From 095f979060010a22eeefda4c5c57c9317b071763 Mon Sep 17 00:00:00 2001 From: Marios Trivyzas Date: Thu, 15 Oct 2020 15:28:26 +0200 Subject: [PATCH] EQL: [Tests] Add correctness integration tests (#63644) (#63735) Add a new gradle module under eql/qa which runs and validates a set of queries over a 4m event dataset (restored from a snapshot residing in a gcs bucket). The results are providing by running the exact set of queries with Python EQL against the same dataset. Co-authored-by: Marios Trivyzas (cherry picked from commit 1cf789e5fcfb0f364f665bfaac021e24a4c2f556) Co-authored-by: Mark Vieira --- x-pack/plugin/eql/qa/correctness/README.md | 68 ++ x-pack/plugin/eql/qa/correctness/build.gradle | 38 ++ .../org/elasticsearch/xpack/eql/EqlSpec.java | 102 +++ .../xpack/eql/EqlSpecLoader.java | 89 +++ .../xpack/eql/EsEQLCorrectnessIT.java | 213 ++++++ .../javaRestTest/resources/config.properties | 14 + .../src/javaRestTest/resources/queries.toml | 623 ++++++++++++++++++ 7 files changed, 1147 insertions(+) create mode 100644 x-pack/plugin/eql/qa/correctness/README.md create mode 100644 x-pack/plugin/eql/qa/correctness/build.gradle create mode 100644 x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpec.java create mode 100644 x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpecLoader.java create mode 100644 x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java create mode 100644 x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/config.properties create mode 100644 x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml diff --git a/x-pack/plugin/eql/qa/correctness/README.md b/x-pack/plugin/eql/qa/correctness/README.md new file mode 100644 index 00000000000..5e10c274671 --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/README.md @@ -0,0 +1,68 @@ +## ES EQL Integration correctness tests + +### Description + +Python EQL runs a series of queries against a specific dataset and the output of those queries (including results and +timing) becomes the `queries.toml` file of this module. + +The dataset is stored as a snapshot on a bucket in gcs. This module starts up an ES node, restores these data, executes +the queries and asserts the results that are provided along with the query statement in the `queries.toml` file. + +### Running the tests + +To be able to run the tests locally, one should set the environmental variable `eql_test_credentials_file` pointing to +a local file holding the service account credentials which allow access to the gcs bucket where the dataset resides. +E.g.: +```shell script +export eql_test_credentials_file=/Users/username/credentials.gcs.json +``` + +To run the tests you can issue: +```shell script +./gradlew -p x-pack/plugin/eql/qa/correctness check +``` + +or simply run: +```shell script +./gradlew -p x-pack/plugin/eql check +``` + +**If the `eql_test_credentials_file` environmental variable is not set the correctness tests will not be executed.** + +*For every query you will get an `INFO` line logged that shows the response time for the query, e.g.:* +``` +org.elasticsearch.xpack.eql.EsEQLCorrectnessIT > test {2} STANDARD_OUT + [2020-10-15T11:55:02,870][INFO ][o.e.x.e.EsEQLCorrectnessIT] [test] [2] before test + [2020-10-15T11:55:03,070][INFO ][o.e.x.e.EsEQLCorrectnessIT] [test] QueryNo: 2, took: 169ms + [2020-10-15T11:55:03,083][INFO ][o.e.x.e.EsEQLCorrectnessIT] [test] [2] after test +``` + +*At the end of a successful run an `INFO` line is logged by the tests that shows the total response time for all the +queries executed, e.g.:* +``` +[2020-10-15T06:39:55,826][INFO ][o.e.x.e.EsEQLCorrectnessIT] [suite] Total time: 24563 ms +``` + + +#### Run a specific query + +If one wants to run just one query from the set, needs to do it with following command by replacing `` (which +can be found in queries.toml file) with the desired number of the query: + +```shell script +./gradlew ':x-pack:plugin:eql:qa:correctness:javaRestTest' --tests "org.elasticsearch.xpack.eql.EsEQLCorrectnessIT.test {}" +``` + +#### Debug queries + +If one wants to check that the filtering subqueries of a sequence query yields the same results (to pinpoint that the +possible failure is in the sequence algortihm), needs to enable this debug mode with the use of a parameter: + +```shell script +./gradlew -p x-pack/plugin/eql/qa/correctness check -Dtests.eql_correctness_debug=true +``` +or +```shell script +./gradlew ':x-pack:plugin:eql:qa:correctness:javaRestTest' --tests "org.elasticsearch.xpack.eql.EsEQLCorrectnessIT.test {}" -Dtests.eql_correctness_debug=true +``` + diff --git a/x-pack/plugin/eql/qa/correctness/build.gradle b/x-pack/plugin/eql/qa/correctness/build.gradle new file mode 100644 index 00000000000..250b8fb8bf5 --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/build.gradle @@ -0,0 +1,38 @@ +apply plugin: 'elasticsearch.java-rest-test' +apply plugin: 'elasticsearch.build' +test.enabled = false + +restResources { + restApi { + includeCore '_common', 'bulk', 'indices', 'snapshot' + includeXpack 'eql', 'indices' + } +} + +dependencies { + javaRestTestImplementation project(':test:framework') + javaRestTestImplementation project(path: xpackModule('core'), configuration: 'default') + javaRestTestImplementation project(path: xpackModule('core'), configuration: 'testArtifacts') + javaRestTestImplementation project(xpackModule('ql:test')) + javaRestTestImplementation 'io.ous:jtoml:2.0.0' +} + +File serviceAccountFile = (System.getenv("eql_test_credentials_file") ?: System.getProperty("eql.test.credentials.file")) as File + +testClusters.all { + plugin ':plugins:repository-gcs' + if (serviceAccountFile) { + keystore 'gcs.client.eql_test.credentials_file', serviceAccountFile + } + testDistribution = 'DEFAULT' + setting 'xpack.license.self_generated.type', 'basic' + jvmArgs '-Xms4g', '-Xmx4g' +} + +tasks.named('javaRestTest').configure { + onlyIf { serviceAccountFile } + + testLogging { + showStandardStreams = true + } +} diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpec.java b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpec.java new file mode 100644 index 00000000000..a2fe13bf5af --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpec.java @@ -0,0 +1,102 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql; + +import java.util.Objects; + +public class EqlSpec { + + private int queryNo; + private String query; + private long seqCount; + private long[] expectedEventIds; + private long[] filterCounts; + private String[] filters; + private double time; + + public int queryNo() { + return queryNo; + } + + public void queryNo(int queryNo) { + this.queryNo = queryNo; + } + + public String query() { + return query; + } + + public void query(String query) { + this.query = query; + } + + public long seqCount() { + return seqCount; + } + + public void seqCount(long seqCount) { + this.seqCount = seqCount; + } + + public long[] expectedEventIds() { + return expectedEventIds; + } + + public void expectedEventIds(long[] expectedEventIds) { + this.expectedEventIds = expectedEventIds; + } + + public long[] filterCounts() { + return filterCounts; + } + + public void filterCounts(long[] filterCounts) { + this.filterCounts = filterCounts; + } + + public String[] filters() { + return filters; + } + + public void filters(String[] filters) { + this.filters = filters; + } + + public double time() { + return time; + } + + public void time(double time) { + this.time = time; + } + + public EqlSpec(int queryNo) { + this.queryNo = queryNo; + } + + @Override + public String toString() { + return queryNo + ""; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + EqlSpec eqlSpec = (EqlSpec) o; + return queryNo == eqlSpec.queryNo; + } + + @Override + public int hashCode() { + return Objects.hash(queryNo); + } +} diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpecLoader.java b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpecLoader.java new file mode 100644 index 00000000000..b51962e69b8 --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlSpecLoader.java @@ -0,0 +1,89 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql; + +import io.ous.jtoml.JToml; +import io.ous.jtoml.Toml; +import io.ous.jtoml.TomlTable; +import org.elasticsearch.common.Strings; + +import java.io.InputStream; +import java.util.Collection; +import java.util.LinkedHashSet; +import java.util.List; +import java.util.Set; + +public class EqlSpecLoader { + + private static void validateAndAddSpec(Set specs, EqlSpec spec) { + if (Strings.isNullOrEmpty(spec.query())) { + throw new IllegalArgumentException("Read a test without a query value"); + } + + if (specs.contains(spec)) { + throw new IllegalArgumentException("Read a test query with the same queryNo"); + } + specs.add(spec); + } + + private static String getTrimmedString(TomlTable table, String key) { + String s = table.getString(key); + if (s != null) { + return s.trim(); + } + return null; + } + + public static Collection readFromStream(InputStream is) throws Exception { + Set testSpecs = new LinkedHashSet<>(); + + EqlSpec spec; + Toml toml = JToml.parse(is); + + List queries = toml.getArrayTable("queries"); + for (TomlTable table : queries) { + spec = new EqlSpec(table.getLong("queryNo").intValue()); + spec.seqCount(table.getLong("count")); + List arr = table.getList("expected_event_ids"); + if (arr != null) { + long expectedEventIds[] = new long[arr.size()]; + int i = 0; + for (Object obj : arr) { + expectedEventIds[i++] = (Long) obj; + } + spec.expectedEventIds(expectedEventIds); + } + + arr = table.getList("filter_counts"); + if (arr != null) { + long filterCounts[] = new long[arr.size()]; + int i = 0; + for (Object obj : arr) { + filterCounts[i++] = (Long) obj; + } + spec.filterCounts(filterCounts); + } + + arr = table.getList("filters"); + if (arr != null) { + String filters[] = new String[arr.size()]; + int i = 0; + for (Object obj : arr) { + filters[i++] = (String) obj; + } + spec.filters(filters); + } + + spec.query(getTrimmedString(table, "query")); + spec.time(table.getDouble("time")); + + validateAndAddSpec(testSpecs, spec); + } + + return testSpecs; + } +} diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java new file mode 100644 index 00000000000..54f98c0904f --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java @@ -0,0 +1,213 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql; + +import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; +import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite; +import org.apache.http.HttpHost; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.lucene.util.TimeUnits; +import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryRequest; +import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest; +import org.elasticsearch.client.HttpAsyncResponseConsumerFactory; +import org.elasticsearch.client.Request; +import org.elasticsearch.client.RequestOptions; +import org.elasticsearch.client.ResponseException; +import org.elasticsearch.client.RestClient; +import org.elasticsearch.client.RestClientBuilder; +import org.elasticsearch.client.RestHighLevelClient; +import org.elasticsearch.client.eql.EqlSearchRequest; +import org.elasticsearch.client.eql.EqlSearchResponse; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.test.junit.annotations.TestLogging; +import org.elasticsearch.test.rest.ESRestTestCase; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Properties; + +import static org.elasticsearch.xpack.ql.TestUtils.assertNoSearchContexts; + +@TimeoutSuite(millis = 30 * TimeUnits.MINUTE) +@TestLogging(value = "org.elasticsearch.xpack.eql.EsEQLCorrectnessIT:INFO", reason = "Log query execution time") +public class EsEQLCorrectnessIT extends ESRestTestCase { + + private static final String PARAM_FORMATTING = "%1$s"; + private static final String QUERIES_FILENAME = "queries.toml"; + private static final String PROPERTIES_FILENAME = "config.properties"; + + private static Properties CFG; + private static RestHighLevelClient highLevelClient; + private static RequestOptions COMMON_REQUEST_OPTIONS; + private static long totalTime = 0; + + private static final Logger LOGGER = LogManager.getLogger(EsEQLCorrectnessIT.class); + + @BeforeClass + public static void init() throws IOException { + try (InputStream is = EsEQLCorrectnessIT.class.getClassLoader().getResourceAsStream(PROPERTIES_FILENAME)) { + CFG = new Properties(); + CFG.load(is); + } + + RequestOptions.Builder builder = RequestOptions.DEFAULT.toBuilder(); + builder.setHttpAsyncResponseConsumerFactory( + new HttpAsyncResponseConsumerFactory.HeapBufferedResponseConsumerFactory(1000 * 1024 * 1024) + ); + COMMON_REQUEST_OPTIONS = builder.build(); + } + + @Before + public void restoreDataFromGcsRepo() throws Exception { + if (client().performRequest(new Request("HEAD", "/" + CFG.getProperty("index_name"))).getStatusLine().getStatusCode() == 404) { + highLevelClient().snapshot() + .createRepository( + new PutRepositoryRequest(CFG.getProperty("gcs_repo_name")).type("gcs") + .settings( + Settings.builder() + .put("bucket", CFG.getProperty("gcs_bucket_name")) + .put("base_path", CFG.getProperty("gcs_base_path")) + .put("client", CFG.getProperty("gcs_client_name")) + .build() + ), + RequestOptions.DEFAULT + ); + highLevelClient().snapshot() + .restore( + new RestoreSnapshotRequest(CFG.getProperty("gcs_repo_name"), CFG.getProperty("gcs_snapshot_name")).waitForCompletion( + true + ), + RequestOptions.DEFAULT + ); + } + } + + @After + public void checkSearchContent() throws Exception { + assertNoSearchContexts(client()); + } + + @AfterClass + public static void logTotalExecutionTime() { + LOGGER.info("Total time: {} ms", totalTime); + } + + @AfterClass + public static void wipeTestData() throws IOException { + try { + adminClient().performRequest(new Request("DELETE", "/*")); + } catch (ResponseException e) { + // 404 here just means we had no indexes + if (e.getResponse().getStatusLine().getStatusCode() != 404) { + throw e; + } + } + } + + @Override + protected boolean preserveClusterUponCompletion() { + // Need to preserve data between parameterized tests runs + return true; + } + + @Override + protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { + RestClientBuilder builder = RestClient.builder(hosts); + configureClient(builder, settings); + builder.setRequestConfigCallback( + requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(30000000) + .setConnectionRequestTimeout(30000000) + .setSocketTimeout(30000000) + ); + builder.setStrictDeprecationMode(true); + return builder.build(); + } + + private final EqlSpec spec; + + public EsEQLCorrectnessIT(EqlSpec spec) { + this.spec = spec; + } + + private RestHighLevelClient highLevelClient() { + if (highLevelClient == null) { + highLevelClient = new RestHighLevelClient(client(), ignore -> {}, Collections.emptyList()) { + }; + } + return highLevelClient; + } + + @ParametersFactory(shuffle = false, argumentFormatting = PARAM_FORMATTING) + public static Iterable parameters() throws Exception { + Collection specs; + try (InputStream is = EsEQLCorrectnessIT.class.getClassLoader().getResourceAsStream(QUERIES_FILENAME)) { + specs = EqlSpecLoader.readFromStream(is); + } + assertFalse("Found 0 queries for testing", specs.isEmpty()); + + List params = new ArrayList<>(specs.size()); + for (EqlSpec spec : specs) { + params.add(new Object[] { spec }); + } + return params; + } + + // To enable test of subqueries (filtering) results: -Dtests.eql_correctness_debug=true + public void test() throws Exception { + boolean debugMode = Boolean.parseBoolean(System.getProperty("tests.eql_correctness_debug", "false")); + int queryNo = spec.queryNo(); + + if (debugMode) { + for (int i = 0; i < spec.filters().length; i++) { + String filterQuery = spec.filters()[i]; + EqlSearchRequest eqlSearchRequest = new EqlSearchRequest(CFG.getProperty("index_name"), filterQuery); + eqlSearchRequest.eventCategoryField("event_type"); + eqlSearchRequest.size(100000); + EqlSearchResponse response = highLevelClient().eql().search(eqlSearchRequest, COMMON_REQUEST_OPTIONS); + assertEquals( + "Failed to match filter counts for query No: " + queryNo + " filterCount: " + i, + spec.filterCounts()[i], + response.hits().events().size() + ); + } + } + + EqlSearchRequest eqlSearchRequest = new EqlSearchRequest(CFG.getProperty("index_name"), spec.query()); + eqlSearchRequest.eventCategoryField("event_type"); + eqlSearchRequest.tiebreakerField("serial_id"); + eqlSearchRequest.size(Integer.parseInt(CFG.getProperty("size"))); + eqlSearchRequest.fetchSize(Integer.parseInt(CFG.getProperty("fetch_size"))); + EqlSearchResponse response = highLevelClient().eql().search(eqlSearchRequest, RequestOptions.DEFAULT); + long responseTime = response.took(); + LOGGER.info("QueryNo: {}, took: {}ms", queryNo, responseTime); + totalTime += responseTime; + assertEquals( + "Failed to match sequence count for query No: " + queryNo + " : " + spec.query() + System.lineSeparator(), + spec.seqCount(), + response.hits().sequences().size() + ); + int expectedEvenIdIdx = 0; + for (EqlSearchResponse.Sequence seq : response.hits().sequences()) { + for (EqlSearchResponse.Event event : seq.events()) { + assertEquals( + "Failed to match event ids for query No: " + queryNo + " : " + spec.query() + System.lineSeparator(), + spec.expectedEventIds()[expectedEvenIdIdx++], + ((Integer) event.sourceAsMap().get("serial_id")).longValue() + ); + } + } + } +} diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/config.properties b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/config.properties new file mode 100644 index 00000000000..7da7c79d4c8 --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/config.properties @@ -0,0 +1,14 @@ +# +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License; +# you may not use this file except in compliance with the Elastic License. +# + +index_name=mitre +fetch_size=1000 +size=2000 +gcs_repo_name=eql_correctness_gcs_repo +gcs_snapshot_name=mitre-snapshot +gcs_bucket_name=matriv-gcs +gcs_base_path=mitre-data +gcs_client_name=eql_test diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml new file mode 100644 index 00000000000..01b0b8e4b97 --- /dev/null +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml @@ -0,0 +1,623 @@ +[[queries]] +queryNo = 1 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [62, 0] +filters = [ + 'process where process_name == "powershell.exe"', + 'process where parent_process_name == "powershell.exe" and process_name == "cmd.exe"' +] +query = ''' +sequence by hostname, unique_pid + [process where process_name == "powershell.exe"] + [process where parent_process_name == "powershell.exe" and process_name == "cmd.exe"] +''' +time = 2.5353124141693115 +type = "sequence" + +[[queries]] +queryNo = 2 +case_insensitive = true +count = 4 +expected_event_ids = [2764897, 2788555, 2794007, 2794299, 2793418, 2794327, 2843304, 2843338] +filter_counts = [62, 78] +filters = ['process where process_name == "powershell.exe"', 'process where parent_process_name == "powershell.exe"'] +query = ''' +sequence by hostname, unique_pid + [process where process_name == "powershell.exe"] + [process where parent_process_name == "powershell.exe"] +''' +time = 2.317765474319458 +type = "sequence" + +[[queries]] +queryNo = 3 +case_insensitive = true +count = 53 +expected_event_ids = [364053, 364054, 364076, 364077, 364100, 364101, 364130, 364131, 364136, 364137, 364142, 364143, 364147, 364148, 1967526, 1967527, 2278881, 2278882, 2678783, 2678784, 2678794, 2678804, 2737404, 2737405, 2756749, 2756750, 2764897, 2764898, 2788555, 2788556, 2792766, 2792767, 2793418, 2793419, 2794007, 2794008, 2794299, 2794300, 2794327, 2794328, 2829654, 2830021, 2842421, 2843199, 2843251, 2843274, 2843271, 2843275, 2843304, 2843335, 2843335, 2843336, 2843343, 2843344, 2843338, 2857636, 2857636, 2857638, 3285819, 3285822, 3285918, 3285919, 3299548, 3299549, 3299718, 3325408, 3335292, 3335296, 3338473, 3338475, 3338509, 3338510, 3371674, 3371675, 3371854, 3371857, 3372130, 3372131, 3372288, 3372289, 3372456, 3372457, 3335324, 3396038, 3414954, 3414958, 3415019, 3419532, 3440375, 3440376, 3440379, 3440382, 3440446, 3440447, 3440460, 3440461, 3440563, 3440566, 3440581, 3440582, 3440602, 3440603, 3441061, 3441064, 3441199, 3441201] +filter_counts = [62, 84067] +filters = ['process where process_name == "powershell.exe"', "process where true"] +query = ''' +sequence + [process where process_name == "powershell.exe"] by hostname, unique_pid + [process where true] by hostname, unique_ppid +''' +time = 2.196350336074829 +type = "sequence" + +[[queries]] +queryNo = 4 +case_insensitive = true +count = 25 +expected_event_ids = [2278881, 2278882, 2678783, 2678784, 2678794, 2678804, 2737404, 2737405, 2756749, 2756750, 2764897, 2764898, 2788555, 2788556, 2792766, 2792767, 2793418, 2793419, 2794007, 2794008, 2794299, 2794300, 2794327, 2794328, 2843251, 2843274, 2843271, 2843275, 2843304, 2843335, 2843335, 2843336, 2843343, 2843344, 2857636, 2857638, 3285819, 3285822, 3285918, 3285919, 3299548, 3299549, 3335292, 3335296, 3338473, 3338475, 3338509, 3338510, 3414954, 3414958] +filter_counts = [62, 84067] +filters = ['process where process_name == "powershell.exe"', "process where true"] +query = ''' +sequence with maxspan=5s + [process where process_name == "powershell.exe"] by process_path, hostname, unique_pid + [process where true] by parent_process_path, hostname, unique_ppid +''' +time = 2.152170419692993 +type = "sequence" + +[[queries]] +queryNo = 5 +case_insensitive = true +count = 3 +expected_event_ids = [2683341, 2684165, 2683271, 2691427, 2683272, 2691428] +filter_counts = [186, 57805] +filters = ['file where (file_extension == "exe" or file_extension == "EXE" or file_extension == "Exe") and user_name != "SYSTEM"', 'process where user_name == "SYSTEM"'] +query = ''' +sequence + [file where (file_extension == "exe" or file_extension == "EXE" or file_extension == "Exe") and user_name != "SYSTEM"] by hostname, file_path + [process where user_name == "SYSTEM"] by hostname, process_path +''' +time = 8.175453662872314 +type = "sequence" + +[[queries]] +queryNo = 6 +case_insensitive = true +count = 1 +expected_event_ids = [3338473, 3338491, 3338493] +filter_counts = [62, 14814, 32] +filters = [ + 'process where process_name == "powershell.exe"', + 'network where process_name == "powershell.exe"', + 'file where process_name == "powershell.exe" and file_extension == "exe"' +] +query = ''' +sequence by hostname, unique_pid with maxspan=10s + [process where process_name == "powershell.exe"] + [network where process_name == "powershell.exe"] + [file where process_name == "powershell.exe" and file_extension == "exe"] +''' +time = 5.97972846031189 +type = "sequence" + +[[queries]] +queryNo = 7 +case_insensitive = true +count = 2 +expected_event_ids = [3338473, 3338491, 3338493, 3335324, 3335350, 3400089] +filter_counts = [62, 14814, 32] +filters = [ + 'process where process_name == "powershell.exe"', + 'network where process_name == "powershell.exe"', + 'file where process_name == "powershell.exe" and file_extension == "exe"' +] +query = ''' +sequence by hostname, unique_pid, process_path + [process where process_name == "powershell.exe"] + [network where process_name == "powershell.exe"] + [file where process_name == "powershell.exe" and file_extension == "exe"] +''' +time = 8.302443265914917 +type = "sequence" + +[[queries]] +queryNo = 8 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [0, 18063] +filters = ['network where process_name == "services.exe"', 'process where parent_process_name == "services.exe"'] +query = ''' +sequence with maxspan=1s + [network where process_name == "services.exe"] + [process where parent_process_name == "services.exe"] +''' +time = 7.71190619468689 +type = "sequence" + +[[queries]] +queryNo = 9 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [0, 18063] +filters = ['network where process_name == "services.exe"', 'process where parent_process_name == "services.exe"'] +query = ''' +sequence by hostname with maxspan=1s + [network where process_name == "services.exe"] + [process where parent_process_name == "services.exe"] +''' +time = 7.880767107009888 +type = "sequence" + +#[[queries]] +#queryNo = 10 +#case_insensitive = true +#count = 10 +#expected_event_ids = [3940731, 3940732, 3941991, 3941995, 3942330, 3942334, 3942862, 3942863, 3943079, 3943083, 3943496, 3943501, 3943887, 3943893, 3944253, 3944254, 3945063, 3945071, 3945287, 3945292] +#filter_counts = [64209, 56911] +#filters = [ +# 'network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)', +# 'security where hostname == "newyork" and event_id == 4624' +#] +#query = ''' +#sequence by hostname with maxspan=1m +# [network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address +# [security where hostname == "newyork" and event_id == 4624] by source_port, ip_address +#| tail 10 +#''' +#time = 11.688340187072754 +#type = "sequence" + +[[queries]] +queryNo = 11 +case_insensitive = true +count = 10 +expected_event_ids = [7440, 7447, 9514, 9525, 15795, 15799, 15996, 16007, 16025, 16032, 16026, 16033, 16027, 16034, 16138, 16141, 16186, 16190, 17595, 17596] +filter_counts = [64209, 56911] +filters = [ + 'network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)', + 'security where hostname == "newyork" and event_id == 4624' +] +query = ''' +sequence by hostname with maxspan=1m + [network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address + [security where hostname == "newyork" and event_id == 4624] by source_port, ip_address +| head 10 +''' +time = 11.312391519546509 +type = "sequence" + +[[queries]] +queryNo = 12 +case_insensitive = true +count = 11 +expected_event_ids = [2294841, 2294859, 2726535, 2726553, 2727759, 2727778, 2818590, 2818600, 2818608, 2818612, 2818609, 2818615, 2818610, 2818616, 2823235, 2823258, 2840855, 2840863, 2883850, 2883860, 3412418, 3412436] +filter_counts = [28612, 4325] +filters = [ + 'network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)', + 'security where hostname != "newyork" and event_id == 4624' +] +query = ''' +sequence by hostname with maxspan=1m + [network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address + [security where hostname != "newyork" and event_id == 4624] by source_port, ip_address +''' +time = 10.947543621063232 +type = "sequence" + +[[queries]] +queryNo = 13 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [28612, 6] +filters = [ + 'network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)', + 'security where hostname != "newyork" and event_id == 4625' +] +query = ''' +sequence by hostname with maxspan=1m + [network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address + [security where hostname != "newyork" and event_id == 4625] by source_port, ip_address +''' +time = 10.790051937103271 +type = "sequence" + +[[queries]] +queryNo = 14 +case_insensitive = true +count = 10 +expected_event_ids = [2294859, 2294908, 2726553, 2726804, 2727778, 2728887, 2818615, 2818696, 2818616, 2818697, 2818600, 2818698, 2818612, 2818699, 2840863, 2840951, 2883860, 2884007, 3412436, 3412605] +filter_counts = [4325, 28612] +filters = [ + 'security where hostname != "newyork" and event_id == 4624', + 'network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)' +] +query = ''' +sequence by hostname with maxspan=1m + [security where