From a8da6a5a14b2f4f6c10720d24624f8ac2eba2d34 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Sun, 25 Mar 2018 07:19:47 +0000 Subject: [PATCH 1/8] Updated advanced-hunting-windows-defender-advanced-threat-protection.md --- ...anced-hunting-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 1ceed89059..7394b1e678 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -160,7 +160,7 @@ The filter selections will resolve as an additional query term and the results w ## Public Advanced Hunting query GitHub repository -Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers. +Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) From 17b036ca54b66eb18a7b69e034e47f02eef8f115 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Sun, 25 Mar 2018 07:41:20 +0000 Subject: [PATCH 2/8] Updated advanced-hunting-windows-defender-advanced-threat-protection.md --- ...vanced-hunting-windows-defender-advanced-threat-protection.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 7394b1e678..5e9c033c35 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -97,7 +97,6 @@ The following tables are exposed as part of advanced hunting: - **LogonEvents** - Stores all login events - **ImageLoadEvents** - Stores all load dll events - **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events. -- **SuspiciousEvents** - Stores all events that deviate from typical event behavior ## Use shared queries Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. From e07329023ddcc1516c3384201242e020a330a091 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Sun, 25 Mar 2018 07:49:31 +0000 Subject: [PATCH 3/8] Updated advanced-hunting-reference-windows-defender-advanced-threat-protection.md --- ...reference-windows-defender-advanced-threat-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 1f90bb1c05..25e298ac4d 100644 
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -28,11 +28,11 @@ ms.date: 04/16/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) ## Advanced hunting query best practices -The following best practices serve as a guideline for you to maximize the advanced hunting capability. +The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. - Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). - Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Prefer 'has' keyword over 'contains' when looking for full tokens. -- Prefer looking in specific column rather than using full text search across all columns. +- Use 'has' keyword over 'contains' when looking for full tokens. +- Use looking in specific column rather than using full text search across all columns. - When joining between two tables - choose the table with less rows to be the first one (left-most). - When joining between two tables - project only needed columns from both sides of the join. From 0614a78c5f09fa80775d13d7fda19111ab992d4b Mon Sep 17 00:00:00 2001 From: Yarden Albeck Date: Sun, 25 Mar 2018 10:29:17 +0000 Subject: [PATCH 4/8] Updated investigate-machines-windows-defender-advanced-threat-protection.md --- ...igate-machines-windows-defender-advanced-threat-protection.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index f4517e8520..470e23886c 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -62,6 +62,7 @@ You'll also see details such as logon types for each user account, the user grou **Machine risk**
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. +Depending on your connection settings, the risk level can influence enforcement of conditional access and other security policies on Microsoft Intune and other connected solutions. For more information on conditional access, see Enable conditional access (should be linkable) **Azure Advanced Threat Protection**
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. From 682d8d124ec5013219df8af0ac4d8f80f55e5870 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Mon, 26 Mar 2018 05:51:11 +0000 Subject: [PATCH 5/8] Added advanced-hunting-query-example.PNG --- .../images/advanced-hunting-query-example.PNG | Bin 0 -> 31001 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG new file mode 100644 index 0000000000000000000000000000000000000000..c218885086a18edf3802bf9aa9a90746f97b5b91 GIT binary patch literal 31001
From 466ef3790c8504d4e15a066d95bb54e8abaff752 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Mon, 26 Mar 2018 05:53:00 +0000 Subject: [PATCH 6/8] Updated advanced-hunting-windows-defender-advanced-threat-protection.md --- ...anced-hunting-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 1ceed89059..d7c43de55c 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -56,7 +56,7 @@ A typical query starts with a table name followed by a series of operators separ In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. -![Image of Windows Defender ATP advanced hunting query](images/atp-advanced-hunting-query.png) +![Image of Windows Defender ATP advanced hunting query](images/advanced-hunting-query-example.png) First, we define a time filter to review only records from the previous seven days. From ae1e9fd2ad2b6ed771a30b08e72128de12bb65f5 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Mon, 26 Mar 2018 06:47:55 +0000 Subject: [PATCH 7/8] Updated advanced-hunting-reference-windows-defender-advanced-threat-protection.md --- ...g-reference-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 1f90bb1c05..dc4b5e7f19 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md 
@@ -31,8 +31,8 @@ ms.date: 04/16/2018 The following best practices serve as a guideline for you to maximize the advanced hunting capability. - Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). - Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Prefer 'has' keyword over 'contains' when looking for full tokens. -- Prefer looking in specific column rather than using full text search across all columns. +- Use 'has' keyword over 'contains' when looking for full tokens. +- Use looking in specific column rather than using full text search across all columns. - When joining between two tables - choose the table with less rows to be the first one (left-most). - When joining between two tables - project only needed columns from both sides of the join. From c8e7acc1e4ef0de3357db9cee380f382c4f49a9c Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Mon, 26 Mar 2018 06:49:52 +0000 Subject: [PATCH 8/8] Updated advanced-hunting-windows-defender-advanced-threat-protection.md --- ...ing-windows-defender-advanced-threat-protection.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 1ceed89059..1678c960d9 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md 
@@ -39,17 +39,6 @@ To get you started in querying your data, you can use the basic or advanced quer ![Image of Advanced hunting window](images/atp-advanced-hunting.png) -## Before you begin -To maximize the advanced hunting capability, it's a good idea to understand the following query best practices. - -### Query best practices -- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). -- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Prefer 'has' keyword over 'contains' when looking for full tokens. -- Prefer looking in specific column rather than using full text search across all columns. -- When joining between two tables - choose the table with less rows to be the first one (left-most). -- When joining between two tables - project only needed columns from both sides of the join. - ## Use advanced hunting to query data A typical query starts with a table name followed by a series of operators separated by **|**.
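Review bot: In PATCH 2/8 (hunk at -97,7 of the advanced hunting page), the **SuspiciousEvents** bullet is dropped from the list of exposed tables, but the subject line only says "Updated ...md" and gives no reason. Please state in the commit message whether the table was renamed, retired, or never shipped, so that readers who already have saved queries against it know what to do.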
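Review bot: In PATCH 3/8 (hunk at -28,11 of the reference page), the rewritten bullets and intro do not read correctly. "Use looking in specific column rather than using full text search across all columns." is ungrammatical; something like "Look in a specific column rather than running a full-text search across all columns." would work. The new intro, "serve as a guideline of query performance best practices and for you to get faster results", repeats "best practices" and mixes two constructions; consider "The following best practices help you get faster results and run complex queries." Changing "Prefer 'has' ..." to "Use 'has' keyword over 'contains'" also weakens the sense that this is a preference for full-token matches, so "Use the 'has' keyword instead of 'contains' when looking for full tokens" would be clearer.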
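Review bot: In PATCH 4/8 (hunk at -62,6 of the investigate-machines page), the added sentence ends with an authoring note left in the published text: "see Enable conditional access (should be linkable)". Replace the parenthetical with an actual Markdown link to the conditional access topic before merging, and end the sentence with a period. As written, the page tells readers that risk level can drive conditional access enforcement in Microsoft Intune but gives them no way to reach the configuration guidance.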
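Review bot: In PATCH 6/8 (hunk at -56,7), the new image reference is "images/advanced-hunting-query-example.png", but PATCH 5/8 adds the file as "images/advanced-hunting-query-example.PNG". The extension case differs, so the image will not resolve on a case-sensitive file system or host. Either rename the file to a lowercase ".png" or match the case in the link.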
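Review bot: PATCH 7/8 (hunk at -31,8 of the reference page) is made against blob 1f90bb1c05, the same base as PATCH 3/8, and changes the same two bullets. Its context still contains the old intro line "The following best practices serve as a guideline for you to maximize the advanced hunting capability.", which PATCH 3/8 replaces, so it will not apply cleanly after 3/8 in this series. Drop this patch or rebase it, and fix the "Use looking in specific column" wording in the one that remains.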
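Review bot: In PATCH 8/8 (hunk at -39,17), the whole "Before you begin" / "Query best practices" section is deleted from the advanced hunting page and nothing is added in its place. The same guidance lives on the reference page, but this page no longer points to it. Add a one-line pointer to the "Advanced hunting query best practices" section of the reference topic, for example just before "## Use advanced hunting to query data", so readers writing their first query still see the advice on time filters and join order.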