`9&)(g$P1z{$P3dj&e>q0$}{ppEXDBq7g3z@kKc=0?SScaj<#DTN5+- z-~2t@ZjO_sDpxd;t{~}HjKEkOakc^;Y4GvJaRCp~IE_|z+-{hvmb4=0o(mU}`~=0^4+{mcCV!{0sHfxS%4 zltu8OHyeN1Y}DM!_ zZ{E%cu_?uTCMF7HMIYV~&NhHAp`-9x-BNVe-)U0y*RVTiRO4TMo8ll7YJA0)Twb<* zyEwWF)b;yZmVpuFWGLpKg-2?b7*-(q&z4f6hk|*4F^vk5xzna4CwX4Bi-%P`z>#7&XxE~@*$8!I>- z>ASc?WHM&;kw*SVZ7@ylpQQR@!Zs<^-`E;RpfB4jXL0VFfj_YB0)-j!+NHrcSv)5q z=@ix0b8{seJ}2fylH8Ql3||j`hSd7S%NzuMpboTto(&tHcOPDv#J{{iD3WJ(D*Oyt zP?+nJdx|I_?+7S3%!=N!)&c#5jFmoOKa?2_jEWNsF)4mf;4M$Z3m)Aw2qza+hY zA9uFx*>_7N&PpdWASSMwvgU8h-BWfwFWu0y2hz&>70mdzR`*SJ<^cVymZ_&sAlcr+ zGh+Nd<64}I47pD+W0Ca|(~i|FrMNatIr@-Qf1oq6$ZphC^C;O|HpXOdMg8H>S_Qlz ziwM>#qbOu=dtjK%ZIDAQt-!y67m$zqjo^(H;lRvf2_0vYH=m)TG(a=Z5*W!79CfCX#Fjm=Rx>w`F384U{?6IPRXR zg};NiQcI^T@?_K<8=VIb!^UfWnG5jY1#NjYIyzw+WMpZ_iykxt+M)nm`6|Rjt%rem z`=c6=xSd?$*$t08g&X9zu3}%aTG;W#PDwUZxPNrRy1pr@zzSG8B}dUqq1=032QRi< z?VO+x_v^u=ip5mvYBVl5@TC!GwcaJ->%;DcS9MwZT(ILO!w|x-@BNU|6TR#k{kQZO zCJtYM=5>Tv0H*DgqXESBYyB+hm1)OuqOtCrX_Ashe{wSiLUx7C7+J`Ko 
z95K06Af)o%J{nCPdasGy$R`f!y*0SF?-3LVyrR6ke~ZShiQhW>HuXr`K51T<^b$H zK2;Vjb$3KLB|dn&J-E=XE6kV5&^J@bJW!!hvF{r8VE#LhwOTSCmL=fB7=IDab97#v z^!=tV^v^+!$C4In2|+h@{R}h4(;?S`wOJym<~7gjP;JN7gwEE`hFu$UD!Of6=ZOs& z5=?(yE)nxg9dFP>XyN3aUjdL7kZy%vJ`!o{M)X{V$1C{yQ!~nm{_eSpq9~My*)5RD zpsCKY=Z47vVplvmG8>nEM0s?Q?EU;~1uoIMBc@ITT`vPnyz3?!jehwIdqJ}Am&)Iz z>nUVV%DU&eQv0;y+C(aIdPyVe=xkXkihem`3u|cuBq;u+YBbW>xk6)QpCU7pZcqC_ z`HOwcGC};aT7Pg&3{RT%3B6**Y6f=qySaVWn_8Z-$cV;x9p{|dl{<~EOmS=ac8y2m zL>K6z686+gkU9}rL&h>@9KuXo%iuLB;&Hp2K0+J8vaSAts7j8-<9tD`O-1|{oaka#Ru`L4P^i8e&p5%swTtl6sN z(PqDpN|C-1C*tkpK)TG$^xtlLFLev>Z^|C5WQc|lp2fVQ95IyBSizmjB|U2AOP@?i zLl6~b3)%y-?sg|bBjsH|RGY{uKzmM@37+CcODBtREKD~O7B~8)@goY+Rx_l+mmaJt z(u$$`j0I0jBdID+9Rd>>C3Q}48xG|Bp0)X@^72k1G(qg!z0 z{bQI~&!j#ouF-Uest<4YnRM>i=V{@P)Sa=SFauICA1mZoJLT`dL6dr9Lp=dfc@)YI zmnBo@`#bz$b#S|b)amYESXb%*sMZ4MQz^zMGBKJ>3y72M@27}rX79xnt$|;{vk4p} zz6vM_DUDHIinWMAV0~*PFt!6g*L%P@9m?_*g3CQj9{WXFDN@KDe$Q-`t3Qd{E~eX( zPL!!pHI46)>_8%UUrKW^6HZDD-boP*er471r?g!w9DiPK&j>fj-iu%S{R0|WuQvXm zAW!*JVsvZZA#Hxd zb{#D$Uyywzd^F&;MCg8Wv&(BP@tG;l%YV;*E4@z|HyFGuUP>C2>lC8P9%)s&$i@~B zR_5Oz`)2BiQgUF6`gYVL#^Yn<2U~-OT$~}@Qr21-m=T_Z=VbSvUC2+AbwRT%kkZ<` zoHp0fO>zkk(yKbFWk54&EeNxD$AK{0rf`0#PaGb5)qgRYH~PQz8g{i*TVs$XoSCeW zLmw!-c>Zy8S{!9l2}U{JxtS^4S;*no*6-Z;2qkk-2}litGmMGJ?3`o!#YXZ}2z9CRM)#Ng?#n1B36=$qB^M38b{mG_4d)U>(#JtT)?~_d-@wLM(eB-K)-!(vu zo$4M)iBo<}t!0@|QGWg3zAi&)9n{y=5A$8-c?#gSD!rAkx`3oObD)(*En@sv?Uwp3 zx+y5)z5(=Wi}?0tKAx6{*9AF=td3axmr={hz~-1}mbxykRFIIN52^x^j*AC9GUwUG z0p_!?sVP$S9v5a8&6Y}S0HwjXG$YClS>AIERdeE3_s1jL<(asnyNJqyLWSqA7c$Ua ze}pQuuh>vVr$998+k6IyJM<(Qa5cw`rb5W|2BWXep^j%WIwb{>xtAXJI-)k?^3?3K zDfhnE6Y4>(bCy{8s(i_I^jKd1YFf1B^D~ZAt8+7g#JN&c2%txL+sxDnjDDNUWw#>b zkdY!r8?!86n~(4DGmSg&F>^q3@ZBXAsNR*{lNDcGWlJg`05JD8>m0y{#fL|&;BJm;SA%B{?7KK#qT zPSK1b(Rr~{dB)^Q@dmcM(Z|GD_lKVQnFp4o#laqyP`MS1h;4X--?dv~_X|&);WlzO z`X<*Z-7aa2k(a(mBuQ3dv#6=_sK`FO?9%m)j;sm!*vPf=EJsrN8(5*=CoRg2q(ctw zh(+u=V3$0PV75cADIzIjkU`k#~1k^E9ofHyPq`7g~ZN?ZB+ z(ythDqL?o?pR6jWk!>LDd-#fW?1dcNoy~ 
z6y>{3nW6{T;qeRtiB5i2dHP>JP=LCq1~p%^k%=s45-uyMB0jBuO1#dv5~TX4QHvMl~` zbe)Z#hYT3@Z$i7*JyNpCqk|~?^`v74yOtOY$58c~?zFcd2t)?;fdQ%5O`>P6W6NVY zj53m^LdNR!%pR8o8_b6-!H%lJq$!EVDN>M_T}BUI$*3KV(iz4L+vxQAfx4#;!daKL zNv;M9ua>2{6E;W$F75#ZZ%95XXaUvvK{c63W^CsL*&tJqx+g@2v?Dr+6cZfk#+NQ( zaMNuBo5vAb-In1NXpcYQ4L8z050Nvlvg!Ogrq|r&Wb97&;;6#SW76R4JX_I{gpc^D z6}(F)EC9aUv-e33d)wT01hi|hGu7(~NltBm&i`6_fE(8*<}YeK4~Z>;V~^vJx_KLz z)3zNpmhg>A2KI8cdXEE}1R5ilfx~vdDf^8b?soWe8;bH4Fl>u+{3%+uC8uidox>s< zYe_N)yQrXyr>%!@75K4F;)Q;_a4F3o#+|H7v;aiSE~6h)dj{dj?KV@u_pF6Pv>wPp zFPlba38=^-x8_dXNw|_K%{DY^e!8o#Cf;M7NfY~?GWLy>8QUIDBqtoRlGOS&^vN$j-6K`Fs0^iNwSgTw{jW zAUPC-;E5X3A_UZ(!ECqIk75LCkXM?VP9QREtDNce#vx0;W zPPj!R;kBP^^fyWT=@WE+#U1%a5^?%;cHCrq*`kq+2ks_>?bP2u*C3u?p;Z(g%TA?^ zX5_f0I9!$OzSw2xUK)eW;FDCwCUEOs(&#utZ#&9{g#zwx%3dx6TRLerc;W?%v^R-} z4cJgL{*OrGY-%?;BdFc-EyXmWRgElnoUDt9?}hI3Mrl9+)E}a4zhG-Zg!X+Bncb5( z5hV$DfJE9gtn^_A)x#pht#ymHmqS7GuRC*+3l$REPLp)XiK6DO(w0(sZly^9Q~F6> zSd(suY#q`7J{4lfSM#`;9OlStg+KbF8%*#qWzq-C+8Z_S!XuiT549PF@rGk%z~g)> ziyz-eVPaV}=7{0gA~JC=OR<*WVAjDAnE@;dz;*xGE3-nLDKn>19g-=>@A7COQ5DyG0gFAz3$0yo@JZBav?o0-!AfavwZo_5-SCPh7M2?^Pl?z zieJXk#Dn3LSHE-W$r z8Fvxyjfjc=qd>IAl8Mx^#ePuwhYQK`P=}~aNp0zaMbBmv!HN|oJHIx7h52wq7weC9gu=*AmywEBc!io zB+DYiA!Q$dAq#r{SxIbzwTYf}r~9av{lxaR(~?dlqEt$7C6Z<%{iO70PSIgOiLwYE zx%<6r5S1%>;`jC7DMa(Y6Hg481n>+Y#XoqF{eFLPLHA+tyW=A9v90FKc;7ys z4z<=hT6DmM;jeiWz%b<8GdkDiFVu~ALy%a2I1>m6 zy~yYKe>}ZobR|u=zdg~!wl%SBn-fiJ+cR-`CQc@{ZQHhO+t$Q+_jAtwyq{|ITD|wD z?y9ceeP34<&6|KC|6DLFN&P=+&Sc?m^%5m-SrDagpJj80pXW;Nt8Z10U{!}bq#b+dy;AEl)mR4prgRpTdVSS1V5N z1&^C?Pd_BTrJ>QWp%z%q$*}y`q1699}3cxq~rt z2P+J(lFr{+a+Q>s5JFc(cBtFR3krWQPbn0eG;QXCLpC~7KluA8^USpZWekVY7dv*` zo;~JaS~?o}KqOV5I%;$-jGZ+?Mkz+0+ubK)pFX`WZ9Sz) zef?w(pC{ADZwCsh12n;A-7C-ahX6t2zb>uZ|Ey8|IR7>W{$zgL{G|gFaYc5`dY}ci z?(8b#s;+25?SszbtQ1cA>YdXkV2H<;sA9)1Xm-_tA<~-C(pZAV#1$eQr+V71n*6p( zM*zHG&ef0SMn!_SgsB{?Pt_{Z&I>8cKI#Lx(hgHjf{X)cv*D?qO=XaMfpIqB=`)-86#(F)z42G9I;w|^M0pHpu<>4qlsHJbj1nFwZ5dmNcZ 
zEFUT;U?SE_J8E6R#2+M?)ZWJZI7e~iCA0`bZ8TQ*a-N9!hI~pj{u(aM>P^9p$KDveh*vqD5 zbbcM2CK9_Co97BrI$&(RyEAc7c?WNtRU@9y^c-4KZzUt199mVBKSHxo)f#kF79R8B zN*goEe#)pM;QN~_$e{hlCYOTPWXc~Ut^h|#Ddmsh|U7FrjlPfxeyk=ZZbR>f!a8(xD&~WSOzCJKvq)!c;l!bLyyZf zT$_8|6oXt)TGmElhQ7xkp|woSd2d7<7Hfs|3H$LwJpGIYFL>8R@Jw)MM34S#%aR4o zWgi+$O$6RpEez2mhg-G%wD%>s%|>DB_Q7qmax?%}>g4FJJ}c7q!nph`Dtq`?$w-LZ z7=>uJ1U-nZ0S9w3U?Sq-Y(mXOw;M-)hv=glloZqUb6KC&L?C>A*}6%4Cw_S^#;(nH z7kE6By9#m_AU5Xy74)|IF<=oN)OQO<9-T9w(Md_LZ32ElIt4#(F`*nQX}KdKK%h)C zjzEf2sjB=7ov@a(j`)%DMbs>0$2+heFV~bb0r4JeqR#{eXk7D|Xr@EkQ_Un5YkYRA zFsJQWek7$;>i6S_-PmZM&meRl&5w#F*K|w8QD323)HZG2W3H z(JPXFrMIwOaaeP0X$k#-T*nTK9Y@2C2VA`*9DNS^ z5gwWO0~|3XAJWh)tz+K#;b*7b$vde`CGDVz|6bmTe zT%EbU{Py{cq`Z6F-%5IqcgzSrk?olM@oyv^qO3YIpLC7V7mW0gC<@&ZyMO@lu!iO; zx92zaoO>w+rBA9m2@sM++y9&Vkvr3|x?J5iqdr&d=~R zvzFQj0CCndEzJo?8x&@tia?cP(c4^}_x|(-3Th2=ak3 z5K;N#KD#$+r5a8ok+;Ma(?{g$nMSf!(eI~9>U0i6v((LFoTZm08_B`9n8%avm92Pr ziFD>t+td;rW?TQ@NxROk)ZKDxNI=){6^;Gc1Rs7t=m85r3Sf zS|?cXPafhJZI34EC7$jv#zFt4(^7w$w-h!tWSB;j?IaRxgHvm?R0-fQo=xQ$V!eQ* zJ8dB2U20k~8jQJ)c^&iBoZCtSP>NO9#Q-s35dC7_P(b@I0ZJrkK#63?OQVkJR-&YjoK(7ni}xE|pHcu= zQ=l(i&kmjUWqy<1|CB2`R{p14=}BJngCIFzt0RwUv@5^>YE zG*@kyYY)zTtw|>QPBlW^J62IoyC++= z=6*NuI)nW|mEwA{wRBCaPw^zdoATR0HRq&4dD@L=zd}zCf55i>NrjSxco3VdsGOFd zW6ugj0j6&%I??v|=$fC^*4-$#j>pK}eN7xNe(!KJC*exSd&}A%QV{mrJ@vWtu@T*- zO1$Akj|^qoKlVXWV(+W7btajiWHPlZUY{NIN5Kmpl zs4gp99c$}1UFuGZ57KZCSsu@X{b>sm8NP{p5C~(|5Wt;assA&apfdFbhV@Z(fb%&- z>(hb&nMJGkr8CtYfhCQOG)vLvzKjO2`Np29Zw!wis}U_Z2_4OIKf5QnDTa6?lw!5R zf7xMaxqsAd@9h>(e5A`;7WdhwPf~OSb&*r4{2Q`KHv}Bkjbq{ zSXPlEchT<%8iH8v8ltQah00LIp%7AE=&`tupevEpUkO>YQs;po$G-@4?XO3HL-pTR z)B|1H(qG>rUJs3d z*=3$t;0%<_L7|*NKWRzXPoJLOpToR(7A-tT&n!dPz9T-9W60%6#O_lp-kChm{O9-Q z)ZHEuo>HDIk^jy;`G}NNttlmeiGIg|QN`Tv;N(nnO$Z+yP45@R>z}{P(gkJVz9!Y; za5r_{m&085SqmtH+=CG&>ZE7s1<$Cc1h9t^Jb%Qtt>2xMLI()4H9lZItjMPZzfZS3 zK3l$_`>F`7?<%uUOLBS`|Fra#LzU#ZEkwUqPOeL>-U6m3T7*7L)BEIrp=r=nh2b?C 
za!l9frQl?@%`1q|k=t+INOT3S+qU@}JyLOj8#^zr`9{8VaAwy;!>-Yc@QnA?(Fk>g=DeqE4L!?9m=F31a* zEqTZ?jTktQed9#(i;u`!d;dFS>&l|Js^2akR zsHau#Kd!+$p(C}b*0pmKn!9>4+n^BnU67Y>yRrC4QFDdOoLI-8H|)PXrFsBnE5~<( zULFmFX;`Zer_pU4d3t-CLIivmHWSCK^ucv1w12>IKF`A*I?0ZzWUb&dA-V$9lizDJ zAb}Yzu`N}73nmdO&bqS=Yl73g8Bc>$(8FYAuOY>4?Tl} zRW|t~0hbjC=4~7GW)Dfs_@tM<2@@U?v4h`ZVgx7WxE}|&PiE%$@+=mZ6x_H7y|IGl zTmu3VlZATj3X{l#%5I}^A_eYn9}!zoU)}xj_x3gdA(9Vw+>$Kw4BtH^yFh7ERN#`src;NiGLd3=q$ zU@=QLNdB`{t+#?Y8xQ+PaM3z35Au|EM}tyD61jPFaY51GH8f0RQ#nYXio+zoM!>X^ zCG$5Dv4w(kNF%5XVdlVmig1Wb0=Z>oFGOR?sV%1`yzJh7g6*$aqT}-h=|Lf~rvc6~ z(N+N#>`Xdz^^($6R$XuJtZT1BA9`naiN#jf*cLS+Gv5jaV*itU$>|XwHEvUX33SkV zs)o&#fUg<+U)9$|5Yy174WoL6zNc5q4V?ih*E6__Ym3Nte8e=@KB>aro_o`H3Ed(~ zyRts=Y~??(B7;#$+e*az#kGNO?>yu-N_~^P@kzeOpfmt*YPsnh>$jw-uc73XW8`|6 z-BMea`SJ;>y!+z4?qiAznjVYqXpSHaOIS$Lbl8 zFuAUy_JkJxM8e1Zw|27`^>sB1CtnTlao!usX1fw$Ea!j5M!%Sf$^nGr3;rTq@U+;^ zeE8l~{lyZZCN@FIb2@WpMsbMLbEuaweOPfje)+0mMhDC3WApd@ZD%j-Dkj#?%fyv% zj&UGYP{?>6nOyMeAF!5nvPk{kj&L{VuwP>lgP8Tw5FQP0yqFQSzO=n_NFb=M3E26N zrgXi>ciMmbhsPE|3-AIeo077siDW4yF-N2a2CD=V2~|c5ViXlBahP#M#n$`mN4(!= z)hdmrlS2RwxapIm$Eu2{oMmzrow(Z^R-QRD5oz%>8_RQoxCE2Zl%grgsZ-x?># zfjqs;PF(lrjH>({G*7uoiJVR!~{ zaC{Cy+@oQ7*U(q2h`=d&X7=fXb&3r zwsa{L?(WqGH$VX#YqL)4NE<wfGOTBv3CF-hWhNs7)886GKM7S!#{vQ$qL! 
zfTpzQQsi=he-~ZBlrd&c3#&=Tn`G!rS`_B;BU#OTXW|GvFMwLkIVjRISt*%TB@>o- z)Jl|7mt8_mdDsGukIKRwYhVLtf88_lWsn_H}VMMlI6Z z$kg1OAyZdeJ{}f>1j0ZfHE@1Vf)5JAjPr6tU`jZn zeJny1s>8!mzGe)un%zQ86G2dd80W z@B*QQml}!hT8g{INi((d@L<-HM@0XIr~g5=d?3>&|N0zrjoj}eVU_p5-`lpOJmSFU zkgR;EKShYBev1!%QJC!&!1{9t&J!*whMC2e1u1+{{`z(PkrOXqX(z4z2-#e#QUkjg z#vi?9?5#1!(R5ZVpbs9q4>PCqJ6@>1>}P1lHqWEM&u?3+KQ!j;&d}XQcwPCOqgIe@ zUizF*kYA$|fn~SMMA=#5^+88?QlvhT?nfX*a0=dAsyV5m!~D7BMIEG`Dk$AFljoCB`UnN9S#dzh$3N z8h1Q0B|0G2Hv-v3%hIzym=#UYTKXL$z2KbP+@WDssafzx23grHp`n|+(g>rc`^ZfQ z;fEux4(SG_VD|>|w1l_cM0Mr_^^wUwdne+YjH|-W_}!JL=UDdS?KrDnGnLcYSFYYW zdd}}6yM8>HRLH(C=Y390?0^^g*ld+uZLU|E@*6-5sS-89)~y*h6dh?a0*ws)!y~mM zgjh9MIQJ?NQnQRFPzmjXLzC4mY!(yKEGfXfroI-N;ycyHax7&)I8^hx;c7B$HXkm) z`>KV1BucXWr=Cl9_x4Nq1qDxv_{X};`j^bQ@z{v!#tSGN!?ChiG~ji|KYN(p`Pg=P@T?lyz-cE<=e9=`>sE(A ze|?QfXEDwn8yiOTPuhj7!-jgmg|p6>EZt-DS@+;a16jb4l^E#kXbulf?Gtx(HTIvG znpPD=xn?gd2U?|?X6Fe2M0s)5B6M!&cA=7tI^zh`h&|@{e8A{Kd&UILT=R~R#c4RJdgxD^FS>?O%uomp%(AA`8+I1jJuzMU!f%_bw@S63%uf#Po~45R%V{J^$lA@99Ro z^zbZ2kp%0W5`VfUZ~EXq)U05Gv}3aG?fIS2&Ua8_vhwd-0tZ(0M^g#-O}ds3!5ub?0Kd( z2M6CMw|3?gKYo+}*SxKoHblNll4GQy7<>cST;$+PDKJHtPIhXPNN(w zs-kL$la}rrgx-l^vT%K=xD-Zp@J#sp8FJtTRYs(6fXn-sku<6w8M6N0VOV6CWW!*` zYP5;SWJg>FyPEGT)Z|_9zUXig!Vi=d`phO0w$!yj1-U{j6b(q|x8|=n;aUo&7!}2Q zr8(O7DD8V;=perm*XQlwr_bBp;~a3Iy>Zt(gO#}_Dm>E^O?T840N10mKQ~gc?m4ETBE7T(-O#8LU0<5|H>+!jR!!h0HcrnD+S#<8yxuogls+N@G zatNP??1Lj%1@9*gT^qy-gLBcH!ep(tr#k}IK-LZc^y^LX5Lq8@313Yw)!X`kgx+WHcg!t|Sw{aMEM;>-LC_q-QZ%h6IY&6&^ z44z$5GTBxJaVVu`=7i|H9{Jy|w2b#8uZfMz9{aoMHRRMkTWgz}56G=d$Zk1DIhv@* zK-7z5Amwx-K!L5jym`@xjD++rmB~MQZGGeFX@b$Vc;fNbC-b@MEA+;O52J=1O*`Z= zxl1f>u$LX+b!Fz__4?&oAYVoyuzbda%nRKX>=oSR^}gAtqaw2K_Up>9Xlcda1$sx( z#m#{@^;}G$sZ9jLn#Pn4Tnq~K*FWaqr^*G$AwM2aS z`|F<}4zj<1rKDqXU6Yp~7TBmj1U#M3^2No|#zvpH8^C0F`D@kp?tqAZ+wa;8II1T0 zQ-Ksv-5o$2Ut&u(LtkMDn;bqT<6X;&Se0|UG z(K>;bjLED&tcx@H@(QHJHFu!5pI^E8n^T=PrnPl!{+e^>I_E%ceebyF*!&P_!gdV( z7Sh4XVEv(JVR2RMHtq1sAEI~-=+Uowb|zNC9y~X@ay&A0_-97_ZNQ=~&13oU%58PS 
z*QKokSpfD0-e(myl@Hnn=puG)Wv=T_zxBU~c9Jyj5qA6KpR{JQ3}Muk{n24pydwfr zx8t}aWC`u-_DQn8Q#@b&#{MY9H5p`H7JF+4{<@4A-(@8(_k_>GRU_>Muy%DuY)_R} z^rP+SPu&Dp4PQR!mI=}CmkMvBN%?*s&TuS$LR)1#vw|Ai!u-Kya`9`QuS_C(ct&<& zZ?OiIPmGAb8Cf|XBrylin1@+3OZ<>cz~2L*7D=+j#T+#C<6610tkba8!d5$v>2 zAjR;p@_+xVNm|bp$+m64I#B=hD;;~qqcaKG>R9G( ziWb?%KF!Ck&-&_c%1N{A?jRFIb<$fcE)I)~s>9pWIo8FEUQW>&5YsH@UC9Q`|HCq% z`G5agLM0^?X!yVRKizb48#*pd-Tx2cuuiSEMnaP*Y;i01D5z~ohqv5AZfut!XF>%9 zF_mhlDmzOs7>r9qH#~RB=w)3?K6vmAvQallG{}yj?3Y_z~Q_RL@3i z2s|Os?-l)qk0l?<0QUZE;xSxG)FjUo&{mRsqnc7OOdOLe>;jG4FB=H?EY4;B z;p9hwLefq7YZ2yTNfq^>5fj6b050V-I-&p>5^1wrqS|HfPYPHi6W(=6S7BU;usML2Yy81jl>CwDh0ClX9q zZP4|Gmf?UR7}OXvTtjKW*f-r3*ho4}KlpDy`37@}rj8cEnxG(S#A#y0HTM4XJOr?7 z0zf+QArNJ860r4S^nMRZ0i3k=GgmL2PC_jLR%#A}^BF4bKoC*LTo+N(U~$Ae`nuPV z>q|?_Ze28(1)vDI^F?@FTe|p7^bx)4U#s~_#ar0?^@Oz^X@bN#hMh@P840>IijgQq z8TfV7r_Zmf6os3YtM;b_g%oNA3n-?F_1)f5-3}}_!HZCr^TMWbON$61KMeU5s6e&4 z%yCeCIKtwY117QG68ii{Hy)($?Kl$o{P~Ob8kB#Ge4+w&eL`y&kC8)2s}~y^-jMLv zr`%(9F^QOIa1#WP@|p{Ao<88R2?$%$`_4HjNjF*6jo+8R5 zXQVmFF+m*Z0v=(jq#Z*Tk;8!pmYaiiDqiwri@hSOR7X9uD(~}M;5bj z;ycg$C>1~Rtij9K)DDCE-itb315Pb~pQ+GUs5%av8lum6fv5CSf2{1wuhkuDnZ7dm z=fct!3wfg`4v`Z5>~LRp55P!iMolon5bGNV6+>i;j{lFaJM^S4^P>}5=m!yY2_V8w zG@VnIIz&PGt#?0iMp)XK)Ryy6G(W_#lvSvf(+*xsM5y&{pXlsV*d|44tFl ztG41)y2?xT@N5GS`um;#qUCC=cV($-6{esX^zDxia=<~)3<_@wfDFj31bLh3t9&)xp|Ei7#G2P%noqH-)Q4dJFAs zpiCE#+(P6Pe6$>jL()S*n)vr~AbwJd@zR)~Hzfa$`)cXs%B%m83buFro@a7EH2QS7 zJNS1}v*^4??qV_^iG@Ka(z&^+B3;`;ztL3cEYa(CDOtuB4R+HR1iy3sp2PBM%-&BitBLa5t0bZvetbk5FUQOPog+|gHw+E zpYorOn7A^a>NWf>@&VzBkE~a{(!l1agS9~u7m>Lbef0Xj6+lChVIK&K-9oMzYGQEu z2i8%>V`JKVnA!*nwTV-R0f%1EoI?y@dc>I=eDz$2Bf*SE^Z!@-vl-+VbHlZtcgu0m+RKJ=g5&YMVzNb*cL zg)|a0fb`rL`;NuVm9dA8)(IRxdn|#7%sK1glz;c*7i$SN|G!MRo|AR}1Pwpw`da#{ znW((EDMQus;qbr;rDk0uGY1AncYbk}nQ81FMMoWLbzZLs4LK7QSIe49;P(EXj`c(D zQz7lS%*3ow3GH0sj{o1LoFt6FKvz#cQJ3F-jbCIl+XYCJbYZ1bnO`p;bjChCda^ws z5oh$c9rHiLn_jo<=%{DJ{O3+U=mbUdU$bO2*q%Vc|3&oMY@k*zT<^am5Ae75<(z5< 
zCtCk2nR&Use_Z4E?hwi^AOzEE7@Mw)@^HpXvUclobcD+*DY_V+bz}*Ony`HVqJQCj z0o;DGGopVpl?$6`y75&2-H({|K7j&eL2S|ci*XCFGc+Hyx(`=`sv(|7oHwR6;&DlT z6het2qo*&j8_C@@^(D>D*TuwYn3i&>4>xpfIXomnlQaap@yH!vC*~Lu9b3^$$k9#$R1x zR6J7j&A~kAAXQF}qa_$VT6+*jZ;(yaL{u9$3K%~?TE1m0}30N zhTmKy2I*hJXMX?ZUhp@}c-$rT@QOn&MwnPhan5^)T#xH&?LtAd9LWI|V0#f#Xf%+M zlaR%N%}$Mu!+i4IgY6DmZ_Bv%(LUxge*e-s()|RywtCkGE6SfWP%bMH)F@;Z$9SmH z;u?&3LZ>phwZ~*mZFf~7hGY6|!urNYFWl>%ul^3&FtfR{n+MHHgVQF66SU79+h?~4 zSyEEQT-LJu7&!dd94-JL-DK8IrQ?h2+)fX0G0T^Pjprrs{H$&;#(nfvD4P4^7!#cE zZ3X{JSZA}x~SK_|p&C*oQqoXinq`5H&Nh{o@&m9i4wuU?E5!QW z1~(6erj9~dsMk|kRTkTzRodzpg~0>))Ptr>jZR@rTC#UI>lNHNCNqhMpoEI6VZRd$ z_7NP#ge+%+o~5OImqs#^QeGvVEJrR$#)lrD@>=o8H!a@jN@da~iADFjBU8KjWKi_y z&|lJtS_=`%d6`6Duc_udT~!v}ccJ3(UcN^5@=S?a@=bMpIKs8DAsnd~*VeRm0LtlL-Mrt#NBR zg}fq5FRk4jpJCs%9FcBdR@g+$n7Y_RLYX^8seY(ghO8c-d==wPl)%dd|zhe2gby)-T1MiU5ggm%bf)!nt19ALsR*;WqR`}OG0y3 zFPoWg{r$gy`MsrNRni?=iN3j=`TZ)Ay@jNMx5CzBv_7#!Hfe{x2sL`V1aS=MI|<$_ zAAA1TbSc+KQSHfL$=WP3txgobzK*9)ak<}+vD{L&eE=>YcQ zW^4g)@%ILDuxZ#)kWI$AB?W8VegYK5y9``&{t;;#eVqrK&sW&68yO~JOD@_T~IIOgSJJlGNXu}%J z9jV?3S)~qa6V5QLs{~TulOpOe$A6CH^ppb`cjM;%o#n75OH4_Sve%WpAA&7u)9>F; zAL97Qvs50PNeRF1(et28vA5+s(=c?ivoS&<{-Mr&JEqhMFEXqtXqSe>VuC%OrQx!> zl~jPAdV{_Hp%I{~t!F8xIN$CbeNNlb5+G#7W9O5s3Rm`2eou}w5%~AZo7u7S2x<>- zA`GTB_~OW;V8Jy8676xgec3T0PVjpC!vFNj@`Gha+xD{Z2a930Rc6?-7^ zQ~HZ4ICuAk=^&5cbB~br!HM^!GvxG9jlLiR2Ig;>Vm`6!Qur(AkAIad6n|qf*ES8p zxWHOSJ51fGhVPBB!af!dj-i|(iNYj+iPHRrja(>Lel$~7J7dxXgk0^rL-nvt+|BBd zb%*0)3jd3$VCmN~iY$8oDj(6M(9&l?wZ7B%BAq+!bgm{%Qf!U9HZ}2^=+$B!qvxfG z4B~6+i)wvFV{HbJ?fNh4&M4tk#fc{CZ|hjb6_yN*sx~$=zqI%NHqKe{RV3X3|2_CV zjdQ1<2cK_Xv%Zl%VUd^6nzrHx%IKZxjFc&@KzQLSN3v{QhT0ZiaDtB%QB_90pqhHm zUPGKGVy>a|f#giE)eSpsD<%z$a}_43VkAijcyJzHnOR_ z`Q3s_d!Pz{@1OI4yr6?q-wu5IfoL%3{tJ0tkU%%eMf&I&8)4Ln6gk5EOmF>T>obRg z86(O8=ZcW+N0^`m(Y4mTg$+#ZtF732@33BKOstMbP`^K9h(`g4ebDH6`Yo*XsH^ol= z<{MOj>o%{Nd+)&4>Mxx-20a$t^X=XvLKzgy62|D*--FI&IqUqbB)wK-95d}ktbdhW zSbO~aWp=sY$8<4_O??btl$-N7Le3m7SXe?uGYMZSRVL{}Sm-GReaY9eyRy(vtfiV; 
zein@fYtAXPQw@G@qwCGpSbmaS?Ao%(-K*jb?S_jiq`_G@dYMz~nkv=v&VF13Ea)!T znDJr9=)%!9Nr&O_>7y(taTA<5$muKkY=X@^;8f3{P++AafOX&pL#?ZHmAT0n7fD7~ z1(sQ9!9>(xxmNAhOhMz=snn(r0$&Anc`6T46-FyQ;Mtgj0aWU7UWf*&6Y^Gh8>4-w5WBg@&Y=Lln zxt+kXW^=Yz_sp$0uti;jdM!?ZI57}6@tk%{P_1H&1*wT{@3zU+SP&s0^^2GBuzb?K z?)ZCNEt#AjT2{xOMl*fEXcw|&X}t=8$rFIX(!&}0wyYqmm?ji8Nvmzv z#20X)ycC0sv#2A(++^T98*$gn`QcNp^R=UX8w1-hF}XlhgIqT9kj%x=MQCPkidw+a zch{OSF2%2mxI{Y``hd5D(XrqW;rK-y1g%+o|3qgdZDQZlw7oHyEAtr%)MUWZT6~^& zWc4pQVE_!#U%mf^e?N-zHYiUNNg&i+9LjFU0YI-|C-I{%_&3bw!kuXj#KODZf{0Q+ znO`MNI%&9_6?$Sy>Km}jDR~IHWITqm<&Li<%z1MwR=nIgWEXV;^73p+qo12yOT3Tb zN4ri{R=7{tMhFPT8w;{f%6(ZrDYLRmM_sSIp8!z5?=>`&8l}(A2!gHi0@c|x-@X~6 zy4TR!$BpVPZ)Xr)R-l>`e@Z)7hJBy8MZ0l4MCN6B<(Z_j8T@8^YEP$a$x5GlVk>{8 z;+ASSnn7XMdXk!mM2ya$g;Dk}t3<~Nd*ajr z3RFT?xp*XvMA#XvaDP9#(|s8d(Lrk(X!dQ2yW!42r1%~^BqW3P7XH)I^J`JrSig5` ztwx^0NlzxvX{m||4O-P%zsa_d zY4Lp5vZ|G~8$+_4575AIT}e(Tz`?4rR|W3s*c^=w&!~K8@@@0mD-DrgHD1ZewwMZS@Haa-xMG}rE}UUFP8tz8RNC#v=h3<)~7dD&QqSZ z9Z$HVuAD64X^;O#vy2Ejdv#uY8mnMHXEbDjZ6J(A!{!KMT3%yixtFP4KF^dFDhn7G zTkuPf(0}8}*dI&UUCP3qyU6G&H#bYVz~?qe+s7)?Mo+-vKXs<@(z$UyqaUG{%=RJlbQrkQJ#x?v6l3$M zsB#a~v|$5-(a0;jT!Y3Od>#6Q>aQ)s<|~e08)WHR!6vUyma{7`M~?5IM-+juvz2kt zd<1>9CArDdMCCJ;gDiTsMcJ-NEV8L>DEi08 zM6)j2p3*WQg0f3&HG1rVnHtrWA3VwrHR+{_tN%tGD4sqHHYthcxih_Aij0dj=MlAODwf0XAgqVCi#ftVNXLFaq%LlaC zkqF0-qK3^XYxX*-{vBbKCn*5XMTkeHU5aN_MFNSDA2V-~8YhCIDw7NE3iG8yR(i(Ax5+Xh znBs8Vx(e78A0j4Bu@&Moihb2on_q4!xC50pK$2Xz(2)oxgJ`!VwGeRXLF<$a7JhKa zZ;;{$0Z~{)bGMbT>9^%dZ)ar#TwPO7U7r~hSOI${aT0L)Q$)azea=52E3WE`gue?= zN`=EUXt?KC>0wuX%5Zt@o3WaFN17_KiY@Y%&(b=?^kT5!q;!Ps$v|?TazhCJ;(5Jg zq4E3%2x}DBGztdQsr(D1ehLF#?Q4gV5TM`a$S{*y*A2<%!y{d@+n)xk|Inu0d6%vW z)zOJg{ZIu)KF5K|O%cf-@%ZE+_4OWf+nvInv5b|qsSX-E;#^0jzH%+uO^I|d?*z_A zrHRCKWh3koi%vtVb$DTL#~Of02vao0Qx~b@Jp{@aw!DP6or1LglAAEpNO+*DCWP^X z6^Y|T3e1H&Ha+EYFcWy|E#n*#QG}Y^H-mwi@sARgKx9Cd7&FEE<$kEoXPLS9gZ$-k zVwYGmdz0Bwg;re%W)`vC6U;dJg#CLA1VSs5Gp%wR=Zh{MMd2U3IpG*mn=TnrwsjHqRNinr1LT?@KWJTS{4Gz_6-6$8libi>Bq@;$npP+3FHFN_XK 
zDDujMzhwZM!GAJmX&C#KC@Jk)Z*?rvpV7&r+`Ks7#uG3o&`=gc@TM>PY|@KFUJS~< zoo}Ys&yTj>Y3BF*U9k?E`%2xCTrOy@u(_T z%IQMddJ~&n-u_p$Y2?Y7Z9%>TBiH1WF>>xBL)@w8$?4~y-ws!kL?FuH_$nz}!>#a7 zlAdJZlTe`AR$e*Db=>?Ri$`(`wCyIpTq-UpO?+Noz2QzN&4HykUEdKHnl1QX3lUWdv3RkV67N1{ zyL@^CMevaX6GRe1@441wd-DzFFTF7n^b=V=R*PMGB6lbBIh;gmr3*-{So4}6NsIWu zHEwvwV*NX-GNcHxENC8VP~{|8TE6W;Rfq>vx!N3RDJu3KI2?$_u^snn#*iCI+x8F) z8+xLozWjuM1lKLn@40rzRTqmCf*|KnUS4V1X>psg&}V8gO>sn@-%nq=3_rVg$Mf(R z_Q3K=l!%tuPEm8lSSl2+#CU8zS=wKu3RR+#ELtj5W#n5b3XK;T!>%{Qg_)XxV=e3WFsQHh4D?3>sesaHxQr1Nrg z)wvwM3h=Mv$#W7#5K6@p4X7rCSpG^3B^v$H589Z|9ZO`3hWSadCrYFzJ*aTtPaRLC zf2nGaNt9=3ORmusd-hbSU{h#;9ga9)a~$9l)3G4*bnuG=F(F7rexBzAoa)KEd4j@z zNL2J$-_|coZ)T-gf!{ZX2A>-|UqUoW^ z9>jo&^&GpQV8=A+uO-=2_JJ$T;Qo+1tpS6AU`+5L%v>U7(^vxj!lE)3Hwt4WSW&YD zui5W$Cu$qVw8Ylhxtk?=vEf7CNKY@wFVkqRGM-(6$e*jRZGt#P_-g}`8kxOfMmS{l z<>se<#9MDJR5Ar@A5vF~#UP`(Cb6k|yiaAb>`6Fr%~ zy*PP>y3CNdRlvla?jpT?zd5Xp4jiBO!I+I*|K8hnjPmZ1K6Yg#u4=k3uXf|jxWocJ zWCtWi0oADy%jeOqlJV>C<&6M6vBO%6n0@qjxf0T^u0;_m{1?=JPWfbiW zk~qQ$f3Q2)18t|8zK~ozb>Q(6{uth33WkQh$`p7Fd%pv$%d*0BAos#jvI>eh7^VwP z54H;3PTYI7Vv8arM#<2Ar$+otfvl!nN3!kag6iTX?DI`bla4wh34OpqZBHRUzPg4M zEksLL>4vi5qQPX;e5v#S<^rYqi;y+qN~iBB8A{-sgGK*7ip`95{$MlSM@_X zMY#IAcvIx@;$^B6pbX_1cD$H;F3nR;B_>_!Zxj@e7YiLZh!Im^wi<3Y8z&}x0xR&t zeW#%4S50ZLvY{kOOhp;2RP=;DjF~7s$+vMb(XipgLeTwVCnv>3s4Ki=Ab;7JKDiFp z@>kSVJS~K>A#qC^2TBL5&u(x`Xr@?VSrHf&r1mh-!om&gGbVBz*AACR2q;*dO;#!o zLv%@pRxjc(ZXG!r|CwNvn3wEs<9V8i9{H9l!Y%#p!2Y&gDuocwq8FYRXs z@$~5SeyQnBYZ(q59R}oC$UI}lQ#CNGu>4Vy(r2E|t=5v#He#Z8oraacdu|gQ%H9aw zT-PvG6;%1opubb#Al)-2%Wr6z^vxRp{os_$s|*0H#|TL)B4|Xl|0P(H=Rb)3sTb7c z%Wr^X4aFqfslluG=?Y_IXGboojr~lP|C5-s!r;g6a=VZ}3N_^i6HWnj>L)%Gi7*y= zXNm!Jk&cTEI`MGO^gc_SCw}C;TES(~dOcccrZO(#XWC21tl5cj-VvM9;l7#m7f z)1d%Ke5rayF-J*po0&VmqFmGp8mEnkBr(YogywgdZp|f9UA~~2N`*2J9!C=mje)&3 z_LeaNe1}}ZFxFRHE$7kAStwN_&5Qt}nO>H1?RsBVtJ$NZCfEg|LYtG;;rDLaL&YDRtijv3|5wI^{lb?tX z8M>JfgChs9$edPT2DAnaI31s5q`qNx`tg;5ngpIFVI=jPO`b;T8RqoxWwNfpu&Ab5 
zJ<&OkOdI_?s|4yMllEnWsP%%@s(@zBt=Zpq@!qa2g@eDywtjvNR3xU;VS!e7^WYWJ zt>o(3r~+^&TXYJVl}T`-pVLx)&3IahIsyM4nWXqWc83{CSxv-_H4i;CIg#_(m0{sW zdxOn2!0XDIlfI@aUpKdA(qDE%F})*fdfr*Vg;W~4?$1r=JwT$z8e~^_1pp9vo$2P! zroU8gulhvG+8P_=sTB)ZgB{sZ7N=HBogKLopx7wfBa6c7LxLaOXhJH6_si6S#*Hx) zewh26iGGKkTIk0!!)$W-^ z`hDOoB1K~4N%$cYXz{(xYO(h81&BrxIEZcXuZQ_f3G{?(Xg$++BmaOK=DdLH^En&lvx> zPxn5Yhwiy+boJW%p}MN(T(eg-5CPLu(*qqJ1qAFrYM-VRt8oaw z1d|OES2)Ye8p=pBeJ<1|7_?%bjxuLPpLlXw2sP)sV?nAwF`47W-WWpqHD4xIXVDv3 zb4H~;;D=~rVqsJHZe@d2=N;=!l@FV7dd7uj$=A3&%el5(A1wX}m)FQ}J=Y%)SHFSQ z+6_gslLL{o)Tl*>!n=(qGpE{_DBF{WGGJp8v6b1JJ($p%eLVfrJa1Pnr0!QbD;-6> z+S9%vfL;2#ph;99V_REm21GdgOGh$9X?l^9bly3R>5IU_$CI>SO*SP3R&oioPFjOZ zNKBqlAuFlLrD$eUi$bMd0&_LM(!7rND%v3Xob};bDFBnbY;I*K{KW8G=tiZ%P8$=N z3NBsbk)JuzIM{KRC|z-MP?2dza)Yiy!yZeuEm$g2*h_Gk?0rfDN{AN=1L``xgRlV` zYkzb3qtrT%m=zApP4)dJRarMO>V{-j)!d1OTMVAxy8dK*V^L_|(|)4@1gWj%b|dv9 zJrfH2>e@R`q?l2yi%k&hhdL_|3$n@RY7{gw=f#{S&sKX@6Xt4Np+odu2F!C3Ruf~c z8W%CcNF#c1ZhByK@WCanKmer8ESmWbmk zp)Es8C#7tl-ojD>3LdUEA_gN)n5=*F;jyH(Yn_CSzF2`5G}f*EyP$=R`h1OuJhyL$ zjZU4IOuo-%P7@86WIv?L{vsk+#*hww6JxiiluM`EAVG@nJZv>lQ`t+Fj80BJl^ZRP zQOAskU8R9wpj+4@Jyb6X%G4-?Xbg4ewHDoV1nd{Ya+jPeH0D#GbRBU!@_o*5>iR?8zfqSs%4W*yLXQ;D)b&G{%4UCMnn2?B zAO;JuxF2nQqe;Cx+%UB<@}cN>`vR-APmj>V7gr_3;ux;QF;@f&Mpkos7NN;2fX|ks z$#w(rQCjs$ZE}6ACZiT0*~PrYk$U+$Gx-<8MNdK`D&13kh)laGJAV{PS%kiLu_8{j zPo2Jv-?X63}VwZS{LoctZLR&w7wlIYStEAfF>Q++~@K}rC8EJ%J=_g4_0U~km$l3L@X!$PJo35 z&#W+(#7G`1w?k<>n@dEpDW^ZcFY@){yJ)9^ZbuzmrPl2)M-Qv{f$QQ<_Ml&moqyJ{ zNjo8zpo@hN0LH{E)LHejfJG`#hAKbC+a}(d%4FS!3au5zj)Ox_lSUu{g`63dIwgtP zR7_;yNekg3B0iw$&hK~4Ydku-&X#T`bA25nC*@6m)^*Gv*F;4Weki(ldU4o1vQ+eYGqxla8eEe3$1c{Gf@#Gbd_Ss3;ycb+y zi?NiHVcU+s^Zw3bn}lt`gvOxvPRVW4y~bELzkUoT`G-UY*8!6lGVqP8tF={ZZL|UGhzS< zE5mlrAU%5vBSf9}vvhK?{1+TTNhqracFk7o9}S}pJKjb64-8c=wDOjEp_j*3%9mCa z%=Q)$W`A0#Sw>09wc1@$g4?UIy2}T(bth7e0YsDecUunQmYy^vyyOW{IgO6|5L@ul zOi4nm>UDNwZEp9&fz^QJq3GF%^BJKS#55th>5K!08pWl%3ulMV`e?sE{|0fn)i=Rx^YL0XCub52Y6~b> z09pGqEpC0U?2kP>Bs1K*SLdjIrRj(Ef)PEZ{)I5$Wg{ygCRBs9|; 
z#&IvN5q9qTev(zg1?^S+2dOmjZ81%0D<$!)Fw*VQknrq^$p}K9-MS}N~ucn?Xt!bUXVS0=j)TwNi0^JJ9KZOkX1*q{k<;hCE%LBHz zHXjAmd$=A3IfaCLAFknu7}mEWzIOE5=X~CT;4XVm>aC#18i_3%eV0$lNwS4P{2`X~ zR~)22uF_u>IL6!!(W$Ob zDHX1{q1SjG0tZbPoG(;^`Q48gdcOeNBD<|h%DwX}{cF3F&-}LA{^rjsR|VEOXbKZj zI2JIo>gSOcY1*%kD9(%UVFMV1bJ$4(y04-V)PG=G6Ty0&8jSSpjq8`e*Bi@-hmhsy8*N#39t0r2_ZY%U+>@;Z;wxgX3d7y+zq$8Ym^Ga_`%ipPIm4HEI_O zQmAEcUiI%R_nOd#9w-i*iNT|Cdo|3SllcXW-r5FQUluuQ`+IShG?LSa0h7)K%hh0g zdrO4Q+laDuLHBan*e|EXAo&fmy!p$*A}1LjjpB;8vJO)pIwMxSUJA90Nh48m$>i}t zG`9%t+be_>wHfz$>9&=#nm-`1>cI~0No6ZJ!X}>5kWa>+7}*q!0=llW7YphjH53~; z#rZ<0+K+r?@tIBW#4xl|>WmFP|fgH@6FFy3Kqf#*b_Lb?D1vFv8X1=7TXZ@EDZjRmg^Xt415>3JZ&M zCmiAHW4Sc*nU(W4r{3KV@abqThnj)8WW>xU=Xukw`U&~y-c%2XpG;2yFOQzKs&C(T zJu~#@GCReBbayK(8wZ$Z;&{utE%1>+^O&al8)1hCRl~aS!IdO`+p}VcsdmiuetdqH z4NU^GBQyX<`HB>gaO#Ix0y5aO7}7@=A?&f*yLs74@-(5-@1ZA1SiQsPSzRme&C3*a zDJ<`focT{Bv(9}OQnRd!DhawRilhV~~ zbsSoEAeFK6%F1KrKNgUN-65wWt`o%V?R9?20>wMht_3o!$Rr)oF#2HFoi3$z=@TO3 z`YsXn<#Sw;SY*}RcB+SF;-v4uvXi+%PCPnGvt!OiApG_U$aFk&3E=cw$JNcs#2FRH z#wF{*cKegz=nT*cU7q|pK1e17OG|yNeAcdyVz+)#eZ;%At?}&2e z=xjEygb1Epn;t%ujrm7J&U0;2wV#7)6HR3o( zZLQ0i5g!7A_p=1%KAhQ*)u3XPjn+zuE!s%Rk_0?M{!$uoTvZkkTht+|U%Y7|vt8&P z5C=1W#y&6u7|{VU0B{&4QdsfFJx=#T|GK1h}yID)lLr!t)cKTxYA_rTKwm(z#Kr; zL3$ByzfO#8>Z&}WpXI1ec27sv>C<6uQZTkroE~$Bw{uH051900MfuQjt>={VsceNK zFypVasiQvF9r4$^6;xr~=h9XgBVr4PzFW~&8GZy?9Y_td2k7?pPB;u!eDwl9@w|C4 z^>(JDR(m`60MZq@7lD%-PBlPW25u^^?#0~-e>zfxSi3f#PCd28X;Ger8T#y=+s96k zxzw%i6g>-hT1U*?>D9^Z34*LIl@vZ^J|*HT)nBpZMO^*u|zY5SV$r7O7JfkBGr5Mpk zgzy)n8}mdIqrA3?+E}!n=aK?Q*|MY&NKBS1=1|GzdY#Qt4qH1#^{E@xRP$3y7*GcL zP04#mpSDm(k(gDgvTdy>mklVbx85nxs+$2pKs4CA2eqzXirWl-LyHf|E{G62l|9J= zoI;k~(N&&BeHe-9WACtssS4Wmm6#J886&u=+de#SiIhbCc7r95rv;Q}2P{`)bN1WZ z?HjdweNj}$Kmuh&aEX9KqWUrhg~ZI@^Tysf3%89g>%2sJl)%a_G2%bvx90|WiCgiz zFfG69h)EvnSLVv>j?;mJ6s5Sdj!BXcs2>ARqnat6Odd;ZWe}+7n<8hOAluU;uY0qO(xj_Mh&(n; z3m=zCGFFGJG(xbxd?_Wpk#aAv1VQnaH7#y>CH!P;J9$(R0H16q{2|x91!=ch_-6v& z1zKjLLu)V!bZqwO^T?D;AbREl-P?KlD5)X3k-Ql^? 
zKc&tfWTBa04TM+jMVni2U}F8Mc?&>uxatZhOPvsesPh5&um8m-{+trlBlT?T%KPDc8f)DVy{7#a z{bBWvI3!bFjGG!>?jw4&RS%*{il0#wMRZUVMcPmmfzu8`@+^I{>L(ktLb!z=EiiHJ zKJ7t>X60~l$-9R!dUN+fw_6{hDUtZDBK#wSw=QN>(F%T-f!co~4BxhQpxxFlkiyF8 zv~X{ioevT_v4_f~_I@xdh|7&&zg5Ra=#nFwte%tlDHj%GP)35%%}SDti%$C~Um3GC zw`Qs16|gBd4MJl`)&m9Me97+}ShpUA|IUl^ z_#G1d@~?CO@?pl;ESUfo0;2^+3Wuu4xh~Pfj8G^ATQ}Z2r({2Y3(`@fCmTY)he*Ae zgQS&`uY^$9<2TQz3yAZ$T-BMJu18eYFO@5bXh6O4e1nI>w~J-dX2p9HQm$!#Q-V@D z8NXyx;Q1cKZR_zN(zTmA_;>eXkAWJ*?{y4V-Q3S{rBtbKKSe4KqdmQ&ux78nWY`Xm1ED=s8Z3I0mU8FTNo;5wQ zFu+f__T52Jp3rZ_*-Gh5ltfgjq4*)P=XAL2O#L<^-!#$T4Fb9YtQ_xZN9jTsacz$l zzTD9Lkasda%R_P|zWGM>vLj;yQ;qyX3v!}$wCa;99a+aPk*+p|PKOV{&h-Qn3gPTH z)B*JOuSuebl@b+rElST3kW*M9<)SS=hED)-dCDHeDO(Rt2t}CZJxDUbQbO7V_nl5m zACh%4+Pt8>d2ihWcs!%<^nVItJ40_!APcZyk43rVOVid2 z<|5GL*QArlN-&1o2yX27MsFK-B1{R@$GsObSYsH?8K>o^ERQ64)$cEUEsXUu6H-uR@y>O(Bss_ zUPzE3Y^*s(s{6Ot=^w!9QzBxC%LLsfc8N-#`5Ve3-6CHdT=4gL3SpO^Md!|u3n^CB zKLkN_fkMew&vbCEibJOHXvXsKj922^p^ym%9}$$Z6DzyXjlG@Z<6~T2cjgFphCVtA zjIFESQrVz97>`^AYh^$c`^L#9rF8F`BVKNPgn54@&0`x_|FQ+lHuP>DyR_+oOX*-? 
z(7ZvUazrELiQoHL$n+@=~3!-Yl}bd0NXfY0$5;OkRKivj%&k&w)NHvG-l`m#~){n1PoqTE0jZWR{q0hd_xs>{8F^B9e?6 zlt0@HmwQPW$1tdZeR&O+U^8Mce8|-Bf-Sep`vMLcyrbejokFE}E{+Y##$+M|#bije~NOR-z6}Bx+QA6QmOv zh->W1q?A9-Xolw1VOpxIkTv9rDvh(h#LVf64xB+@$a~x79shU-|8T$hv?B1i@FU6i zNe`zf8qnqh9ki{Kzm80zt&c+DITY&ZY?%hCzKBJe?>t=IQ+WK``!ss9uLqso@pn8S zZ<5uU;EaT)2_2R1p5aj7hwPBlsLltb^RLt@v*LEh%VinQP+F}yzdG%#$THi%cZF@K zX$h!GhQWwCE)^hLu%6qo{!Nt^av~-zU!j+FlLyc-sL6&k_$Sq?#f{(AIrvd)YA;fw zTQxtN%dXscHA`XVM4%_UR5+y^46>ZtHF4WUq+Qjh^kuujX+obHdobU9G6){dgEwI12%P#o$L=eNIv3IZ>rpRq@qTpY zIUF!e33R-8wE8k*XtD_cdB(Zccf9E$l=Fma$gwA2<&$fegq~@&_Rh6AP)q%E$JDGa zC$SyUPOtE|5!=+cm6uM}~LB6hhp zRu)SK8PJ6(tp71KHv$sfk3+c4l!biX3j%Nz+1BS(!&VgCJdo7Ka;g4i6ow+|Am|xM zmEId+*8~G;)ur}m|52{G;>Da(B5#oZOzfw21yNUpIF*AtPVMMyHU3s65SGfZLb|7w zl68GeQ?fkgyxIFOBuXRoUD;8KnLh?`gFAl8lOu4bdyW1+YjW{8<L?iP8*?RU9Bc z^aHUSwy?%Fe(M^krb;DS+UC`boK5*TdPbSV`<8JVb1=AXagR@F*Q!+{$Z}S>w={Zv zKWy7l1zwc8+SpGBmlcSkeh5TsXXbQyKlKkSi(A_D)uv?8??Uz>j5a-#F~FuH{}g$w zr(4FWaaxzkv+nlCXLFc5b$!I8RRGU_jr}>HCxP zf52t*kcD+|?@LwjT0Gch*Soakht~Mo_g5HsJQjtq)BHGJtkSWA-sxulVnJ@Hw#VK~ zRQhScfw?+WKZf=UHd8;Cs}D_H4NCsU)y2GL{^RQYS^vY;f%Dhg&iTWN&_enj#fgC> zNH=!ykO#dWR`kBy=R{E^pno!>&Yn=hA@?`r>ASw7KOgKJTWY*cfOzX{83&x3B zV8OV3a#do$f$m!Ttl7`_CyVPkOx&Q)PNCl>`aqOtsdP$XIU8q8$6vxT?)}@BJ3^8g z*n6Gq>(cK35de|}{(Qk6waeT9wMdYiXxK~U2Z?+_Y_}7kV`v{|`N==2$jH$Kj4nvv z1vM2@USj@QqihTuW!1HcwfF^zl)gfO(#6oRi!PTAiCPt#hc)J7n1u`XVf7{?e1hLah|ch$e5mRX=tdOc~Y0JBAS(^8&%?W%Fe zPz$gWU=vMGQ7W&JzRGQ{wl^~bfF|Dzz!cAl(#xQB6hf>aW+kLC7q|#<>ec7GF=j1F z;zwX^=+@-KIVPN#5SpXpIT&E67!x-#JR#mP); zL$Rj8+?NJR*}X3248fr;Am<%z6X?kU%T>4$^*NF5B1L}KGK{`AF)R+SVmKy}FS?89 z6I6u8FFQx@UtkG%nCy?UB_uW3&;gxZ>{+b$z7frzd&CZEEm3otEAlL_%RfJtQSQ%V zOi>pTC`M@Uo^d3{DX~xxrRo9`IzIZDUP0!voHo=~ct4Y)aMN;)U(1(vaoz6WdxJW;KdbfU zJ3H}oya?*k9wB?X1-Q@*`%}Y+P;EnCjD?&r*TSSYSABExoQ3LgP@%#PK!DEkVdm)D z)YxOebZ)06&>{I?+U-*OvFftQAXU9Y-}*l-T}z<8(kMeI07z-(>(cqX4E1a><$z4? 
zNrB{Pq6$Bkm9YCQ<4cgi;tsA^#D)KJNo$!8E*aLD6>r4fu$g5YayUp5=m2`TIpU6{ zFQ?J)HsZHi<`LuUcpJQB>tL?}+P- zGjl&f*jf_;U~cY0H7aesz^Z=m%J?0ZkCavK6i;Ty1%_Xmk}dvYQ<{$q4nzcu%-wPf z`KvFu*7fgK#}JNOf~7WyC^vf}DQdq#*5E684Wo0PkMV)-b<<3Ksobx6+EGf zsMpx|xDniktU9`ja0t!s^Bap$M@hr2X#*p?tHOD`iG^g9SQ@GkJ#t%_DfdH9iZ}|G zB*_Ap_=Oc!kd{)vSjHG}?VF_$LP|)I@WfRm*+VqQkz1y-CZD~8^PSypbdF*tRJHuY z*~C>A0W~-3>>_jz)wP%_6?W-utm7viT28A?h~H0^s>4A}Yc#73%CHt)Pl6&x8{@ul zHxIPC{fRo5`OcQti@Cc3N-MU1_gheN^&~R)4>W4mt?CH!-W)SM<5VwOc-prz;w}dw zQ`zu;FYDR*WTF!O-ox&wt`^-ec>xL5FC7}>1INDQyZwFJj!B%Y1RPFGPx~hD9E$*Z zQ~0vLNN1q`Jxx`3h|?Wx;FFcvtesIVhfD5NXOG5tb?a6SwIJ2%tWvmixTBy~mqIDm zuamD<>r$;Ges(%luf;l_Gf_>9SB!yz3R~x&Ml-6bZQ7 zfIQJvLgdx{t)=LDCDcrGamhzv1zQ4wd;zVsP%BihNAms`S0kL}FXEk@G<#ygTramh z?ar!>DeOUl3b<>MG!W-GHhqZBFm;L9SE2(9St$X3))zkAxOVj}@&a*0u7<`qGr0nY1Y?~^$-nPo%_SHX*~?_$IUF3 z*5`?9$g6?SJ2|Ay0MfdV;xo6_DWZE?m%A=r{l01POE=Kq7Q$2VY@Vn3u<^LfKq5DU zxHsTCX@e4k04osogk4i1rPlJg{2JIh|v5YC^32d1^iv}evpJgRn zO7Qo|h-o3r@qcbTB>8t4R&5eZRtY1!xmGK~^(?|ca@g`ev(tnGnBQ{t$?#u*k0C>! 
z#BM~bMJI6;7Y?HoghU2jlF~Uak9211K^Y;UO?f9-+`)0+&)}(z-^?=gvagg~KuV-g zGGfAEyBH3tPrDkVxnfjeM359oBsNaW}w!<9QXH8j?ouepQg?0-7{8ND8Es z|2VVW2~WLqDGc#(xbBkk0bTx5mF(XwJzz-I1RqxZ8+iWc|F3~Z_}{<-2b&p7kgs_D zUfJMu+|1}EYpnfR293kzqO?{3ndqNe%t0oDyIU-_0uqb{<_x4mQqk`vNK3`ym;z*O zL26&(;zRMt5!Fpft5Jyr8-v8+sr6?z>Ct&PV+*~%&Y8W?nMWLN(oE(;N{oD{;6?-8 z=O&Z%5%T*i2d0zjLSKBR`P|BLE7Ca(xeRyLM*?Mtjd4q9EpMO28NO?Ea|CygyBz9A z>}B9MmV5*Uh}J;|>jiY|vEEq=6VF3eb3uJK%63XP(}6?!o-c-kDZ=2K!Te@0T$2+V z^e1Gvc6iwyuJyy9!{6yEVe;DUqwLn$KSDnQ>YFD=3Xm|$o%^V)7Uc+LeDf3MAS}*4 z(qT{Lp*WZB;ysw7ADlYeb0=MZbgMlI?_o}nD{+;afKPlY2;&D;AqP&dR(dE*gXcp< zSD>4!hQX3Smb(#xURDz~*l{h?n^Fnw&PAt84){M1zIIycZ>2_&vlPE-uMpWKJbgF4 z6yJZM$(~Ke*ARCt+X&L}!xM@0Na!j+9Cy8}K?QPt<{uxkIJ<^D&W7z;bpf2)IwyE| z#?J*?04A!cTU4*36n#fmA>$>kDTU{jQTqNFcd*^x?Bq@tBW;ZhztpTby{(gsghwA$ zVBqp`*=&V;3GlU7U8XnhG&|DlPNnmdb)}n_Dac?BJe(p`kpDoW^NYO_f+?X5&D@v- zUgSjcb=cdTzd~97b>{@?n-br5G6H`72VQ$$fWKow$czhh>p;<(dQeP&lBzLTxB6Mt z7nSpav`xT9BcxFgaVq&sQBCKeBx*V)L`xI44+T>M+l1o6uI{moeZU2*^%Ng7#<6?T z58mJ$J05y{jAcyXgAd9dXOh>4_paS*{ZfQ5nAzy~5U-4DHD-&(bDH9gt~K`~7=c$e z;E8O(R{J7&xGDPH0O*rtV&aNtJIW$8Nr%;7V!LWW$V0n`!a3$x5OT17LZzwljQ>sd$3FqvdeR{cV{_jP3N(ino>ie7V>L{(W+Jj$ zKd1Sz{Id9?mp^z`E2v0e=J;h{z^nTXK>0p9#BF3DED3E!ZwKcTL6eyG_PoNo04;?p zND2|!UHqz>IMCyPS|xjR_g;yZBSEw&H+B*fD8`C%#v9lO-tXb3(Uh7}TICI+0b@&c ze_F4R4Pw5u$|Pr0wi4nCP@#svh4lCLb9gIA)JO_UC){~eBHmnd5Wa@YU{}WgO%5R~ zf{TbD)PnWP`1(XeDF!pcXw$<(n-LmB-7)4Sbbt3-8`~h#t6~#%pFT}!YR*afWiU?J z4HmjAQy64Prkn`TU#3po+`VMf+#HZ*Z1_NbzOJZw7&P2Jy}ihA{|UkGl;T6FN%O=@ z@>31_eb2q z2NEjR6dSyrDv={qp5ehs0(%1CPo-B=DQa}Nun%3EB^%Hg7nf|jFg=!K?q4&buEW0! zt^c_1Mcy{${VbdJ6X;Bj!iXIiWv}ri@M|klMIb9lSL9w))IOm<;g?;%#$K|Ol7XiLW!BW9;e zoNnSQX)hfW$+qoo`l?sX^J_kSOZ05ZA}4v}*VPY{2QvN5QDm#{5z=ov-M!s{sA;32 zZs!cI5gpG`O!8AW+f^)z#gQFGQeSL^GRV2u%D*T`B(|hBBjPhq zl=04-mras9aH$($kUF^5i&xv!YP-kAKmHCZ}* zRs{o29I*2##OzeCJTbJcPmSYSei~J8*1?w;r966H(N-;!8O%8v12W1}&Plm?c9OaWS`gCQlZ^Zhr%odx+`K-35(SOy{6pqd(m3W@8>3^@P?s&K? 
zT~#<%0S&&L^2ILweIIjRopc&_Tsm!#l_^^>c>8ns&|5O<;VHZJdTsVLdX!j^t|E&9L{ z7`irJtMggOse7q9*LqvbsZ%qI$4S~AzJ7R%9E3VXXHIpBc5at#b+``M-(a2ORzv@BbTt|6d&yzz;|T4*0)?**_Oyvmc~zJT?Ix@Ee)_wx=!l zMW^3`B49=|a`1D`?iLc_f*8$Z!~l&5(J?u9MoskT(vuk7wIia=&QEy?XJx~O=gdu7 z$J(MQWac2Cadr$pYM;UXR%(}5@%lxz8Q1+MdlhB_3f%kwX_Lw{epJ~6qzWO?Roaqwj2_o#lb%vAzDBoW&(eC~LB>NIc>v+WwiE^fK__TlS3o^bOA z#D!K?8tAY%>EL~rrosa}v+?^u#geb?GS0cEI&WWDo~y5TFkVqH>W7|!km?sy0`BK> kj)mTdQl_mTl@UIhS!*7LXl2Nx(AYroewea`gn)qfKQJ`OvH$=8 delta 77977 zcmaHSg-_kh^L1Ma#c6SOcXuuBesOo#;_xYj;(l>=cXugzad&rj*Z2AU{(yHgnPiil zY&Myk-I;Uta2EP#7P{Ji2JXzzN+V~))>5|4lBWF!2_s??=#0M|MFYkz-#9((TtF+z zlaay&^o+=xIxq_&qXl>K5fWns>9m+sV98LJ*)uaEw9||a25DvdzS^x|pQbV^Wz+q? zMY9iE_do5>#qjh>&i@)8+Px?o#;jPBbHtz~f#%jR^T8i{L?rWDpv;a*1U-0pGH#3P zpH70*^e%eq$X_j0>c3Ze4W{OT{rK_8QmmkZ?`xpR9zS+U20Bdi&PB79l3~8MMi2&0tq%8a8`*29+HlYE&g`9cv+K zIQ-tSCha8<6D(}`FMjr^qgsR@Zz0Z%f?u>?WsuR(yR8$8)f7T9=iFJyqASqjcz2Dc zF@sa7PuDwFhh4e;sdr8+h%W^2`QLF8c)PHi`#bJfSt(2&==WHA6YMfBewnm?COIB2 z`u{|~HgUaN3V6TVk9=?!Lb+6sX&#-tJRD6*2;AN6ZK^MOoF2j*nP_0)y&XQhTo8G^ zIijKlTmbG-1~Ghmoku%@$N+|k9-jlZ;C$zLR~NE_cHVy48;at<+#<5X{iQ4S8|^`C zTUyB!`|`~M%=AaiL*)hUKf_W}A{)<0>`{tJok&rSbN# z#N}(T4z=(at=fvq!LZT-qp0VJItR{iVq6ZDRxIssObxafWRm}6a%L#T?rus;$%dld znm>i}OjhDva!I=72~Y=($|aLAz5KndHHee*9?(@@Y6_Rhj8)-KUSgu4RWuG#Q&vMn z$fs9M8GJmn66-g2&UZ10Dqc(sS-k-H(`Z{>Pw$6}iR3Ke#}_SRa%ngtpT>bLcGcva zk!7UE!O1M@@%X)eXk?xDS@gYdAvG!VM~KA@*A-aasx>(+fb%x?^CU-7I4i_-FhRPU z#X6LpN9C6$wR&&@o)HtNMlLwnMTVSb)`J4);!tF z46@9RsijB;*l_aEXJEK+AS=PUIyZKTyfC(v7RTG_iSpV-ArfE>Pda&eoq4)Y94s>O zcqSUmksmb2@A8M*X^2BuMq6viEeOLai(>K92$IHs7l3HM53&VxnmN}LrE;105HDqF zEvC|@UVVwmz>aEJ&CI`A9B|&sGXFCBg35CParR9BEmY3vy~P=+dt-X$#*87E0=3;5H7`-pk=@}~=^u0C zI+Tk0R*@a?x+VNIvSyigIvgeZG!zMn#v34ITBMmq`jYg)(le|4Y4ef7y4;#`v&;0i z-ylxFsiqHuXhz0-6e@7#@1McA_)2=oN8TWYObTfjv2=?74f%K8GnFrko~V3nVW^8N zwx_jX)ojteYcoTJgXSQMOEWE+dOP6}3Wmh)TszAWThHkQn#9g=UHM^ZDueslQMN?O zEahoo69xwM;WW$gnn(#8GNinmT$zp>7j`xvvnyrcHF8OgjG@MNZ)_*Bw^3jk(;jYo 
zpyI)MexK=7=+fz#`KmetuBs!&BQ^kJh8JsuBx@6d-MtjT82RFN_ssWP-it#|f#VdU(H$l6(3Tqi8Dy z>Gb;inZe`q(I30WHRJM%XuBta%dHw1XghL6?OI(ianLrQ`VAA6Q^9cXptaiovy}{l zKeV2W!|kLBV3#UCGJ}#U?jE=i-;1X|VO;sCax;NTPy;GZv`HW_Mxul>L}pHj4wx)x z6G^v<2`Ax&SFhs2d*Ny?aX89)vFKkA;m+7sUO;dOTA0bSD)s$|wFe2tTHS!8Q1;E; z9XcwKUt2vn1Qj7g`1;L3@H^kF!`TsW!Nu|FFSZ@eY4dDt!NswNX0-Mli!&b(b{FE+u;OpM&AL{S3pkG_{ZCOz;_?b+M%Vgkh*@-qDiemU=BsZ0* z=6)jYKWT&=NhA8>aRW;JEHda)@fJelAyzB~ryd`dadJ}D)b@u}woV@yX+gBic+T=M zWoNw>@`{0kgm{lQ zHg6dQ^-t#$x%K6H<24SbxH=UQtVh3Y?yPrhc6E9$pSdYS@dbZ)2-!t`hn_AG zhyNB&xN%u>Z~i^P9;OCBLwQ{T!KkiFjPITUDW0(oX}J9+32Z)%hLj;bt=D8sT?j?p zNUkYi?fwVAwXSyuI}>y0-~sgJSE1i$?Pm9}kQaqhk^&TMWbdHCh(Dk;^kGtU?Ko4- zx}bEuSNIp~&HRwCh+w6!e4jzq`XVeg3zmZYy5hyUsoZ%jsp){~&@xBzSmb%Z$oP#* z16Nx_gUva{xwoSYG}x;jgsZhs?u1oUd4S#FTFGI9Dk{A3d^MOQ_}L-BAtBc33^%A= zfH+nix4=}p3g+!t{)*jE!u`($sRj4#H?tM9u{QlNG`%Xt(}clsdc!l^QZRSY?H+pE zl;O$=$~=6()_36H3gy7@IOwd5ZQ))$J(bDC@6)~Re8_2#pR)uTQyXI{k$@6)k+^y_wC^O^U^x8U@Du{$^8e8B13DYS?4!>XPD7k=CavKZ=L-JznSTLCBg z-V76Wt~Ly@CHG2}&?oP~21WZKDF#n|hA3 zTG=gUYDig0XrScrp1Eo_wNQRDx~lkoe!1SmXkK|1{fSrRXhUMM9idphej+z~jJ#Sct;z2|@vFkcVR?DbJX3Huue2oh|bV^2 zcs2qyivZKjA4w-w3556S8wit?l0K8NHtl zs)mpKTc{$;!NHWr;OQ0ssrO7VXG(e2G{ut4$Ji>c+D_1l>mW9YOT;C$8CDF}q`zj> zbYBUUC6Um?St&w>WE7mu^iktw6r`5;Rflxh$*lggsbn6u4HVIXQC?rXl7tbzwSzX^ z29``wC1&KTh52Q)_ELPk2qlzi!EDI2(CHyWDv3HcDU(qMH&S#ui5hj!wH#fRUg`kt zOx>~_Gli1NUe_*jsub8L$0oHFsNTbT%;TW*8y(UZ%C{yIM9@_=G5x#l%hA`6>U{q6 z6a6wN_sDqU&g9nYu^~Pp%y?!UF=h7%C_$oSpsbpMFXn}WmZv{`t&-N#J&)5jqA@t3 z;9sdA>7p(p>uCoqEfK<|H92VNz9T%qC5TIo*=%5;pMI0MfGVx}DBBCd zuF+^N4wQ$x^6pQH-+1Q-s`9$CdS}~5jo6E^5%#wRDBd{25=6selc8=CZ+bO({MBQZ z#9!$$vsu)$XMdJW9oR}ipSsusAyk$UESg$#6GnStSlQtiuUH@jYZiRXF{Ujz*zw+r z;TOE})Jf;xI%YzD)WLe6Nzx_&p-nhkCFp6|^qx8%y|*V4b;nHQv?YC~(&4p;^4Kfw zD_9v17K@8o!2v6bWmV6zy7K{xgk^mz3pHp`{TnxpC8>&rE6oB>(xQ7so|EQZPE5O* z`O(L+pCdA-$MX}-WhyVuT>gJ4`4p|&)jRbl9wKb4($zZ?)Ekrkl0Df10~!g-I#!a} zW_vy`H0pr$ihd3pqoWN+TWLF6|g3NBcK{^&0w+VwkgXnzTPH34tW 
z!|!{Y$21h~7GT3k*JmVL?^4WAMjd2m7@B_m*GkptLP|$##HQo*S=2(B)=uJ#@CR=1 zxJjA`%agDufw|Zp36dydG1ek01*U48gKP=}xPJ5>T-lR7u(Sby7u7#~80nlw#xQ@` zfM&vmQfWC8T=p&Y^lJA}8OlPY3<$YBj%=u(+(Zh7>6bCo5rklIgx+a?E={v-5-a;w$3 z(EAi8GUV~Dkq{tZLX`q58j(`TPxmZHUr~8o(fR^UO;ZV$cN8&{M{>`9&`#ReMS*Hy z^$Z0iP0xLk6Qw<8#x)%)cnloy9_!BT8l->l8&jziQ=0djZJoELLejux7^S*vyJ@{^ z%&>OgxM*s$H&>aXdwF{tyRJimHTu7?eCxUUSJzt=h!0Jsi0b$;1UpU$^rMQ6sFy>v2o;^{k0)EAD-$cc~l4`bPQjfTR_hh0LHsy}= z+y#g-V7+A=274)2VZqw1a_If6A~Md7PS1?fuNrKm+dcjAfmw2-KlV2Tqfq)=z)2SB z22osw)lk(zv#A09!(cF`Lh3D%Cu(<#ebOu7pAh}w5JSs@$G$=Th#mOw`MqW2aCrr+ zEiRI*5}Yl-W1HTK%LYCD?QtVRPq)WZA{G~fpsBElAR9qvB5Kuyh9V~8gqWieNkEFq zu}ME2e0LEqj5Zac^;C<*Mq$ftwKd7eS$zA-8fZe07ThOxllk#js)I)8_unt?t8L~@|93t1_@HPoSNdX zhtDU#KVzvCVa0JpVZbOfKgyvir8bdQ?Yq1k7aa(_f~)U6-}3e$m(??;d{k?By;uZA zfFpl!x5$A%_T2V8{q_K#km90d9KW&&4WbBIl{!nW0gH=wNRv%U-3Wex&ojVmj6?Nq ziO$r4to{XDm+0xW;;@^wuELrzv^12)sxzz_SF@F0&al7jbDuaPuxEdDGDS%jac~{J zgD8(+0#Jz;6hUpaZMdfV#Z-^IWRLXRqXolinPOIBR*oWU)ckXDm68AP9QOL~9bPm6 z-Co_oQ8)GTK@0(Xbf(?jmlq)JZu=;mrukH|=)2f0y(d z0p;$NBh{0qOk)$6L73{vrHKU6v}ZYzus;1=2v&@2(L$~2l@EuHsKZgjh70aR`e?Tv&s9>h{N--mon7#ScnZhuqHgNPIxZLygamD~GzR zD|Ni%Ci`9{j4-kzp>r-g4Vrk>l&U07re>LHX*9QRo8#>*FSx;VRHNoAUx0!CmoRwdRVD^+6u0%B)-W+xqPo+`d?uzQ0>sn~Z@$xs)dA!}SEm!7KWZFccLvdv z?!EWk!MraTk+Hc6zU(YLVl-^P1t5IPXQ}MzTt_ZTAiepc$?YAyNiH8RLOJVFc@5d| zCb;DttwpS>rwOKrgJUi1Udez5vIH&<*#!FN61(qae2bq6`1g=4TksO)`Mb(3+me?F zeWVptqE|Gd_5iz9)=u!hST{;A0_WnrFUB2Xt!*WFcI4U;Gic{efwR9E>Tsl^{RT_o za8Rcb=cxE}z8(c_1BJAXBQZ&$&oFQCEjk}i7`GCYqfJB!&90f0yoQUg7@=z%EWY)I zl!ohm?LMfL*UUMc#NJ?Zv0oLOgL^Vlc5~f09k^H50(_w;#?Oin(vd{q>Fjk2*e{WC zgw0y671z)<^3T6QtChho&uxB5s4~=f_0z#buZz66|0V?{Ye91EH(?ZMm2DzB-XFwZ zdDE7Vp^(j@;kLT|#WP*c$k}u~&$>uG(xc9KXV=Na6Ci)uJ4@6jP_im_|J+PTdk;t9 z_IzV^35>n*&HLaW_O@rdV9~Ng&|LmS=YLJIU+F&)+7gO(j=o1@xX^o?Iq>I_S?*Xx z>$cl%JJRc1)l%umF+=mRIu}O4qiA|)6ksUu4uw8OG)I5`r~kN!;*nH}cOXbGDAB+M zg{k6d>M?qVe1iFr4-c8qx^<|VjLwR;XZbcJ0K^wB{cU-`5~JRv81G1)v7j>Pd2<&; zv}bSjmSU^8$W-<6f)A*bavgp_51kphL8tk$_3KM=Ui_}y@Y0p7a0TJ}ew*t2@=oLF 
z3Z0PD5F4`G+8#l&M+Etzgpe@D`)>jm$LH9vk+B)7s-FD;=4=lT#;;b}add`8T{dy; z5I{%c&9}BcJIJdg!;d!HOu(9fc?o;+%Zv_t2kcF=W1`q{EdiEoAmpc^dSAZGk7j@3 z9^0?m{+Zrl8$Zdt|GK9x8HbMjTea@ltDG&YwBPm);Nuo&9+Jt*z2~6U8kKrc`-Casg3Eo$yypu$>gl>BuS(763gj4T8&M`H8$z7TA>7gZs88Uyb|>(`mye z`fjZJ>u2^fxOhPc%71%?m3SCf-NZ{fwsXq!*QHRF+Tp)~Wc-ayaE=inTj_}RZS+W- z9e*7}8SMOqByQ*k%?U16Ag`GHp{ zZx1+&SJ$3QEM4xY!Sc8|#jRVP4*env6C1A~r1qe3%UO3Aq74~I$zj;;)LCbwG3>xL zg6SL7E!BO6xzS%_`3=rRLaFjFi+4rtb%MXH!3qN27GTH_k-|g`)4FiLBWc)s_=BVNFxowz zD=UJ*6PcIRFwHL&vjc67-IgBoipQBVcd?R-`g@(xOP$v!LKa6*I8!lSBY7#-SOSTy}pvDaPVkWc0XOL_AvyfSsF z5nYS+&8d^`LZY0;Gb8eqCJ_1*biQ26v7v4rIx1**gHKRfQD;z>Y}%dYWjE%eoN%DQs5!Cd7kCE zXTLaRwb7K5@!8KZicB`~sbgifOr-M=v^uup%h7!DQ2k&rR|jeQ1!(iIeiE>*K1G!j zw`r5w)QvfmZ2N-*+3UskYp+UY2{TDG%Tg?H$HqXR44M>)_p^#`P*PongfT5t5p^@Z z``mmBKDNa_3{MB|fl1yo^`QBqQxufws3^X%9kS$QWaQRC`GaoXDSqB%qVqNd?@1zj z*7#02hPc~$$}ClVj`}EEjDdYDUBP-}H?3U~*S~?v@J5`#)TwJ~#+!QvIO*kuiSG<_ zQ2f$W>mPwLF1QUT*@2xq(dIa#8j)lX!Q1S|?+Jxu(i zrMQi7C~R~+On!)moQ-f8>?ifq_}+wAQZj{v!aYl~`k`!98{zPXk_MQ1@|io_?_e<) zI{DG7+7J=yD&qV_zYj-d?!(43CVWj>6yzNNEa1LY9Pg9dG0QJ7+{Z zH-U&h5qR+j%ZBitv$DcRQjoF-a%cacm|euC{>&8t3a(4zeGE^A;X@KR6@S*}2Zdm7 zl#PV2yJt-L_taYW+E>UxvX!}cYw

    VXnWh*WT8;H(#+aiE9$7qjnYyX$5!+IR@lr z>Ke_9)CUdr?tpjPx;!6^C#?wai4fDM&H~={m7Bb)FWlCkCVn0Khr9L>F#;;vAcW;- zSlkl;Owi^-;WhxFe`+4FtuvFv$@+C=au$nJ!5Farg}TWoJlsP1=oI4^HB&Fn0H2Vs z1Dnue3~f-rk`NyWIgN_ovFyw=e6V5UN))&Dl^M*G26cPt_)kVM_%c)h6~ zl^{df2kt$rl*wF$%ykj7%2_&nBv%0X$(D2lKHqi5E))LW<`_RsV$mA+0GIBld*uh9 zwY_lv@QD62qu+&2)MI+LDzY5*L3UjwEI&P%@t(=XNVZd^$W$IIz~*S|APMme!-M6` z8$bLjWy>p1!EM`wVo)unp+ve3s!RSx1zQ5v5|!QHu{NEQ(mP zNCkS$?Il|UCi}2jJ7`>F4mYYzolOlW%?a?%FU6t#MQ6TP75CYz#9Nm`bk6AzvpSB) zF=6>KcjjE}7&NM6waF}+#O}VB*ozQ2@c@V#)`t|?(Q+mOBl%>tAtaDz)m~C0=3#Se|`9gf& z>oaAh5*v<};q{2yi&GDEA{a}rZaMKI0_Q%#D_-Ylrz?+i4F}=bGB|Dil~;Qm{4VAEk~aJqGiyrPd*2uRiN8Y*P#&N?d63L7AmSO4G4d% zMh~q&$f17>0v{V64$dxu*WUmlCv!(wXPitt{9C61w9neIIW9B`BKEt{5+2zEacq>SUOiO--FI<=wCOU%*S=YkUCdzqzlB8a(^Whbr zU!EzwPS%VaEE$MjUm8*E^0Pzqd`-vStjy1D!TJ>KqZKHfcnR^`59R=U)?H7N8uWk8 zG)QJmo5*LxyqMkb2H&TjzQzAxJbAs02J-;)7Ir1*t_m0TCETtU7xU~2hY8IARl=CxQE*k@- zcyd4gNj&Z5F1f*4UjdB9sQJh-vcw5CgLo|?Z-v=4nQ=PU>d4MR^!(9KXoIaAq36#J^iTAjchxN*H%60YB+A!nN*i8dZez_vdkHCpQv-I=>yWNq>^ePm`cR+O<7n)ZmTyz{=)t0IvVa%m%wNwD3bGmz1W!jol(3!sBY zkb^sni#toTQGp|m6C^UG&KD=n3>h;;QA=EdyoymVCw3X%J6$bq4x6VxTN&yYMeO-$ z*rj8)v0ND;bo6|)re=HE@_{yoO%(kMHt}j^%eU?*jfdt4=*h+kdAl+!lb|AeJ-y9a ze6zxWf3xkk7t8qdng@Sl>%%=u&s8l3Jw0io8{Igqh=Cv|ls4OhoV_f8nD*Cu#`M>1 z-`x9NU8*R8qQN0P-o#$uKOXkIf7*49rKxDohFyA_x9cM=6Ce^Qrrj-?b>ecaUq;d# z2*lXK+1oF3+(prhaH8-uuU#8}M#3GSB`cC4yc3o2wIAp%{Km+;FL1i7FCr!%&ibyS z+M5K*2TmxM1-v@-bwMN4uDL^=%{ZPtXSeo}JCAy$Cj*?rTR9BOaYn*+3cma9`D4$@ zHi5Z?Wp}sz=yP7rtT@&Jz7WKQ%+A_OK|Q@A8`M5XRuFfr3s6FbTHG4Ew{vMp3l`T4 zR~8gGFIi_SFjHgtv0q0^*$uv^+7gf}t>!-mPX9I1PDCJdWvm5-;s%cQS@V3zweAEx z@*=$%rarez^6uyzkBgnL7juCV-zw$YxCKTFGa1^_vfiT1y8^&0W9dn=1=4y4B<3~M zAuf3KcrqlqJE8qubjlvgLAhaA`WbT`N-UnQ(H}P-k00+FACd2O8}B2W6*_EktLk)s zaBB)?C=$xr&i9$Or?-1WYA4fAq>?kTpXG9U(N^VWqEESMbFVpqXmj4BvYN0agagad639MD2SG^axerjm(rCfRwpEl(#SG^QldbBa%K7u zNV%Eyg`wdw9nNL$uFp+SFCWvFRNs2bXIS4l<;c^mMBG9SDjeM^egJW?(u}MeVi-@7#Um}(>|FmH*r8o4c(lpN!YyJhByw9gmE8FF 
z#^+?)zuxG?epZ(?o#>epFYH-a)`w~>C9HOI?rc}mirowMqoZQBGI|1(4^Iq)t1XQMg0b-hLp{jXmL?x{ z+rrR%D})jSO7^O@$BIfdAf|C3z8zwh%}$Hmb1(LfbVgz&t2|*Z*{?Qi^s9Kn?0hx? zW-=<}e-Hr^iD!n?N(-dg1WeP`&%qSXu~NVB?ySrObh*js+aY{NHtP~RKBJmGx&h_AkVpHz>0;^e(>`&L6P zgGJL+M@rE-#1KYxs6HoJ>sC2R?@E!x!@fTqQE))JlPnmlWeGr&O%Cs8%pq|dutU;U z7Hi8rO&W2`mQamfLY8i@(gZzL#s4bTe3v4DZpqpv`flmSFCmOk4=c9fo^_TMfwpIUeO*O& z*U>L=e$3Ri3oy(Iw{a=Aw7MkfydfBucvYX39aW#DYSV1JL;>d+IfMGx5Z@VZM)h32 zE95{)b`~Rkym92i=t4$V6*-~(P9v#ig3Bw{#){e7gkO<+!#z^VG7AT@lH>T&eD7*L zc$~lBUh}|9K7&~5ViK{s={YZTIow}6-;B7bJRpYVKmj+Ho14bSM8AtyR^pEVi+FsJ zRt9Ni?)8S}RPs98ht6pV#!@GvHks|X5Kq9jI@WjpaoKh3gK3Jnp;-64pPh7qD1+S= zbr6#DM@r9-=0$g{$c_!t+)ziwy)K3Fxa{5}S4gsEX{%NtdWiV`B{X3!jKS-n!m}^4CKw_{H}Y@UFbb^sC1h+x+b<$*o>S z0atAO6bo+$or&f&u^ssitoeo8fO2qJkW1OMD>57p(2?flU9~KoSyYs=X7vu)nw}eo z%fMk=i}ILQ`!wyVeI7WVl4!=tp;+1?%|~$&f)!^o={UNHl{kEU07}%+Y~k!;@~}4bT0mc;UY6gO6sx!>9g1%>Q0~x$VD8xXA`!#t3SmI&&Bfs~=o- zr(JusT~5BS-t5H1!(-xEbEf6n=Gn~kYWq8!6#nl1D-!&esY~Fmj_t8ILrYZ+58yFt z+R$0siC0u;YWo_bHRcvm$|WAMT{q(@C=t=QxLM#-aPTy=MHs7&wsu9J&WQ+WO8A59 z`E+Fj*uF2be(lP5o*L_ogS@PvG^-VDVrjXA4e&idP?RDwyJhB3lvli;1zWy z81cP0nGhXxHM7;ebu}i`X~vuuyIaq?g}|_O+k8Bq|?9Y1`5lY zg(C#md$4=$SR)q7cB4u_c;9&GRtewGNhH6BB!{r3o+s=1IEQu>`aTnzC(N!Pc^U0` zr_1H1Dj38}*=%J^I*@e5P-51~4;by{6p8v72eFxPptyfl!o(ME?=x=)+(JB!gRxt4 zOoO?NZ$x;6R0WJtxAF`QJy2P)`TzbEVc~f;Pk{XSl5)Y=yGoi*Bvv_!RUF8HVU!cz zqk}?lP=ds(J$s*6$>h^UN))e-m^C(E}azBg&SRMLcK1qLJO*er}@2@n`sRC>AHT+ zj1Q>u=fP7Pjy%<~O1yUZku1oPcP?qvl6N6#%#wTQe{Lmdf?FdJ^Wfzg=KvQuoXxK# z0<-A#zX^flnsk?|#F|!@u0;5Z-&2GO%kTbBAvUu2GTxgcpmx>Jl3ie+WG1~uUX|o> z%a$G9$bHnvu~kv}$)L;hAaw1a6wOTm>XMDh_XP?%VQ%^ssfLqCC!>qw;XG>VjDeS! 
z&OME4Y3w4*?AtT`zf3T8j1YdS>m(5}=6c`P_dEYp`QqUVb(lpP-$Zv6@S6i&d>TNW z(B{QFWD8OQRIgg!-=})XTqWP?mlu1(qXHB{=D!c`JoZj&Mt01Qu*G|Sb0iY``X|S# zD$Ix2b^!Ypyl1fYHRxrw>W;Y~rok_4@IX+iVpa-Z1pigpy29m|e}-_CG4}OIsDSv9y_k_pN}>|bpk1|xqy+7l*-PlF>=F62y52P| zyPEv{n1o8dE^~=_pHpZwyge*ElW>s|BhqKJIFHDQ< zfl~mwOK5FGN6I2;=b*4qx#OP#RrP!otbw_n=_aA{!WK%nV^O;7r{r_ctd%|NO_J^} zyh{3lg6#s>TVi~b2EM&ljAHg*XhRw$-2+FNYH=xvakaq-YC$!-S#c@O2`6u)!>WIw zBA`p+2#geFm*bQvWxffl-I~eDYF!60Ff0I1agmD(vJ4p|p1JzMC(!I~Z0?`;GTPq6 z-KsE6mA$j%dia6J1wj`5a8zmf?t{I#l#_p~k~vGcXVRRFULZ#FoW`XR(I4|Uum_!} z%ai0q?-lJOd#&`&7m62|hKgAVJw!uF{*iImFIv6Q5geu0eM5Fqbgcmn)EHj)cKJgmJ%- z;Jy+H&y$GfFjy4M;CM{0P#LJX1rYj(bkv^CSg0~j)HEz$_h>rqtB@z@0WxKg(OgCp zyc5%uF>%&<741*)BO?YV{p6ZV;diyk`j`dUi|M!=Z;qfp+RD0gVK(AU71Vz4;!b<= zCpTwmS-vZpHi6;c6&(Kx*c%!on&)8`aJTNJVUxIHsc4P0S?M(|+F4FFfkHwUwSah* z^zpZDJPxbN2sSUZ_Dixw)qk|<_>@+@AKy{V+iOH`*5r%8k9+Iu6+#_pcScmK>)s5Y zI)VPNc27uB-TsCl&q?ssphuMu{EN5AH&d2n6Y=Q=WTD1nvQx71yB^RE@SYWN4@>ZG zUbc45s-Z%9k<|OhIQ1b5NFS0^;#glwJUP-)Bwt#8Gh{ICZX(ePJj`JbSTlL<&jU?j z2?)%E8-~{AX*_DPs+kv)v`dR@>AL5wN?enQ>i2*AR{Q=sTv_F^gD8ng$`_z+^6`bkP`**y*u zc{Vc%{9;C%iESpGK`OND&$91QU09sSB3R51d&7BUK?*%3zD65eLT+jA7G=7X`$Vyo z3MOyfj}YsvtX^pW3f(i63P_b%c%j#Lu??w920{&a9PKdrp_qOPBJW@xL4V+m4|V$+ z^Hafx%%E7XI)9FBlU=MGtm`3gGH(2qXst_b)fWvF11mQDjdyA4$Ash~0Wugur}jnY zH~N$_^Jm-Yjw#rW@GxBN;~B;~Cu%EuTUxfs-$De7j^giU00aJ~MXbuzP@N6s0?hN6 z9R!CjMZQekc7rs0ybbHOSIsZ)P_l00tvJJ@iX#+T&ZnzhHP{}qyn-$1ZaUv8?%e|k zNfj6ffC@w$@*TEg9h7%y#@0WdM~(WE$DKBQI57>lTu(sNT8OJi8)up31 zL@Y(pn2oh_0i-uAQn6YvUL!_sBx>T|hDb3%JG1#7bE_Az>=;L+6DJTC4LE}*3J0fl zJ~}N~qi-IGt*Z0O_L2zr840O@n%7nUpAKg^Pp9K;pMIM$lu7_Lfn9v5zDG8kUgz4c zayXkP(j&FwgwH8Ew!(Mk2aeXsUW})9Ozl6upFH<)l;5hV=_AIzAc$2O7(_6lGclIPEPnv>= zR}P2iDgR}9j54|eLJ+Huj5HYy>-E5YHB2VC__VhVQJ|v)!e+AcmkAevrn!J6D=B?c z5;}YCkcKgGj6{LL@0K!=-Rs{ie<{hNE4O301X)v3olxG(tJXh9vnW81{h-C@17uHd zBz07uR)3BsD6~mEhbu6PjWf@qcKjar2%5Gu{Gx+eO4xTi84~!8EkXFog*_QU>b}8p zgZd1Odl-y;lE3rsq%P$|vE--H7Z0o7AKraM?$c)Hl%adGiguC;A8b9$-HZIg+8q`8 
z)lGxSeo!K6ky6-#6d>FP#^uzbBfzR*M^WB_6-OY(6*-W7Mx2;2WJ=XdtQcdxRjqVB zUUCIP1X|qKD$OttS1{+t_&CZ6-$llL^&0=vrCHZY^M6EBg^*Euu02_qQKH0|aY7pn z6xlGLkf0;pC#_ktO-0{ezuY}dcpLJTf&yXtAMb%hwJP1CU&~vJzH7r*T>zy62<$?a zee$UZh_g$7Xo_$hY~;zr^~g#PI$aKFYEaq!>o_G02+Qmx#YtGu1VF0iB&taUM8iy3 zf@otHDU;fcW-+h+a5^m+r_=VzsAC}dNH4f-j02Qz&-YP<5rh9QP^zvDO#J-aq2%C* z_1GP`wAXo3A8ioNfa3J;sMjW0X==Xg_&d@RTP`)5V2ZZUA8Sr>~_&L`l+B*O@Xvo9{`?Rh}Eyb0^ z8;n(_dgiehZ|Zixdyts(jepFkEP=2~ufwb>60Jgw{2?5^7K5#fW?PFeHR?5|@TI(Q zmg_2dR`MzSr18_guSu;9`J^?VRxtd}a{f&whW6P~ltj{_jIl1bYNI?=nD)yiO;4AxiLch0b6fz${!L(AG5jWq>sBxYbge zzvIRvvEl+rw3sv%+Mk)n{QNV1fw&!(Pa&cB75H=hysr~5P-=BSkjGRm4iXW4xVOB( zaAQ3&P;|YZZXe`w`T}MPSyqMw6E3>6OsgkL2oWz!w@)zbMV?=H7Z)8W8JtxtksrD~ zcJN8lJ_-3iv?<4uc({an!>Qciu$;KG|H-AAyk6Xut4lIIWE@1}{f zt~WkU$8H3uQA`IdJHwdS$)eXpbB^l3;`OoiR-$D^MghmuNG1r=1>KURdDL!utrC*b zW33b#>J45&tv<*V&o&cx7V}_*3Jpb}i6V_87tsn()!gxG$=q>ckx#I?M%hYI9LAkq zg*HGr_Z*jjAFh6)cQUP}&>$F`rui2NUn|nO;~v2A)+!&ZR6l93UK{w13;4yAzlCwLV3k*@?XNh^LW%VKXhk z35vCEjNjit7k}ncv)y>Xw*Jx<`Sipsrx*@@Mt+Nk6U;c%JOhiCIU=6g#~+5f?6X6a z1jxYezuRq-KHOk6BlV(TFh#BJyrf>UsMmBEQ>awsYQ!wPoOWLtU0RaIss;x-CxD4L zF3;g+&c2tdO2d;a=m)ZVh9JXVG3I+5?z?-zt==4<<{dcFa|U#m4lk5}=fN7<8n2Vf!z;i^Pt06T9G`9UC26wz$u9DWAyyP3?aA4kMT*2X>gb%#(y_ z@EFZOTKe5xxpf2e&WH4EE9A7j(|-Gbf5Q0-ehDN56slM6nKVEb?7U=2}}@%qUwz)@t{9C;r*S-+WQ(pL%n-1&LN?ja zoVbnnW4w@EE?TJIdUj9~!mRGi@&*s?=}s}s{)y9N5!U8!HQI65K7kfLX&Wy#3a#P% zld9x$PJ4VUF@;1g;jPWlJiDO8zZfG#tYnVfRO3cv$xaO)=j8YjDLUkqe5Y#areCFD ztxIKB`P<*S6((l9YN?VSuo-Z^xgyiYGH-gPaglizV^s~ePK>3KP!Ae3aYx=B?w8epR z|85T@n9mPCFdmL*_;+h0Eo}An*R%tWd6BBPS@@w`^-=`wNWss4abkd3_o42m)O%+r zCf*o`X1Q&^5}uEj)#CDo6ilZ-d}9a z0aT66LN)HcasTRxoB+qQ$}nSZj^lCxj$>QzVfV$=;<{Fa^5Pxqp{Eq$gSVof^oI&r zX`Z2_%3SgUk^E6-&}V?h0t6Brmu|&%t|YNwGavz%dV*khPQLJS?eZt#I?EKK3g>wXgr)~O;JXS==11AmAKLyO0!(UMtzSFN z!^04^n#glkfw5EcTJOFeU_NpTtih;<#t3!Gdaum)J0aybLbydObAEf+}G6(M>kE1#=4vW zVOEl^ORNDd*p7AZ6R2QFo+iiPM-3d5m(3K-RsRJZ?lQyPQhp(QNIXuU2T6YR9z8T? 
zXqgSmsTppN*I5tey4mN)%f@jXn5d7)t&Ux}-f~OdYi-*g65YoTA*8}r+<6y2#YWke z2_kJ{FB%QLIH64rKkMLg_*3zCZw5gSEmxhU{wk32JxZ0;P0)+08oI4S-!i}zWhK{? zsr6;No{sS$V1NJAK$qsq1`B}%sS!9v&r}863BtNr5QVX8Cu@F!0AC=8yOwAeV zXO_}#5F!P*%ewp494|tcx+&NWBzG-6xYHst6{r_0UzhW0Z?IgsDBPHZl~eDs2&VH4 z;wz9yQ|Yv2Z)z~*i9@$QTyz<0&_Pp)y)2L%Ia`sAbd8L}%D96~o<7$(JKPQ4W;P7g8Nr+j&*UbKPLDmZVykExYRdKA10@ zD5KDn%dw9!P|mUcFZ=HP%f37%p>mAl5tZV+y04DQ-28Z7A{}~TAD-R#1=8d;g}LvK zN=^@k;0iaIz220-BDFQgzv>FuKMIQ%N)$B$@x!ehw^qLicAn+Sok7iic~17|FkAWU2=;e52M6M{aWX!PfbWO zhOF4jKmN}-q;mO82%*0jYj>L3F`qoq?{gR|N+s3W!z+~*5e{3$1!1;)i9!F5rfZCn zBwCs~wr$(Cc5K_W%^uscW9-(-WPrq0qa{*@vi|pClNV4RsZ01bF2wE#yF=AF6H&?buQgL@c z)M9wdZ|2`8<;eev>GAtTlISH8n|2Wp(cnq}~LL=e*P*B#@_QSS^63&TZogdGq@m< ze$Few8|BW9Wu@m)Ns%Cy85MRCNeT&{O&-;n(7BnCeNr{yKyk#-e6HTtHQ}uYtbtTz zi;GBYq_cFik19XSi_~s>0bsOF34d?ij(L*KkK<5l-?M4&OJ2TxMaA44TYK^L28$}#+l9QN!6 zi1DGF9+=ZwWN&#H-V?ZXC%2eRlLz>mNEOVUzZ;sBciL3x#{%^^03KEwWwT`&6^XR@ zEoiYi+d^=Ty36l+2-xdU0v`)*BrVQKodj-l+X^CozRrs(gj=FEPUSl2d~!Ke2Fn*Y zYF|0J*X}KVi-lyLc=mS&&$;MaPC1OgJc_i_?x}{sZ zRP9gk5ATQ@@Vf}=0oNttn7{iw$}eBXw=zv{+6Zs?kSMGr7x& zKI+zm%VVPV1!U4|RP%{VlhDzo1ulBr2_5JHm<{LO)UL2*X7;L5NB!=2ycj=Ww zC_OOa--*u}-52N^Z;RXG*7j%jS=;04KQkYbRLs^g0S&Gp(1#vUwq6rzdc(-2zIVh0 z!}in`?p{v%3E8t+9W?5fwI<#AJT=a?ub#1ejS?|m<;@>jgLfAK=5u;FxdxPZ{*A2LATljt#XWvZ!Oj z86oL(MXwy=w9#9tSiq_4(X~cb5_B@2j8{+LSSGjflh|X<;O@;I<;lqT#wdUrrs3Yo zMJp@Z;nSkAqBz*Atlbo^m`Jz%eYOXo!n7d(c9lA(Ap{?y(n=VYM<}?ar0DWgO*iYf zlqig8@@H6MA68-&HxNWiNU|!^WL~P#7hXZeZ0)h|UpKKmf&JPR_dUJ{NBm--DNAfF zBqV`j{AJz%`P*T;i}=jPT%Hs8NeKKu6#m&h=7)c;{yYS_{5W!-n~v)!F0f@JlKs-Wp?OD_q!z&(Gr4| zFVTH1JRCE>EItR}BA4*! 
zIGX4!Tk_y5?=v81WfQGOL8T`*DA#{QdbbZ0PKnd*dLbJ1z7QA+g$#tZL>)ltob_o8 zbn@f`*SQ~rAM$Xo!6h%?6s`rpfugfKlxz?aGLG!Upc_~E8T31}9?ZAimpxGd2=Y`h zHGc3**V}qp3fmBfEc~)BU~E+tqoI2CCP&EV8;YfFsmECA8$E=9#({>;m zM_njkWp7;~Tqk^P77;I>54^59dyBD0BXH?FKnG&?sp9sA36L8Rl|XU(BP%Z&9+16= zF>L*7Nd$%N&iF3+l8egC(o&@z5DtT_v@ zU`T3tQ;IRAY5v4ow9hV2X<;(enaJfax%EL4mR3tTtrS$S5p;YS*Db8_sId5Oj?x&5 zd2Adph<5EBy}zpRBiuXkcY#AFtt(wVrCC``_Qu9&M^RMJ;@Z#91abK_fNAm}2uxg52pXw51WKd#@aQRRJHT)Tyv1S@ z2hV9JyfIB$nx49CZ3Zf{^ENECp@VH$0mSqaCKVZk6m^|Bs|>C zAFF7lA;Q>|fuVD~AtSD5!~@k=hipiGqV*cdMsN24VtK93{Bwjzwd_+G*?PFC5ugc< zd4C+xTj8ZbSR$VXeS4-9WDFfyEDe-F-@i!kb?pz1Sy7*N*?E?$n!6E8I+Eq-4t36E zP27lnx*OB9LTdnMh1q083PYy@DncC;f_Pj+9U$h=I6UHRVubS!R0!?dmdGMHwI5V^ zJ@D?DO(y$!B`uNr7^^v4X0@4VvM+>&o}AKDu{*Z8I*7^bJ;_kj61H%$9dNymYf{xU zaNNM%ozRIw8JG;Y1WqC#efyLs5J~SX?sOVk7qW_#e8qadeCC=pvPQb#DQucJ=SDc@UE!`Q{eAw9 zn*#;R?`H-1vN~)>Mr6=&6{iC3$~>V72AZX*2?zAe7=Mq&mpK|-;O3!wz%!x*pxc@M z)o}4V?~DbD6Q$%jj#5deDg|*pm%X2u=qL8s2Bl35W*Dd3De>u1{s_usU<*s!lLmSy z1qLg~0aC9&Osv%l0^9b#aq(Gs#2Mf-AwCa+jwJ!7?7HT&fABd+J~1dDy66J+ zmd+RtQdhF{;jZM`g}!UC?(=uK^Ddrk3VU-VqNW*;ZUWBs6;t?WX1j)e0kDJm`-T=^ zf9rn#cEZpmrC!K*yvTGP16zC|@AjmMRuX zrnnJ{&&T*mrlPHV9f>Uo5rC#SAvAZ1g$20;gFp0m7CS)^t4u`RD;nWU=*)RSm0qDs zZJN-*Kb7P5`a6H3r?MphRR;)*2FIak@MydzI7KyWu{Z6Bmw-{tyWDD~Ua)6fIhjAo zP{cX{KDjp}MR0B9s7%X}Ujs;g3PgRWCElLY>T$nJk;Z!PDzP+K7tkO?eUZoVoxfJe znwl|MWM@{35yml=p2~-z-VO>C>Tgw@c`U zyQ}I;R*%j`ko%b!C(!;UYY8YnY@@NOh#_S!kDC%)dc2#LJarF7h4i{NDVLp}x0gN`Rwi{RrJlnewRn97 zsd6{9coZ#Z2O(Pu*-=Utf(L0EN3_R=`e^&(I$1f+irippt3#rC`;VIAk51FltyV;3{h2qzM4MYbB^7icjz5ZtN`b7oX2Xz)x&N@(Ui0zU_V=>)!O*I zo3`Cn)~9?rZRJq85IFwhFPz1?9ov?7U}_{E7pz!)+Y1sig|$P~dmCX%>7H|iMZ{-w z6z>PrZBNO`M)o}t#q&gAw7xs;AVFn!K#S}kRTn~>lJrihTJes3^;PS-2WCGf129wo z_Rr1DIA(f|_ZQVyv!xg;C#w5VE_ume^DW!hzC}Po$v8bf`;*>FY*jAC)`|+2!cU4E zPt1qRSDuwq=gYTSX0;xHwf-axYpePILcH?|gPJY;q>KuJoS^QuwiZ7Nu^F>6^iddO zV=kn3ILf(w$^Rq^tS)7&+pO2>=v!|CcCuqlb;j8m^KmS|!dnaPO?)X%$PEUq4|pwY zhnLB0+923Alrf4bdg%^p_k? 
zh#gMGln1gYmYXVZH!alx3FAM+%(yE2d01#F_NGa7;oO%UO44iMC6{<WcQOy3nBhx;kUx`iCf2mrq9VfQLl%{)!!WTCweyi-Vn5r+OU72K zBL;CP*2D($>JX+*w8t_P8mS7Pj2Jo4lc5HYU1SOah8A<1{L#p>5%G6mPG$H+1v*zy zW9ik;)aH2Am{l^;M`L-(iSmMN!0I%6z5Nj$J*G-C=mImzNVSBnIXlji1OI!a;W zK&fAEt$h4QZ12 z{=7z0`=8&A0Khhmo?jb{5JSMkObyX{z?705U;t+^2i*~=Rq>*L?aGSx;{3GcEZE|E zczwyAgwh}D?V$L3_BK@m%0&UBcYS@`L|1~d4N)-b`0RnACCB^v!O-pP<>9i*m50`4 z_|hqXHGu4V!8U4ehydW9XV~DqW_p&m8MR`FOd zNuKTd^*SOnYO@rT?s9@g~D!@+t;Wu#+Ff>}6TU!jmM1g(9By^Z`9y?w&*7E^!qPJ6tWd zaMB{?U)#$N?d*RT1?Cq1+}f}{-bVQekrgaFRVT|Z(b3naCvZFnY$WZFj@i?WDGQkt z+4V41M8dz;3B0=a*QTHhZNq(~75I}h`4>cj$=G3v$$-mU{voZU|6X-X%+8nFz~QNc z1YU`PPM)5Dt{Q;W5uv^U(|rLJiGn}g&+xTcl1k+tU0jTvMxv-jqTz}7T+9NI9(=j4 zcf9Iz5<|}U7r_h_Co6c=mw!81q>43o#$mimrH4n|Yf$g>G*1dHNX0o+o|}z!bs|^} zVb%_o2nGgPj87Jw#swIH8g*#zyW||(kUe(j@Nc{F; z{eD(=89ntGgW}Z&YNi7GXem44=&?Ryqi!pcs|`y1&vWP;_C(dF4%W2dI<2`Ov3-_m zef9bIn(5p9a_UUAfDTWIbj_<1eW#nNUrlyWQa#|vQ=jXme3Dq7l`fgBZQ!r8Nc^y zfxnT&%6^I)Eparv81u2RuBs-(7Z?S65lx^9PPoJtWj#?07OUJ=2`hDy-U7`GcCBg2 z4Hh8Tz8;&`Y|QvS^VJPD6m-URlu;m~J`FBtEih6H)(l9MLNLKKXcCjV32Pv664Ni* zOgXMs4v#(2`~h5Me{&ztPx-Dv;Pbwc;lX>Sok&<5MYz5#6xK}H5-8JX)M1#xE9OiH z{+cjL3;`FaBYQ6(oSXfCh-Dl6HU?mvI~Zg6va?F!`z!4@UMjjZ1l@U_2Js9ogw-2! zi#y;ik8?}$^Q|G;%8GqjVVd`FsNWD>)~>~v41B^KR{i#KE;BrE3K}g zs$`~~>_rSY>e}vl62t@c@3tF|aJ=4h_TraEM0N!Sjl$McUbryfWr(6mG%3Ig$#c)@mnnn?#{8sHMm%_%cx~>gG9Xf6GP1 z2qZ|>LoN!L)?ib>0TY9$)C>^K;W2!Oc9gHLP!vdx;L_?&d6{0EY}?_V>%gnD56T#UU7z7*7B|ibVN#MY*)3R)~K58 z9`mDueC|r}2sz79yZprp$h3%lN_s0ZW4Ain&6`6=M>%3pdJkn|=obb)_G#gKojNTV zdA*d_Jm;JOb(9#ls2kwiVO}0f?ydDDX9?SP`}?7)b#~um1P3DZdtleQue|nAuEWN2 zTRpZ4P?hTiK4E(63HGqgeDf{fceNmQ&w06em+I(=$$;oP#)DMUHO$c)k^N~Jnz47K z=9hk`!#VuVg5&m=PTg$-s%}GdfHBerzg4ZHEATIO{_a0$7g|+o8E#IAuvLuU6kjQ? 
zxVOg}IJeptW5*a^&Xj^#MTM1y;2~yk)-gb$zY0thEOFkY;Y;YWgzt+U2U&^l>~3)`zk`Xd4OXe!rbffQJK|+1=roHB z_lgqR$`6R-UWv!Xy*=!12IT9hb&G#h{)_k2R&j;hF_q}Emxfsf>h;}u6B)90nBeNv zB|E2Fly#6V!n9tJS&DjSgNm=`>&M8Wt8OQJdOZMsXR0-fN&0Nc^5jsjm+?nL*_CB+ zMmB6a8HKoXqTlfmSx%-|F?io{3zv$^)Z?`zeAN_fox>y!z);p5dmWjRHA$k95|yZ3v4kyRByxUdCr z8IP;5VQ((|H2HDCZQfvO)(+&O9?1~5xkjGm!#a~9Jg$h}Z9X9pCV%YVJaxmTJ#K<( z>hwj;gK*834g@$sETCnRDn6u}DmSO4LWc${YWz}h3cD0MFaNiRP`YJL@Ou~$o3LuMiJ4`#Mv~|Bhk5auZ!!_}RqNYR2B-!_ z!30EYQ9xjHEQgelwpy%+CY&1xnF-MVVX#F0K~LLNj=wCGcIIW|`271$ zCf~d*R5@0$uPY%<#A2pGw|%s$T*NO6)=^mk0#T!^?yFLYD)1Ho^1Nw2*1DwRkibH4`2Rs8*fJB0Monh>$wT8m@Vz zoJ>l!#+RmhfJs$KRi?Om>{h$qBpgoN#eQp^(bIxoA zEf3B*W>y7PW+JlAtstX`l5gZD<=1T=ZBD4M9jURvGE#wIO7pt6)~C&C^4`gh7CRr)Oaty!u)Oss@qWA3X-v`8S^9 zKss)QymQn$)yYK4`rcCd%D#z?|BrxIS)j@fl5rP9AW zj1NE#4$qaHvQYophoq^&*zMB3tR8gciD~2n1TPz%)?gAr)F+9qoKc-!GMm6cLhVjW z=qcb4DtlFoQLYV06C@BFQ__UjrN5(nl!wu#ifD(4*pe-C3kuqI>bC!WS~r5x!|8qBXM zVt=?(`iJ8^{Z$0;;JV|88SEzN#6kdff+BCIzIX<-5arf@64fdV*<#)~FFCU1&SH7$ z?qxIa3QOmAp_YT$6Y4e>k*_mCV_r8VE%|lRvPqDBH0ZpfP;C%KA6aBQy(QJjH13#G z=TJWNnumf)LPvA0LafBrGCM~Kw2#+j125cCY3q;N7drkpuBqG=lx=PX;T-@I*ZHhC zO4@f{6kReqgNK6bxujvFR<iacM|908pZk0WtlnwwYj6`1|vx#G@4!U+BRv%0D~h+S-Iux7v;~)H!uqM8ch1bIft(CJe0!y~EAnF)#pPxv9Od&0n`d zrhEX94pud&L)g%~u0trPo(Z#f3~bi@lU(&4R?Un)SNdl27+89-fWbn*fVHgr(_c|= z2}{vri|{>QVBOC^@(D!BpLpeQvw;XvO4ntVlEC{BE-5VIAz`YCjPXB2LL2zJcAVa@ zkb`}E0)xpYFesNBpgyNhLdq}rm#_Ms6oiU29z2PYlBTsam+wb^Z?u9-Dh$Z6votO$ znH5lOvEbrgb|>HmO=pE^2g9F2B$JA<;I~Jq1j;k@dj2iy+^7@|#kDT71L48G#|x>g zE5t;b@Uf95(G=GKabVId>gZ&c7I9dbB!rBDbxXitaf$#)Kn$6V>ghrUt#7o|WnMWp zOUY=TG+oe*9vuXWXeLW(IH@wmE0#BF zvC9J!=`id%l>+xJ-B+qj2^>k^zA;z{BePqs;cZTd=YiMQ+r z+o)m8vFgJMS`Mn#AYqRZFLemgc%s~+RA=KAoJ%zVV2h+cJ(`=j3tzb(N}>%eL-B(2 zTd<5mz1cNhD*1__#K0*Y%hWGEwE0vui*Oke(WqEafQ}p1WOWGt#>C{h7EZB}sP@iL zs!?~C`+J3AO)>)#mI;rl7bBc5jV0v`B@@*a+iBdBRwKWhW_n}S0uwA$fn8TW7(Q|szPy}qhYKVH@{QcKb`g* z@>$0>fXdhNfmDn**~b&12X^)qiuHdv2gi97twEjI{a^yCs1rbHj!h;6IieGREe86_KOgi$Z!k*y=DEi1T 
z1jwhJ%lT>=E7%ELCpTu%C`v5}a*@F;w-13^KOTWy*f%^?1~?seb@W!mlr@&H7uWM0 z@l>`msZQtD<-=FTROC#wp5KhcRD4(Br6doic_zimaimSYRlq^{C`FAB=M-@l? zzcPSDBi%8XzRwv)oembA-a^Tg6;N0%nfwi8PlazFCzThh7g|}8s~X~RJMRpC3WW z391l7k(!b+8&{lV4@iiXIDW7Vp}J6@Gz?9?N9%_wau%P_o&K#X&-!F_*FjG|?w8Ea7b~)1hw#3@|_h!E5p-y3VU((CmbCjPGj#{ z!w)S;@oIRwML{7r)c@>mO2DBLOL+O%6a;_Y;i-XuJ!pzx)ddLl-6ny6jj+Sh!l16o z#}u~jGc@ET{{TyGS`rjWtOkd+%I*DcSN9SSSUacykb;3CfEE%BGo}<8?O)I!fbXaS zq4gFO`jUQvrOH5g;m7U6mXSqGkV`_D z|3sP>Fd&wqxwQQhtN0MVb4Hye|8DEz!k?9o^d|AqU~W_pr2H*j>8d7#|MWx;;x&Y!B80!$CR!iWs?1(-F;?4ZaU0)rB4EnSMhz z6!A0AKm=CNF_t+P4UsPhOYJhSkNbdw`1OnvLkI0Dm)K5vAi;s;CQTQrd&O9jQ+EQ& z^p3J|$U>GQD0@mavnn-XOQ)pSVq@wXKOCo_X?7o3es3#Vu$QLE!O6lJn1> zXr%l0Cv2tX|6L4d{(pm_Q8sm#LU5zp8WaQcAevnb>>wJrTrPq50zANxf(`Q-*8rCX zWQ9^kYFLi-l{7P|KmFf-Lb=(H?;u0Hg5|eBRq5DLuAmXqvDCV;65hcycJlUu?Ox&7 z@^8m+U-s|7TWYm;7J%#ovm`#Z>je?e~k3)1~N z$X4x`j{lEw^IwdETT-RK7@(Wc!>VAL-!V?d5MLbsu-kHjYvrTbeF_x@YkJo%uC(Np zgjrMAotjtC5`^pIgSjCOcK-a_iKP7W^5>jGra?CM(?N{{B;nqZYUt?MR{S`qKi9^_ zPE{6y8{s3tP0augUOYT-47H(yA2mhOByqwD&zduYCjDMAkf{wjse*}1$=GR3`QMh4 zgPl|${|f*8-5YKG)&{Q(yefu#)R^nWH!>o|Of9q|O!2(kgerOu>#e`9Ce@7@TT09N zCx`&wWtf3OSSUYW89VqtyGE;7Yon2?S(<`NTuR>~f=#uuvGYve)Y7&CI?;s%uoOGS zFP3jES1QzY0(P{#f=8b;h#i^~kMiXHkcW!U;lT?cMpi7~5a#tM_3!uQ{?4z(!U z03FOwnIY$d@_@s>X61nu=2e?P>vYlpzya?fLjyUq;X+NqwaM#Sv<2*ai#Eg7Z_)Pe zHvbcCL3=Jxeo~m#!CDSNA5#{(svlF7x#x$J^>&C~%T>26WPA1wkp(AS-96n;_8jIhwr}hKL(|oms~2sOD-XiRt$FzEhzuw8oRKHK|hV20Sb+EU@1ozC3L~J zN>lvwTeTy=Pa+2hH+p0yV9p^xB6!__!Mo^g0)dZ(IJH$WsER=VyvLgi5VeW>G3}FIu}`R=U)N@2)E;X+?zA>hKxHK?!8hu z45^Gb3{k3@f&>xkfEp)(Y{Gy?H!@P}5{iI~q# z)0+1MXWRKr4pLhBQ8F9paUM+}7;FO|0fAzKqAYuBF-L9x8VOEc{Rs``FuZ`ACvd4cDs!URo7 zE07>luB?R!k?kr$g*0e75u8B+bLf6+D4vMbf|)(mqtmJD;+d_y7=X)7PQE)iQoLu&J`#~>bUtZa_SJeyi+LG z(^J9Dyg?vJ3-H9sg6WqH)8hRF1sIo@Gr4g;m?255*aRDdPJT*@J~wJ4hbbJH-i%?r zO3tu_hgngV4!rXU!R6%u&LqY_MZc@rlxI)mZODLjA_bISWl9K45UQ9w4&LC@Aw{AgV89m)M$oA@*NuBZWk?U%qQ%Kq-RMDwy2 z#h;G(g~DZ@k4dgm;t&HC6!_+j7#x^)ZOg`q-?Xzqynj7#$X2L;$4+nHhwFi{jY^tB 
zOmGF_;4iSMDA0QckY(HRr1INq_~D%(SMI9}<>3rRwUn<#baAx%^hN|eY#C2baD!hY zC%s}`lU$FPa54+Hpbj6{Zazf~*fFtIky^0CTX|e#ANyHnG08Rs+(yK3u4+Q0Wv%Uk z9*Ms#V&A3h(G?|J7e?o)R60#-71)648mnb##H6MYU?S@nL zvkXBciM*9SHhI?{`+;&tID@q@4UYScnC^#7;=s!)XW<}#JeoY|PCbSmUCL9{&&zpg zyWUhSJ}1tDISqvz(#{9G;)w34TR`E*IXPDtS;=)DzJY{#J5}~^lD^)}SX}>)mc%ii z+{9a7tDi2Y#mNrk%xqd7+R0G2a(I-F-dB`kD&VX(I7I2|FRc}FAk0_*vQV*ZfO8e} z<$b{*o0ty3_oL#7!W9Z%7R0$75WYm5mD0=Fjv;bo+ zrWeIOxtaqB2*TfWGIv z;|+N0+W+XFj(bMDl)G&l6RT?pu_#N}I$Eo_>i2K|EA-h46U3}1Iz4H+t*s+86`shi zfZpT^UF@l}(sOgSZh{o!Ojlb!R+jD$DnWpCKn__q4A3ZuhFWS$Q{$$9G z^BINZAxP`oM0;Gcw+ECxe#{gAP6Rxh`2GgCnky;I*b9Iqo_lqC|D^dRGnG}#_ut)Q ze1NKx|IG|>_43mVJXyX!DOW~U*~Sr3Q{Be-=CB9fj=9n{!SeWf5!LnD5Oa+giQmTu zms76Qvo7TOguQMmpmYp>O-HwTO+~A>`1GzxI}KT!&MN_t@h=>pWBX`0;IAw>C^W&l zN|eMKKJ|-zx<)Qe1WG)IIm?5dl#wNqBIf|3Q7sjeQQVvPoK|xF%b?_oDznD2g-9?g z@@DzNzzm`JZ=W!wr-hyBv9%>KEKZNqIh$ZVHPl2%U!myMWbhZ@M@>)!;X;fD0?xh5 zaT=Mjepu>1ydoKZdCWD9n6DSP*i~=RjF6>EfvTTc6ToR7}x=!OW)OEdy2t`@D+r0fs zi73eP^IvG&bT zCHx!vBJEg@o$LeDSI_l3W9qGss-tp}#|CK7G3>)X!fh+eba75@>2eoRNosVGqtN^?i*ck5IeMe272o@=U!_A9vn5=pI)#PrzKEB45R!=3)2P+I7} z@X9VMcm0sl{M>ex(_V1HnK6sMW);FZ@?2d9ES!W7hC{i(i{muErVsAv7nn1Ko|^rB z(EIFs#Sd4(B)aqe8VPC0)x^V`4tB6MNh^NWir+Ku^10~8>Hk`IKT8rupfdfo*s}5Q zmshC({A_O2ITX0P=c|@pqMC}oRd2rP#>NcLURM|pot z@94Ebn-9yW-|0M!&1yktOa1oXJV7p0K?hRT2va!M6g%_PwUzM2aatMlA6%br6?6LN zAk;XgzWbor?{Aq3^0K7Lpe3oR(TMc}ejYLd4A|gtIq7Hvq%~ZK6ywvV@d+^0yB=($ z?TN69nQXE6EG#XIK;S^&e{VAG&bBkrSz;QfQze}X>VH#JCfL!+Dt6d!<`4?hWa$4t zuF3*COXguW;NR982nGiZyI+9~`%h}Vf5Vg+ld~KSJjI0ZX1wnuxhJ^A5O70ZI9^DT z_9J_)#g6*sZ^JYFr0v1z`i*{{$FoW$-!Ix%>=|77ssqx7?If9xwXwApE8e4gk?~_O zV%2<;5$Cm?FISEqz@UN=jie(9XY1Lkq_eGT^p__>&)rNHt8YqRm&J+xu6fX_eU~p? 
z{GZ*=IxV#_t(k{R=P#(1On^`#LbftVA1rgDJ#9wWP{XUHy%_d;7;mqX$QgY{2&8VJ zHOfAq$Pb{4*ga{K9(r#gDStMh*0MhoK|)UA`hCV9c2{u4FHE>H!j%r(M?2HuNkfvG zgBdboA>`ZF(mj8n;mtQHsVcxS>n>RyM%p0k>4T#bI-RfrykbX`p#fhM>jxE4DYL;2 z`8@g|6f3;DIMu>LUI~Z%dhT@+^~wsO8uLMGtZF~?KkPAMF{4q`I0u0|^2WtB>D2fg z>h!422H8{^7MG@5YklV!c_~;XkS;*ytE>}!{J`FTXW$PTCNuYv zOE-}=XgoqHKEN8$y8(Zv3D?{D82%jR?R@-M+0p-6oAleE zyY)7IpP7hps z)jQ&6$K^t95tf$IGZ7^TKF?fYrRFa&TNA`ki8=1jfN{G2$^sno>EVYG#A0> zr2Sf}>9Do>R`+u~-NR^M8!Zty{woEJNjRHML7D*EzB*`GV}7I0cp70Afg#O)lF(HK z{TzyCPPJOwLe7K%hM&H?q0d@;{2&&Cvup0C&*bEK*1D5ZZ@AijRd_x+xcFjw@EbQe zI?h+J!G;Yb3jjAD$p~RVrGU67l18fj{suVlbs^;}MBv)!#jBBzFH+PL%Tp>g8Am4~ zQe3XkKL}6Ppl>h;SmHK_PZVRQLk?n*)@HiHaD`QzDg_3u_W*YXK!nn?^k~l*6XXZa z-|f+}*^$`G7Wdj(8FARJ)R+MFU>AD93nCta0Ko6aA%F^O+^Du{KvR=UF^Fn9-)U%# z$zCCbCSuST+E>Q2o;B~7($Sk>;RN47_MJTLTBU%5u3|umlsv@gWVV<2pt&A(W-MMI z@|TQf9IS8R)H2%N@I~$#HKfyWl`@|a>v5OzccA8u{wsno?oyW&tK)}pvdLt{3o$Nz z$ePw$5I}?e*+NV^%h?5=%-O*q{N3jMD@&@Z%YAa!NXnUo7S}G`v!($o`WrLjkrm#@ z(r2}KV92vmlixwc2Om=FG@f4CeQb(3mz{fuja!=o$3^nJt>PihCuzp!jFfoyTpir0 zv#;6D0lp43tWJmAw!!Ik=mk%PFOR+v2(M_r5dbzD<^%)NYmsy-f;it4LwCQeCp$GY z7Qn@RS24&z!kXD@P0Mm>>%)=>$9)lm-gzbd4j zrxA$B8$|`rZ=fLBspq%5rND}{XWDT|y2s4#Rqgx~27%eAmo0`Hbp6$xpA?lulOc=K z7l7U%@Q50(%ux2TzSb#uGF(OJIw!1`4RCznanePBWmeIbH~y{P5yn|Tud$BXWbh4G z6>V|DGb;!D)T)&telF;5k6Mb}Lw&z9*2?_GS4zy>=Knbn)0ZDwdXBitgFY%O?dV1> ze+0M-tasYBQcPUh5(Lz;^Ass9$fB$J0rOU3sZ#1J?cX2S_SK2!o@yhf%;q;iSh~r3 zOJHj{YC{$EZL~nDD}3p$F{?TdY?;=YHq{nc`6PV^2QUZAO>bXbSCiEs#^CjjrfzGp zWIz}Fm&9r_x~!Ot?HEI2-25MLc2tJ`f9Ar;-0LFiVp2ntjvF{Tjk|2b!g=HY*ncrt zqOb<*sYq=)ac_?G_OKo`m}MPv2(iC<_PR1GC*>Ck#Z$d+?&N>Jnludg4_h1=O1kfp zgcfh5L^fp1v&!67w1;gA9=-YkSY%mV%Z>Av#yx?f_W5|=>Bu64uq+M@+KcCbeR4cq{PiW#}*^ayhXu@d`an3D>N&PNe5z;ZoXH$Iam zJP|whL`+m%o8{xIQUom{V<1GXc@G&sVB3nFfkVy#?KBD4$yQ#t6zMc{oma%hE?aS+ zOg#`X|9wzVVp(Sd32u+^R;#7PS0L`T zGWoA6!u(ny<(f_kGE)H*z+S6qs6Qp;qg~ByW#_j5TFsR=3Vxo(NHS^9;7QHBvnd9V9Z0kYy(8z%>qy=Rf4^B2 z#5=G{kIE^II*PQ>ho~mm_%$y<Ocdstnw;tn^{IxjX-g8;f*7u*duAlK0&(W{Uv>&>`UAa{1L;6k}TF-C~=n 
zIDZ2c>LQ^t)%KzqhC{hN}X-|usQGd*@5A>1fWbN@j0g$Q2x62M$0;7;Bv zZ7lbVSKw8^e*g6gslRi6mzh9^xR2_7kN=4~KH@Rg znu1YT^SelrmsYSI?C7MafX9}pl+~m#sDk{>_h@c*TupCM>mO0IN`H(O({gLk9xR&P7YHZ>7`Gq z;N%D91Y+@sNaVv|EUFWGJk7#E^N-g_UFOXP18Ei#>X~ z*);PmT*+M@JZojmhFMM-x49XE(#dw}4r z*Iz!5%BT$KrsOHQ6|FXOQ`si1@iV-ljdBh(6rn5YL*x?q@$^~aJtHNguq?U~X392Q zOqOoOSz<9lVD_RU*l1=)1fw5dv(0oggCW?V6>K9hv;!~rWLB-OEv_Zw3OGz zB@G9iw!`;byp-B;H#p+LO-p{F@qpQ+P<)yvwHQ1c0e#;e1krdG=9g%$I=-&2)_uPj z2=KmK>{w0r-wklNM8ya7gd-DGejW5>kA!~1@XhR1hn6oNWHH4Gy zd&m;~9Me2kzK`07kav=_H}mSzugbIS>3dpnPyuM&Ir^=e@rF``2Fc z%*>6MQJFE*SON5&+;Ep@r^%duRR$^X=C`09UD}A_Ps(Oq`nhSUH|E~*b^ZNHLdYh} z%`_^Zj6^_eA_~b0cSnyu@Ou~O_K5dD7>leoo0KDQW@10=s^KN(V$1+1mpMPo)ySX! z;j$Lm$XB49b%y~z*1C>ZJL?9u30Dy&Si9AdQ5>$+mlpUv9yUqj9=x=PCu;zf8~O9v zTrG6H!Awd$>cAwraD(rvHOOYX25pxBsI+Fn5=0ft(uacWc>XV+t$1wa@lV@ zP2LThlIkZ_cs^%o+R<)hjxQYE@iM1$J->tv%hG||}X1S^D6zVlihRB*ok5|-8Q zLDkQheQLm$eBfSnt;X|F=vzjAo^9J=f~Ho@-2{BwJ}V%rVD01Ao3}S>x!LTWQQN1> zJS>-b;ecY?qKYJc2;|bTR}V~?eN7EYK{iZH!S>&~as-e(@r1TWwlmiJH5SY`7M`2)rv@a$ zd69GYRHV!1?aqxC3!+6qst7NFY-NE$N=+EAP1*bum!|YRe`PT5B<}0CvfBdARVY;X z%6D~Cd0FAbeMNJ9VsV#Jeez6MF?Nx|>s4GY(NJ2)dm{_rGJV$vkW1`4w7i*Ml^0u) z0!A~9Gvh!AvALg}(Qxt=FC_r&IaaQ_+o;N8N5{)?D|AIJI8B{BfDYewC7g7~1Oho`KI#lg^pe6yd27MV>75 z+{W3CLES|L*cU-E8=YAe#r*IFrBU}CKos(HLuuxLJ&;s5iQ-g&m5sg(D%zMx6|Whx zBC#c(EKo9s%717e?FrLi8?@sLV7a1*$qYkh7rf!}fHn2>{K>dLRCdRR6D|x~URQo! 
z*-FP)J!{D*U2*(jWREeIWy%YC1#yTY=*5qP2Ed7L$bQVRcaL))tnpm;N zKnv>MyUKmC09T)J>b%O-kHA9Z=L>{Aim*hIP`NOUyzH}T*19pM%tJnj9lsEJE%vO}(T_T7`nb6L zVKLTFez(xjeYfcTMHkt)`Py7`lWA!S{-L_K@tTFL?&|Y9CMu3}&}FZJv^?P!51a?w z#7PdJ8?V{tH}6nBnJ!s4n)J$7$Bj?D9pNtUXM8`})9aCkkA)}Tc#8AFfrS-qS(nd< zEPBj|_OABENyCmZB0slE^i0k0cJf!oH4N9hT=vp>49zXZ>Vf6m7diz?=3Fx zTL(~hl6#JIP?EAVAbKZUO#R7l%`U{IWi!ku!J0~B^+@-_hUuf)z#GAOvb8|I+myI3 zd$2TCBG}HZK2ONk_f{YqVA>=G_@Bc&Z;2yggQutkh)-xm>9?h!Fp${#h`{w1lMw{n zP6W;`9%m*QVjPN`M8&f&oik|`FoU6|cT_ED?PNkd$7+AJG}T(xM6NTl@jNUcOssoH zhyN+Te+OMMT@?#MfUN(rVDq<8%s~ORLhKL2;BmZvd&Yj=TH-SyP_t6UY1Rl$R~fd= z^y7`QBhKp3MA?vF%Xx(F_fc(12ABrpj_MxgjrxyxD#DDX%RUSRlUb6EVR5pzp zoQ+brH)XpR^I63K0Li09BC|30*{uPNs_{gFxB2qM=pFNzci{`K#fbc(@~vh9BO+T6 zPc6Tnx3|W}+U)o(?;h^`&E5Uhu9+qJK;Ms19PXL6nBW1<97uxY0#PA!&bvWMMNB%e zF_+L^+uYhD^=!?!$%@f1YTij6DgiQiOo&7?diEsm+&a1w0BT4kY$(R7Tyzulkv18o zwLdGz34h2hKaevo7Nv{>dnXxU&W8M{0NcaZ=rG&4F!h{o}NU-_MX z7fi!~{Ghc1^L`~${Ct!cPh&yTZ8VNrd zy>-K;Uc+Wb{SjhIwgDLH)b^HqG=27#0pfezFf0?ryK`Z!^q2Y5SNXa->xZ@V1^-EZ zALp}Hc)7gVmbB%n*26LH$_cNZF~kzyz>5Y|pY^C6a<*8iIp_nmH+>##nM-aN8nxv} zIbTs(u`c!G$f%}jEYB;Iy(j>pRhCUTpKl{RJ;i=sA-Dy>d({T4LQ^-QoWw;Zds|9c zZTsXn^-?VicpW&(%DSe^#NxTdv%{>)AKtl}zi6}%5d9%#Qa^3!C4`v)9EEg9 z<7i55NXgpE5n;{x^L43T2fTfJi3;DS5IY_%6}>L*D(y@<>hFsU|AX#Ddw5d}jcARF zRi8>kKe2J4AYfrZz?l@hNA&mG3i}*5vVY&{U|YZxn1pI`K{+1F3xIVM4C=|h4igWo zF}{c}cHeMB!}tud5+&)MDGI25O1S9%tp%ur-5gv<5fxC$S9z@A&8 z3d{_S>P*roe5Xr=G99P^+kuNW;v|IX7Vavp?N)R!AT()I86JUE?*#IcObkQ0-tCfO z7At}ozRayKqtmdCl;4afNp3Ehz^|#tU4#@dU<*+E+G#kP&`g_+hFld14j=Ha*Sx$KqE|0cW)sqiB08tRTJNPw5ZRe?D&%+Yo5VfB2< zU9wT?g-X<~7(a=5bP!l+Ks!$Fqed5?249zqzgPH_uSZEf7}SMOgcsU}tTz-~7Y>Oe zsNg?EH(fv;P7!x?Kl0ALU8lxN_}NI{h0%1Tjz{c0__S8XiLNWZ=s}%5lc1_6snB4&F}#xTS%^1Scw4R`%rLbGYr;PZco=tcpiu^ zS1}dZe)%M949P&#j*DkXSdzR!q{7dQB_0b2^*clj#>vihol~CJgY@UB&Cpec1LBi0 zGlwI}G9tE6bnfAoGf3^Kv2PNBxpt{kS{>dL*l;OdJN)YBrj*TXX4A|N++!nTCF~>x zxAup1SHr#)zoNMCrad)(pDuTbVR~B8SFo0qub(RCxALMobBo}ve-PFX72t_=FiQNo 
z+>|Kdg1#;#V2)v$JWmkrN;b1MfSJ}y0*(!=C>2ysdC274y+aQ3uzpJsbj2?kDC%xRm5}AU2#hQ6 zHne(ma4nr9){*|A+I6Tr%IYT$LcS<%laV-RD@^oFh?X0IWhUJ_)9BD8X-bVILfb$d zj=J^m7YvQcZ+IB;O^!L&H@t`&9isbd@t;#1_!Jo^3!GcOrl^N^|HDaiAPOPu7YHZO z)fPDaA5NkJQ3$~WH(o8*P_vGex$3iypoY~n?E(Xgdc@$4E@6|jf->t83dx9>p|xOAMf_=xioe8a9-0gSvu|pJ zrk7fLiEv1bLQT;cONs86D~8XBe3xwgjIWXTaKv|MBTyn|KL;+=++6$AsPa_ikl}W; zKgg`oZIDHJkAM6qjh;Jqg|7^Paj>gzT^E9d_zgjQn9r3=SkeacMEQ&AVf2J)ZEyV) z`Ih^s;{pD~xskL6+Wm^xygQ$@?2;R0O8G`Jf2w^EGYv8|Oq>-*G+e?VvNu7oGKwix zWX7;Q1gT;*i`jARQr@{v;422&buZ3Gq9T+ysl7oFQ73u_6N?cN>nP<{CG}yfdBff~ zW2sR}j!h2d6v}vj)vqjDXlK*#TbNSuxTeZ3H8GRxZ_Vi~wB+cgzq>?DMrAB%njjK8 z@U}2U|J}e$I9(`Q7Jt#Yz{tR5%BlZ4tN)L{pku?r;f`B!Pljdj2rYm22g`x9nMGnL zfl30^hKU8amn3&BowIMmpTw}XJ9*LavE8WdyPru&`Kpir^K;C)>Ng05+-;M`>1bpj za_=K1{Lq1ZfWA=sI?S54RC=B_h`>m1r&~uUPs87=Gd+Zy=_?KG;v?C>`K-5C^y&RQ zPVM9_U8qTTYXTG|^nfi|Ed(z7x=CV%ZZ2(~$lM+rX@1!|yMi*H>M$`IOoM+*DGn~N zCT>4YQxFK44E#X27lCH#?t7+$>{nACcNjaV5HNOB?5qU0O$8t0jde)sv%{HL7u->i^MrSzgaRHu!TR*N-BT%i#V)ECGM%}v+;0Ym+s&sD5yVvsRt4&(eXD)K2O zpO7QsZ~rO!X;>29ADv*%XZ?xwVkH|jOqP&Novx995!H|I*;ll|yq z)YmvK!JIclbyD-sr5oQ_6Yoo%6zu~st%MMd`OZWJiF4i5xqJ@|uc}Sdt7viTK+h7= zdgBscq;ExpUp-z}cDc5|)!K_vnt@26S2?Z=!zUD?{8<@>--ET@c6;Qw7w4i#2glWM zu3E+Gs{|t29Zig^IM&PN79CBHxK^JJ=*n{~+#HK|g0X|}>DNrK2T7`bX%3P6<17S0 zoCVA1241ip7IY-^{45E-1aqC{z}f29BEU^R)p|wh7kV&JnK!_fyPGla{pYZ$=_!Kb z>OUF}LeiQ`svY|=SyC=yfUoH~QJdzQ5K>}|5Q<=;l}x}C@=&(X4z}}eugRKbQyS`% zjk;Xo=*rIiGpUjXutP{!KdJY(0_i;MfI#fT>t#j?F7 z?2yP8;{~}5wwpHYNRXW=msT=osfJLnL(%o0_9s6`o&ue?J}h%D;@hp7UC8rp6!ME1 z1xk0mj+E26_S;&NXH0~pUJWk$0eQRn{2RyRsaH==ZY^GxX_JCOf*X5#T$7%~n}~&{ zuz$gd_3c4>=Aw-|ZhdbIh_;GYa`j`tFCSRPlp3^YLikj!6X{-L8S$~fkmf&2F7kKT zk8o1RRY&)aJ0AA<9`5IBuyf-=GL`o2?z&TbLcns#0`BlqX&T&J zsBexaxe6RfX98PiNjjnJhWjKWZ~FC-PJ+TDVMp?n()MPhh*PwurU)U>LVB(wYR{u{ z#;H2xUVdg`yZdRBp^as{zeFFb9Qz!BrS{3SS@(az+6=?N4&SertH-dc6e9&YghSf1 ziTHeVeP~d+L6tmp1)CL{4wPD-M!r1OEW$z8%&k&j_n9%tkF53&0>D*&h_@vZe;sMX z5FC2?G=7u(@pcv1qxk-5=!rCg8r0_GX{a?Eg1UcB;n#u*Iu0LjH2Rb-l;a$7heySE 
zX*ORm6w#9Awr?xZnC2RfSM7Y>hmi;i54E21J(Sc7s4u5DLe@GJ0ML{&w0QJEtJCQA zO+fnZf%5cDbPn~b@FCur>LQSRH*Wuljlyq5KM@)@5O)2H2 zisZlskKf1#F3>0RXNq|oSL!)Id7mW{3K^OVqv+~d=V|GgtI8pUr&|>;9T7X9%bEx6WyS&a;9&KG z+Rz~AMWu=Tdr{Y2c<6>`RPQdHkEBx?y~}Vxi+7

    $8^vCad-LUwh8~Q81!CjYs<- z={E?55s1_>&)UMPc@6eb++SAiSqfRocz}+YuX2CWQS8%`chWaDC^8LC*kwn;-UZHB zmr*53!%8oVQOu==!MUD;Rf;c|J-QaLj1q&YBQ439`DsDLXy`r^I7wE6qV<4;Z2m^vul4PCKG=?p= zXn_Gnl;c4UckuLYTnH8N;Ula3@mYYg);OK+t@y1{9aS*X+y8=6cV15L43}Rx%fY_M z+aIq(Bw6wGz~ntJ9NTC%`&$5g8h+K7lF?09BEn1Tb0}uEE}`6P8a@Cs6qI_B!T#xK zLNCXV!v=66xcU0a(cW&GUT4|M{nC>MO1E32%N<@=(kKz1q=*^3wh9fDevI|Ibx0_`nq1uUe5{~8nsghp0s4tpLj|Z z$h!{}-q&?i7J=8jGOL#$5*qn)PBQ9U5Q_SJrVgR%H_sahxNI`18U=IzrBE-q8d`qG|V&<&DTAZPfy}K^o&T`)zJZsG{C2?T(W{@v%@s@U2 z{m2u;CuYmsaDlvs$@E@n4^iUQ*Ot1nuqwJqu^XY^(MrFi3@UasfpSU;g3IhdZcQZS z@uzdHk^?7Me*avR2yHec&tx7=!p;wZB0dSq@NR$Bo%N|5CN$~p6K%_TC#+76!#(Wx zM{qw*wrT_b@5R$dLT}(g^~?Zg^#4n*OF_VYv{!G-y#U>zR{Pd0I8NuEEBN2GIO~V4 zZt=z)9$>~cC^PA_0N#>QIf<@Cziw3TDnxC(Fyyj{^upQ_c}!tk&@tc!78=SI~R@B6ixCecMY{0w#%!=Hw83H9lpxJGE zsK1(VCV3X}FQ?g;eI7$Afn;MghC}B)^r6Dkw8gU0%qlg%K|5xA*N=F7*V-T_1cJxQ z^=5n8Z#rh$$BeS_#RO@L)XDNa3Oc@*Dz%+{dx^5VIe`(ah50PR)Djp6g9qF<{+}{!+Gj!6sB&4;e}gZ* zToUrY;FNj9(Ox+|ZdBpX^*W2UnwK*TqA^y{Q$A--zn5f^KwV$I3Gqtf07-YhVLjqB zM<-#ApfXKMY($(+1YK{RGMDINqpv8t<}D&Aqb0;++mgC&jV4yUun>I48>{*{RoOs> zrMJbQ*+=F+35uTsCbrdcb!tm8F27MGL&+{>u$dv^HtWcrnR0oI5#B#QbmY# zP^-&@ccSiie3?2)GkiD*HGkrN=-39mNm`(v@wJvD+CsFpXQ)fUAV5`z$SY~-Oj0Qw zTXTv`Qq|o~s;dZ011G;B4-gF^A><%{Z zo|gCe483(YCT0nZHfYzjV;1swjG&BGi=Evrq&-V!r;#Jk-(XVN4oky(7RbF=l5SP4 zcAF(tnzHa=>!G@FJlI8FMFFzaPt0G%^!>;qE;bTkcWw)zsN33zW5cuOh5HM}(5%o? 
zHAx*#=b!nifZ$=LM>pUH$=z^IY$EHzkx73Et35Azi2bGgMWl&H`0i0_LgU4;e{V9f zyoL~k!&Ae-in>KpJRqz9?ay%T6@zF?q;b!lD`)b=fi!SwF$<3N3n`ct>=vK6Ce+PV;6Z^vHJxlfQfCqw5 zBr3xtMnd2RRX`;t^o3}9CYfjQ2u)s+B3oZN0Pl{gg}+s(!1ZK^S5vFL6S27uvmx4J z)ApLtw=XN=FKTcUeAxbueOCY5r#zky#8L>>vA%?Y4%B2m2r~)=u3ZXEuC1y3Rez)?Y%Vj?sgfV z;!vB=-)d?*d@l{TS%@)0LkFoWN<#-^f&f4!h=LSmnF@&?G?mZN-<=u*hj@G-`{d4xfK@P)i@LyZ=&CbK)6#em`?hM>l46(p>{Xqyq3XdHv{Tud>)#_#@ zKlpm(SK=1hkqm>%vNUXT0O03=;8oAqk9de0UuQ}vv%?c_i5 zFzYzH&#>{u1}BnTU29$_mOnE*=Tx;bwHW`>khfz5rqSJY*uW$7+O7O@Wv1=b+_m{y zetusA8Y+DN^XXcPiW7>ySGCLi&^dTci?;`j$E=6RWFBs8*;IA31Jz11G84C;Ug^Lq zrG|5Q`M~Rco&OZS!_;=@#4U2OCWB=`>#EYCr~{~1f&{4prUgP(jCZmPGb4Lri))tI z3UM}v#f|231*`}we=`sN_5BW8{2y-XsR~CuN5$+4IQQyo@*6dBZ|w5krma<7sY?d3 z#CubSjBkKS0g>~q4h>IPODcYfe%r2_#t-BQWuQM!c&~rXdPb|bQe+R0 zz2(0Zzf)Y`P;`4=g(u*KSNNdp zbAtB3i^gBP%~pSFPs3M!GG4ubmpC8~Z!=9O+D#AX5}@=Xt}cj2xV&u1(N*Q~?CJF! zryFn^3eo_-#7@%~c%jorx?H~M{-320`cn6cC#fe8sc}5i>+@3^v(HCYcu`#$#Cu+K zs|G*HLS9ZQZ1v!Vv@S&5qV&{J9g^Y+^l!HpJrJ7QfZ*Zzf5HSHZeGrA-L(2nU6dRf znu-8a<8BkyIYIm){3YFIPoCGuU{(J}z=z30epedd6?(a3nw@y5aomR4gh|I2GlxP< zULkNWk8pkm;SSO?vQHZ`l)(_dHs0Ak`>J^Z3HH*4*^}Z-QdX)QWn(>RJI$FYQ+o|2 z%%Ne8wtnA?1HS>zp^h@zD7|ja_yT{Y5eC)5ck1xTh{nQUebRqwZwy+iU@HsYGq0D? 
z4EG05v0ug8ri2$)u?v@5%x#akl%;*T>K&PI#Gs2Q;t_#P|3>CJUPX&%gpi-X#?j1* zroP3a;lj{g#8l64bl87L^Pvet)_9#An2RwW-oepGVkR|QnJVInha^YzO`4?Vblx?+JJOW(2__L zR|clzMF92xi`oF3e^EP_%tgc)(Wup26V<2%QNiT>&j`n`#xd0(mu*I{k;s9CWH>^* zK=L^ld0rac1o8Gyy9wjkFr?{ebn|ZzUuF~9{M!>g{`(=qQ0ZDYL6r0pfp7xkLEj!2 z8HB&|2U~j|^7H}4ckI2)3zMHVE~-cX#cg-?yqui1ZLI22(9>vS?TFn#;fB*%RkY)- zaVB^n&PE<71Y$dCmeL)EPCKP^(65kB#-nVf2m8?a%H!B0<$pD-$j-}qi=HMkLCpf) zb0wtHiz(iRh2C02AjGM&%-6d72y=(U3Wl-GocgArcl}*0b1l2NG_M}0;4VENb@PW~ z>b97=hO1p$t@OjG`C2t&hmG~@hQDj{MT?6joz<*c-d}Au1bGms)N%zmRv0_z^zCLr zzxr1{LFF^&>vDEqw6-g~{~eR%a`TD7VvP+bQQm<-rRnlU`FV$I)9EfYmp)?#g|Bn( z`jb_*oaC_!*YO38OMEp@E4>WDmQN4z9rmRjxZ#37RYL_^AjkFB$e#Eu1q43KJ0(Vr z+L>i`I;E@p*QfJc!cbSLN54ew6@4qvNkm9F;Bb>gN04i6NRzk6cSsZxd7tyTazFbe z?ld*ruWV%_mz`LNQv$Oip5ePCLft@)wLTCN>7CWnCf}1g|BeWB#jw=3;RovZ6MPa1 zi(G75e`>xSFpDuO$GU?46HN}#tviYYXR27yAsgAB3`yREkP$24W)|o_=hB+J87#07 z4}BPAwb#7Tg*oQ>v%0jM|FKC=7;hL7$TSP8;AI~$vV5Z_Kz!#?xY$M3|3kE`D~XK* zG6}(pze9&qVx$2!UsPt%jFWxX(WSVFVn-jdj~B*94z&YU*L*j8>clahGuU!8yfjEx zbsd)cqH&EUmX9z||F9V1Ju!2s_2}bVWZoD&POKJdoES@&Ku;&7EE{JdF3~tbQjb#e zs@5s8t|pBKSs%+OAOK8OS12GL)llKo`-H)ashm z;YgM}yqwva6Wd_uT5yU_`nt@r@f+;h0NGshF;BztT-pLe$|QK;Dj}KqIw7y1e-2~H z`b&zQYxPg@gu9|E&;9G?KbXlEJnS?6!>R`jW_~Ad`qwun+vNohX9agrOL~5U+gYn) z>^T$zTm%4nb7^a3MQkCKR%ObqWRm@2?T)RSbRSD6KGM(75_^}^+M;J33boEW@CYpF zIwqOxdPmKoZ`sc3s8&%nY_d{T0WA-KEm$~qWlZWkS@qr+k5^_QW7F_Ei&%NoFn5_Y zYf)em)Ul5m1PaYzLhZBcE#bAS>2W-Ef)%94p(Ma@j%4@`kL)Z*X{lAaX46H|l7G&u zAD}oVwE{V_e%MH@{+~1J$0Tki3Po4?wU0=^sK3ubD zh&ou9&z`!GHchLMy61!E+I&t$&o8M5hU-O#X_tnk={~QLijAv+CZwfrz&N<}b&Orz*TW5NQyrWq zRBK1z2W81~9#EDfc4Vw~=K)$DEN3o?ibQ@+iAhSckJ?dwTde*W8l({fjhU)ZBtoYj z3%zKW@V}ZD4xRDksn1f$%Va62EM9%DqAZ>=|0IaIu?F>|QL{*JT-1-Pv5uRg6noZ< zV93GiDLPsigiRk>(H~=IL0$4k{Xdlt>ca>REV2$ypx=`1f{6NCq zJd40?D7yFX+0D6xaVT{{&b6ImF%j!IY`Gi0BygI=3=;bOB=MQSNQmu&cV&WZJ;7@J z*b&y{u{Gg&@3gYu!)zW*`+e!#hR=Co@C0|KU6`Q+a3rnx*D#-t>Y4YC0jnO8Z#FFR z(dr)P+RKf^+{_1o!4Bl_32BxJ(V2ddc7&0v6QiXDfSTo~O^e_wYm-EQcFZ*HVlmSF 
z@P^lhqce6G>)u=1-KP)#FIzdW8nQmv)E-%}VPXv7MKcURt+A`#K^fg(UgYPpEPBG9 zN}mj20MZGuE|<99h9hmMtpsU4&Su64`40oAqJhKu)Q20yBa`?%&hUSVz<Q-0YRkqyMhsjLUa-N_wtEFA*^78sW_l80=M&h_4DKhG}Zw$X8?L z*6Vpytpu7-!XHZ}VXt7Q+61KH>INM~|LDP`P)#@XWTjok)PZ=)TD`2VBCB~-BV3LK zY_n7@q2a3HI>U5z&+OcBQEH**j_R&B2dlx|Nqp`nYYi(@gc>;8ktX3^>$z(?)rYxs z&hT7}$C7WtjApmJJ5Z*xv)fUVnrFRL?$(f9s}nsSQN?|0)}`pAcgDkOge&z=**HrB z`zIy^hGq`sB!Ux6Y@nF3DUr5f0*D*_Lnr$^9PHHe=Bza99WF#RrMEsHL;K6FgL%l05` zrq63fC>kkJzPLnJO7VnHB&9S^RL7Rw=c-73Wh*J3RL=elxaLfAlC13gE!L?7#?9IN z5B$mXS+0;qX196txk`nU*00?nROL=HJ$6sQ8x)OXhR{(bp0k5b#bkiQL6JeBop@S| zJ1CL6skr-WUT9UpjNjgx&bu~eNPf{CcfRg3G&`dn97F+xuJLj6op$vCygx5oIo5*f z9m3BGJ_n^75lxBq7|i|25z*@1;eyUl3QL$sPC*J2tWeq@8`^N&%hpSP|Ldt@4Ty zuq&d+v?fVX4V6|JS>8*^Na>2uS*)(ZS7km`;{F-?7inZ!x3@!ZtL@zl;$gAHO=Fer zP2EAIW;NQ>F0>?X6`m0wasng%7FtugT3wFm{V`iT^D?Dh{sVLMEw;ZxHwC0L4Z`bd z>DYy899z=^u6CjS2b`*AKula1X2-(FbI_7S<)(V|G>C~C&jm4YONYU$e>*8oZ+UEA zM##B~t}X&EXECDuE+h^=nM~E+bMUVHQ)`V~-6g=qIr&!Uq?gB*s?2-$!=f+;6Ny~? zqb6*OVsqEG{kVk8a8T)_uAsrO@||4=0KrV*S!D8wsy+dV{-1COAWB}Vu5pItN=B?(T6F$E+Z^Za4v%WA)E zB+MploN>u?cZQtJ)!G!hzP^mp5 zd$Md`DNuXK4owb9;R)6|lp{#aGcBMGS~#`jKa2%%e9`^jVBno+s)l;ABnW%lSz6JL zar5_9#>?5l8y0~~Gw}1gD#VY={NjLV3U)~mxVih7?VmPtNci3NV%L(OJ~+Vex($~4 z&%LTXC1mr8kzhZ&$nVE7a^uTkAih@27bl$5lIZJjkll{K{F|+_>-CbZeFSCtmtp8e zQvGr8NF_w&3DghCP~1N3FaKs7nW-4dWS)w-(xE+{L+z#UJV*=Bgr1Fm*LQ-8y@2&_ zawOOhem7c0FRZIB^x;2%`N%D)_?f?7;VdXi%1A@D5dPIK{nl0v8(hTzz@Dp$H&N0o zi&1F|@}ZSiWhF zOytLpu}_O#XENvtZhO3OOGddxK|f-o`GxgUl2qq!aid}7!4dzg4dM8gMO)iRq5r0K zN(*r)ONcIIM7Ys+bB><Gd&;%L9LFB7 zsOR6qgn&?LVEmrQ5>Ob7g{U2fc9-IjWZDMHFe+o^uBBeK7@#iPr3p6%bo+6+dQ`2mu#C{hn%EAEv)ik%8S<*5^Dt0tiyEn;;r z869|*Pt+`iE`fSj!Qva|sOcLXL6}<}K|{uaQ)f#-zNx4M_B_ft-?^W`DTMUA82!(;tqrMpfe%w$wm~q(8zE1A;#F_A@Ip z$=RRuy;#xdOd)h#JBTR+XAFPpps5TgSP@j%Euk#Mu%S5(S389{Ff0l`8|%z<$5Kks zp{VdN>mbTIwC34db>?mo6m8o!E8PHAmK|tp;6`(7WDv-y{*+_jU1jptbB*yw5!44X zqE;c))^VAZKbLmj;Ki{7IWN$Dhg3&W=cw!@J|{xe%D-~X9s}*_fj^q5PgNjoxhdGe z$G*-qjatu=4{x>J$DTED84l%dG%xENeH|?Qz)sQ!y 
zbfDDSkW3OBxhsI_R--G}01_3@2KS53|8Xx;mOJwGuJn-T9#TMsH1T^0Zxr4VKX4e2Ce`vTN#L+QUk4Ey*>Cp z$o5I$UvzDoS`Ftw&06kV?SbrPDXp+L>mO#0bkGR?Z@^5vT=OQeKj zNCK&Qu3z$RF%$TP`%s<##8;3G_h=9u-GngbW`AsVRi*im(iFTlX@}K|D*N+D(>UiM zlk;`KY)4FnGRo`s(4f$%3(4hq*0^Bz**MAI6l~=YIOK9k31&{2IoN6r*fR=5zHDJk zT&YwbS^|BcT1a?+GLTETjBb11-qz#`p=RIM=HSO#XD{*yH-W7ijI;*=6<*AEDu45j z6WQaQmbC@#Rj$Mvm7;+=|)gT)~3}>-&W7_$~geRh7PNqwabP~^Y zN-ZoE6-$=6`ZIGCj*~it2ou_96rSw|a)iy%j-vXId|$&@H_RP*(!NrshLDO4|HLm- z^?>*SCvauD_33Le#0%s5#uyk$Zlk}s&9R?ti4|4?%<_cQx zGe&yr~ZzH>(deier**e zCrc%|fzX(Nsl8ld!GJE!Oimw5R6*saE45FKVQ?SAOkQN$BP;w&RZPyX0Djone3s_O zt8-+G^FK&^a->P>3TS{#>VG4OL>o`XO;3=W73}fMcJPoXsTRnW4Y^i- zMPy0p3gc+GTcquw!`Xo(NEasfeYrk5Nxhh|;QM12dk4kKb;mha;&&Lab1QgU2yt_< zRc{!})VP}FQ6s{s9lN-spq|tKGSgsay(q=kuDMr)RZWAt5a0nS=JFex!+}li<9qq* zak;v*{l)qo?9o%CBLv9LU>=6!AJ+z3{gV*-bCLcH%bzmPwUlIjg`uw)8(Z7cv&ByE zvB*~5Pga?CZI8-2*K_NT5LO?tMGDJaZKa&e?xGH*{)SR1Z$hmIAK~ZCx7tnhIcd6x z%^jo|L#&&he*vdE@RyHriIGAq3IUgnJqh9Bsn3y^JVCy@CwRphtk@X?!e-;~fJi|K zJM*}%@}b_}2bk>75Ux4ChJ}Y$?8b%*iD@whdd!*hn^|AbmV7LmG-q%Pb{6gq6u=~- zY`r|CS_RZ27QLe5ZPMLPMr&b4`Vpw?Alp0*?K_K~k%0Rrlp=?VainV-^1NFl@6#TX zDLq<9dSu!woxf=6Cn43c`yN3f2H{6->OLg&1-aSg*fs^o-~LiO74NVbWS2xPov}sP z_k&NBE^2Osu!oEi#4(;E{q~YoIADmj4bM=wY4|>QgeFk5s4KBF|HZ;05Y}?GA+7}3(Jza}#k)F{G}R%jN@ zIAGly(RYEiv$4~9O4HPRmBy8v8pg5|uM;4#J^~bDoi*!wYbNR_eRDBSDd;yAsm#a1 zNK0K>2x8EeXDlm+`X9}V+uWPkhg^ciFizEjv)pU1__ZdGG5^Gw21GtB=c~FPrT*gZ z0YisAKvYe5k;Bg!3i7nt7=ApMwcIs?TOe;yb>1yL%%Ooj_1u7oa5k zj1i}?vk8e|@%Vam6-unyX%He3#Pa#zg||@{{23LxW8I!BTsh|JhR8C72jfGgw??EwHZf0_@L+Lhx~h@W=jUZaVJa2A6uJWpw$R$hj5z;Xkf)*vYgH ze;diRJ~p&f^4pT`TARSvM)6#urT`?){cA4Xa6BFkH`=i~2PPvBM#ITQhWG3ryVAlM zKBH!R!jh~J#(R!3)QC%Y!>@Vg>O=y zDCLGle$fP=ms(3{h0w!Fh%TZ?bb;-CridR(pQeZRxit$)6(-6=3FG-n24gXvz#$p2 zzvL5%?ubDeO~@r3_`9R2TFo@7Jia_vbzR0rmB8gty^b0}1*a$#9UDT`<&6 zE#=udd!6)1Ke>Kz=l3PDYPMJu-{W=SFIM`R$mzF}hI&Cd~k zDHP+SQjSP182Tz|5T*u;Gl9^pMizX^Xn41vZ#gtH^P*Dn!jkIMPAw7J-Ut4ZGyM2r zHRrtRY+3*ME`MWlL%HX|z@GiegEX-R1qv<#Iqj3UenjmMqYn;uyd;2rh?!g#BM){x 
zpKBq9MU0A9t&OdRVKiZMWfe4!ANCN%%&A%UgP*cj6|_E2FMvRaWcbe@;acFs9?cAW zV>EvDOwzr=5-ILtn55Apc-WG#bW0!!^*2RrE6-5YLHzfu;3xS}!vVe_g6nTVUV0w_ zDmIE`m3M^J;@?j*84v*vYR;QnF+$5y4tFSh5rL~H(PjGmP&MVP6KC*+wO{_p^KuSE z)ux<9Ay;ZYC|1QT_GgU3Zw;1K&>@b#aza0k_~P7555n#f|N73BR}mM^RrW>0f-ig! z$6D3vN9x$(&}Q}1dl9WbylM8360w8`3kg*Ta~inc-fo8ysR+Ky!Km4OT7CY(|)R(6%nH1bBqj3|^*XX-J7_ltE zNcVnzulu~?6aoNt{Z3;Baq3u-B_M7gZaPLDq^YAG6rz(GuCXzOJ3Deo?M5$pd89MwO`EY?G|&d z#~kvS)u=i#R$tWgU#W?}6!!_gP~^j*2l$6#yzBX4T-5^d3gL6yzZAbmh5Al2h&S-& z%zOGxGodiL9Iwy2Cn_g$G`{cX+AJZyGvw(s1ZglNahQOt`^!Jvzmo#FrO`1Um*{Wg zC$DaqNzbr;Ys`s|!ei{z$8}{ZX{|tmMe!f8m&73sHKeHJw@2bX;%+gN5+nXdlxVpb zi-7brloh?M$YrXxfh%kD#_A`<{((@$_QRqvuZ90e&2`$?c_I+rGW zm$=klJQcyM)=B1T>5jI3lbo~Sv1N|ddN1M^{VeW#b%_;FU=mzsq%w+4I+b!ixehq^Z>v< zuz$hdX1t%zo`XsX-z_VWMcokrJ|g!WLdUg6)1-szXRa9;B5GEK)il z9Ep6^FH`t*>|-GDF=vy6uPW8DL6lf-2tQPBp--1(5x~yJaCJF9{&Z-H=09zqI40!l zk0B|YDWR{=TKL3?yB>Bl3hmlE^DDyF{aeU319=3&U-CZxUhM!y-=*N4@W6wuyZB4z z5)Acf=Rs_{ex7~Jo!X4oh8*E<05f-DZ5^59nXq8i7mb+Tb>73~W^F7niu|X^ z8yMw;(5ARvP%2}QEOawiK=BRmxs2|$ z_W$wpPVsrP;of!|r?H(hwr!`e(^!pdV`AI3-PpEm+eu^R%d^&czpdH0?~U1*-&}M4 zah$U0pLN3b7PnoiknL%Z!FQKFOI}x`K=Z`sO5m4CcY*gIm;O1oQ_1tz(8Jj3!eBdx zy2n$M9RXonG^0t)||vR0%#BIxf}g?EMP@D8YONdM(jMzI*mHq)|dU%+#%DD#J%rxOdJ zh?!Zg;LGEVC(zEsj0CBtZTpThyCsyD5ZcL;-Su)o zu+i^n;O^M2YgX@>n;ajKM-r%~LE*oQq>U`lV!k$Twt{G5UkAcJ`k0-oNjA(pC3GAq zf}I#2t`abtVQP7 zFlEBEbrk&Ay{v%?XVM#PHN3_4Y4@Kk1&wDqcE#E9q{GpZVW6V8{7=-3Oms#=ouf?Q zSYn(LPms|Mib!7kQ51)ypX@)~W*5AE#}a3LA*|(VcqcZ4$16b*GMA3=5pC$YF+)&@ z+hjCXia-e*p8^H9RMj9NM)J6$yctMe?jqoz%PGnWJFhXZwQnwWm*xBmzBoxzmD}e? 
z_uAIU((r$(yn#sESoIJDC+91b`6)*0qp&^Jfqz;hX)WHPs!Frq)bq13zinH0`qYW#i$<7uGJJOU%z0DOD>?KszqGiigovRi}B~+|oqg2Qx{>$=}mVH%`mA|UU1!ZZ< z|5rs`h%NhX;#XX#?d||i{r$B+nW^#%H1FOp*~j9zlQ5S$HHp2#P|}*sxJK!WFnSOjr8-Er-QvHB#YGF z$e&b^?5c`Qal@*gD_(KQUH(=8`M?0hcq{>!JUDHL0wvpc;I8z)GMF=i%PLmhv864_ zHYyb3FSZfA`v?b5s%)Hhb~CLwHYa?@FE+tV6=%3N^sdxU7WTzzcBM+Y?*^`c9#5cO zLU9S=R!QX$8`B%8=a9_8M3pCbrb%Ik*$CY4~$Vq2n3<) zKBw9GL_^mH^U%v@v;LC6&J85Lw-s??U=Gl0mK9x*aU5P9_g-E*hDjt0x=-6z;g^nZ7$>2f#y?#4f0Ef=mnYQ!?$LP}Gcry)a4C zZh$$O*xMED&9I$KlEUg5B&GbwTuXsl+cDpEUf)TH*hmQz~ z&&B=|*KAP1U%0+f1WQ+3J-cD<79E-8#*%;ra{XJa-QKBWGgqV@+7Eei*k? z(O}~NNE07^KjZCrwxk5zt{I=i(Co5 zqSrkx$TIy2JYd;_2ax^x7`8`D87gWIhXCD`-YZQ?xij1KeIxWPLj;Xl-gE8ksnvLP znhjGd9I8&Rh)jdJx<=8nm-RHu-Trub8O;lDJGUv=-~G+yn4Cb$^^TU-F!la3t;jPa zzoe^_cYi1k=vIZI3&o3Ws7#a_5u+Ppb)5R&O7%CHPcz^vjB_OnHZqrPy03rEFYn91 zAqTM>%OUP5n^7bbKBqBX zxeMbrm5*F3s_<;lTSv-G;UZg4;+J!3Ti-Kc%Zyjqqp=UC3s_SzT= zY^!G?f_`9JQK`bA>`xFa?S7g0bWAKGNRNS;L>y z{aDeohx*-o+F9gxhDJSN`@FLGE$^pti!zm>e;h!%L4Yr{rn7okbelB(w<<&R9i{y5 zvAzug>=e)LPv=zfD|r$~hanOchqz<)C>143VaHlqI>A`KdVgKgzv{~Xnso10M>8ij z+>^J)5-;gE5Jn3pH2=Ai05wfzQCF!W>-*Pb<^M#iJN7RTE9IjRmIV;}f`=vnW%KO+ z3EuxnlBa9dGG3b4_q2F+Srh;MS-=V-L9C;{n1KaXU$?|>I{)WaCf^zVk6n2Znep3> z0$H27pkGs*`NBkL*5$H^(wQ;;QzqU&&*o0(BC6a~pakM&fG7(rx;nSx@)h)MjDuzxSx?N}4<`7EE^wJT!e)J_MU79%$B(L{itsZe`R zYzEcJ@o?2Bz!eSmA?HpYn|h__5& zQInY9mRn4d^Rp#t-OR33s*fk8?s!IRneAOvu^sOQa?}kFN5K9aI;{M$<*^dlH(PD+OqzpiGA92~LSP1Vs&>RzB)vT*H*pZL z*C-wbiP)ll10OJ|6h!(J#q<|T+6J=I!YqFf$Bs$7$ak`mG5uB_5o!?>S{$P1Q^8e= zcx7rQGm8fPieg3a%snkDM1tE+<(4FUhG|f*b1;eu!%$t~;+Z20f|jq5U}!Gk7lI=T zsfT(I((m0wNA0&kli^KxUeZ(ILuD0pW$oK(nuAb9v@RAJNy zw~Bp7p7sWA{hEJY<${L7h-NS#K~UjFk3>^?XZ7x6fUp(WitqNjdlIp=khS6x2R-4@ z$i3inLYl3qc#q=$#URRCv$JjKp-$KQ-kFd3=|_xp$9~D)-un4t~Vh^5} z+ygs!zcGKLW%V?pC`wG52huD!-`X`>U}lEoV2A?n6ixk73bJ2~LmtUJ4K6_F`T#bib4OQhls z<%5oBuUKb#dfa?y3b*?NO|pBTpv2S~{jvmRs) zzA>!dDycT*^1qQf;XOZM+*4Z!2iQQ~wH*OtI|s%B-+>865=EX3mI8z3hkxIDx69K) zm38N2p&*Sk!w>x$gANlJ`;vnO7h}3=Uyt7swT~z}NPvMz)0$IP$FDi^TJ>v;e5R(- 
zp3p6Qrv86pBruTC19PofMyv^Qqf*hTdQkpfq}A&y()v&3!Mt;H_L+(R*zR`s_fF-z zdp&maSa|5$)OYTZCD_GX$UFHGn;wZ~eZ+yNYWMgVK`=;`%S|O&gMD^R|nfJ23+h zTaXP{bRZ>7PpsU>4yQ-Z%Yj;QRN~;&`}G)9K<^_9ce?WqD}@#fh-eoKc)hgXE$zHWzb|;|kA92+uUa*|V)7?9TABw-7N{A3FD7WG)}Z@YO-u<) zCPH!$n483G&4NNBUX$!R%M>b~Hl217`&L){>uYcO)O4)i<}{nXuW>8SlcouVE=LG^ zRS7C*E_NIYXZ1{x3sTg{bpHxD6oavA#O3lSn23%62drfA$>^)4(^5P)g@Co_B6I3^ zHV#21dT3OYG`0}%qra%Vf-jhhgp1IBnH17cA3N4rQ|ArSI*=vLhfo^wF7uCT1llf% zL=%i?ZC;Kb`&GlgCGZ%Vd>PAQOlLHfY0FVk!6KxrnRd&{X>7udqW7D}G0Q80SC>i) zwY(y2t&9N((fAZ}ssGSkbWV00%YOOaP&=J=`p81iY5M`}rvD*(HR5#Qepa`rHMpN# z91K=_imva&jL#fE@LI80&cYF-f}BPQTPTA-YKK$bGfvbjs&n9r1)LYb!y%h7-bC`9 zr@2N(GIL*XU|WB@4;&1_(4*uRP7kIX)3mJ5O94tMzd+xzOHmVKY!2%Ln0kl{n37_= z?1ITw?ir4FVkOD)T_x?qZE&JEPuokCK$xNeK?2v_g>0= zITB29Hq2f}E2d@tfvX-C!|&%0OQ?)$R*&`ffrcLsN-wQg>lWib%id1J-Eb&n)WZym z#Ik}D05gXK<<1}#gv5GDncvb`d1bM48D}x#N-bf621FkV6avM%t6hzJ!GEIrEoDZ7 zfzf?wDKJ7LtE$|;4${A)N{zGlaCpl>tyB%3a~~p{-Cm5h4<4=Mvg@CQT>tA1ZiKN; z@;nI~neur`;>+IoPb~4I3k-Fy#A74{8ffIB1n-q>=P`!M5L?u0`{%bDj72ec^d=cy z70D}|JO_W_)}`&EQC}m(t5IAU=)in|Bf|RquOi%eJJv1*wQ~mQ=bht)oOm`1S`)F!UIeeXv8ID&%3@b*pLBl5VKEk@Z>4dPBlXERd50tyEhLPs zy30|#`W7j?KS6nF#h~1TVP$HC{zYZzCyoE$5$eAXP_>O`dGCA;h3tjS;7)WGi>sLy zO^->hQWBRjxXZt%S`lBS@s2g{m2!1xQf^IaQ*mfI_jE{9o|@Cdav96$8QZo#A-l3~ zKJ_D^D@Rh1(E7?^S>$|Wu}G@k)A}16k(12^Pj^(A8l?o(r!prSY{rEfJ00oTN=fu8 zkG1?p0yC&4RrD2i0@<@+B9QZFMzFX}^@a4y#NEg|DT<+2Y-dnuMG1j9XhX)ptQkiOyA#sb`*ob7!}CmePBJ&%+M8a zFfO39>SM({DI_2nVp*51-qZ-Ej2%PGo~)Q#2q^qgw)p|1KHWS1mK_K_p|QCW zMlGwKAp&{l>1{4! 
z%No~76xoVkoSjRg-{qS)PD-_)zk`nW?pZk*(9mLQX~Z8N zi_0c^o^SWChcRac$cDLKc8k753#*Xn5bWlt_T&KOSq}4zt&Nac( zVD=e)z^Qm%dLn;osJq0GUt2Rp)Csnk&EiinYSGc&CW4jSr@LJX>W!69LV~B)f>jMD z<1-_1r+f#e)fGtj+ zx)Vp;SA*sl;j1rq2bow^#6N!r`G0-6s1Lo#ZKG)dDk3o$dx8pd6J~!+L z;LR`lZdwow)m_tJuj4eXPe0z*47|<4U4V6mVm@5VxtL1&`=0-S44nF3Rwwd=mVpM} zMO+gZWpB1~8G9|`3hWIZ{4i#CZℜzk3-qfzN{zw%V2FOOd95BS(2F>j#U+0fdr{ z%lH&*lWONuIu;~_cV3j8!YW2xd^Q*bN!yNhNQa1>pZbg}107YLzPa=XVElsy*!tYr z@-w1i=bqT4$!Ay>6v9mS52a@H{N##OMB9WcI_CZbx{TaIhQb``W%4``)*uXZOut>o z&`5PPj)YxWiTwi*#d*o5z8Rq53v&gL67b+EAD9&pc}weqgm!Wx>s2123P}_!>5bG= zN~$U+Xd~|q%#P|L@MJz2NTneHOz7M8{$>VbK9`1XC+8+s88E)Kkh7b%p<|#mjY9zf zQ}@mpuyRwzCd1P%9S^u4G$pN|IGNgRSomh>j<7;EPDg7_v5O8)4I7;D06Wz6EA^r7-&W&rxm;2CvRtkP8A6@&`%EJcA&14Oj2yUtBn|z zzO>bnQs==4enhv!xpjg#)qQ-P1A#WyBam|H!!~xVb~as>>T>WpT0f=1tsAL3oHUUd z$E;|nE0=|NkIS*gDpCM3F^ODd#{QoCI#PHoltLQK zUMqf+g_)_Z(?nkiHR*R9>DOUGt58S!zlTX3S7QLDe{ye92^0sdcydjed?KCxS33&i zt41o4?5YmTktT^GKcULamGVECVHcse8C|z96YF3zM^(}@_x_J*ZQNh}3QN{01~mQqpdm&b!lAws9wP<gg?;oV%yUT(rvn!T492Xn3iWxHB|+vh!q-vMvR{0q&9|}i z&&PlCdBH#4BADkQy^ZAdvQ1-*{#a3%4x&64EFU%Tf>DV7R_mV=!Xk)|Hw?*s-Tm=` z=Ek%%G(Q(^smE@B7ym&g;pb7B_AOx@p!fu-vE?m zjq*wS+hfMW?uSE=9hAbbiGP8}nTmLK16A9(AwjljGP$V{G>mWQbC~3s2@l0x@6G@V zmYnblNa*osdGKR55afV+K4gF&4trK`+5aQ^+94Uk$%#MPSHqRwf218DSi8^?YYxt< z%&_nH!&hQt?;uc{?e2=wF|a(>XgWOZqSY@6t_<~N1#w(;;-;y>=>Sr5z#{v*o6bBcqOCZPF|sAa0}(X__L z!Le@93F~L=;L^3n-d2;#wzl@(S2K4(;OO$$qSa7%jjR_vE^&%`+3X>w$5Cm{fY;<^;)*`TOTtd8W_-7__ zL*kX2+jQDC;=Cfxtp;10k_D39wL#MRXZAVQZLFQKxU6;LJTsl+vb+j5UAZ8@J3Di4 z^de7gX?YqBnG~NVBE-jI0I?dPV3|LUoBB44Yk-=Kb-1^hl?{J=9@vK*te&08%}ZZ( zFp5VOx{5pfrlvg?7libU_l}&FHM7@=WDnbIsNUqvK5r;Vq&w+Q40Zo%-2Lv!IVl{jRpFN0$eqLV8S5zhLA<*_k02$FC-sL$&&2k&X)-9IKcU$O6I zZkb?%11GIgaz1$7X-MpXg%b?S;*czpfEkD#U|#h@g|GZONhXqb8;t z#K{K#nU~O|_wTNhX2r>^j z=!Wt_PMx}gJ!Bl_!aSHvRVN5BR@3^mAmMHZd+{9c6U+EAYPiy@nN3KPRbDuyTJXWs z81AN}T?~?Se*v z=E{nlj^WWWpo5=K`Ri%kH5rZ4WH9P_-_@il(nJ(DmwbZ1oTsA2>H!+Qyd#}|NWXG2 
z*+WR0^HxDdRwE?i?q+60Vshgz4d)1){@+tW|F8EyA^F!Z5g-5c{?Aa3kNceu9Art_dVP*?9$O^CGLSI}=f^glG~#6R?zoB=oj@!E)J? zKLO2#;BoHJqx6iYkX1>0N?Jm?g{+rDE@B`_iZdE4ie4&&x|WIH@lQmM*Ek|f5&Tdn z098aYCrkXr7m)MCsEsoF8U`-3GuExxu%l9lSJBuqO%0Y3`qIdUjsqc3V~@xVA?+2u zfV~e{knc+?C*A+)ALO6E-WuROEt}T3@wrW#TwHFEXtYZ9XqrSdep^zpIB+oOtH_<+ zLsO`HA@$`<1%Emi+3*x9Yx=Kf?O{09@yEe1+h8d$Tk z3=>P#TMCT64X@VI8iKzcPm+TMU3c6O*p}EM4U<%M`(9XZ@;XSK_!CJjxl7+oA!y{A zN!_%R&362LlF!9tH~-riAyY_a+=gwQHo~ws2=&V-VCbwaKjoNBimCE}=MC;w9d{Qq zuP_ZlHQU+5^0#;z@FxSz#!j#8EJ`fltxb_mQMErB;evX%AK>o)EEIB}p z?gK-K%cP|_ya9?h4r14=yw&6iAxld8S|RF8A6ZCNfO!|1Con-UifcC~Olz=SfOB-G zv(er>(`_XVuhOD%L6uoUyGY%^-B`BV2_)jw$7L50VWpTsZa1_U*LhL`{HsZq=llnr zR~JBJ&Gj+cQzT3o9O?gEZXd6%sdU$|IMcB*XvL^^>s9WcZH%b3jzv0g&|?DWl_-!X zS=1~EO;_m+)dX$SK5;~-AvreAXZMY8$wn)wVF+TA79|-BV0yk`ld*}CsfV+7)4u7cxeprFk6-aYdHdH z7c@*@n$owwEF!_yYN7BMua2wf|L6TxV=d8)nXwFwo7~gQdozE^%h7oV(+l3mP-@lv z=;_ahi0_H;M2Axe^6exqV>&L>Dav!D@YeWHhnzpuo=Wa|A)Qc z=d>Cgy?-IYm&3$jVlo=J$Zaq8arz-7l0zE&n;eSSut{fuJ$< zY_xheM(XJ+i@$1=>G1w};RWM>(^Pw?E7;uhTQQMBo&G4p5|CXCJ0Rin*fpgkFRcre zVkP>8Tulj2A6&mTao9zVUEMRjJ(Gf^NDN(~jBIx;mfz-k`H_>FBGNiGsEn4rw8Qkk z(eE+J=U@#MI3|p-_0_ebVv7EKIN!4vX0-gunkoCaMDxn>dh&zDdE8q)+mE?}CfA^I zZS%#erlFjy8<-!B(w~nIL0TA}mFw~$_$T|_f{eEW({zE~T+JT(tqOa-GwBuH^p(xB zjfx}_rN(;c8bbTKw@G!;3)Xo{J${@xa~!-pabt2`;f<90!sbE4`a@b7>Unv&^gs=k zd3m=O8&)#2S<;rf&NGO9X~-RQiIItPR{|O<_V30{VgRN{X_~}<;>?2zJo)E>0u?diDI;KUL7AfOLo8Os7sl_yt^+8V5N zkfpSGQfXS9V;-PtsTST5SNT_yr_PxT@NOQwnk~(~RDH2Xy8dMp{xO$z0k1qy8qsf3 zGtbXX1_F;xJ-d&^v^F-2sxFtsi{|=FNq>dm5!y(xRf)1sFV`BG-wZX;@-A?LMF(k-hp|M>KwE zzzFBj`l7^=-^7^T*KlAwaXgisDvoF-*0f$5r&pKKk>`{$b5SYE>>f*>Hj|Ilp))B} z;GWu$I%C1zoQc)(kJXD?*xd`&H|WkCJXcyC-Ag3s&fir0YC48axO}r9d$cIM*jkFe z1hC}2akVX_n*YYg?PKDI zx|qeEAT(!*Y&!$0a(~_VtC@})^*@KGa6K2EdFEM0*~2P7njYBeFH$!-g144I$G*W7 znRw~ZvrOBUtG_@R1xkIyEg24S4N@7&2>^2T48%}sDV!JMBJGl7?O=x0+hhnjFexP| zHIA9xTm#2HTr&@7wLoE$QyuX!@i7yf^9?ezFh-jkk>E4N)FeVOH?E;D7RR+35<@to zHns8pjC_73=7cq^OCzvZJ0rX%t?hT|k~q3V(dteWHf$<|kE)i*GRu#cN^j5<=mWhz 
zXFfz*X%^oZ+i;s{PB5sAVXRH%F$!C>Gu7t{jPPC*8`?`K7Snn%uU&?56YEr}R7*M@ z4C%DkCf%8qXoDf@oF|#n;a+OVBDA}-kSTiFe!RZ!TMIq%moCZOM0iTBj0HMkM%3*K z@XVbD9TwMrn;UONWC6ql@{X?bqRr&YC)?9H5V zX*m^ccLi(9_YaXj3J&V;^<^n5cI#%N^;j_IK(3Q>iAjHf6@!AyW1aOKuw-t~*fiZQ ztbY$k-k1fsLKj|Eun@d+`}d@k5TuyzJxmm7rH_vc!Y`Qwxj^_`8hZPiOFV#ewgPUOvQ^5#FpMMq)9I6QAIi{dR^iEe!z2UcbuZ|;(toV9=;M<_}#s#RmEunX+f;)!8Qoluqfhc5YU1sk-;uWX|~ zee(hdKkxmW9=Rs@cNN7}!19>{ThIv?2ie|!U5Sd>T{4|$>nKX&die@e z2sBv;e{e5I_lg5RzKa(i*WzjDzwn$Gu(K7IRo3MUw6}@1C4>x4f15| z1)lv~>Gp>7(=n+VHB?562dkEPWgNZ;>%xe<$E}gHe5JIp{D5{fvBd?Zvz}NtCr7C! z?VuY;BwsZ<7fqn^TaR#yjyqh26DJl(jB`UrwwwCs7o744Mgd|wsH{;2@9?S$DqKf@ zk6QiHJ3ADJ>e?j%q2@>{(o@bpljDBpD|i0qyQ=w_S=l_*ZAn5?%^>L-{FC0Yh9@i4 zPPKbYP8~_@BG@ zBzlUrLvQodGJ5Pajr74dc?&UOn}m%J>=4*^t%w@n$SQ|gfs~reUy}F>C&3C2ika?g z1B!v3xX**JW`Cv~cVcX&U0Mhh@I@an)rmSZO1#FisQt3L-&n@Sf^pdC39v;eX4@@0 zBS>}*i7Z4d80j^?G7|?xx-9g+ZtXiVlEv?t&Y0;{U2F|*?T-iCrC=N?w{p=BHNbN% z<PNX6-l!#>eQazw7S**B*|(=QgEh)kM{r*?;_Fs`FF?9q2;O4#y_gO3(WEG6V3`+ zyAxNLbIwrSgD*09-{rak)@NM}{tf^#)eoc?e;P~;)sK|=MqsOontWu=Z)utMGUaZ( z{%Sy|INPcd_%8;1%qVNTdN031$0+Zo2MI5+q)dXou;AXiVWSql7Hto+g8wR-UDN?; z()JzS$PNho>2mupQcpq}jjuNDsnl(dqM~X81rGOS3vV)&s6NZ2jP?qqNE~b#){?x1 zYF-B3(mnmksOEZZcbH$IdkEU)Q|}g7?LF&~WhHE0;C=;9T#}Ejy7YbAjC_^L5@fX% z%gUvzb*4SM%N_Fx!p~zn&a|!F2yTGz(zZ&|+>x4)qB_P7sSPtfN|z*`lOhWZE>G!t zLxqY(DdEatl7gWN^cPbHn0I;~dc9vmXJ!x34b!^t*2o3epyfRh%9j-_acnU3Db`nkF6R{9`S=(E*Q9;RsO!Eq9FqijMxY zk-_hzKWgo*G80pi-J!mf*>{Bu_nxrUl_-Bd$KR-~@dq5g?L>&R=_B0;{maV3DZ)Wt zNL08eI`~HC`WR7C-S1VG$Mg;a)16hU)W3J@y8cZOjTBR;V^nR;Z{{jKyjF}W&|^=D znpM&i)J#CPp(JLTLZu$ms?1apVAeJ=fa#iMii|r!^+cyvg)v5V`*-9RN3R>E3+PBU zxqQ^7C2BX?Y)7bH;_{9u)0EPeleOp^`$-jtRc3CTHc4n+0dr9e2}eNMSCfTi(EeeB zb=|GDJ#ccQ+=n`NOu!>d+H*~>y9${;IC-mhOzPSd3<+5_!m9K-6zTiL6s^l}n*^=1 zRIF0$n8jZeza= z=yHTa(b&@LU?`Vmz5)VNz928ngtZm&hB;vLca;jlW6q=Lkr+DXUDFVPctF6}0I&%QeL+r4oVKaXom@ zUv~b=XV#KMr&XYcXYu$P@A^ zihZ>f=LYcj4}kEFKgi!K^Q8x^2i0T~Z1y<|QA(cAp4rFI4hFJOs1PY_;@46Z#$Gy8`-vUN%uufHeFaxAd3mFu!7IOn}6 
z$n2aBH37S*VosnZ*c2pW?46#1n;VLRKXNe3jhu(Bp)g|+5g8HrG+d>}+9d5q>xBMQ zSEFye@$G$nxHM`YMitAUQ@ZkcD95gW5gE^^tGj$l5-I^<)G6GS9;+cSTq4~#k4+wl z;N|4WE|SQ)Ve~RiRXuOWSV`$71#{tQ&s=9@00EABfNbr9+t2UXiB&5vn3Iwl7& z9~W&SM7m74*VQ4)TBr8@k@C!3v%WXG80Fw)mXo)o_MhWbP`s)#@1&p1ZSIg*Dhk#S zKWAqTD}7!;-lbZbN6kC64-hvp;-6^`{5CbJL>?T5Gs`u+$E(QZP}PU<#>UMlsB(1Q z!2!Zffu!xvpzaw20UBKfG^7SrLO7kR?`R~<=(GB8A*{u|-3=y0^?TYiDfr?O$ z!J;`HQFw;q&f!v#iPd9=i-Z&ib7@e~AfV!%ERg5A4Hc32ItK-X^hVJzSzdwXk4?gL zIkJ6bWr;ah4xW_!o1T;xlC6W^3J4Rp!!x=k{@6)dyPzP0XetO>jJB=x~d1^YBMuk1)iRn*vsjCu#)T3>zObNf3CuHBxf4?J1C-{TQ^AzKly%y#dhg~YtP|~3q;Hf_}yIm zjMusCvqkjCS?PoCIph7N3g1;IY;5;{YgB%cl1U5>ceCbvM5(@B-Q}0~GcR!$dr5Z1 zR?A=v@)wJO?8bTLNK$>=(o(w@gKl@^5FP(~*<}>7&jJKL{`Yw}L@3)#cksSFBQ-eA z57>x(5q*=bprcKhY`2c}IKZe^Mn2xbx{bN2>Cs~Up72QhTpeAI%-2M5L_sSZxkYh# zuShpuGn+&x6EjmMUAE<1E1OIaf>w7r&gdu4FY4}!EU#_uVm&uqhNZrLZHKayd=T3> z&4Y7s2g4S$=b3Av25*aU4-$e@&G76V=Q+yOfc9dh!p8NN&wD~k7&^e`-_W6p=q;$@vI zsZk%XG8bh~^x^mCcJi7pi!!z(qr%ZKOvZNl4qI|F9t`w>$6shFXHkeGcTZ zMQp8rndEd!Tp}L8Y}6NgStnL}!m*Dg=)EuCD#SmDl>Uqz10CW!?{qSl5G2Ukpihlm;DnTY9@D>hXs5&<>3RA$cS`A#T!S)00a4z+6y z7nyj{1Pw^U{|%M#JH)*^M#BC&C97(1Ju#$%1S(PGN`hae2vBm$FZV1l3w1AcmSDn< z4=8DhZni0FcR8HGirVkfslZw!xgAE=S?xU+C0inirT=@5<<5i)Oy_PEwU&1a#HW7m(fry` znGop0#m8;;csQqinEEWO^ro^#il8?3PRd)X7f3Hl27vU-=4^{b z$lYnS+%?~~P~UbPVPDm)iFnieNftFlu8r+^+WQEgQYDp*K`|;e3Y44mPTC%1Fz}JG z`Ltxpgyz!g3#f+ie$cKWh|<6Qo(OR}!qsLI_#0mc<|Hwy$Xzy}uUBt({`^$)%=P!E z(Dz!R8<_IgqNlGrwcb8DfW^5B3=tqeI)2BHM)Kt&n*Ig$5+WeyI8d5;P|e(~f2D0E zl2e^v);26d17y;=h~z{=-C3EHprr=fHE#%g{o8oV!v^Y(5KZL#nQZf$;HBh5+I5&O z9ZvZ2Es{qk^n<5E{}mL!%^1zVq6RUuR+U;6utU{l&~no^L&U1y6o$HgY(OS!Bce*& zeIdaA^3$)vU-h=TxAO50fN>uA&?@*DGGq^hw4ovOy@wBJgDX$7&0p95P-q%p~i*-t_ap0JSoPI)IVIcs&GEKkfAOHib-iVRnf4S^^D zfd1|zfTmxWxzHdW zvNOW|8ADXz#Os!*PtO@(zJ;{dsz_$q7DZIiPz^>B;M!e5UI1lbMTcL5VCOO2^2yUT zh!-UcKPZR3*qYyG6HqUf1;lDmoUgB4kGGxNRwXOdN;gBB+Yef~blyLBM|$!B`!wOa zLqx+Q*F4ySm1iR-WmtrjaL^O4el7S>Tda>_{}{h*brTmfWW|hH1=O=G1Vn^~#w;Fk 
zy+)$r5LT9lpMND;=v}^kDS|TFP%Vp$SwsMzeX+fWStJ`K`Ry1mWM02GLs-zz5D8_b zy&oR4=oL`!t@6FLkr0Aypf(9$A3~bcD12Q!H|R-nSIxzm0vf{B7M z!K)&20ynXWBb`91wCI2psIN+dn?5t76x54ro-Z}&a}ezU?EkCPQhe_iPabN zJF)A+V-+%QKahVn&(Ob69!TlPH$vR96202O?YL zjsV!61@tt#e*Ea=z4KRv>|*`M<-OI%JwCbbYsZ~C1Z_cpB^6%o5?&s)Q1#N;zs-|h z$M=${vgn-MTpKHj)d+wyucJ7LP*qcYE+V&`$=zI-h>-ibbuK$pOXo)*8!o1M`|$E+ zqvrPB1g&lVyiG`H^~SRn*&#Q92Pu+jSE!U?%#>j`S?}9J8Y}9t&O!weaTAlg*aBDZ zPFyr%{T7ZeyIyiz?=yCwbu_fF0Qh$>@NZxopX{)X_HJz0OEk!KEsj=*=^yt9U<+XTeIQw^L{8pmINZmzgSYLJ=NuefWZMY zX!1JF#^riXi|JUP)$FSM3}K{6ji)lPttZq1T#EZ!(jGXTZ@`JuK7B*MZL*5e!|p{* z7r8i`lo9Y4;#E9YNY!Ji!=%p2kcwzv+0Uh&yIiTIQIQAHzKI2B670L zhYPZgy-pQKC_T!&Ijti%iZSdPKa)oeLb4#~PQLcP^>-lIg?Aoq&~iOl6>V0z#(N_p zi7thoPa^sf*Az`YTObZ>N{*ZioU}Z-$9hX+d3*Z`85v&yW^KvB6duP~zVRL?W=a@`Zw2%06C;el4bxZnpWk zT={d-XXMtar}rUu(ow$?V(TT<>bfhzBabwFnMbpPJ)a>TUb&xg-eoil;3nB?jUkG^W?P6;~IaT`>0 z&DLictxJ9nvn7(l%3E&>jZV$sI}3Tv-XHF-P23f$trUc~&yHKD&siLQJg!+r{L+`j z2*F=A*TGIti9hX+GF*BKmM2R90}s(Hhd)pX8U@Wd=3-azl*w72!t~d8O47t<^*JBV zIIM8&y;dN_IYCe^_`JRx0?=;zeiAZ@rt>DSJ(9V&jG3|RHZwEDY{xM>W@eiH?t6Eh z=1C*XXy!+0Rh7DSbxWsfpS{+qeN?aaCoBZJ6lKZ(#;+TZ{#u?5089k&vbBLyVWL}< z$lzmIKFDe1e)3N8i~G&(`Soa}B~d)_bhX23K}QHT1OWN?TJbJ(hvIxKJx@%DmEX2o zGsLG~i=eo9mh2+6tXF8QZn1*a?>3zzBP_V5G{ft~)W8xMmsWP!=p#H}Izx<_lwBRAxoPdr^h<;JL(k zZX}*VZQ~#DoU_?rrF94M2_ig4lfQuht|3r(+EeHzQPh(495SI>-Je;}C|4-u`b>aP zGN3RNkgmG_WN~G~AF!;?3hr|Ixv}D1>#0DIo~O_T`oi-8pqrl;zl3(@5NvHKBj-&b zWlu^fDPpi5sXimqjc~WYR&GsZJS8qLmO!9!SLy8vr@lw?kx$8EEYvTYkthl4m717Wm>?Z}-h|=PVb%m09 z)K%+)w3UwlL{uD5M^7g4uR;chuYa|a5k~E=eJAy`68y~BC|r#(3JftOJJy_)SyyB8 zC-s+9f;ea9)%J3nA>&RN_#|Ph^2FRt4l03^6X6hCLRVUrVTUp5+z0y0P_r5Kme5*k zdW!0)#SEbAwepjq*dmT}jVCIi#=ky&%ESd6%*%R!HZd|Tif^PVuCalWbkbfL)sWp+ z`hl_3bX*hvq&*UjOlrDsyC?0DWB;)`Xu(S$bDmRKENK&+FR@qaG zi)1}$ac)*YO?OjNP=GPv|6lnGe5#9;v$^FAkKc@w&tT23-vW)1Y%T+k?TrNcRNQPs zH7N$vlM1SJm?Da@nItXZ=mEmT>nbMH^M?rDI}Gbgqo#l zhb=>m8USfy2N_Lda$NB-eIs?9Y{R$VF-B$sO(Ap^1P^is%WKWkP z-}I*=MS^dUUT{6=8jAX#K~vMyoTB|!$++9*B9{%1tMRi9wGQ^!)R=;4ma(%9n1Z~L 
zBX(k09m^oTi3#fr zg`-&~r+nSU(un{W?YFIT{=!l4bUE>ic~KT;Rjw%mQwHz&TqyeVYE8pJB@(InF9LeI zRZWo;j-EX+rcCoFzJ|ri4=Vc*CIvSV zB%UjP-k}eBjzf(Xqze!PgcQtRp+!)_N?lWTyuF_r-Ue8xDRNasvAf-JEnI=-@Ea~1#OID zkDbsa-Y*w4T+`>g#%!!tn~oIW%N!ZdoFKdf$(c$t`vJg1o+FmTsnYSx5grG{5oLV%xS7@InDe!|SVw;UUHAe+(dz%AR7uzW;j4aqsMkm(VcWx^3>+d8+zMx2i@pu51%9)Ha_zSmqJY`A zq{UksR-=&rUdI`68IZ|40Qj(U8-+}T{D`n)e8j5fQnnkTWrHBu)vr;i? zaiv$c6m18fNLnIpR53cxk}=kU=)BqUy%Nvb zk;Ax@Ia1@JZZUKl%39J=mlK^s?<$(C7Mz(gL-Uo78fMB;8*tmlyoWZ@k8i>pig8Xi z)Z-;i(ZsGE

    bN0U(sI3A4msbFu@w`L9)K`76yIqU0JpaZk_=GSGd07-#iSs33w&L z=!e6Nz&BFuDloDCEN+>cqRRY}w(IaJy-v5Z!ly^u{P0%g)xC-Gw{4g!pYz$kS~9@+ zGccKR&5;0F0np*4Lc=5Cqkvi!g0=^h!v;J-)K4!Rs0I0F1AqPX_4fA!xqp)jfVk@lt|h?D z8+xmFQwp{Ys6`=FO83F1{ryWVA_ESV_Bp=ZYRbiXM)4f z#UO~SLmG}~@{8t!NL+~InG$JhpeMS(3l){ZZ)M^Kr33d?L(H!Txi~TJJ8CWx<|)8{ z#;hMLUY=u(hHjVDLC|SO)&udSwi5gt)P@+ub>ez1(V2 z${8HP>FBsibBH0UWp`)-Pxh; zP1!~(C z-mm8{e2>c>b=MXA5C~u2YwN!sJc`BrN*}(I+&kFVZ?pO{$*4F#D1LuZE{ByB7N$ui zrzWxy*R>fXlcUhkvUWsSh=5Sk==r^{gnBrQ+A;iLVlM%b3E4{jl2ZcL7IWwH2vj$M z@R#DkOy)<8TQq?|5TXB@9hC;4>xPtR@r{@k$yNFb7Dw|^i20782JZu=`9!KufTH5y zN`HVSI#r;x+z-}oMjxw>uI3INZbmc@-ex}@^;d?R`==USJFBG1(hZ`))DqI+dGX>l z_S_2(Qb=UozT$i1!1Lah!R2GCcdEabG~_oikNT=fo)=m2cD~n1L|;At;3#){ny~)g z$ge=hh>Uks-QbT$Kk6?vd2+@->I+kDP$y0&Vj43;SW7N$Iu}#@eDSws7?PIpXB9D~ z*CM$BU1||ufn08^9A3JwK$1++qxv#Sk<}$7YfKx+L`h!v%Ea|mv7Mq?#dHHyn0i&D ztYHYp@ZwUG1GaLo;Qrh8v7`Dk%W>7(=-Bw+3SbrqTmewo>#awE<8((>--#!Jim4@G zmZP`y7o(|L(?*HC1%}^_^M@Z%Li9fr@hCME|>=+v-b10t2f#jr#5t6uZgaA87DK7V~4h7 z>l+(R768_n)tSv$p>9ojxPGF7eEd4=Eu4z^clb02od~mnfmgeB{Y{nU(aXlP%fzc( z;OU}>uUaOkwMVzO#gd-auAdpF-C=TEA0Ty=0QPj!NONg(@ zH0hEjg8fmFEZTKf|CP-{e)2?#oxnJ_hJf_?hh6wSOP1j6AsU#MZVriN_x=>c!r7T) znU1KN=6bir+a3^+K5pjOk*6+XtcKv7xU3(?<=`(y!__Mf@~th%H1W$U4){nHZ(VzT z0=%LUra_7g#tH5w*t(mavDahz>YB`J?ZkpLAyJ0cm}6*ZbQu~e38uReAiH_7L!BHjuAz)RoJE7KW)Ou!0;eB<9%QxQid|U zJR}82bd4ONLQ0v!CIm8onO_O08T7Ba0AX0DipvGcn6UBAzIxy5T5L5VNg1na-Ute0 z94urSW5a{4EyI&iC}DYT_=X4BYSNLV5|IW%E;;p3=R^uylpG|J59O224wwj&*?!Ws z0k}(Y5{7!yEX#5N2Id(CE0F7ZPhtRGA;k%M-MmcMp420(>GzH;qYiy5ugg&wfT7vkXhht5>{rz9Fyo<+7HRmcWyzAgex52KK`cI^}f2 zLRQq8xso}=fR6m=upgQ*aC4h8vIFY3>Upb_3upU2ksyk=uiXi?5HqTx%VynU%LQGG zzd|5SK#9rji9=S!?<~YXv=savfG(@L<+nVw)E8?{nT+J}mOX%#&ILsg6BCK&epgEi zlvCzMy1RJtqCc|JhSoaejlp0yG94(K(*P^FX+7$=mLxu~us-t&ws+1mGl zRBFcg0x@_k1L1aIAL#Ox4vP9HVr+^Pm=E`~ZlT7#f)k_gzKv{gajM$~SlOix?t6Z+ z2Bbtr;{13yC6f+}BtN0<8~?=TfjtVtO61IDNg&24}63%9odQEF=tT zDG4p!C_l>P(zxX zQNUs_hnxB92@|f_L@-FYXKnKgo<+Z(eBFYFqv*V#kLAs9?)G3p1k8H`YImfxf_Bti 
z&@`N=koap>j}|8Mp6^;?Xt?&Od>(&uxpk%KSpDqwLGb=Gb5f_ntZu&1>bAB}@N@L0 z(Mn8WR90hVr){XsJbqPlRVZ>p7&^`)zn0-iFYfJVU1%j>_Yc?7+YUkA#}2d~>vn6L zJbsKr5T65Y$9HjOQ$Q9j;CFqVefapDI(JVHfCwFTEhHSh}J(_fr z;YQ86ExziE!`0Rx%Xr0!C&b8ObZ7TL7nBnA2IpBce#{=laHg-MZFh!$jxwbk$tO^q z$!sS|73GMb0);o?J5pia;s9M8NxMmPfe!Li9S-kUYC{C)Bp_&VB=$0bxdOA57sm{i z{gAH3X`$xFB^kiMQpM)#+9Py=tB2oPo((w#9j03wO#?_&W3?rD#0JN&15<&vjYn36 z&yxuuCQ!G%3L%X7Hy-|ncfN1A)}OG4&zE5?@#Uddahey7Dzdo1PGesQyCVMRKAU{4 z8>>AU>iWTCNx(hTv=GdXFF3{M+uQ|KPJSwEirkK1Q+bXm$%*G=;~CAbnQ(HI0cq)C z%H25(bpOb(o7sl$QufSPGr|xvE>xA6lh^|n)XM4aV&VA`$J|@yAg-~0bYbP{|EUWL zb+4EyX9qM4;X1?`;85R%_equOzo>v7Zp;8mPZ3PN7Z8e3EBA^d{6E~zA}>51B{keb zI&Xs< zMa1+cp{+XIi$O91xbZZIIZXYTJE{)qG36mIjA68Q-Tsq0k_8dMcm>H&9)F#Ye%f;vUB2AE=^BsoH8uo5AossQ;FYq}?}Mo{96>OZmRZaWYFs0Mk|mBv`!E0}_NGp7V%MFUy-xMQ4Ln_3N20w3 zU}4+5hA9$$-!ns02PTKxlY~o z?3<1;n5Yo>hp3RxRF#`XD39VW#;S(YOh(02|CJjiEv_PEcWino4#@)v!=)p!eM~i} z(7bsJW(K@3mA=NZl>N>Wwn3@v7N;lEMr(xEwwg53%3R*jRb@#$LBmh$iGJXuM9CE^ zVl#1vdh2g{V*c8E|vC4nWBpB8HcA38Q|NQZ2@Bf-^~SpWq4k4H!lzJ{D(Lke5`V{0F@mL{-1tH*JOo1b2&tE*axGcPc52T1HX0OJZq-P$ z%A=s1|AWNfid&}*FYM{t@}+QRf4jNhfe~R7o8|J!DwUr9Cq?D!x^cra{E?={#hq$a ztNtEEM87rCuc%Fci0!@wXKzBX2&{7Gx7;to+T~MFb#Usq6C`n!>OIL7f}4()c9JH7FJDYZCkrDh3#Vxm}Axm$)qB0*+HDD^+B>) z6W-SK(pe@klKsTFO~>$~B1V$6RtTfZnYm1|76#$@GlU1LcOgJR3MR;35`G{?q5}7FPDQ+UxXHf-rqAa9uAH z^CE2Xu_8?fxUOxisn$DdRQ1j09D~`gER1{Xwv@~Ttxv`i6QGw+z{>WS_FW1yx$nvg z9xkE~eK<9)c<~yPMTDa+EM+B-j^ZR{yvR&u?2e1i4?j_L39 zj-T6rIAG)njD&}wr&-=CYsRtR-GJMks5PBUtBn)C zkx}Zy92}~=XQAsEC2Nu?TN30yoqj|LZ_ZvW5FTA6(FqTB0?z?Zq(HC>l^3zz2|5dU z5cWho2WH-jyiCz19>;c7CM%|?-2|mgyf0MZV+kHsW}wYgF2|8tKr;vi_IYT*@TZp< zk95x+*oW*1OxW<6UpG+%WX^5-bKC9L!||F{StKpBe7-G(MK5o@AcJBJi#+>x4JDTi z7JwWEiu#;h*4G-=k6R%M!F=&&GcaF#$_wU;J8DMp8`hu0eh)9WVoT%Qge5=wC}Hp& z6wn#YR|2M2gs;#2>UR@<-7NcscH*tr`-~U8|C<1~A4JxpX>|3J+aiiBHvo}FVZk{v zoC0BMnod8BY+Q4TwJrRm(;>FRSjx)k)D(Blo<*aZa43+-l7MHov5Me-Y`%}I}LX%s0aHv8ws9#ZtAtI z#=N9IX@M}Bbh3q@VgPsQ5*yNsFse;)Gd;wY5rj=Xbh%oe$Vd-+nd*-CY*+XffO^ZW 
z1fIEJ(MpQQz6p5w>65ao1UYAbU{QvrH050b4}k(%YQ$6?|jV3i&m_y1$Hjg zlyo7_=KSotSX1lvU%$Bcr&Jbf&*$B;8kcotC5KY{O`JIFuRL6jG1FLA%L{s~H}rYU zEP})Ds*GaHS5~QEuRc`jeX90^R_a3sjM-`As7sACL)b6O zOPb6{`A-X0*Nlb`ELaSS=3+^=53uU6xeo)ROM#wWPoTKh0H7esf=Ap5g8oL`AkYn~ zJlf`v=u3F~p(%@>R49!XUjj<3B`b9T)Z(Kq5nH&4eL{6LYLYb$B@0@TX0z5qxU=1* z@KGLOx0!CMTJ%GCKT8Xh_bloWBO6-?DS`WNZ7Va>SJ=;92FUq3WQSH*;P#@>VQ`vB zarIwxRal|800G~O)`$54ax4sCMlhoPKwf?Z)OZo3_a@|5kJ5D(amRZ*bY(j^+__CHFXLl*WdQ0p z_zqq42*|Nfl47J|?0@?EBv`O1Ue#0JO1&Tc*kB8~&$e@Q5seJ9jChN!t)2Q^7(+Y! z+-R#Umf-Ov?)TD=6C+ENn8()Na5P&#ZX0xfvCx{7h>Ic)={B@LjfZ>Wy@?}rp$N_s z)tc0wS+cJZA)yi0%|YIQ$E&f{cg@#=1~^{TWPs5K3)z(>gL)D>(xRNCu7DIZ7Roz_ z@yiPbne#7CNk8xyHzwz0lb&)spTeoRW{rTVoK=u-+}m>%-01tZDW0~8P$rZuz1;O* z6d(G=GNg31wh8{mk6{I}czX@+9dk{<_hM5oadCJfM-NhE1K0Nj0V`Fri!aCSh+@f| z>i`)X0R5hUV#I+qX#{H(rsfU=$q;%RIcaI=HYbajqA-+lRAtsIiY67yLWe+(bWIDS z3l><%^GyNkcq&+#Yg~@*7hoNa1}!hOlxjyIG7p~x$SjO#`_~^U0SgyshU^jK&yP?vX>R{&pvH?v_M=v7K@Mb0MqZk@Qa}t zyZ`xg;vkl2(p^JfzG?+8L#D`WFe}=t7`lK9Nt^Wu!+oh^x1^qLuP`C&K!&y$Ug@<% zAd3e{OO+q`lG0Fx3Kh=mDIFH9lnj0w0$ zC7&74y+>d$Rgw7DUrSmX(cn04hdN)H(HIVwY9>m%UbWa9k?zEqCO;J%GPN4>TkT$w>G5h7xy|S}gdM>N}XB4lf(l{~C7y zD8>I};Ca{oYv6%z%dEy*a|{oh9xqvMUttZiyemWdx-l!^7!Rio6`Zy7gTXX18_QDe zkzdu1mefpfg*Yl73v5|nnv+vUlu@LzOJLB7Drgt=f1Jg_QYdtn@oSX-yCR-+-ldX! 
zRhPnA>Q}}c0!IL#B(B~OmtG0c4@dC3yfj6(OL9PMg)ep4JD7#PBZD^~UqFsP@YhqG z%`WBvd8{!+7fltBr-YbMKL>&H9iu@ZIm!?kfg5;ffQf}N$RKs})=dPMV4ranpgk!& zOf(jUIt*yivH#JJwC6h!)-XBQ0GW9U=^hbI$C=mwbRwYlz0mJKa`*%1esqnOI-XOx zd>Zj*z8;r{^h4BVRp^WcwrXAO2*JsMXzPu1g_OFE)m^Q2Ifu5L#5L?{zIrq9F~?I2 zdY1GSva|`@d{==^oEGBre!0n(X}q6!BMa1CFcXohxGd%(lSM?9clr~qOB939w+*JQ zFGax|is=CHfqv#$g8e(66Op$+k}M5kO5MSaW>rtsmlXamki?Dxki{?8&d4ZhE|)CK z*$or;#eR5?cE8@Hj_x@R_gGq9wz_kg=EeRN7<=|DzJ(h8;TJmErE5fy`}2?8zhc>0 z#lmUECO>J_?)W|~bkAMn7Ncj^JlQh&>&G2P#T3w(a+g$K{AO0W$GTX@_>TPI_f<9Bop5Ls@}R^SOq~1W<;F?V-PPrnkA&aC z{^?>R1vuDu89B51PHo3(cOokUG!=-Rzu*E>gH4hy)4T7p$VF^ELu@VSU#51lOtXt= z$2bE@sz8YC_{9Pjy~@RZ7V(Y=z61B`-BnC915=2lS)~o!$m1ve^gSECEB8)TpEC4D z^yw?4e*!GY7ETx^vbDe7t?$Qc)mgR?lPwFb`Mn{sb#-pYPv?6@N7~})c1`x4oC_Lk zBm$w-lCmv0*P*?7$9|9@&~KThb45tD@)-e&m$g1xOZLTzn+_E6>IR`z^^18rELFXe z*AbX7mDqWk*c zEfh@rJq;~11s3{&diHHQ$%>1g)#~Y5*~b`#1>Gz+Ze;C5<1+lf?ifKAzCgaAT!*M=u5u|-4JtyFSugz_aFxbM4hK{~`DnQspb|U50OD=2BD!SB8y7R2dOj7tbYG&^qkYeO3LoOvuPVC2~AMh%g7FBbad^mp$ zWz#JA*=gUI-Pllt{>ibOzY#Zi-ZUNH?LlT(`BC3#E;zG%)+9^>G7gX%I`*S!gD z&QKdJM{{_^+d*8x7u^eyi1rfC6L90Iu?qL1Nk zLqneLci*p35mIPzAC;Gag$vrlauy6LEg@Rq3e@&V@cF!&JRltN`-O}@*977LHeP&x zdZIhD_ssmofcROm+2zVR&WuF(4Sx-uFEIYdg(YnB{mzb8Rh)|cSLeOQ<58L_?GLaT z=pZbOmcvL1*O$vFSDxcP{e_)o?StExXfwirCtL;z$wstuqC9l0cLcL}l_8fc!X!s; ze#!+pgg;Cy|4+w>ohn1fY=*ihV0kU)ypRswr}k~B+qL3ATvO>gdIKOkK;KGg0AFw; z-ra|uFCX?3-BZK|+{d%91s(MosO6UJ`k0z^1Z45}!u4z7eyEFEz&NmFSU8jOI+zl% z=FK5#W3n7cfKX${Y>mmLDW&*Wx}}UaV&jjNk4j|g;uv0A^CJ4++sKayfPpFo?DOHk z&JCmG+0TNf7G}j+{k%hcIz~k$6%w4chO5NSw}QD9fRZsY*>jUadYx4}TLRkb{10nu zl@cagKq0epr4c9PaEZ5NBi zPrBWGR>y~l~UO7v+Nu0Xn8AqzgFX0F^6;>C}RR3t<0~}%C4Fz4HL#vu- za7>D#W71B{pHBCLmz416v2O_H3oFx)6P|tF3a0?SStF<)JZI%aqa;z`DPtbWK1$i4 z-9J$25dA+&q^Beb!%?U(VGB0OR|WrSyEowdj-z!@K`}p?YtP7|Kp~3R<|un1ns8lj zAbGH6p?4fH>#c6912hOb3#A>t5l*B#j$B&;hOb+i&7TYa!=D2bjI@HuC;q%};UO0* z^_q-x>^Sd(dHx2Y7Rb6uM0aph*9t+BgRf(HbH?OX(-! 
z&(NzEEUSsS-*Xrwzi{n>D#jxbAbUGPy+pm9`0`c)0@={hImS5DMn9)Iip*yUE+=FcE) $u~l+;A)V|<<8-Q?;K{$6P-cEPWuR9XQDO4DiMR$;dn6$jVv8u(yzs&H0uP`b$qeh z?%#}4L83NKJwtyx`VVi#lt+mUu{lS-C?T$?0ZKn!0qN7WkQ#_*Cbl{S6Am^?=?r#| Nf^ajokPr|M{{x>-23-IE
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 81f5ae066ea..bcc866485cf 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -392,7 +392,7 @@
 "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]",
 "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]",
 "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]",
- "analyticRuleVersion54": "1.0.3",
+ "analyticRuleVersion54": "1.0.2",
 "analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f",
 "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]",
 "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]",
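Review bot: The packaged version of rule 54 (contentId `3a3c6835-0086-40ca-b033-a93bf26d878f`) goes backwards in this hunk, from `"1.0.3"` to `"1.0.2"`, which is a regression rather than the bump a repackage should produce. By analogy with the visible `_analyticRulecontentProductId53`, the product id for rule 54 presumably folds `analyticRuleVersion54` into its `uniqueString`, so the lowered version yields a different product id and workspaces that already have 1.0.3 installed will likely not be offered this template as an update. The rebranding text changes in this PR should ship under a higher version: set the rule's YAML `version:` to `1.0.4` and regenerate the package so the line reads `"analyticRuleVersion54": "1.0.4",`. If the previously packaged 1.0.3 never shipped, state that in the commit description, since otherwise this mainTemplate cannot be distinguished from a stale build.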