hostname != "newyork" and event_id == 4624] by source_port, ip_address + [network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address +''' +time = 5.669673919677734 +type = "sequence" + +[[queries]] +queryNo = 15 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [0, 28612] +filters = [ + 'security where hostname != "newyork" and event_id == 4625 and logon_type in (3, 10) and subject_logon_id != "0x0"', + 'network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)' +] +query = ''' +sequence by hostname with maxspan=1m + [security where hostname != "newyork" and event_id == 4625 + and logon_type in (3, 10) + and subject_logon_id != "0x0"] by source_port, ip_address + [network where hostname != "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address +''' +time = 4.042601823806763 +type = "sequence" + +[[queries]] +queryNo = 16 +case_insensitive = true +count = 10 +expected_event_ids = [2294574, 2294577, 2294613, 2294616, 2294636, 2294637, 2729536, 2729537, 2729661, 2729667, 2729683, 2729684, 2731764, 2731765, 2733260, 2733261, 2733324, 2733326, 2733347, 2733348] +filter_counts = [12, 78] +filters = [ + 'network where process_name == "mstsc.exe" and destination_port == 3389', + 'network where process_name == "svchost.exe" and destination_port == 3389' +] +query = ''' +sequence by source_address, source_port, destination_address, destination_port with maxspan=2s + [network where process_name == "mstsc.exe" and destination_port == 3389] + [network where process_name == "svchost.exe" and destination_port == 3389] +''' +time = 8.589568614959717 +type = "sequence" + +[[queries]] +queryNo = 17 +case_insensitive = true +count = 10 +expected_event_ids = [2294574, 2294577, 2294613, 2294616, 2294636, 2294637, 2729536, 2729537, 2729661, 2729667, 2729683, 2729684, 2731764, 2731765, 2733260, 2733261, 2733324, 2733326, 2733347, 2733348] +filter_counts = [12, 84944] +filters = ['network where process_name == "mstsc.exe"', 'network where process_name == "svchost.exe"'] +query = ''' +sequence by source_address, source_port, destination_address, destination_port with maxspan=2s + [network where process_name == "mstsc.exe"] + [network where process_name == "svchost.exe"] +''' +time = 7.901392698287964 +type = "sequence" + +[[queries]] +queryNo = 18 +case_insensitive = true +count = 10 +expected_event_ids = [2294574, 2294577, 2294613, 2294616, 2294636, 2294637, 2729536, 2729537, 2729661, 2729667, 2729683, 2729684, 2731764, 2731765, 2733260, 2733261, 2733324, 2733326, 2733347, 2733348] +filter_counts = [12, 78] +filters = [ + 'network where process_name == "mstsc.exe" and destination_port == 3389', + 'network where process_name == "svchost.exe" and destination_port == 3389' +] +query = ''' +sequence by source_address, source_port, destination_address, destination_port with maxspan=2s + [network where process_name == "mstsc.exe" and destination_port == 3389] + [network where process_name == "svchost.exe" and destination_port == 3389] +''' +time = 8.94772720336914 +type = "sequence" + +[[queries]] +queryNo = 19 +case_insensitive = true +count = 10 +expected_event_ids = [2294574, 2294577, 2294613, 2294616, 2294636, 2294637, 2729536, 2729537, 2729661, 2729667, 2729683, 2729684, 2731764, 2731765, 2733260, 2733261, 2733324, 2733326, 2733347, 2733348] +filter_counts = [12, 78] +filters = [ + 'network where process_name == "mstsc.exe" and destination_port == 3389', + 'network where process_name == "svchost.exe" and destination_port == 3389' +] +query = ''' +sequence by source_address, source_port, destination_address, destination_port with maxspan=2s + [network where process_name == "mstsc.exe" and destination_port == 3389] + [network where process_name == "svchost.exe" and destination_port == 3389] +''' +time = 8.767765998840332 +type = "sequence" + +[[queries]] +queryNo = 20 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [2, 35] +filters = [ + 'network where process_name == "powershell.exe" and destination_port == 135', + 'network where process_name == "svchost.exe" and source_port >= 49152 and destination_port >= 49152' +] +query = ''' +sequence by hostname, destination_address with maxspan=2s + [network where process_name == "powershell.exe" and destination_port == 135] + [network where process_name == "svchost.exe" and source_port >= 49152 and destination_port >= 49152] +''' +time = 8.5178701877594 +type = "sequence" + +[[queries]] +queryNo = 21 +case_insensitive = true +count = 1 +expected_event_ids = [3364186, 3364187] +filter_counts = [2, 2] +filters = [ + 'network where process_name == "powershell.exe" and destination_port == 135', + 'network where process_name == "powershell.exe" and source_port >= 49152 and destination_port >= 49152' +] +query = ''' +sequence by hostname, destination_address with maxspan=2s + [network where process_name == "powershell.exe" and destination_port == 135] + [network where process_name == "powershell.exe" and source_port >= 49152 and destination_port >= 49152] +''' +time = 8.480346441268921 +type = "sequence" + +[[queries]] +queryNo = 22 +case_insensitive = true +count = 1 +expected_event_ids = [3299718, 3364047] +filter_counts = [24, 3, 37] +filters = [ + 'process where process_name == "powershell.exe" and opcode == 1', + 'powershell where wildcard(message, "*Get-NetShare*") == true', + 'process where process_name == "powershell.exe" and opcode == 2' +] +query = ''' +sequence by hostname, unique_pid + [process where process_name == "powershell.exe" and opcode == 1] + [powershell where wildcard(message, "*Get-NetShare*") == true] +until + [process where process_name == "powershell.exe" and opcode == 2] +''' +time = 2.519618511199951 +type = "sequence" + +[[queries]] +queryNo = 23 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [6, 6, 6, 6] +filters = [ + 'security where hostname != "newyork" and event_id == 4625', + 'security where hostname != "newyork" and event_id == 4625', + 'security where hostname != "newyork" and event_id == 4625', + 'security where hostname != "newyork" and event_id == 4625' +] +query = ''' +sequence by source_address, hostname with maxspan=5s + [security where hostname != "newyork" and event_id == 4625] + [security where hostname != "newyork" and event_id == 4625] + [security where hostname != "newyork" and event_id == 4625] + [security where hostname != "newyork" and event_id == 4625] +''' +time = 2.8286166191101074 +type = "sequence" + +[[queries]] +queryNo = 24 +case_insensitive = true +count = 1 +expected_event_ids = [2860083, 2860090, 2860098] +filter_counts = [6, 6, 6] +filters = [ + 'security where hostname != "newyork" and event_id == 4625', + 'security where hostname != "newyork" and event_id == 4625', + 'security where hostname != "newyork" and event_id == 4625' +] +query = ''' +sequence by source_address, hostname with maxspan=10s + [security where hostname != "newyork" and event_id == 4625] + [security where hostname != "newyork" and event_id == 4625] + [security where hostname != "newyork" and event_id == 4625] +''' +time = 2.765869617462158 +type = "sequence" + +[[queries]] +queryNo = 25 +case_insensitive = true +count = 0 +expected_event_ids = [] +filter_counts = [9562, 124] +filters = ['file where (file_extension == "exe" or file_extension == "EXE" or file_extension == "Exe")', 'process where opcode == 1 and signature_status == "noSignature"'] +query = ''' +sequence by hostname with maxspan=10s + [file where (file_extension == "exe" or file_extension == "EXE" or file_extension == "Exe")] by process_path, unique_pid + [process where opcode == 1 and signature_status == "noSignature"] by parent_process_path, unique_ppid +''' +time = 8.545618057250977 +type = "sequence" + +[[queries]] +queryNo = 26 +case_insensitive = true +count = 1 +expected_event_ids = [2732749, 2732788] +filter_counts = [89, 1] +filters = [ + '''file where file_extension in ("exe", "EXE", "Exe", "scr") and (startsWith(file_path, "C:\\Users") or startsWith(file_path, "C:\\ProgramData")) and file_name != "DismHost.exe"''', + '''process where opcode == 1 and signature_status == "noSignature" and (startsWith(process_path, "C:\\Users") or startsWith(process_path, "C:\\ProgramData"))''' +] +query = ''' +sequence by hostname with maxspan=5m + [file where file_extension in ("exe", "EXE", "Exe", "scr") + and (startsWith(file_path, "C:\\Users") or startsWith(file_path, "C:\\ProgramData")) + and file_name != "DismHost.exe" + ] by process_path, unique_pid + [process where opcode == 1 and signature_status == "noSignature" + and (startsWith(process_path, "C:\\Users") or startsWith(process_path, "C:\\ProgramData")) + ] by parent_process_path, unique_ppid +''' +time = 7.217672109603882 +type = "sequence" + +[[queries]] +queryNo = 27 +case_insensitive = true +count = 1 +expected_event_ids = [2732749, 2732788] +filter_counts = [89, 1] +filters = [ + '''file where file_extension in ("exe", "EXE", "Exe", "scr") and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*") and file_name != "DismHost.exe"''', + '''process where opcode == 1 and signature_status == "noSignature" and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*")''' +] +query = ''' +sequence by hostname with maxspan=5m + [file where file_extension in ("exe", "EXE", "Exe", "scr") + and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*") + and file_name != "DismHost.exe" + ] by process_path + [process where opcode == 1 and signature_status == "noSignature" + and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*") + ] by parent_process_path +''' +time = 7.179757833480835 +type = "sequence" + +#[[queries]] +#queryNo = 28 +#case_insensitive = true +#count = 1 +#expected_event_ids = [3299718, 3364047] +#filter_counts = [24, 3, 37] +#filters = [ +# 'process where process_name == "powershell.exe" and opcode == 1', +# 'powershell where message == "*Get-NetShare*"', +# 'process where process_name == "powershell.exe" and opcode == 2' +#] +#query = """ +#sequence by hostname, pid +# [process where process_name == "powershell.exe" and opcode == 1] +# [powershell where message == "*Get-NetShare*"] +#until +# [process where process_name == "powershell.exe" and opcode == 2] +#""" +#time = 2.123962879180908 +#type = "sequence" +# +#[[queries]] +#queryNo = 29 +#case_insensitive = true +#count = 1823 +#expected_event_ids = [15830, 15831, 16224, 16225, 19287, 19288, 20441, 20442, 21142, 21143, 25417, 25418, 25950, 25951, 29536, 29537, 30405, 30406, 32403, 32404, 33172, 33173, 33967, 33968, 39377, 39378, 39716, 39717, 43268, 43269, 43824, 43825, 45508, 45509, 46089, 46090, 46529, 46530, 51674, 51675, 51888, 51889, 55264, 55265, 56141, 56142, 57908, 57909, 58230, 58231, 58750, 58751, 63042, 63043, 63137, 63138, 66696, 66697, 67713, 67714, 69531, 69532, 69761, 69762, 70295, 70296, 74491, 74492, 74594, 74595, 78126, 78127, 79333, 79334, 81171, 81172, 81246, 81247, 81914, 81915, 86253, 86254, 86753, 86754, 89689, 89690, 91860, 91865, 94186, 94187, 94451, 94452, 94777, 94778, 99303, 99304, 99716, 99717, 102661, 102662, 104322, 104323, 106507, 106508, 106862, 106863, 107024, 107025, 111244, 111245, 111885, 111886, 114295, 114296, 116422, 116423, 117509, 117510, 117981, 117982, 118024, 118025, 122618, 122619, 124594, 124595, 126985, 126986, 129421, 129422, 130309, 130310, 131018, 131019, 131252, 131253, 135561, 135562, 136659, 136660, 139584, 139585, 143571, 143572, 144658, 144659, 145594, 145595, 146233, 146234, 151538, 151539, 152778, 152779, 154701, 154702, 157134, 157136, 157592, 157593, 158117, 158118, 158675, 158676, 162781, 162782, 164152, 164153, 166053, 166054, 168817, 168818, 169143, 169144, 169654, 169655, 170353, 170354, 174565, 174566, 177093, 177094, 179814, 179815, 183115, 183116, 183310, 183311, 183801, 183802, 184748, 184749, 189501, 189502, 191080, 191081, 192345, 192346, 195317, 195318, 195376, 195377, 195837, 195838, 196794, 196795, 200341, 200342, 202036, 202037, 203203, 203204, 208363, 208364, 208644, 208645, 208885, 208886, 210082, 210083, 213481, 213482, 215335, 215336, 216422, 216423, 221394, 221395, 221891, 221892, 221945, 221946, 223180, 223181, 226452, 226453, 228599, 228600, 229680, 229681, 232906, 232907, 233353, 233354, 233573, 233574, 234840, 234841, 237941, 237942, 240351, 240352, 241129, 241130, 244218, 244219, 244732, 244733, 245176, 245177, 246549, 246550, 249754, 249755, 251940, 251941, 252758, 252759, 255855, 255856, 256399, 256400, 257003, 257004, 258275, 258276, 261189, 261190, 263519, 263520, 263883, 263884, 267126, 267127, 267530, 267531, 268447, 268448, 269654, 269655, 272657, 272658, 276340, 276341, 276515, 276516, 281093, 281094, 281509, 281510, 282969, 282970, 284363, 284364, 287551, 287552, 290961, 290962, 291065, 291066, 294622, 294623, 294971, 294972, 296234, 296235, 297287, 297288, 299819, 299820, 302558, 302559, 302755, 302756, 305655, 305656, 306013, 306014, 307448, 307449, 308681, 308682, 311156, 311157, 313848, 313849, 314250, 314251, 316957, 316958, 317295, 317296, 318875, 318876, 320190, 320191, 322389, 322390, 325662, 325663, 326470, 326471, 327902, 327905, 329040, 329041, 329290, 329291, 331044, 331045, 332241, 332242, 334594, 334595, 337411, 337412, 338071, 338072, 339140, 339143, 339177, 339182, 339181, 339185, 339265, 339268, 339333, 339336, 339357, 339360, 343120, 343121, 343904, 343905, 352053, 352054, 353349, 353350, 355023, 355024, 357208, 357209, 359242, 359243, 361309, 361310, 361592, 361593, 363378, 363379, 364607, 364608, 365956, 365957, 368705, 368706, 369514, 369515, 371375, 371376, 371579, 371580, 373779, 373780, 375038, 375039, 376016, 376017, 380471, 380472, 381644, 381645, 383285, 383286, 383505, 383506, 385725, 385726, 386884, 386885, 387724, 387725, 389853, 389854, 391165, 391166, 392958, 392959, 393209, 393210, 395714, 395715, 396662, 396663, 397470, 397471, 399762, 399763, 401030, 401031, 402465, 402466, 402669, 402670, 405010, 405011, 405875, 405876, 406650, 406651, 410772, 410773, 411999, 412000, 413243, 413244, 413520, 413521, 416315, 416316, 416973, 416974, 417786, 417787, 421517, 421518, 422874, 422875, 424060, 424061, 424428, 424429, 427779, 427780, 428408, 428409, 429353, 429354, 432686, 432687, 435423, 435424, 437032, 437033, 437181, 437182, 440234, 440235, 440868, 440869, 441388, 441389, 443391, 443392, 445004, 445005, 446324, 446325, 446454, 446455, 449459, 449460, 449986, 449987, 450462, 450463, 452701, 452702, 454539, 454540, 455858, 455859, 456028, 456029, 461506, 461507, 462126, 462127, 462509, 462510, 464897, 464898, 467505, 467506, 468675, 468676, 468835, 468836, 472893, 472894, 473468, 473469, 473660, 473661, 475799, 475800, 477773, 477774, 478621, 478622, 478701, 478702, 482142, 482143, 482644, 482645, 482755, 482756, 484633, 484634, 486812, 486813, 487382, 487383, 487515, 487516, 491161, 491162, 491571, 491572, 491617, 491618, 493782, 493783, 496144, 496145, 496542, 496543, 496657, 496658, 500422, 500423, 500836, 500837, 500955, 500956, 503219, 503220, 505635, 505636, 505953, 505954, 506043, 506044, 510449, 510450, 510656, 510657, 510918, 510919, 512808, 512809, 515591, 515592, 515811, 515812, 515904, 515905, 520069, 520070, 520154, 520155, 520557, 520558, 522377, 522378, 525081, 525082, 525210, 525211, 525268, 525269, 529503, 529504, 529596, 529597, 529974, 529975, 531410, 531411, 534335, 534336, 534352, 534353, 534421, 534422, 539725, 539726, 539972, 539973, 540278, 540279, 541853, 541854, 545019, 545020, 545059, 545060, 545322, 545323, 554569, 554570, 554915, 554916, 555216, 555217, 556643, 556644, 559468, 559469, 559553, 559554, 559836, 559837, 563602, 563603, 564099, 564100, 564519, 564520, 565978, 565979, 568730, 568731, 568752, 568753, 569154, 569155, 572732, 572733, 573441, 573442, 573673, 573674, 574891, 574892, 577768, 577769, 577867, 577868, 578342, 578343, 582367, 582368, 583113, 583114, 583371, 583372, 584374, 584375, 587093, 587094, 587175, 587176, 587889, 587890, 591290, 591291, 592503, 592504, 592692, 592693, 593755, 593756, 596732, 596733, 596881, 596882, 597756, 597757, 602192, 602193, 603143, 603144, 603301, 603302, 604103, 604104, 606717, 606718, 606889, 606890, 608009, 608010, 611366, 611367, 612710, 612711, 612803, 612804, 613546, 613547, 616301, 616302, 616466, 616467, 617744, 617745, 620839, 620840, 622092, 622093, 622099, 622100, 622775, 622776, 625467, 625468, 625683, 625684, 627072, 627073, 629955, 629956, 631307, 631308, 631313, 631314, 631892, 631893, 634512, 634513, 634983, 634987, 636479, 636480, 639071, 639072, 640553, 640554, 640611, 640612, 641011, 641012, 643640, 643641, 644023, 644024, 645803, 645804, 648027, 648028, 649630, 649631, 649718, 649719, 649937, 649938, 653637, 653638, 654047, 654048, 656083, 656084, 658297, 658298, 660028, 660029, 660143, 660144, 660223, 660224, 663671, 663672, 664068, 664069, 668249, 668250, 671073, 671074, 673385, 673386, 673407, 673408, 673546, 673547, 676791, 676792, 677131, 677132, 679335, 679336, 682039, 682040, 684029, 684030, 684182, 684183, 684352, 684353, 686921, 686922, 687247, 687248, 689561, 689562, 691387, 691388, 693293, 693294, 693631, 693632, 693845, 693846, 696487, 696488, 696921, 696922, 700518, 700519, 702156, 702157, 704765, 704766, 705173, 705174, 705466, 705467, 707782, 707783, 708461, 708462, 711606, 711607, 713194, 713195, 714981, 714982, 715635, 715636, 715869, 715870, 717905, 717906, 718409, 718410, 720664, 720665, 722155, 722156, 723879, 723880, 724633, 724634, 724854, 724855, 726889, 726891, 727415, 727416, 729976, 729977, 731237, 731238, 733251, 733252, 734130, 734131, 734385, 734386, 736204, 736205, 736713, 736714, 739984, 739985, 741082, 741083, 742719, 742720, 743786, 743787, 744221, 744222, 745932, 745933, 746443, 746444, 749263, 749264, 750366, 750367, 752008, 752009, 753080, 753081, 753495, 753496, 755035, 755036, 755389, 755390, 758410, 758411, 759397, 759398, 761121, 761122, 762405, 762406, 762769, 762770, 764477, 764478, 764868, 764869, 767938, 767939, 768782, 768783, 770685, 770686, 771814, 771815, 772171, 772172, 774130, 774131, 774586, 774587, 778045, 778046, 779049, 779050, 781044, 781045, 782403, 782404, 782884, 782885, 784186, 784187, 784553, 784554, 787718, 787719, 788267, 788268, 790073, 790074, 791681, 791682, 792183, 792184, 793395, 793396, 793609, 793610, 796939, 796940, 797327, 797328, 799358, 799359, 801219, 801220, 801618, 801619, 802589, 802590, 802812, 802813, 806332, 806333, 806530, 806531, 808565, 808566, 810398, 810399, 811011, 811012, 811758, 811759, 811974, 811975, 815970, 815971, 815976, 815977, 817897, 817898, 819710, 819711, 820311, 820312, 820897, 820898, 821050, 821051, 825408, 825409, 825575, 825576, 827401, 827402, 829578, 829579, 830163, 830164, 830465, 830466, 830634, 830635, 839215, 839216, 839470, 839471, 841079, 841080, 843454, 843455, 844225, 844226, 844421, 844422, 844630, 844631, 848626, 848627, 849110, 849111, 850569, 850570, 853303, 853304, 854019, 854020, 854075, 854076, 854370, 854371, 858379, 858380, 858937, 858938, 860282, 860283, 863102, 863103, 863640, 863641, 863775, 863776, 863848, 863849, 867887, 867888, 868631, 868632, 869941, 869942, 872433, 872434, 872878, 872879, 873045, 873046, 873366, 873367, 877089, 877090, 877821, 877822, 878977, 878978, 881738, 881739, 882018, 882019, 882201, 882202, 882571, 882572, 885994, 885995, 887024, 887025, 888006, 888007, 890861, 890862, 891109, 891110, 891235, 891236, 891760, 891761, 895148, 895149, 896785, 896786, 897867, 897868, 990560, 990561, 990684, 990685, 990788, 990789, 991639, 991640, 996646, 996648, 996651, 996652, 996839, 996844, 996847, 996848, 996972, 996973, 1009871, 1009872, 1010948, 1010949, 1014928, 1014929, 1014991, 1014992, 1015064, 1015065, 1015868, 1015869, 1016528, 1016529, 1021078, 1021079, 1022103, 1022104, 1026119, 1026120, 1026205, 1026206, 1026299, 1026300, 1027555, 1027556, 1027971, 1027972, 1033757, 1033758, 1034398, 1034399, 1038572, 1038573, 1038653, 1038654, 1038909, 1038910, 1040904, 1040905, 1041026, 1041027, 1046911, 1046912, 1047385, 1047386, 1052466, 1052467, 1052500, 1052501, 1052961, 1052962, 1054026, 1054027, 1054143, 1054144, 1059142, 1059143, 1059463, 1059464, 1062680, 1062681, 1062698, 1062699, 1063245, 1063246, 1064115, 1064116, 1064516, 1064517, 1069462, 1069463, 1069602, 1069603, 1072660, 1072661, 1072694, 1072695, 1073393, 1073394, 1074029, 1074030, 1074554, 1074555, 1079990, 1079991, 1080074, 1080075, 1083598, 1083599, 1083604, 1083605, 1084645, 1084646, 1085164, 1085165, 1085783, 1085784, 1093966, 1093967, 1094379, 1094380, 1097330, 1097331, 1097354, 1097355, 1098485, 1098486, 1098911, 1098912, 1099852, 1099853, 1104535, 1104536, 1105054, 1105055, 1107744, 1107745, 1107776, 1107777, 1108921, 1108922, 1109306, 1109307, 1110311, 1110312, 1115084, 1115085, 1115768, 1115769, 1118048, 1118049, 1118088, 1118089, 1119423, 1119424, 1119532, 1119533, 1120917, 1120918, 1209358, 1209359, 1215713, 1215714, 1218051, 1218052, 1218121, 1218122, 1219625, 1219626, 1219702, 1219703, 1221446, 1221447, 1225646, 1225647, 1227111, 1227112, 1229226, 1229227, 1229278, 1229279, 1230635, 1230636, 1230890, 1230891, 1232248, 1232249, 1236173, 1236174, 1237347, 1237348, 1239243, 1239244, 1239295, 1239296, 1240621, 1240622, 1241002, 1241003, 1242326, 1242327, 1246402, 1246403, 1247613, 1247614, 1249257, 1249258, 1249273, 1249274, 1250594, 1250595, 1251101, 1251102, 1252480, 1252481, 1256578, 1256579, 1258051, 1258052, 1259741, 1259742, 1259777, 1259778, 1260920, 1260921, 1261539, 1261540, 1262873, 1262874, 1266863, 1266864, 1268387, 1268388, 1270215, 1270216, 1270245, 1270246, 1271527, 1271528, 1272498, 1272499, 1278187, 1278189, 1278197, 1278198, 1278204, 1278205, 1278208, 1278209, 1278313, 1278314, 1278918, 1278919, 1288922, 1288923, 1291098, 1291099, 1292606, 1292607, 1293982, 1293983, 1297116, 1297117, 1301785, 1301786, 1302462, 1302463, 1306308, 1306309, 1308523, 1308524, 1310109, 1310110, 1311450, 1311451, 1312665, 1312666, 1313744, 1313745, 1314731, 1314732, 1318325, 1318326, 1321374, 1321375, 1322569, 1322570, 1323741, 1323742, 1325022, 1325023, 1325879, 1325880, 1327088, 1327089, 1330378, 1330379, 1332833, 1332834, 1333843, 1333844, 1335254, 1335255, 1336736, 1336737, 1337421, 1337422, 1338987, 1338988, 1343248, 1343249, 1345666, 1345667, 1346545, 1346546, 1347818, 1347819, 1349351, 1349352, 1349731, 1349732, 1351487, 1351488, 1354505, 1354506, 1357197, 1357198, 1357965, 1357966, 1359394, 1359395, 1361157, 1361158, 1361339, 1361340, 1363215, 1363216, 1366060, 1366061, 1370247, 1370248, 1371271, 1371272, 1373504, 1373505, 1377157, 1377158, 1377189, 1377190, 1380224, 1380225, 1385496, 1385497, 1391430, 1391431, 1391962, 1391963, 1393391, 1393392, 1396167, 1396168, 1396465, 1396466, 1398788, 1398789, 1401903, 1401904, 1405834, 1405835, 1406078, 1406079, 1407344, 1407345, 1409429, 1409430, 1410390, 1410391, 1412470, 1412471, 1415223, 1415224, 1419262, 1419263, 1419342, 1419343, 1421411, 1421412, 1423608, 1423609, 1425794, 1425795, 1428900, 1428901, 1431550, 1431551, 1437424, 1437425, 1437699, 1437700, 1438789, 1438790, 1440882, 1440883, 1443483, 1443484, 1447916, 1447917, 1449902, 1449903, 1453863, 1453864, 1454266, 1454267, 1455012, 1455013, 1457253, 1457254, 1458580, 1458581, 1462408, 1462409, 1464147, 1464148, 1468377, 1468378, 1468887, 1468888, 1469523, 1469524, 1471955, 1471956, 1473138, 1473139, 1475774, 1475775, 1477301, 1477302, 1481502, 1481503, 1482267, 1482268, 1482672, 1482673, 1485129, 1485130, 1486956, 1486957, 1489611, 1489612, 1490688, 1490689, 1494739, 1494740, 1495728, 1495729, 1495937, 1495938, 1498152, 1498153, 1499725, 1499726, 1502623, 1502624, 1503323, 1503324, 1507733, 1507734, 1509166, 1509167, 1509196, 1509197, 1511453, 1511454, 1513385, 1513386, 1516965, 1516966, 1517351, 1517352, 1521412, 1521413, 1522484, 1522485, 1523021, 1523022, 1524739, 1524740, 1527052, 1527053, 1529880, 1529881, 1530165, 1530166, 1534607, 1534608, 1535829, 1535830, 1536361, 1536362, 1539099, 1539100, 1541895, 1541896, 1544770, 1544771, 1544924, 1544925, 1549602, 1549603, 1550921, 1550922, 1551595, 1551596, 1552943, 1552944, 1555977, 1555978, 1558563, 1558564, 1558877, 1558878, 1562920, 1562921, 1564525, 1564526, 1566940, 1566941, 1567991, 1567992, 1571336, 1571337, 1573673, 1573674, 1574184, 1574185, 1578301, 1578302, 1580097, 1580098, 1581327, 1581328, 1582079, 1582080, 1585771, 1585772, 1587739, 1587740, 1588445, 1588446, 1591952, 1591953, 1593257, 1593258, 1594631, 1594632, 1595221, 1595222, 1598713, 1598714, 1600821, 1600822, 1602094, 1602095, 1605313, 1605314, 1606467, 1606468, 1607894, 1607895, 1608341, 1608342, 1612086, 1612087, 1613862, 1613863, 1615223, 1615224, 1618287, 1618288, 1619485, 1619486, 1621902, 1621903, 1622188, 1622189, 1626219, 1626220, 1627477, 1627478, 1629044, 1629045, 1632171, 1632172, 1633115, 1633116, 1634890, 1634891, 1634908, 1634909, 1639020, 1639021, 1640186, 1640187, 1642032, 1642033, 1644952, 1644953, 1646058, 1646059, 1647969, 1647970, 1648161, 1648162, 1652734, 1652735, 1653763, 1653764, 1657525, 1657526, 1660195, 1660198, 1661247, 1661248, 1662715, 1662716, 1663123, 1663124, 1667273, 1667274, 1668135, 1668136, 1670319, 1670320, 1673197, 1673198, 1674307, 1674308, 1675691, 1675692, 1676384, 1676385, 1681824, 1681825, 1682549, 1682550, 1684761, 1684762, 1687243, 1687244, 1688307, 1688308, 1689750, 1689751, 1690474, 1690475, 1694869, 1694870, 1695566, 1695567, 1697971, 1697972, 1700210, 1700211, 1701774, 1701775, 1703262, 1703263, 1704418, 1704419, 1708147, 1708148, 1708698, 1708699, 1711841, 1711842, 1713911, 1713912, 1715033, 1715034, 1716791, 1716792, 1718795, 1718796, 1723745, 1723746, 1723888, 1723889, 1727294, 1727295, 1729405, 1729406, 1730603, 1730604, 1732105, 1732106, 1733966, 1733967, 1737661, 1737662, 1737764, 1737765, 1740540, 1740541, 1742549, 1742550, 1743415, 1743416, 1744685, 1744686, 1747082, 1747083, 1750508, 1750509, 1750773, 1750774, 1754238, 1754239, 1755760, 1755761, 1756610, 1756611, 1758638, 1758639, 1761340, 1761341, 1766124, 1766125, 1766656, 1766657, 1770486, 1770487, 1772599, 1772600, 1773409, 1773410, 1774889, 1774890, 1778344, 1778345, 1781762, 1781763, 1782324, 1782325, 1790835, 1790836, 1792056, 1792057, 1792833, 1792834, 1794160, 1794161, 1797171, 1797172, 1799577, 1799578, 1800259, 1800260, 1803694, 1803695, 1804595, 1804596, 1806493, 1806494, 1808148, 1808149, 1811297, 1811300, 1813719, 1813720, 1814640, 1814641, 1819073, 1819074, 1819562, 1819563, 1820232, 1820233, 1821815, 1821816, 1825108, 1825109, 1827419, 1827420, 1828494, 1828495, 1832121, 1832122, 1832487, 1832488, 1833214, 1833215, 1834810, 1834811, 1838436, 1838437, 1840588, 1840589, 1842039, 1842040, 1845898, 1845899, 1845991, 1845992, 1846642, 1846643, 1848933, 1848934, 1852434, 1852435, 1854349, 1854350, 1855763, 1855764, 1859288, 1859289, 1859456, 1859457, 1860082, 1860083, 1861956, 1861957, 1865892, 1865894, 1867276, 1867277, 1868784, 1868785, 1873124, 1873125, 1873439, 1873440, 1873825, 1873826, 1875550, 1875551, 1880277, 1880278, 1881417, 1881418, 1883213, 1883214, 1886662, 1886663, 1887192, 1887193, 1887389, 1887390, 1889073, 1889074, 1893629, 1893630, 1894553, 1894554, 1896948, 1896949, 1900210, 1900211, 1900808, 1900809, 1900949, 1900950, 1902639, 1902640, 1906938, 1906939, 1908160, 1908161, 1913125, 1913126, 1915874, 1915875, 1916596, 1916597, 1916916, 1916917, 1918381, 1918382, 1923011, 1923012, 1923659, 1923660, 1926285, 1926286, 1929032, 1929033, 1929666, 1929667, 1930543, 1930544, 1931581, 1931582, 1936259, 1936260, 1936762, 1936763, 1939290, 1939291, 1942033, 1942034, 1942585, 1942586, 1943975, 1943976, 1944863, 1944864, 1950244, 1950245, 1950628, 1950629, 1953494, 1953495, 1955716, 1955717, 1956293, 1956294, 1957677, 1957678, 1958291, 1958292, 1963269, 1963270, 1963446, 1963447, 1966534, 1966535, 1968583, 1968584, 1969426, 1969427, 1970768, 1970769, 1971313, 1971314, 1976388, 1976389, 1976580, 1976581, 1979882, 1979883, 1981508, 1981509, 1982271, 1982272, 1983987, 1983988, 1984021, 1984022, 1989037, 1989038, 1989420, 1989421, 1992777, 1992778, 1994275, 1994276, 1995294, 1995295, 1997117, 1997118, 1997586, 1997587, 2002421, 2002422, 2002987, 2002988, 2006237, 2006238, 2008789, 2008790, 2009808, 2009809, 2011260, 2011261, 2011780, 2011781, 2016221, 2016222, 2017163, 2017164, 2020102, 2020103, 2021619, 2021620, 2022324, 2022325, 2023924, 2023925, 2024617, 2024618, 2029101, 2029102, 2030137, 2030138, 2033186, 2033187, 2035036, 2035037, 2035550, 2035551, 2037061, 2037062, 2037951, 2037952, 2042630, 2042631, 2043892, 2043893, 2047829, 2047830, 2049573, 2049574, 2050258, 2050259, 2052532, 2052533, 2054021, 2054022, 2058413, 2058414, 2060171, 2060172, 2062926, 2062927, 2064269, 2064270, 2064741, 2064742, 2066242, 2066243, 2067664, 2067665, 2071311, 2071312, 2072899, 2072900, 2075925, 2075926, 2076932, 2076933, 2077357, 2077358, 2078810, 2078811, 2080653, 2080654, 2085023, 2085024, 2088015, 2088016, 2091236, 2091237, 2091760, 2091761, 2092163, 2092164, 2094587, 2094588, 2096948, 2096949, 2101486, 2101487, 2103735, 2103736, 2106946, 2106947, 2107505, 2107506, 2107967, 2107968, 2109262, 2109263, 2111520, 2111521, 2114942, 2114943, 2116976, 2116977, 2120043, 2120044, 2120374, 2120375, 2120869, 2120870, 2122248, 2122249, 2124685, 2124686, 2127716, 2127717, 2130372, 2130373, 2133385, 2133386, 2133703, 2133704, 2134128, 2134138, 2135482, 2135483, 2138753, 2138754, 2141748, 2141749, 2144067, 2144068, 2147204, 2147205, 2147359, 2147360, 2147588, 2147589, 2149147, 2149148, 2152068, 2152069, 2155022, 2155023, 2158744, 2158745, 2161998, 2161999, 2162004, 2162005, 2162560, 2162561, 2163637, 2163638, 2167394, 2167395, 2169704, 2169705, 2173054, 2173055, 2176437, 2176438, 2176630, 2176631, 2176755, 2176756, 2177835, 2177836, 2181244, 2181245, 2183312, 2183313, 2186154, 2186155, 2189064, 2189065, 2189327, 2189328, 2189552, 2189553, 2190635, 2190636, 2194239, 2194240, 2197465, 2197466, 2200741, 2200742, 2203775, 2203776, 2204503, 2204504, 2204830, 2204831, 2205685, 2205686, 2210406, 2210407, 2212163, 2212164, 2216314, 2216315, 2218508, 2218509, 2218819, 2218820, 2219299, 2219300, 2219898, 2219899, 2224073, 2224074, 2225434, 2225435, 2229820, 2229821, 2231591, 2231592, 2231882, 2231883, 2232694, 2232695, 2233332, 2233333, 2237450, 2237451, 2238588, 2238590, 2242930, 2242931, 2244643, 2244644, 2245010, 2245011, 2245945, 2245946, 2246367, 2246368, 2251023, 2251024, 2252324, 2252325, 2256423, 2256424, 2257914, 2257915, 2258216, 2258217, 2259636, 2259637, 2259665, 2259666, 2265612, 2265613, 2266860, 2266861, 2272738, 2272739, 2274030, 2274031, 2274628, 2274629, 2275831, 2275832, 2276043, 2276044, 2280314, 2280315, 2281503, 2281504, 2281509, 2281510, 2281717, 2281718, 2281719, 2281720, 2281955, 2281956, 2283364, 2283366, 2289368, 2289370, 2293031, 2293036, 2293039, 2293040, 2293409, 2293410, 2294303, 2294309, 2295775, 2295776, 2297289, 2297290, 2298525, 2298528, 2300841, 2300842, 2300843, 2300846, 2301055, 2301056, 2301253, 2301254, 2307629, 2307630, 2309865, 2309866, 2312740, 2312741, 2312744, 2312745, 2313470, 2313471, 2314695, 2314696, 2315154, 2315155, 2316025, 2316026, 2319551, 2319552, 2326314, 2326315, 2326758, 2326759, 2334392, 2334393, 2336248, 2336249, 2336301, 2336302, 2336907, 2336908, 2340612, 2340613, 2341869, 2341870, 2341870, 2341871, 2341871, 2341872, 2341872, 2341873, 2341989, 2341990, 2341990, 2341991, 2341991, 2341992, 2341992, 2341993, 2342005, 2342011, 2343422, 2343423, 2343423, 2343424, 2343424, 2343425, 2343425, 2343426, 2343694, 2343695, 2343695, 2343696, 2343696, 2343697, 2343697, 2343698, 2343739, 2343740, 2343740, 2343741, 2343741, 2343742, 2343742, 2343743, 2344015, 2344016, 2344016, 2344017, 2344017, 2344018, 2344018, 2344019, 2344034, 2344040, 2344933, 2344934, 2344976, 2344977, 2352849, 2352850, 2354594, 2354595, 2354820, 2354821, 2355758, 2355760, 2357417, 2357418, 2361361, 2361362, 2361617, 2361618, 2367629, 2367630, 2369216, 2369217, 2369544, 2369545, 2370283, 2370284, 2371910, 2371911, 2375881, 2375882, 2376417, 2376418, 2381861, 2381862, 2383494, 2383495, 2384108, 2384109, 2384769, 2384770, 2386059, 2386060, 2389869, 2389870, 2390796, 2390797, 2395962, 2395963, 2397578, 2397579, 2398306, 2398307, 2399147, 2399148, 2400516, 2400517, 2405655, 2405656, 2406739, 2406740, 2411755, 2411756, 2414081, 2414082, 2415168, 2415169, 2416329, 2416330, 2417020, 2417021, 2427718, 2427723, 2427728, 2427729, 2427724, 2427730, 2427737, 2427740, 2428888, 2428889, 2428890, 2428893, 2429125, 2429130, 2429134, 2429135, 2429162, 2429163, 2429175, 2429178, 2429202, 2429203, 2429204, 2429205, 2429236, 2429237, 2429238, 2429240, 2429527, 2429528, 2429808, 2429809, 2429837, 2429839, 2429896, 2429898, 2429902, 2429903, 2429920, 2429921, 2430192, 2430193, 2441597, 2441599, 2441604, 2441610, 2442229, 2442230, 2442583, 2442584, 2442585, 2442589, 2442739, 2442740, 2442744, 2442745, 2442746, 2442747, 2442750, 2442752, 2442807, 2442808, 2442961, 2442962, 2442995, 2442996, 2443020, 2443021, 2443024, 2443026, 2443072, 2443073, 2443123, 2443124, 2443437, 2443440, 2470017, 2470018, 2470158, 2470159, 2470216, 2470217, 2470241, 2470246, 2470310, 2470311, 2470384, 2470385, 2470589, 2470591, 2488124, 2488125, 2488184, 2488185, 2488367, 2488368, 2488487, 2488488, 2488570, 2488571, 2488688, 2488694, 2489757, 2489758, 2507940, 2507941, 2508015, 2508016, 2508304, 2508305, 2508366, 2508367, 2508404, 2508405, 2508579, 2508580, 2509120, 2509121, 2528991, 2528992, 2529023, 2529024, 2529318, 2529319, 2529364, 2529365, 2529457, 2529458, 2529598, 2529599, 2529828, 2529829, 2546869, 2546870, 2546871, 2546872, 2547167, 2547168, 2547204, 2547205, 2547291, 2547292, 2547502, 2547503, 2547725, 2547726, 2564671, 2564672, 2564747, 2564748, 2565035, 2565036, 2565134, 2565135, 2565175, 2565176, 2565377, 2565378, 2565620, 2565621, 2582402, 2582403, 2582540, 2582541, 2582746, 2582747, 2582891, 2582892, 2582930, 2582931, 2583148, 2583149, 2583381, 2583382, 2600620, 2600621, 2600790, 2600791, 2600963, 2600964, 2601119, 2601120, 2601181, 2601182, 2601431, 2601432, 2601649, 2601650, 2620112, 2620113, 2620351, 2620352, 2620412, 2620413, 2620598, 2620599, 2620654, 2620655, 2620970, 2620971, 2621179, 2621180, 2639705, 2639706, 2639996, 2639997, 2640026, 2640027, 2640313, 2640314, 2640376, 2640377, 2640787, 2640793, 2641006, 2641007, 2659635, 2659636, 2659964, 2659965, 2659971, 2659972, 2660218, 2660219, 2660397, 2660398, 2660794, 2660795, 2660982, 2660983, 2702344, 2702345, 2702539, 2702540, 2702670, 2702671, 2702696, 2702697, 2703180, 2703181, 2707378, 2707381, 2708591, 2708602, 2721044, 2721045, 2721294, 2721295, 2721424, 2721425, 2721508, 2721509, 2721532, 2721533, 2721871, 2721872, 2722735, 2722736, 2727251, 2727252, 2728032, 2728036, 2740115, 2740125, 2740130, 2740136, 2745206, 2745207, 2745449, 2745450, 2745653, 2745654, 2745680, 2745681, 2745952, 2745953, 2746095, 2746096, 2747205, 2747206, 2754752, 2754789, 2754790, 2754808, 2761485, 2761486, 2761944, 2761945, 2762173, 2762174, 2762203, 2762204, 2762686, 2762687, 2762767, 2762768, 2764214, 2764215, 2778577, 2778578, 2778800, 2778801, 2779055, 2779056, 2779093, 2779094, 2779743, 2779744, 2779953, 2779954, 2781205, 2781206, 2794986, 2794987, 2795231, 2795232, 2795530, 2795532, 2795606, 2795607, 2796126, 2796127, 2796606, 2796607, 2797998, 2797999, 2816265, 2816266, 2817618, 2817619, 2818053, 2818054, 2818150, 2818151, 2818751, 2818752, 2819314, 2819315, 2821684, 2821685, 2832455, 2832546, 2836925, 2836926, 2836929, 2836930, 2836973, 2836974, 2837249, 2837250, 2837514, 2837515, 2838172, 2838173, 2838355, 2838356, 2838864, 2838865, 2839638, 2839639, 2842411, 2842412, 2842417, 2842420, 2842423, 2842424, 2842425, 2842426, 2842427, 2842428, 2857771, 2857772, 2858165, 2858166, 2858295, 2858296, 2859985, 2859986, 2860124, 2860125, 2861016, 2861018, 2861025, 2861026, 2861228, 2861229, 2861232, 2861233, 2861458, 2861459, 2864892, 2864893, 2865043, 2865044, 2866459, 2866467, 2867960, 2867963, 2870922, 2870924, 2870930, 2870931, 2872760, 2872764, 2872986, 2872989, 2874315, 2874316, 2875033, 2875034, 2876700, 2876701, 2880510, 2880511, 2883207, 2883208, 2884686, 2884689, 2906396, 2906397, 2906702, 2906703, 2907111, 2907112, 2907448, 2907449, 2908091, 2908092, 2910573, 2910574, 2910936, 2910937, 2923054, 2923055, 2923392, 2923393, 2924132, 2924133, 2924239, 2924240, 2924660, 2924661, 3002193, 3002194, 3012045, 3012046, 3033407, 3033408, 3033411, 3033412, 3033439, 3033440, 3033441, 3033442, 3033861, 3033862, 3034167, 3034168, 3034354, 3034355, 3034820, 3034821, 3035311, 3035312, 3040871, 3040872, 3042347, 3042352, 3062728, 3062729, 3063085, 3063086, 3063219, 3063220, 3063586, 3063587, 3064258, 3064259, 3068573, 3068574, 3069407, 3069408, 3081549, 3081550, 3081808, 3081809, 3081932, 3081933, 3082462, 3082463, 3083222, 3083223, 3086022, 3086023, 3086871, 3086872, 3098108, 3098109, 3098386, 3098387, 3098508, 3098509, 3099036, 3099037, 3100879, 3100880, 3103250, 3103251, 3108276, 3108277, 3122162, 3122163, 3122444, 3122445, 3122695, 3122696, 3123384, 3123385, 3126183, 3126184, 3128598, 3128599, 3129904, 3129905, 3142039, 3142040, 3142432, 3142433, 3142617, 3142618, 3143054, 3143055, 3145566, 3145567, 3147811, 3147812, 3149159, 3149160, 3159093, 3159094, 3159373, 3159374, 3159622, 3159623, 3160134, 3160135, 3162708, 3162709, 3164608, 3164609, 3166231, 3166232, 3175697, 3175698, 3176274, 3176275, 3176504, 3176505, 3177048, 3177049, 3179527, 3179528, 3181572, 3181573, 3183347, 3183348, 3192507, 3192508, 3192858, 3192859, 3193206, 3193207, 3193967, 3193968, 3196541, 3196542, 3198393, 3198394, 3200126, 3200127, 3208631, 3208632, 3209017, 3209018, 3209394, 3209395, 3210330, 3210331, 3213306, 3213307, 3215434, 3215435, 3217541, 3217542, 3226000, 3226001, 3226453, 3226454, 3226628, 3226629, 3227704, 3227705, 3232276, 3232277, 3234145, 3234146, 3236250, 3236251, 3245489, 3245490, 3245997, 3245998, 3246265, 3246266, 3247237, 3247238, 3250490, 3250491, 3252137, 3252138, 3254688, 3254689, 3263232, 3263233, 3263752, 3263753, 3263899, 3263900, 3265265, 3265270, 3268849, 3268850, 3277426, 3277427, 3280405, 3280406, 3290912, 3290913, 3291445, 3291447, 3291626, 3291627, 3292865, 3292866, 3296451, 3296452, 3298120, 3298121, 3301573, 3301575, 3309509, 3309510, 3310184, 3310185, 3310361, 3310362, 3311290, 3311291, 3315480, 3315481, 3317252, 3317253, 3320297, 3320298, 3327857, 3327858, 3328821, 3328822, 3328938, 3328939, 3329766, 3329767, 3334735, 3334736, 3336820, 3336821, 3340473, 3340474, 3347758, 3347759, 3348772, 3348773, 3348854, 3348855, 3349775, 3349776, 3355069, 3355070, 3356782, 3356783, 3360632, 3360633, 3367890, 3367891, 3368906, 3368907, 3368963, 3368964, 3369851, 3369852, 3375725, 3375726, 3377359, 3377360, 3381523, 3381524, 3388256, 3388257, 3389154, 3389155, 3389246, 3389247, 3390037, 3390038, 3395953, 3395954, 3397613, 3397614, 3402815, 3402816, 3409800, 3409801, 3410751, 3410756, 3410810, 3410811, 3411696, 3411697, 3412323, 3412324, 3412325, 3412328, 3413029, 3413031, 3413228, 3413229, 3422987, 3422988, 3424458, 3424459, 3434596, 3434597, 3435225, 3435226, 3435311, 3435312, 3436188, 3436189, 3436649, 3436650, 3441958, 3441959, 3443169, 3443170, 3452077, 3452078, 3452758, 3452759, 3452835, 3452836, 3453834, 3453835, 3454345, 3454346, 3459698, 3459699, 3460810, 3460811, 3468652, 3468653, 3469232, 3469233, 3469328, 3469329, 3470249, 3470250, 3470859, 3470860, 3476098, 3476099, 3477246, 3477247, 3485134, 3485135, 3486157, 3486158, 3486315, 3486316, 3487207, 3487208, 3488076, 3488077, 3495474, 3495475, 3496530, 3496531, 3504518, 3504519, 3505261, 3505262, 3505558, 3505559, 3506462, 3506463, 3507464, 3507465, 3513361, 3513362, 3515277, 3515278, 3522607, 3522608, 3524664, 3524665, 3524782, 3524783, 3525405, 3525406, 3526459, 3526460, 3532056, 3532057, 3533247, 3533248, 3540006, 3540007, 3540929, 3540930, 3541030, 3541031, 3541759, 3541760, 3542897, 3542898, 3548833, 3548834, 3549770, 3549771, 3558018, 3558019, 3558947, 3558948, 3559029, 3559030, 3559789, 3559790, 3561269, 3561270, 3567774, 3567775, 3568650, 3568651, 3576200, 3576201, 3577137, 3577138, 3577168, 3577169, 3577902, 3577903, 3579631, 3579632, 3586254, 3586255, 3587556, 3587557, 3593820, 3593821, 3594653, 3594654, 3594686, 3594687, 3595375, 3595376, 3597014, 3597015, 3603218, 3603219, 3604321, 3604322, 3610179, 3610181, 3611558, 3611559, 3611571, 3611572, 3627972, 3627983, 3701696, 3701698, 3711411, 3711412, 3712475, 3712476, 3718131, 3718132, 3719507, 3719508, 3719538, 3719539, 3720190, 3720191, 3722172, 3722173, 3728858, 3728859, 3729789, 3729790, 3735287, 3735288, 3736287, 3736288, 3736289, 3736290, 3737054, 3737055, 3739058, 3739059, 3745773, 3745774, 3746969, 3746970, 3751809, 3751810, 3752809, 3752810, 3752811, 3752812, 3753593, 3753594, 3755692, 3755693, 3762603, 3762604, 3763342, 3763343, 3767804, 3767805, 3768727, 3768728, 3768774, 3768775, 3769510, 3769511, 3771846, 3771847, 3779531, 3779532, 3780063, 3780064, 3784378, 3784379, 3785381, 3785382, 3785478, 3785479, 3786097, 3786098, 3788972, 3788973, 3796692, 3796693, 3797966, 3797967, 3803040, 3803041, 3804041, 3804042, 3804155, 3804156, 3805036, 3805037, 3809562, 3809563, 3818170, 3818171, 3818759, 3818760, 3822600, 3822601, 3827780, 3827782, 3827804, 3827805, 3828429, 3828430, 3831366, 3831367, 3839085, 3839086, 3839698, 3839699, 3843167, 3843168, 3844271, 3844272, 3844302, 3844303, 3845045, 3845046, 3848172, 3848173, 3857348, 3857349, 3858120, 3858121, 3861318, 3861319, 3862380, 3862381, 3862471, 3862472, 3863227, 3863228, 3866734, 3866735, 3874809, 3874810, 3875440, 3875441, 3882752, 3882753, 3883737, 3883738, 3883842, 3883843, 3884557, 3884558, 3888024, 3888025, 3896726, 3896727, 3897082, 3897083, 3903250, 3903251, 3903680, 3903681, 3903689, 3903690, 3903715, 3903716, 3903717, 3903718, 3904131, 3904132, 3904904, 3904905, 3905062, 3905063, 3916450, 3916451, 3926611, 3926612, 3926838, 3926839, 3929870, 3929871, 3930579, 3930580, 3931196, 3931197, 3931380, 3931381, 3938849, 3938850, 3947423, 3947424, 3947601, 3947602, 3949319, 3949320] +#filter_counts = [1823, 37787, 37776] +#filters = ['process where opcode == 1 and process_name == "cmd.exe"', "process where opcode == 1", "process where opcode in (2, 4)"] +#query = """ +#sequence by hostname +# [process where opcode == 1 and process_name == "cmd.exe"] by unique_pid +# [process where opcode == 1] by unique_ppid +#until +# [process where opcode in (2, 4)] by unique_pid +#""" +#time = 2.1441586017608643 +#type = "sequence" +# +#[[queries]] +#queryNo = 30 +#case_insensitive = true +#count = 20 +#expected_event_ids = [15690, 15830, 15688, 16224, 18863, 19287, 20086, 20441, 20946, 21142, 25134, 25417, 25798, 25950, 29432, 29536, 29785, 30405, 32089, 32403, 33047, 33172, 33795, 33967, 39085, 39377, 39583, 39716, 43074, 43268, 43577, 43824, 45298, 45508, 45930, 46089, 46430, 46529, 50566, 51674] +#filter_counts = [37787, 1823, 37776] +#filters = ["process where opcode == 1", 'process where opcode == 1 and process_name == "cmd.exe"', "process where opcode in (2, 4)"] +#query = """ +#sequence by hostname +# [process where opcode == 1] by unique_pid +# [process where opcode == 1 and process_name == "cmd.exe"] by unique_ppid +#until +# [process where opcode in (2, 4)] by unique_pid +#| head 20 +#""" +#time = 2.544095754623413 +#type = "sequence" +# +#[[queries]] +#queryNo = 31 +#case_insensitive = true +#count = 5 +#expected_event_ids = [43577, 43824, 45298, 45508, 45930, 46089, 46430, 46529, 50566, 51674] +#filter_counts = [37787, 1823, 37776] +#filters = ["process where opcode == 1", 'process where opcode == 1 and process_name == "cmd.exe"', "process where opcode in (2, 4)"] +#query = """ +#sequence by hostname +# [process where opcode == 1] by unique_pid +# [process where opcode == 1 and process_name == "cmd.exe"] by unique_ppid +#until +# [process where opcode in (2, 4)] by unique_pid +#| head 20 +#| tail 5 +#""" +#time = 2.4966301918029785 +#type = "sequence" +# +#[[queries]] +#queryNo = 32 +#case_insensitive = true +#count = 0 +#expected_event_ids = [] +#filter_counts = [1823, 645795, 37776] +#filters = ['process where opcode == 1 and process_name == "cmd.exe"', "file where opcode == 0", "process where opcode in (2, 4)"] +#query = """ +#sequence by hostname +# [process where opcode == 1 and process_name == "cmd.exe"] by unique_pid +# [file where opcode == 0] by unique_ppid +#until +# [process where opcode in (2, 4)] by unique_pid +#| tail 20 +#""" +#time = 4.667104005813599 +#type = "sequence" +# +#[[queries]] +#queryNo = 33 +#case_insensitive = true +#count = 11 +#expected_event_ids = [43267, 43268, 43820, 43824, 45507, 45508, 46088, 46089, 46528, 46529, 51672, 51674, 51883, 51888, 55263, 55264, 56139, 56141, 57907, 57908, 58228, 58230] +#filter_counts = [645795, 1823, 37776] +#filters = ["file where opcode == 0", 'process where opcode == 1 and process_name == "cmd.exe"', "process where opcode in (2, 4)"] +#query = """ +#sequence by hostname +# [file where opcode == 0] by unique_pid +# [process where opcode == 1 and process_name == "cmd.exe"] by unique_ppid +#until +# [process where opcode in (2, 4)] by unique_pid +#| head 25 +#| tail 11 +#""" +#time = 8.868574619293213 +#type = "sequence" +# +#[[queries]] +#queryNo = 34 +#case_insensitive = true +#count = 0 +#expected_event_ids = [] +#filter_counts = [4, 2, 54954, 394] +#filters = [ +# 'process where process_name == "net.exe"', +# 'process where process_name == "net1.exe"', +# "network where destination_port == 445", +# "file where pid == 4" +#] +#query = """ +#sequence with maxspan=10s +# [process where process_name == "net.exe"] +# [process where process_name == "net1.exe"] +# [network where destination_port == 445] +# [file where pid == 4] +#| tail 3 +#""" +#time = 5.871383905410767 +#type = "sequence"